AWS Securing Networking Services - cloud computing security - summary CH4

Technical requirements

  1. DNS (Domain Name System): A system translating human-readable domain names into IP addresses for efficient internet communication.
  2. CDN (Content Delivery Network): A globally distributed network of servers optimizing web content delivery for improved speed and user experience.
  3. VPN (Virtual Private Network): Establishes secure, encrypted connections over the internet for remote access to private networks, enhancing privacy and data security.
  4. DDoS (Distributed Denial of Service): A cyber attack overwhelming a target system with massive traffic from multiple sources, mitigated by DDoS protection services.
  5. WAF (Web Application Firewall): Security solution protecting web applications from online threats by monitoring and filtering HTTP traffic for vulnerabilities.
  6. Virtual Networking: Utilizes software to create and manage computer networks, enabling flexibility, scalability, and efficient resource use in a virtualized environment.
  7. ACL (Access Control List): A set of rules defining permissions or restrictions on network traffic, often used in routers or firewalls to control access to resources based on source or destination IP addresses.
  8. VPC (Virtual Private Cloud): A virtual network environment within a cloud service provider's infrastructure, allowing users to launch and manage resources in an isolated and customizable network, enhancing security and network control in the cloud.
  9. SDN (Software-Defined Networking): A network architecture that uses software to centrally manage and control the flow of data.

Securing virtual networking

  • Each cloud provider has its own implementation of virtual networking.
  • Shared Responsibility Model:
    • Cloud provider and customer share responsibilities for the network.
    • Cloud provider is responsible for the physical network layer within data centers.
    • Customers are responsible for the virtual networking layers (Amazon VPC), including access between virtual servers, managed storage services, and databases.
  • Traditional On-Premises Networking:
    • Involves physical connections between devices, using concepts like VLANs and subnetting for network segmentation and security.
  • Cloud Networking (Software-Defined Networking - SDN):
    • Cloud networks are software-based and utilize SDN → software-defined networking
    • Micro-segmentation allows configuring access control rules between instances, even within the same subnet.
    • Enables auditing and control of access to resources like APIs.
  • Virtual Network → Network area in the cloud environment hosting common resources like virtual servers and managed databases, organized into subnets.
  • Key Points on Virtual Networks:
    • Access to subnets is controlled by access controls, including Layer 4 firewalls.
    • Subnets can be private (no direct internet access) or public (internet access allowed).
    • To grant internet access to private subnet resources, a NAT gateway must be configured.
    • Multiple virtual networks can connect through peer connections.

Best practices for securing network access to Amazon VPC

  • Amazon Virtual Private Cloud (Amazon VPC) → is the Amazon virtual networking service.
  • Mechanisms to protect access to resources inside a VPC:
    1. Network ACLs:
      • Type: Stateless mechanism.
      • Scope: Protects access at the subnet level.
      • Configuration: Requires both inbound and outbound rules.
      • Rules: Supports both allow and deny rules.
    2. Security Groups:
      • Type: Stateful mechanism.
      • Scope: Protects access at the instance level.
      • Configuration: Involves setting up inbound rules.
      • Rules: Supports only allow rules.
  1. Create a final deny rule for both inbound and outbound traffic for better protection when creating custom network ACLs.
  2. Create subnets based on the resource's function (public subnets for web servers, private subnets for database servers).
  3. Limit the source IP address (or CIDR) for remote access protocols (SSH/RDP) to well-known sources.
  4. Limit the source IP address (or CIDR) for file sharing protocols (CIFS/SMB/FTP) to well-known sources.
  5. Use security groups to control access between public resources (load balancers, publicly facing web servers) and private resources (databases) and restrict access to the minimum required ports/protocols.
  6. In large-scale environments with multiple AWS accounts, centrally use AWS Firewall Manager to create and enforce VPC security groups.
  7. To allow outbound access from internal resources in private subnets to internet destinations (based on the IPv4 protocol), use NAT gateways or any self-hosted NAT proxy.
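The following audit script is an added example (not from the course notes) for best practices 3 and 4: it walks security-group definitions in the JSON shape returned by `aws ec2 describe-security-groups` and flags remote-access (SSH/RDP) or file-sharing (CIFS/SMB/FTP) ports exposed to 0.0.0.0/0 or ::/0. The two security groups, their IDs and the 203.0.113.0/24 "corporate" range are constructed for the demo.

```python
"""Audit security groups for remote-access and file-sharing ports open to the
internet (best practices 3 and 4 above). The input follows the JSON shape of
`aws ec2 describe-security-groups`; the two groups below are constructed."""
import ipaddress

# Ports the notes say must only be reachable from well-known sources.
WATCHED_PORTS = {22: "SSH", 3389: "RDP",                   # remote access
                 445: "SMB/CIFS", 139: "CIFS", 21: "FTP"}  # file sharing

SAMPLE_GROUPS = [  # constructed sample data, not a real account
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},  # corporate range: fine
    {"GroupId": "sg-0legacy", "GroupName": "legacy-fileserver",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SMB open to the world
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all traffic
]

def is_public(cidr):
    """True when the CIDR is the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_ports(rule):
    """Watched ports a rule opens; IpProtocol -1 means every protocol and port."""
    if rule.get("IpProtocol") == "-1":
        return set(WATCHED_PORTS)
    return set(range(rule.get("FromPort", -1), rule.get("ToPort", -1) + 1)) & set(WATCHED_PORTS)

def audit(groups):
    """Return (group id, port, service) for each watched port exposed to the internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(is_public(c) for c in cidrs):
                continue  # source is restricted: this is what the notes recommend
            for port in sorted(rule_ports(rule)):
                findings.append((sg["GroupId"], port, WATCHED_PORTS[port]))
    return findings

if __name__ == "__main__":
    for gid, port, svc in audit(SAMPLE_GROUPS):
        print(f"{gid}: {svc} (port {port}) is reachable from the whole internet")
```

Feed it the `SecurityGroups` array of a real `describe-security-groups` response to run the same check against an account.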

Best practices for monitoring Amazon VPC

  • Monitor Amazon VPC using the following built-in services:
    1. Amazon CloudWatch:
      • Service for monitoring VPC components.
      • Monitors ingress/egress traffic volumes in the VPC.
    2. VPC Flow Logs:
      • Service for logging network activity within the VPC.
      • Captures traffic metadata, including source, destination, port, timestamp
      • Useful for troubleshooting and investigating security-related events.
  1. Enable CloudWatch Logs to monitor VPC components' activity and traffic between VPC resources and the VPC endpoint.
  2. Use AWS CloudTrail to monitor VPC configuration.
  3. Enable VPC Flow Logs to log and further analyze allowed and denied traffic activity.
  4. Use AWS Config or AWS Security Hub → to detect inbound access to resources inside your VPC via unencrypted protocols (such as HTTP instead of HTTPS, or LDAP instead of LDAPS).
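As an added example (not part of the course notes) of what practices 3 and 4 look like against real data, the script below parses VPC Flow Log records in the default format, counts rejected flows per source and flags accepted inbound flows to cleartext services (HTTP instead of HTTPS, LDAP instead of LDAPS). The six records, the account and interface IDs, and the 10.0.0.0/16 VPC range are constructed for the demo.

```python
"""Parse VPC Flow Log records (default format) and apply monitoring practices
3 and 4 above: count rejected flows per source and flag accepted inbound flows
to cleartext services. The records and the 10.0.0.0/16 VPC range are constructed."""
import ipaddress
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range for the demo
# destination port -> (cleartext protocol, encrypted alternative to move to)
CLEARTEXT = {80: ("HTTP", "HTTPS/443"), 389: ("LDAP", "LDAPS/636"),
             21: ("FTP", "SFTP/22"), 23: ("Telnet", "SSH/22")}
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "  # default
          "protocol packets bytes start end action log_status").split()      # record format

SAMPLE_LOG = """\
2 123456789012 eni-0abc123 198.51.100.7 10.0.1.25 51234 80 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 198.51.100.7 10.0.1.25 51235 443 6 40 10240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 192.0.2.99 10.0.1.25 44444 389 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 192.0.2.99 10.0.1.25 44445 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123 10.0.1.25 198.51.100.7 80 51234 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(text):
    """Yield one dict per record, skipping NODATA/SKIPDATA rows (fields are '-')."""
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log_status") != "OK":
            continue
        rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
        yield rec

def cleartext_inbound(text):
    """Accepted flows from outside the VPC to a cleartext port inside it (return
    flows, e.g. VPC source port 80 -> client, fail the direction test)."""
    hits = []
    for r in parse(text):
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if (src not in VPC_CIDR and dst in VPC_CIDR and r["action"] == "ACCEPT"
                and r["dstport"] in CLEARTEXT):
            proto, alt = CLEARTEXT[r["dstport"]]
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"], proto, alt))
    return hits

def rejects_by_source(text):
    """Count REJECT records per source address: a quick view of who is being blocked."""
    return Counter(r["srcaddr"] for r in parse(text) if r["action"] == "REJECT")

if __name__ == "__main__":
    for src, dst, port, proto, alt in cleartext_inbound(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} uses {proto}; move the service to {alt}")
```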

Securing DNS services

  • DNS services translate hostnames into IP addresses and support different types of DNS records (such as Alias and CNAME).
  • Amazon Route 53 → is the Amazon managed DNS service

Best practices for securing Amazon Route 53

  1. Create IAM group, add users, and grant Route 53 permissions.
  2. Enable Domain Name System Security Extensions (DNSSEC) signing for public-hosted zones → protects against DNS spoofing attacks.
  3. Use a new CMK for signing new public-hosted zones.
  4. Enable privacy protection for managed domains.
  5. Implement a Sender Policy Framework (SPF) record for authorized mail servers on Route 53.
  6. Utilize private hosted zones for internal resource DNS records.
  7. Enable public DNS query logging for analysis.
  8. Enable Resolver query logging to analyze information → for Route 53 Resolver DNS Firewall block rules.

Securing CDN services

  • A CDN is a service for distributing content closer to the customer.
  • CDNs cache content (images, videos, static web pages) in multiple worldwide locations.
  • CDNs act as a defense against DDoS attacks by serving requests before reaching servers or applications.

Best practices for securing Amazon CloudFront

  • Amazon CloudFront → is the AWS managed CDN service.
  1. Restrict server access to CDN segments only.
  2. Share content securely via HTTPS.
  3. Prioritize TLS 1.2 over older protocols for HTTPS distribution.
  4. Use CloudFront signed URLs for private content.
  5. Implement field-level encryption for added protection.
  6. Employ AWS WAF for application-layer attack protection.
  7. Enable CloudFront standard logs for secure audit logging in an S3 bucket with strict access controls.

Securing VPN services

  • VPNs → allow network-based access to private resources over untrusted networks.
  • VPN, along with a firewall, secures access to internal resources.
  • Corporate users can securely connect to the cloud environment from the corporate network or remotely.
  • The VPN encrypts the connection to the cloud environment.
  • MFA can be enforced for users connecting via a client VPN.

Best practices for securing AWS Site-to-Site VPN

  • AWS Site-to-Site VPN → securely connects your corporate network to AWS via IPsec channel.
  1. Restrict AWS resource access with VPC security groups.
  2. Use pre-shared keys for non-sensitive VPN environments.
  3. For highly sensitive VPNs, employ ACM Private CA certificates.
  4. Create IAM group, add users, and grant required VPN permissions.
  5. Monitor VPN tunnels with CloudWatch for traffic thresholds.
  6. Use CloudTrail to track user activity on AWS VPN.

Securing AWS Client VPN

  • AWS Client VPN → enables connection to AWS over the internet via an OpenVPN client in a secure TLS channel from any location.
  1. Restrict AWS resource access with VPC security groups.
  2. Use AWS Client VPN Active Directory authentication for AWS Directory Service.
  3. Employ AWS Client VPN single sign-on for SAML 2.0 federated authentication.
  4. In highly sensitive environments, use AWS Client VPN certificate-based authentication with ACM.
  5. Manage access with client certificate revocation lists for certificate-based authentication.
  6. Monitor VPN tunnels with CloudWatch for traffic thresholds.
  7. Track user activity on AWS VPN using CloudTrail.

Securing DDoS protection services

  • Because cloud providers have very large bandwidth, they can offer (as a paid service) mechanisms to protect customers' environments from DDoS attacks
  • The following services help to mitigate DDoS attacks:
    1. DDoS protection services
    2. Auto-scaling groups with load-balancing services
    3. CDN services
    4. WAF services

Securing AWS Shield

  • AWS Shield → is the Amazon managed DDoS protection service.
  • Two pricing models:
    1. AWS Shield Standard:
      • Default and free Layer 7 DDoS protection (HTTP/HTTPS) for all customers.
    2. AWS Shield Advanced:
      • Provides Layers 3/4 (Network layer) and Layer 7 (Application layer) DDoS protection.
      • Offers additional protection for AWS services including DNS (Route 53), CDN (CloudFront), Elastic Load Balancing (ELB), and virtual machines (EC2).
      • Includes support from the AWS DDoS response team.

Best practices for securing AWS Shield

  1. AWS Shield Standard → for web production environments.
  2. AWS Shield Advanced → for large-scale, enhanced insights.
  3. Register an Elastic IP (EIP) → for quicker detection in AWS Shield Advanced.
  4. Generate real-time attack reports in AWS Shield Advanced.
  5. Combine AWS Shield and WAF, and monitor with CloudWatch for alerts on request spikes.

Securing WAF services

  • A WAF is an application-layer firewall with capabilities to detect and mitigate common HTTP/HTTPS-based attacks against your publicly exposed web applications.
  • AWS WAF → is the AWS managed web application firewall service
  • AWS WAF offers protection against the following types of attacks:
    1. Guards against Layer 7 DDoS attacks when combined with AWS Shield.
    2. Defends against common web application attacks.
    3. Shields against non-human generated traffic (bots).
  • AWS WAF Protection for Amazon Services:
    • Amazon CloudFront: Amazon's managed CDN service.
    • Amazon API Gateway: Amazon's managed API gateway service.
    • Amazon ALB: Amazon's managed Application Load Balancer service (Layer 7 load balancer).

Best practices for securing AWS WAF

  1. Use web ACLs with allow or block actions for external web resource protection.
  2. Customize CloudWatch metric names for easier rule detection.
  3. Monitor web ACL activity with Amazon CloudWatch.
  4. Create custom rules for non-standard web application attack protection.
  5. Subscribe to AWS Marketplace rules for enhanced security.
  6. Centrally enforce WAF rules in large-scale environments with AWS Firewall Manager.
  7. Send WAF logs to Amazon Kinesis Data Firehose for real-time log reviews.
  8. Enable logging for newly created web ACLs with AWS Config.
  9. Limit AWS WAF Console permissions with AWS IAM.
  10. Log AWS WAF Console actions using AWS CloudTrail.

©sameer fakhoury