Chapter 12: Security on AWS (Part 2)



Encrypted puzzle at rest.



This is a long chapter; there's still more to go.

Again I'll start with things I'm not familiar with or that look odd or interesting. I get the feeling, however, that this chapter is really just designed to overawe the reader with the extent and variety of security that AWS has provided. At some level I don't think the detail matters. There's security for data in transit and (mostly) at rest, security for networks, security for IP addresses, security for APIs, security for accounts, users, roles, federation, etc. Security for everything! Again I'm not 100% sure who needs to know all this stuff. I guess security managers and administrators? And there's still the unanswered question of (1) how do you set a security goal and metrics, and (2) how do different combinations of security features get you closer to, further away from, or all the way to the goal and metrics?

Back to EC2:

One way to get your AMIs updated and patched without doing it yourself is to relaunch the instances and they get updated.

Encryption of Data at Rest


EBS volumes support encryption (for example, between EC2 and EBS), but this is only supported for larger instance types as there is an overhead.

A number of parts of the book mention encryption of data at rest. Which services support this?

There's a whitepaper.

Some slides.

Another blog talks about different methods.

Page 356 says that the following services offer encryption of data at rest as a feature:

S3, EBS, Glacier, Storage Gateway, RDS, Redshift, Workspaces.

Not DynamoDB? EFS? SQS?

Where's a complete list?

There's also a service, AWS Server Side Encryption (SSE). What services does it work for? Only the following? It's very difficult to search for services which support SSE. (Why? Ah, it's only an S3 service!)

S3

SQS

The white paper dates from 2014 and doesn't even mention SSE. A table summarizes options.

The latest whitepaper on compliance mentions SSE, but again there's no list of the services supported.

There are 3 types of SSE-X service, depending on who manages the keys:

SSE-C is with customer supplied key.

SSE-KMS with KMS managed keys.

SSE-S3 with S3 managed keys.

  • Server-side encryption with customer-provided encryption keys (SSE-C).
  • SSE-S3.
  • SSE-KMS.

But the exception is that SSE can be used with SQS! There's a detailed SQS SSE FAQ and detailed docs.
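
The three SSE types differ in who holds the key, and on S3 that difference is visible in the request and response headers. The following is an added example (not from the book or from this blog) that builds the PUT headers for each type and classifies objects by the headers S3 returns; the object names, the key id and the sample inventory are constructed.

```python
import base64
import hashlib

SSE = "x-amz-server-side-encryption"
SSE_C = SSE + "-customer-"          # prefix shared by the three SSE-C headers

def sse_request_headers(mode, kms_key_id=None, customer_key=None):
    """Headers on an S3 PUT that select one of the three SSE types."""
    if mode == "SSE-S3":            # S3 creates and manages the key
        return {SSE: "AES256"}
    if mode == "SSE-KMS":           # key is held in KMS; naming a key id is optional
        headers = {SSE: "aws:kms"}
        if kms_key_id:
            headers[SSE + "-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":             # caller supplies the key on every request
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        digest = hashlib.md5(customer_key).digest()   # transport integrity check
        return {SSE_C + "algorithm": "AES256",
                SSE_C + "key": base64.b64encode(customer_key).decode(),
                SSE_C + "key-MD5": base64.b64encode(digest).decode()}
    raise ValueError("unknown SSE mode: " + mode)

def classify_sse(response_headers):
    """Map the headers S3 returns for an object to the SSE type in use."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if SSE_C + "algorithm" in h:
        return "SSE-C"
    return {"aws:kms": "SSE-KMS", "AES256": "SSE-S3"}.get(h.get(SSE), "NONE")

# Constructed sample: object key -> response headers from a HEAD on that object.
SAMPLE = {
    "logs/a.gz": {SSE: "AES256"},
    "db/dump.sql": {SSE: "aws:kms", SSE + "-aws-kms-key-id": "EXAMPLE-KEY-ID"},
    "hr/pay.csv": {SSE_C + "algorithm": "AES256"},
    "tmp/old.txt": {"Content-Type": "text/plain"},
}

def audit(inventory):
    """Return {object key: SSE type}; "NONE" marks an object stored unencrypted."""
    return {key: classify_sse(h) for key, h in inventory.items()}

if __name__ == "__main__":
    for key, mode in audit(SAMPLE).items():
        print(f"{mode:8} {key}")
```

With SSE-C the key travels in the request, so S3 never stores it and the same key has to be presented again to read the object back.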

And the performance impact? This blog says it's minimal or even better for RDS.

There are some impacts of using server side encryption. For example, for Redshift the advice is that enabling encryption will impact performance. And for RDS (other services too!) SSL encryption from client to application will increase the latency of the connection. However, I'm not sure where the justifications for these can be found (benchmarks, AWS whitepapers, etc).


MAC Spoofing and ARP Spoofing


Next I came across this sentence:

Subnets: Customers create one or more subnets within each VPC; each instance launched in the VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked.



Ok I'm still none the wiser. What's a MAC? An ARP? A spoofing???

Well spoofing is easy-ish (OED):

SPOOF

NOUN

1 A humorous imitation of something, typically a film or a particular genre of film, in which its characteristic features are exaggerated for comic effect.
‘There are certainly examples dating back to the 1870s of photographers mixing up different images to make jokes or spoofs’ (OED example)

2 A trick played on someone as a joke.
‘word got out that the whole thing had been a spoof’


A Spoof book (maybe?)



So this is what subnets are good for? Stopping layer 2 attacks?
Do they also stop MAC flooding?
ARP cache poisoning? (Yes, same as ARP spoofing).
The VPC security doc is useful.

MAC Flooding? (I.e. Mac = Trenchcoat in the trenches)



What other layer attacks are there?

Quick reminder of OSI layered model

7 Layers of OSI Diagram

US gov summary of layer 1-7 attacks.

Layer 1-4.

Which parts of AWS security address each of the network layer attacks?

Layer 1 attacks

Layer 2 attacks



AWS Shield is managed DDOS protection for layers 3, 4 and 7.

http://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html

Page 10 of the DDOS guide has a good table with different layers protected by different AWS services.

And this is interesting. All subnets in same VPC have layer 2 reachability:

It’s tempting to describe route tables as being similar to virtual routing and forwarding (VRF) tables. However, subnets in the same VPC can communicate directly with one another, so the separation VRFs typically provide doesn’t apply. Functionally, everything in the same VPC has Layer 2 reachability. Use security groups and Network ACLs (explained below) to provide more granular access.


And useful info about ELB layers information.

And this clarifies which layers load balancers work at:

Today we are launching a new Application Load Balancer option for ELB. This option runs at Layer 7 and supports a number of advanced features. The original option (now called a Classic Load Balancer) is still available to you and continues to offer Layer 4 and Layer 7 functionality.

It would probably be useful to have an architectural level diagram which shows which layers each AWS service works at. TODO

This blog points out the differences between layer 2 and 3 in terms of traditional data centres and public clouds.

All the AWS security resources are in one place, but there's no way to search them all for "layer x" relevance, which is a pity.

Most of them don't refer to network layers at all.


