Misc Notes

  • You need to let AWS know in order to do vulnerability scanning and penetration testing. For nano, micro and small instances, it’s not permitted anyway

Shared Responsibility Model

  • For managed services, AWS is responsible for patching, anti-virus etc.; however, you are responsible for account management and user access. It is recommended that MFA be implemented, that you communicate with these services using SSL/TLS, and that API/user activity logging be set up with CloudTrail
  • AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration and disaster recovery. For these managed services, all you have to do is configure logical access controls for the resources and protect your credentials.
  • Management of guest OS is your responsibility which could include updates and security patches
  • Launching and maintaining instances, patching the guest OS or database, or replicating databases is AWS’s responsibility.
  • Master keys are specific to the region. You cannot download, you can only refer to it. They are not synchronized. Key Management Service is regional
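
The MFA and CloudTrail recommendation in the list above can be checked from the logs themselves. The following is an added example, not part of the original notes: it scans CloudTrail `ConsoleLogin` records for successful sign-ins without MFA. The sample events, user names, role name and account ID are constructed placeholders.

```python
def _login(identity, result, mfa, ip):
    """Build a constructed CloudTrail ConsoleLogin record with only the fields used below."""
    return {"eventName": "ConsoleLogin", "sourceIPAddress": ip, "userIdentity": identity,
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa}}

# Constructed sample events (documentation IP ranges, placeholder account ID).
FEDERATED_ARN = "arn:aws:sts::111122223333:assumed-role/ExampleSAMLRole/dave"
SAMPLE_EVENTS = [
    _login({"type": "IAMUser", "userName": "alice"}, "Success", "Yes", "198.51.100.7"),
    _login({"type": "IAMUser", "userName": "bob"}, "Success", "No", "203.0.113.9"),
    _login({"type": "Root"}, "Success", "No", "203.0.113.50"),
    _login({"type": "AssumedRole", "arn": FEDERATED_ARN}, "Success", "No", "192.0.2.10"),
    _login({"type": "IAMUser", "userName": "carol"}, "Failure", "No", "203.0.113.9"),
    # Not a console login: must be ignored by the check.
    {"eventName": "AssumeRole", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": None},
]

def logins_without_mfa(events):
    """Return (severity, who, source_ip) for each successful console login without MFA."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts belong to a separate brute-force check
        if (ev.get("additionalEventData") or {}).get("MFAUsed") == "Yes":
            continue
        ident = ev.get("userIdentity") or {}
        kind = ident.get("type")
        if kind == "Root":
            severity, who = "critical", "root"
        elif kind == "IAMUser":
            severity, who = "high", ident.get("userName", "?")
        else:
            # Federated sign-ins show MFAUsed=No because AWS cannot see MFA done at
            # the IdP; confirm MFA in the IdP's own logs instead of alerting here.
            severity, who = "review", ident.get("arn", "?")
        findings.append((severity, who, ev.get("sourceIPAddress")))
    return findings
```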

Instance Isolation

  • Different instances running on the same physical machine are isolated from each other using Xen Hypervisor. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms

Guest Operating Systems

  • Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services and applications. AWS does not have any rights to your instances or the guest OS. Encryption of sensitive data is generally a good practice, and AWS provides the ability to encrypt EBS volumes and their snapshots with AES 256. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage. In order to be able to do this efficiently and with low latency, the EBS encryption is only available on EC2’s more powerful instance types (M3, C3, R3, G2)

Firewall

  • Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode and Amazon EC2 customers explicitly open the ports needed to allow inbound traffic

ELB

  • SSL Termination on the load balancer is supported. Web Servers do not need to do the decryption. ELB allows you to identify the originating IP address of a client connecting to your servers.

Direct Connect

  • Bypass internet service providers in your network path. You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect. Using industry standard 802.1q VLANs, the dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon VPC using private IP space, while maintaining the network separation between the public and private environments.

  • You cannot RDP or SSH in to an RDS instance to see what is going on with the operating system
  • It is not possible to attach ephemeral storage to a micro instance
  • Elastic Network Interface remains active after you terminate an instance
  • CloudTrail cannot assume a Role.

FEDERATING ACCESS TO YOUR AWS ENVIRONMENT

  • You can use a role to configure your SAML 2.0-compliant IdP and AWS to permit your federated users to access the AWS Management Console. The role grants the user permissions to carry out tasks in the console
  • IAM federation supports these use cases: Web-based single sign-on (WebSSO) to the AWS Management Console from your organization. Users can sign in to a portal in your organization, select an option to go to AWS, and be redirected to the console without having to provide additional sign-in information
  • Web Federation - Use Cognito Identity Pool which works as a broker. You can store keys etc. Once it knows that you have an authenticated user, it will go and assume a role based on this user. It’s like a store where you don’t store huge files but only credentials, mainly for user preferences, UI, settings etc

Sessions

  • Allow temporary access to your AWS account
  • Generated by Security Token Service (STS)
  • Obtained by calling:
      • GetFederationToken
      • AssumeRole
      • AssumeRoleWithSAML
      • AssumeRoleWithWebIdentity

Comparison

AssumeRole               | AssumeRoleWithSAML
Works across accounts    | Works across accounts
Sessions up to 1 hr      | Sessions up to 1 hr
Supports policy scoping  | Supports policy scoping
Requires AWS cred        | Doesn’t require AWS cred
Requires custom proxy    | Uses off-the-shelf software

Amazon Cognito

  • It is used for mobile users as an identity and data sync service. It is used for guest user sign-in, unique identity across devices and syncing app data across devices. It supports Amazon, Facebook, Google and any OIDC provider.

Use Case

  • AWS powered app that supports sign in with SalesForce
  • Sample JavaScript app based on AssumeRoleWithWebIdentity

Benefits

  • Developers don’t maintain database or usernames and passwords
  • Users don’t need yet another username and password
  • Apps don’t embed long term AWS cred
  • Broad selection of identity providers

User Pools

  • Provides a directory profile for all users which you can access through an SDK
  • Supports user federation through a third-party identity provider
  • Signed-in users receive authentication tokens
  • Tokens can be exchanged for AWS access via Amazon Cognito identity pools

Identity Pools

  • Authenticates users with web identity providers, including Amazon Cognito user pools
  • Assigns temporary AWS credentials via AWS STS
  • Supports anonymous guest users

SUMMARY

Corporate Identities

  • Enable corp users to access your account using single sign on
  • Custom federation proxy: GetFederationToken or AssumeRole
  • SAML 2.0: AssumeRoleWithSAML
  • AWS Directory Service: Hosted AssumeRole based proxy

Social Identities

  • Enable apps to access your account on behalf of the end users
  • Amazon Cognito: AssumeRoleWithWebIdentity with OIDC
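
Which STS call a role accepts, and from whom, is decided by the role's trust policy, so the AssumeRole / AssumeRoleWithSAML comparison and the Cognito identity pool flow above can be reviewed there. The following is an added example, not part of the original notes: a small audit of trust policies for each call. The role names, account ID, IdP name and pool ID are constructed placeholders, and the three checks are a minimal set chosen for illustration.

```python
def _trust(action, principal, condition=None):
    """Build a constructed single-statement role trust policy."""
    stmt = {"Effect": "Allow", "Action": action, "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Placeholder identifiers, constructed for this example.
SAML_IDP = "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
COGNITO = "cognito-identity.amazonaws.com"
TRUST_POLICIES = {
    "CrossAccountMfa": _trust("sts:AssumeRole", {"AWS": "arn:aws:iam::111122223333:root"},
                              {"Bool": {"aws:MultiFactorAuthPresent": "true"}}),
    "AnyAccount": _trust("sts:AssumeRole", {"AWS": "*"}),
    "SamlConsole": _trust("sts:AssumeRoleWithSAML", {"Federated": SAML_IDP},
                          {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}),
    "SamlNoAudience": _trust("sts:AssumeRoleWithSAML", {"Federated": SAML_IDP}),
    "CognitoApp": _trust("sts:AssumeRoleWithWebIdentity", {"Federated": COGNITO},
                         {"StringEquals": {COGNITO + ":aud": "us-east-1:EXAMPLE-POOL-ID"}}),
    "CognitoAnyPool": _trust("sts:AssumeRoleWithWebIdentity", {"Federated": COGNITO}),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for Allow statements that let too many callers obtain a session."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # IAM condition key names are case-insensitive, so compare in lower case.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for action in _as_list(stmt.get("Action", [])):
            if action == "sts:AssumeRole":
                aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
                if "*" in aws and not keys:
                    findings.append("AssumeRole: any AWS principal, no condition")
            elif action == "sts:AssumeRoleWithSAML" and "saml:aud" not in keys:
                findings.append("AssumeRoleWithSAML: no SAML:aud condition")
            elif action == "sts:AssumeRoleWithWebIdentity" and not any(
                    k.endswith((":aud", ":app_id")) for k in keys):
                findings.append("AssumeRoleWithWebIdentity: no audience condition")
    return findings

def audit_all(policies=TRUST_POLICIES):
    return {name: audit_trust_policy(p) for name, p in policies.items()}
```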

AWS Certificate Manager

  • A certificate contains one half of a key pair: the public key. By using the key, you can initiate an encrypted communication to an AWS webserver. Using its private key, the webserver can decrypt the comms channel. Certificates are assigned by high level authorities and are trusted by the OS and the browser. The client uses the public key to authenticate.
  • Use case: Suppose you want to reach out to aclouddiary.com, where you have objects inside the S3 bucket. You enable static website hosting for these objects.
  • ACM natively integrates with ELB, CloudFront, Elastic Beanstalk & API Gateway but NOT EC2 instances.

AWS GuardDuty

  • A product that has access to data sources across your AWS products. This might be AWS account activities such as logins, or it might be data coming from VPC Flow Logs or even 3rd party intelligence data. It continuously monitors your account and provides recommendations.