AWS Security Services Overview

May 26, 2021



Cloud security is the most critical topic for customers that are already using cloud computing in one form or another. As the technology world's interest in cloud computing has grown, the cloud has become a focus of attackers. The scenarios for attacking the cloud are endless. To name a few, attackers could steal sensitive information, deliver malware to a server, or disrupt computing processes simply to damage the cloud environment. According to Security Magazine, 80% of companies have experienced at least one cloud data breach in the last two years. The risk is real. Let's see how we deal with it!

Image shows AWS Security Services Overview

AWS Security: Strengthen your security posture

Amazon Web Services (AWS) is one of the most flexible and secure cloud computing environments today. Millions of customers trust and use AWS infrastructure and services for their systems, applications, and development processes. AWS security starts with the AWS core infrastructure, which is designed to meet the most demanding security requirements. AWS builds its infrastructure to satisfy the requirements of global banks, the military, and other high-sensitivity organizations. In addition, AWS monitors its own infrastructure 24/7 to help ensure the confidentiality, integrity, and availability of customers' data.

Image shows aws responsibility model

That said, security is not a topic that only AWS should fix, implement, or consider. Security is a shared responsibility between AWS and its customers. AWS's responsibility is the security of the cloud: AWS must protect the infrastructure and software behind its storage, database, compute, and networking services, and manage security across regions, availability zones, and edge locations. The customer's responsibility is security in the cloud. Customers' security responsibilities vary depending on the AWS resources they use. For example, if customers use S3 buckets as a storage area, they should consider all access management, encryption, and storage security standards and rules for AWS S3. As part of its responsibility, AWS offers many security-related services for its customers. Using these AWS security services, evaluating their results, and taking remediation steps for configuration are the customers' responsibility. To provide an AWS security perspective for customers, let's overview these AWS security services together:

Image shows AWS Identity and Access Management Services

AWS Identity and Access Management Services:

  1. Identity and Access Management
  2. AWS Single Sign-On
  3. Amazon Cognito
  4. AWS Directory Service
  5. AWS Resource Access Manager
  6. AWS Organizations

AWS Identity and Access Management (IAM)

AWS IAM provides management of all IAM users and their access to resources. All IAM users, roles, and policies should be managed according to the least-privilege principle. A misconfiguration in users, roles, or policies can lead to unauthorized access to your resources, which is critical. To audit your IAM environment, you can use IAM Access Analyzer and open-source tools such as Cloudsplaining.
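As an added illustration of the least-privilege audit described above (this is example code written for this post's topic, not part of the original article, Cloudsplaining, or IAM Access Analyzer), the following Python script inspects policy documents for the patterns such tools flag: `Action: "*"` on `Resource: "*"`, service-wide wildcards such as `ec2:*`, any action granted on `Resource: "*"`, and a short, assumed list of actions that can be used to widen a principal's own permissions. The policy documents are constructed for the example.

```python
import json

# Constructed sample policy documents for this example; they are not taken from any real account.
SAMPLE_POLICIES = {
    "AdminEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ReportsReadOnly": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports-bucket",
                         "arn:aws:s3:::example-reports-bucket/*"],
        }],
    },
    "MixedWithPassRole": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"], "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
        ],
    },
}

# Actions that can be used to widen one's own permissions. This is a short,
# assumed list for the example, not an exhaustive catalogue.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:*", "iam:passrole", "iam:createpolicyversion", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy", "sts:assumerole",
}


def _as_list(value):
    """IAM accepts either a string or a list of strings for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(document):
    """Return a list of finding strings for one IAM policy document.

    Only Allow statements are inspected: Deny statements narrow access rather than
    widen it. NotAction/NotResource forms are not handled by this example.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            if "*" in resources:
                findings.append(f"statement {idx}: full administrative access (Action * on Resource *)")
            else:
                findings.append(f"statement {idx}: all actions (Action *) on the listed resources")
            continue
        service_wildcards = [a for a in actions if a.endswith(":*")]
        if service_wildcards:
            findings.append(f"statement {idx}: service-wide wildcard actions {service_wildcards}")
        if "*" in resources and actions:
            findings.append(f"statement {idx}: actions granted on all resources (Resource *)")
        risky = sorted(a for a in actions if a in PRIVILEGE_ESCALATION_ACTIONS)
        if risky:
            findings.append(f"statement {idx}: privilege-escalation-capable actions {risky}")
    return findings


def audit_policy_json(text):
    """Convenience wrapper for a policy document stored as a JSON string."""
    return audit_policy(json.loads(text))


def audit_policies(policies):
    """Audit a mapping of policy name -> document; returns name -> list of findings."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the three constructed policies, the read-only S3 policy produces no findings, the administrative policy one, and the mixed policy three (a service wildcard, `Resource: "*"`, and `iam:PassRole`); the Deny statement is ignored because it can only narrow access.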

AWS Single Sign-On

Single sign-on (SSO) is a very popular phrase nowadays: with one login, users can access all of their accounts and applications. In AWS, SSO is a cloud-based solution to manage access to all of the accounts configured in your AWS Organization. It can also integrate with third-party applications. It is a very useful solution, especially for enterprise customers.

Amazon Cognito

Amazon Cognito is an authentication and authorization server for your clients. It has two concepts:

a. User Pools: User pools provide user management, OAuth 2.0 authorization for tokens, identity provider (Google, Facebook, etc.) support, advanced security options such as MFA and compromised-credentials detection, ease of use, and extensive SDK and API support.

b. Identity Pools: Identity pools provide temporary AWS security credentials (access key, secret key) so that the client side can access other AWS services.

AWS Directory Service

AWS Directory Service allows you to connect your AWS resources to an existing on-premises Active Directory or to set up a new stand-alone directory in the AWS cloud. With AWS Directory Service, all of your users can easily access AWS resources and applications from your on-premises directory.

AWS Resource Access Manager

AWS Resource Access Manager (RAM) allows you to securely share AWS resources with other AWS accounts or within an AWS organization. RAM audits usage details for shared resources using CloudWatch and CloudTrail. It also provides centralized security controls with AWS Organizations.

AWS Organizations

AWS Organizations is designed for making central account management simple. You can create groups of accounts and then apply policies to those groups that centrally control the use of AWS services down to the API level across multiple accounts. Additionally, AWS Organizations offers you billing management with a consolidated billing option.

Image shows AWS Detection Services

AWS Detection Services:

  1. AWS Security Hub
  2. Amazon GuardDuty
  3. AWS Inspector
  4. AWS Config
  5. AWS CloudTrail
  6. AWS IoT Device Defender

AWS Security Hub

AWS Security Hub provides a centralized view of security alerts from services such as AWS GuardDuty, AWS Macie, AWS Inspector, and third-party security tools. Security Hub runs the CIS benchmark checks automatically and sends notifications for alerts. It is useful for companies that have many AWS accounts and want to monitor detection results in one place. You can review all results and findings for your AWS accounts in Security Hub.

Amazon GuardDuty

AWS GuardDuty performs intelligent threat detection and can alert us when things go wrong. It uses machine learning algorithms and threat intelligence to analyze groups of events. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. GuardDuty detects many threat patterns, such as compromised EC2 instances, stolen credentials, and mining operations on EC2 instances, and prioritizes them with 'HIGH', 'MEDIUM', and 'LOW' severity labels.
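An added example, not from the original post or from GuardDuty itself, of how a responder might triage findings once they are exported (for instance with the GetFindings API): the numeric severity is mapped to the HIGH/MEDIUM/LOW labels GuardDuty shows (7.0 and above is HIGH, 4.0 to 6.9 MEDIUM, below 4.0 LOW), archived findings are skipped, each group is ordered by how often the finding recurred, and the resources behind active HIGH findings are listed as the first candidates for isolation or credential rotation. The findings are constructed for the example, modeled on the API's field names.

```python
# Constructed findings, modeled on the shape of GuardDuty's GetFindings API response;
# ids, instance ids, user names and counts are made up for this example.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0aaa"}},
     "Service": {"Count": 14, "Archived": False}},
    {"Id": "f-002", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0bbb"}},
     "Service": {"Count": 3, "Archived": False}},
    {"Id": "f-003", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0,
     "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "ci-deployer"}},
     "Service": {"Count": 1, "Archived": False}},
    {"Id": "f-004", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 5.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0aaa"}},
     "Service": {"Count": 40, "Archived": True}},
]


def severity_label(score):
    """Map GuardDuty's numeric severity (0.1 to 8.9) to the label shown in the console."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def threat_purpose(finding_type):
    """The part before ':' in a finding type names the attacker's purpose, e.g. 'CryptoCurrency'."""
    return finding_type.split(":", 1)[0]


def affected_resource(finding):
    """Identify the resource the finding is about: an instance id or an IAM user name."""
    res = finding.get("Resource", {})
    kind = res.get("ResourceType")
    if kind == "Instance":
        return res["InstanceDetails"]["InstanceId"]
    if kind == "AccessKey":
        return res["AccessKeyDetails"]["UserName"]
    return kind or "unknown"


def triage(findings, include_archived=False):
    """Group findings by severity label; within a label, the most recurrent finding comes first."""
    groups = {"HIGH": [], "MEDIUM": [], "LOW": []}
    for f in findings:
        if f["Service"].get("Archived") and not include_archived:
            continue  # archived findings were already handled or suppressed
        groups[severity_label(f["Severity"])].append({
            "id": f["Id"], "type": f["Type"], "purpose": threat_purpose(f["Type"]),
            "resource": affected_resource(f), "count": f["Service"].get("Count", 1)})
    for label in groups:
        groups[label].sort(key=lambda x: -x["count"])
    return groups


def resources_needing_attention(findings):
    """Resources with at least one active HIGH finding: the usual first isolation/rotation candidates."""
    return sorted({x["resource"] for x in triage(findings)["HIGH"]})


if __name__ == "__main__":
    for label, items in triage(SAMPLE_FINDINGS).items():
        print(label, [(x["id"], x["purpose"], x["resource"], x["count"]) for x in items])
    print("needs attention:", resources_needing_attention(SAMPLE_FINDINGS))
```

With the constructed data the HIGH group holds the crypto-mining instance and the exfiltrated CI credentials, the LOW group the SSH brute-force attempts, and the port-probe finding only appears when archived findings are explicitly included.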

AWS Inspector

AWS Inspector tests the network accessibility of your Amazon EC2 instances and the security state of the applications running on them. It performs an assessment of the target EC2 instances and checks for vulnerabilities and potential security threats related to CVEs and CIS benchmarks. It integrates security testing into your development process. Additionally, it recommends corrective actions for the vulnerabilities it finds. It can be used with AWS CloudWatch and CloudTrail for monitoring and alerting.

AWS Config

AWS Config ensures that your AWS accounts follow security configuration standards. AWS Config uses rules to define those standards and finds non-compliant resources and configuration changes. It can also remediate problems automatically. With AWS Config, you achieve “Compliance as Code” and continuous compliance.
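To make “Compliance as Code” concrete, here is an added example of the evaluation logic of a custom AWS Config rule (written for this post; it is not an AWS-provided managed rule). It flags security groups that expose SSH or RDP to 0.0.0.0/0 or ::/0. The Lambda entry point follows the shape Config uses for a custom rule (the configuration item arrives JSON-encoded in `invokingEvent`, and the returned fields match what `put_evaluations` expects), but the configuration items themselves are constructed, and the layout of their `ipPermissions` field is assumed for the example.

```python
import json

# Constructed configuration items, modeled on what AWS Config passes to a custom rule
# Lambda for AWS::EC2::SecurityGroup resources. The 'configuration' layout
# (ipPermissions / ipv4Ranges / ipv6Ranges) is assumed for this example; ids are made up.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0aaa",
     "configurationItemCaptureTime": "2021-05-20T10:00:00.000Z",
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0bbb",
     "configurationItemCaptureTime": "2021-05-20T10:00:00.000Z",
     "configuration": {"groupName": "bastion", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ccc",
     "configurationItemCaptureTime": "2021-05-20T10:00:00.000Z",
     "configuration": {"groupName": "all-open", "ipPermissions": [
         {"ipProtocol": "-1", "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
         {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ddd",
     "configurationItemCaptureTime": "2021-05-20T10:00:00.000Z",
     "configuration": {"groupName": "internal", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "10.0.1.0/24"}]}]}},
]

RESTRICTED_PORTS = (22, 3389)          # SSH and RDP must never be open to the world
ANYWHERE = {"0.0.0.0/0", "::/0"}


def permission_covers_port(perm, port):
    """True if an ingress permission reaches `port`; ipProtocol -1 means all traffic."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def open_to_world(perm):
    """True if any IPv4 or IPv6 range on the permission is the whole internet."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def evaluate(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    exposed = set()
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if open_to_world(perm):
            exposed.update(p for p in RESTRICTED_PORTS if permission_covers_port(perm, p))
    if exposed:
        return "NON_COMPLIANT", f"ports {sorted(exposed)} reachable from 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no restricted port is open to the world"


def make_event(item):
    """Build the event Config would send for a configuration change of `item`."""
    return {"invokingEvent": json.dumps({"configurationItem": item})}


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses for a custom rule. A deployed rule would
    pass the returned evaluation to config.put_evaluations(); here it is returned so the
    example runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


if __name__ == "__main__":
    for sample in SAMPLE_ITEMS:
        result = lambda_handler(make_event(sample))
        print(result["ComplianceResourceId"], result["ComplianceType"], "-", result["Annotation"])
```

Note that HTTPS open to the world is compliant here, a group that opens only port 22 to 0.0.0.0/0 is not, and a protocol `-1` rule from `::/0` exposes both restricted ports at once; a rule like this is what Config would re-run on every security group change, optionally feeding an automatic remediation.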

AWS CloudTrail

AWS CloudTrail monitors all activity in your accounts. It records API events such as logging in to an AWS account, deleting an S3 bucket, or launching an EC2 instance, and stores the historical logs for all of them. It can be integrated with other AWS services such as CloudWatch and GuardDuty. CloudTrail helps us answer questions such as “Who made the change?” and “When did the change happen?” Enabling CloudTrail is recommended by the AWS CIS benchmarks, and it should be enabled for all regions in your account.
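As an added example of answering “who made the change, and when?” from CloudTrail data (written for this post, not taken from the original article or from AWS), the script below loads a trail file, finds every S3 call that touched a given bucket together with the principal behind it, lists console logins made without MFA, and lists calls that were denied. The records are constructed for the example; the account id, ARNs and IP addresses are made up.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records for this example (a trimmed-down trail file);
# account id, ARNs and IP addresses are made up.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2021-05-20T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "userName": "alice"},
     "requestParameters": {"bucketName": "example-reports-bucket"}},
    {"eventTime": "2021-05-21T17:03:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                      "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-05-21T17:05:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"bucketName": "example-reports-bucket"}},
    {"eventTime": "2021-05-21T17:06:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
]})


def load_records(trail_file_text):
    """CloudTrail delivers log files as JSON with a top-level 'Records' list."""
    return json.loads(trail_file_text)["Records"]


def actor(record):
    """Human-readable principal: IAM user name, 'role/session' for assumed roles, or the ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName", ident.get("arn", "unknown"))
    if ident.get("type") == "AssumedRole":
        return ident["arn"].split("/", 1)[1]    # e.g. 'Admin/bob'
    if ident.get("type") == "Root":
        return "root"
    return ident.get("arn", ident.get("type", "unknown"))


def parse_time(record):
    """CloudTrail timestamps are ISO 8601 in UTC."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def who_changed_bucket(records, bucket_name):
    """Answer 'who changed this bucket, and when?': every S3 API call naming the bucket, oldest first."""
    hits = [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("requestParameters", {}).get("bucketName") == bucket_name]
    hits.sort(key=parse_time)
    return [(r["eventTime"], r["eventName"], actor(r), r["sourceIPAddress"]) for r in hits]


def console_logins_without_mfa(records):
    """Successful console logins where MFA was not used, a typical CIS-benchmark style check."""
    return [actor(r) for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def denied_calls(records):
    """API calls that failed authorization: useful to spot probing or a misconfigured principal."""
    return [(r["eventTime"], r["eventName"], actor(r))
            for r in records if r.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation")]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL_FILE)
    for row in who_changed_bucket(recs, "example-reports-bucket"):
        print("bucket change:", row)
    print("console logins without MFA:", console_logins_without_mfa(recs))
    print("denied calls:", denied_calls(recs))
```

For the constructed trail, the bucket was created by the IAM user alice and deleted two days later through the Admin role's session for bob, minutes after a console login without MFA from the same address; this is the kind of timeline CloudTrail makes possible, provided the trail covers all regions.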

AWS IoT Device Defender

Image shows iot

AWS IoT Device Defender is an audit service for the IoT world. It audits IoT configurations, such as IoT policies and client certificates, to make sure they do not deviate from security best practices. It also monitors security metrics from IoT devices and compares the results with expected device behavior.

Image shows AWS Infrastructure Protection Services

AWS Infrastructure Protection Services:

  1. AWS Firewall Manager
  2. AWS Shield
  3. AWS WAF
  4. AWS Network Firewall

AWS Firewall Manager

AWS Firewall Manager configures and manages firewall rules across an AWS organization. With AWS Firewall Manager, you can easily manage your WAF rules, AWS Shield Advanced protections, VPC security, and DNS Firewall rules.

AWS Shield

Image shows ddos

AWS Shield protects your environment against DDoS attacks. It comes in two tiers:

Standard: The standard tier is enabled by default at no additional cost. It protects against SYN/UDP floods, reflection attacks, etc. AWS Shield Standard stopped DDoS attacks against AWS environments in February 2020.

Advanced: AWS Shield Advanced costs $3000 per month per organization. It provides enhanced protection for EC2, CloudFront, Global Accelerator, Route 53, etc. It also comes with business and enterprise support.

AWS WAF

Image shows waf

AWS WAF is a web application firewall that helps protect your web applications and APIs against common attacks such as XSS and SQL injection. It can also rate-limit calls and restrict request sizes for your APIs. WAF detects and blocks malicious traffic that could affect your AWS resources. To do this, WAF uses web access control lists (web ACLs) made up of rules and actions. API Gateway, CloudFront, and load balancers can be integrated with WAF. Nowadays, with web applications increasingly becoming targets, a WAF can be life-saving.

AWS Network Firewall

AWS Network Firewall is a managed firewall service for your AWS VPCs. Network Firewall is one of the powerful services introduced at the AWS re:Invent 2020 event. It provides intrusion prevention and detection, and web filtering to protect your virtual networks on AWS.

Image shows aws data protection

AWS Data Protection:

  1. AWS Macie
  2. AWS Key Management Service (KMS)
  3. AWS CloudHSM
  4. AWS Certificate Manager (ACM)
  5. AWS Secrets Manager

AWS Macie

AWS Macie is an intelligent threat detection service for AWS S3. As we all know, S3 security is one of the main concerns in an AWS environment. Macie gives us an overview of the S3 bucket security posture, monitors API calls related to S3, and raises alarms for potential threats. It can find API keys uploaded to S3 buckets by mistake during development, detect personally identifiable information (credit card numbers, addresses, etc.), and detect your data being stolen.

AWS Key Management Service (KMS)

Image shows AWS Key Management Service

AWS KMS is a service that enables you to easily create and manage the keys used for cryptographic operations. It supports symmetric and asymmetric encryption. KMS has FIPS 140-2 Level 3 compliance. Many AWS services (EC2, RDS, S3, etc.) can be integrated with KMS. It provides data integrity and confidentiality in the AWS environment with CloudHSM-backed components.

AWS CloudHSM

AWS CloudHSM is a cloud-based dedicated hardware security module for your encryption key management. Companies with regulatory compliance requirements should use CloudHSM. CloudHSM meets the FIPS 140-2 Level 3 security requirements. It is more expensive than other AWS security services, so you need to determine your needs for your environments.

AWS Certificate Manager (ACM)

Image shows aws certificate manager

AWS ACM manages the SSL/TLS certificates in your AWS environment. It validates and deploys SSL/TLS certificates. Server certificates (EC2, ECS, CloudFront), client certificates (API Gateway client certificates), and IoT device certificates (for mutual authentication) are all managed by AWS Certificate Manager.

AWS Secrets Manager

AWS Secrets Manager provides a secure store for secrets such as passwords, user credentials, third-party keys, or any other sensitive information. In this secure store, all secrets can be stored, managed, and rotated regularly. The most common scenario for AWS Secrets Manager is creating a secret and using it for RDS connections.

Image shows aws incident response services

CloudEndure Disaster Recovery

CloudEndure Disaster Recovery enables customers to shift their disaster recovery strategy to AWS from existing physical or virtual data centers, private clouds, or other public clouds. It also supports cross-region and cross-AZ disaster recovery within AWS.

AWS Detective

At the AWS re:Invent 2019 event, AWS announced a preview of Amazon Detective. When you want to find the root cause of a security finding and take action, AWS Detective comes to mind. AWS Detective uses machine learning, statistical analysis, and threat intelligence tools to make sense of potential security issues.

In the coming weeks, we will talk about these AWS security services in depth, one by one. We will do some basic PoC designs for different user scenarios. Until then, please stay safe in the cloud!