AWS Securing Compute Services - cloud computing security - summary CH2

What is a Compute Services?

• Compute Services → from the traditional virtual machines (VMs), through managed databases (run on VMs on the backend), to modern compute architecture such as containers and eventually server less.

What is a Virtual Machine

1. digital version of a physical computer
2. can run programs and operating systems, store data, connect to networks
3. requires maintenance such as updates and system monitoring.

• Multiple VMs
1. Multiple VMs can be hosted on a single physical machine → often a server
2. managed Multiple VMs → using virtual machine software
3. This provides flexibility for compute resources (compute, storage, network) to be distributed among VMs as needed → increasing overall efficiency
4. This architecture provides the basic building blocks for the advanced virtualized resources

Virtualization Technologies → Role of virtualization

1. Emulates part or all of a computer or network
2. Uses virtual machines (VMs)
• Logical computers running an operating system
• Borrow hardware from physical host computer
• Function as → independent systems
3. Host and guest machines differ
• Host: physical machine running a hypervisor
• Guest: virtual machine running in a hypervisor
• note: hypervisor acts as a virtualization layer, allowing multiple virtual machines to run on the same physical hardware simultaneously.
• Communicate using hypervisor, or VMM (virtual machine manager)

Amazon Elastic Compute Cloud (EC2)

• simple explanation for EC2 and AWS relation
• AWS is like a big toolbox: Imagine you have a huge toolbox with lots of tools inside. Each tool is a different service that helps you do something specific in the digital world.
• EC2 is one of the tools in that toolbox: Specifically, EC2 is like a magical wrench. It allows you to create and use virtual computers (instances) in the cloud. These virtual computers can be tailored to your needs, whether you want a fast one for playing games or a simple one for basic tasks.

• Amazon Elastic Compute Cloud (Amazon EC2) provides → on-demand, scalable computing capacity in the Amazon Web Services (AWS) Cloud.
• Using Amazon EC2
• reduces hardware costs so you can develop and deploy applications faster
• launch virtual servers
• configure security and networking
• manage storage
• Add capacity (scale up) for compute-heavy tasks
• Manage monthly/yearly processes efficiently
• Scale up to address spikes in website traffic
• A web traffic spike is a massive and sometimes unexpected increase in internet activity on a website.
• (Scale down) reduce capacity → when usage decreases

Architecture of an Amazon EC2 instance

Securing VMs

1. Select machine type based on vCPU and memory needs (e.g., general-purpose, compute optimized).
• machine type (or size) is a ratio between the amount of virtual CPU
2. Choose an operating system image (Windows, Linux, etc.).
3. Configure storage, including additional volumes and connections to file sharing services.
4. Set up network settings, including access controls and micro-segmentation.
5. Configure permissions for accessing cloud resources.
6. Deploy the desired application.
7. Start using the service.
8. Perform ongoing maintenance of the operating system.

Best practices for Securing Amazon Elastic Compute Cloud (EC2)

• Amazon Machine Image (AMI) in AWS EC2:
• AMI is a template for virtual machines in AWS EC2, It includes an operating system and any additional software needed.
• Instance in AWS EC2:
• you can consider EC2 as a big apartment building, and an instance as one of the individual apartments or rooms within that building. Each apartment (instance) is self-contained, with its own set of resources and configurations.

1. Deploy EC2 instances with trusted AMIs.
2. Minimize packages in AMIs for reduced attack surface.
3. Employ Amazon built-in agents for various EC2 tasks → backup, patch management
4. opt for new-gen EC2 instances based on AWS Nitro System for enhanced performance, security, and data isolation → which offloads virtualization functions (such as network, storage, and security) to dedicated software

Best practices for authenticating to an instance

1. Secure private keys by storing them in a protected location → Consider AWS Secrets Manager for secure storage and retrieval of SSH keys.
2. Avoid storing private keys on exposed hosts; use AWS Systems Manager, particularly Session Manager, for SSH-less access → alternative to logging in using SSH, without an SSH key,
3. Join Windows or Linux instances to an Active Directory (AD) domain for login using AD credentials → and avoid using local credentials or SSH keys completely

Best practices for securing network access to an instance

1. Control access to AWS resources, including EC2 instances, using security groups (at the instance level) or network access control lists (NACLs) (at the subnet level).
1. which are equivalent to the on-premises layer 4 network firewall or access control mechanism
2. Configure parameters → like source/destination IP or CIDR, destination port, and protocol (TCP/UDP).
3. For Linux machine management, restrict inbound network access to TCP port 22; for Windows, use TCP port 3389.
4. Secure remote access (SSH/RDP) by limiting source IP, considering alternatives like VPNs tunnel, bastion hosts, or AWS Systems Manager Session Manager.
5. Restrict source IPs for file sharing protocols (CIFS/SMB/FTP).
6. Provide names and descriptions for security groups for purpose.
7. Use tagging to associate security groups with specific AWS resources.
8. Minimize allowed ports in a security group to the required service or application.

• AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access.

Best practices for conducting patch management

1. patch management as a crucial aspect of ongoing instance maintenance.
2. Employ AWS Systems Manager Patch Manager for standardized deployment of security patches on Windows or Linux-based instances.
• Configure a patch baseline.
• Schedule scans for deviations from the baseline.
• Install missing security patches.
• Review Patch Manager reports.
3. Use AWS Systems Manager Compliance to ensure all EC2 instances are up to date.
4. Establish an IAM group with minimal privileges for authorized team members to conduct patch deployment.
5. Utilize tagging for EC2 instances to organize patch deployment groups (e.g., production versus development environments).
6. For stateless EC2 instances (where no user session data is stored inside an EC2 instance) , replace existing instances with new ones created from up-to-date operating system images.

Best practices for securing backups

• Backing up is crucial for EC2 instance recovery
• AWS Backup service encrypts backups in transit and at rest using AWS KMS AWS Key Management Service , adding an extra layer of security beyond EBS Elastic Block Store volume or snapshot encryption keys.

1. Set up AWS Backup with an IAM role for access to encryption keys in AWS KMS.
2. Configure AWS Backup with an IAM role for access to the backup vault.
3. Use tagging for backups associate with specific EC2 instances → better understanding of which backup belongs to which EC2 instance.
4. Consider replicating backups to another AWS region for additional redundancy.

Containers in Cloud

1. Containers encapsulate software processes or microservices, enabling them to be executable in various computing environments.
2. They can store diverse executable files such as configuration files, software code, libraries, and binary programs.
3. Containers in the cloud are hosted in an online environment, allowing users to access them from any location. However, they remain separate from the underlying cloud infrastructure.
4. application is not tied to a specific cloud, operating system, or storage space, allowing Containerized software to execute in any environment.

Securing containers

1. Containers represent the next evolution in computing after virtual machines (VMs).
2. They function similarly to VMs but have a significantly smaller footprint.
3. Unlike deploying an application with an entire operating system in VMs, containers only include the necessary operating system libraries and binaries for the required application.
4. Containers have a small footprint, storing only the essential libraries and binaries.
5. They offer portability, allowing developers to create an application within a container on their laptop and seamlessly run it in a large-scale production environment with numerous container instances.
6. Containers enable fast deployment and updates in comparison to VMs.

Containers vs Virtual Machines

Securing Amazon Elastic Container Service (ECS)

• ECS is Amazon's managed container orchestration service.
• It seamlessly integrates with various AWS services
1. Amazon Elastic Container Registry (ECR) for container storage
2. AWS IAM for permission management
3. Amazon Cloud Watch for ECS monitoring.

Best practices for configuring IAM for Amazon ECS

• AWS IAM is the supported service for managing permissions to access and run containers through Amazon ECS

1. Assign minimal IAM permissions to Amazon ECS for specific tasks (e.g., running tasks, accessing S3 buckets, monitoring with CloudWatch Events).
2. When managing multiple AWS accounts, use temporary credentials through AWS Security Token Service or AssumeRole to operate ECS on the target account with credentials from a source AWS account.
3. Utilize service roles, enabling ECS to assume roles and access resources like S3 buckets.
4. Control access to Amazon Elastic File System (EFS) from ECS using IAM roles.
5. Implement multi-factor authentication (MFA) for end users with AWS console access, especially for privileged actions involving ECS management.
6. Enforce policy conditions, such as secure channel connections (SSL/TLS), MFA usage, or specific login hours, for ECS service access by end users.

Best practices for conducting auditing and monitoring in Amazon ECS

• Auditing is a crucial part of data protection
• AWS allows you to enable logging and auditing using two built-in services:
1. Amazon CloudWatch: Enables logging of container activities and setting alarms based on predefined thresholds → such as low memory or high CPU
2. AWS CloudTrail: A service for monitoring API activities related to the ECS cluster, capturing any actions performed on it.

1. Activate Amazon CloudWatch alarms to detect high-performance usage anomalies in the ECS cluster behavior.
2. Enable AWS CloudTrail to monitor any actions performed on the ECS cluster.
3. Restrict access to CloudTrail logs to a minimal number of employees, preferably in an AWS management account, beyond the reach of end users and ECS cluster administrators, to prevent potential tampering or deletion of audit logs.

Best practices for enabling compliance on Amazon ECS

• Security configuration is a crucial part of your infrastructure.
• Amazon allows you to conduct ongoing compliance checks against well-known security standards (such as the Center for Internet Security Benchmarks)

1. Use trusted container images and store them securely in Amazon ECR → a private repository for organizational images - Amazon Elastic Container Registry
2. Regularly run the Docker Bench for Security tool to ensure compliance with Center for Internet Security (CIS) Benchmarks for Docker containers.
3. Build container images from scratch to mitigate the risk of malicious code in preconfigured third-party images.
4. Implement regular scans for vulnerabilities in libraries and binaries within container images, ensuring timely updates.
5. Configure container images with a read-only root filesystem to prevent the unintended upload of malicious code.

Securing serverless/function as a service

• Serverless or Function as a Service (FaaS) implies that as a customer, you are not responsible for managing the underlying compute infrastructure, including tasks such as operating system maintenance, scaling, and runtime management.
• Instead, you import your code (in a supported language by the cloud provider), choose the runtime, specify the required memory per function, and set triggers to invoke the function.
• VMs, containers, serverless

Securing AWS Lambda

• AWS Lambda is the Amazon serverless service.
• can integrate with other AWS services, such as
1. AWS IAM for managing permissions to AWS Lambda
2. Amazon CloudWatch for monitoring AWS Lambda
3. and Amazon S3 and Amazon EFS for persistent storage

Best practices for configuring IAM for AWS Lambda

1. Grant minimal IAM permissions for newly created AWS Lambda functions, matching a specific IAM role to each function for tasks like running, accessing S3, and monitoring with Cloud Watch Events.
2. Use open source tools like serverless-puresec-cli to generate IAM roles for Lambda functions.
3. Avoid storing credentials directly in Lambda code.
4. Utilize AWS Secrets Manager for storing sensitive data, such as credentials.
5. Enhance Lambda function protection by configuring AWS Lambda behind Amazon API Gateway.
6. For security in sensitive environments, encrypt Lambda environment variables using Customer Master Key (CMK) management.
7. Implement TLS 1.2 for encrypting sensitive data over the network.
8. Enforce multi-factor authentication (MFA) for end users with access to AWS API, including console, CLI, and SDK, especially for privileged actions like managing the Lambda service.

Best practices for securing network access to AWS Lambda

• A virtual private cloud (VPC) is a secure, isolated private cloud hosted within a public cloud. VPC customers can run code, store data, host websites, and do anything else they could do in an ordinary private cloud, but the private cloud is hosted remotely by a public cloud provider.
• AWS Lambda can be deployed either as an external resource outside your VPC or inside your VPC

1. Employ Amazon API Gateway → to control access to your Lambda function, restricting it based on specific IP addresses or CIDR blocks.
2. If your Lambda function is outside a VPC and requires access to resources inside, use AWS PrivateLink to secure network traffic within your VPC through an interface VPC endpoint.
3. For Lambda functions within a VPC needing internet access, use a NAT gateway to provide required access without exposing Lambda directly to the internet.
4. Encrypt traffic to and from your Lambda functions using TLS 1.2 for enhanced security.

Best practices for conducting auditing and monitoring in AWS Lambda

• AWS allows you to enable auditing using → AWS CloudTrail service: a service that allows you to audit API-related activities

1. Activate enhanced monitoring for your Lambda functions.
2. Employ Amazon CloudWatch to identify spikes in Lambda usage.
3. Utilize AWS CloudTrail to monitor API activities associated with your Lambda function.