Compliance Frameworks
ISO PCI HIPAA FedRAMP NIST SAS70 SOC1 FISMA FIPS140-2
How to mitigate DDoS attacks?
Minimize the attack surface area - use ALB with WAFs Be ready to scale to absorb attacks - use auto scaling groups Safeguard exposed resources - Learn normal behaviour of your application
- It’s a free service that protects all AWS customers on Elastic Load Balancing, Amazon CloudFront and Route 53.
- It protects against SYN/UDP floods, reflection attacks, and other Layer 3 and Layer 4 attacks.
AWS Shield
- provides a always-on flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks.
- DDoS Response Team 24x7 to manage and mitigate application layer DDoS attacks
- Protects your AWS bill against higher fees due to Elastic Load Balancing, CloudFront and Route 53 usage spikes during a DDoS attack.
- $3000 a month
AWS Shield Advanced
What services can you use to mitigate DDoS attacks?
- CloudFront
- ELBs
- Route53
- WAF
- Autoscaling
- CloudWatch
How can you get a report of all of the users in your account who uses MFA?
Get credential reports on the IAM console.
Which service is used to grant users limited and temporary access to AWS resources.
User can come from three sources:
- Federation (typically done with Active Directory)
- Federation with Mobile Apps
- Cross Account Access
Security Token Service
Joining a list of users in one domain (such as IAM) with a list of users in another domain (such as AD, Facebook, etc), what does this define?
- Federation
- Identity Broker
- Identity Store
- Identity?
Federation
A service that allows you to take an identity from point A and join it (federate it) to point B, what does this define?
Identity Broker
Services like AD, Facebook, Google, etc., what does this define?
- Federation
- Identity Broker
- Identity Store
- Identity?
Identity Store
A user of a service like Facebook, etc., what does this define?
- Federation
- Identity Broker
- Identity Store
- Identity?
Identity
How does STS work?
- Authenticate against third party first (AD, Facebook, Google)
- Then you authenticate against STS.
- STS will give you a token.
- When you try and access your AWS resource
- That resource will check that token against IAM
- If everything’s correct it will give you access to the platform.
4 Main services for Security & Logging
- AWS CloudTrail - API Calls
- AWS Config - Alerts any changes
- AWS CloudWatch
- VPC Flow Logs
How can you control access to Log Files?
3 ways
- IAM users, groups, roles and policies
- S3 bucket policies
- MFA
How can you obtain alerts on Log File Creation and Misconfiguration?
- Alerts when logs are created or fail:
- CloudTrail notifications
- AWS Config Rules
- Alerts are specific, but don’t divulge detail:
- CloudTrail SNS notifications only point to log file location
How can you manage changes to AWS Resources and Log files?
Log changes to system components:
- CloudTrail
- AWS Config Rules
Controls exist to prevent modifications to logs:
- IAM and S3 controls and policies
- CloudTrail log file validation → you can see if somebody modified log files
- CloudTrail log file encryption
What is WAF?
- Layer 7 Firewall
- Monitor HTTP/HTTPS requests that are forwarded to CloudFront, ALB, or API Gateway.
- Let’s you control access to your content.
- IP addresses
- Query string parameters
- If blocked, user gets a 403 error code.
WAF Behaviors:
- Allow all or Block all requests except the ones that you specify
- Count the requests that match the properties you specify
WAF provides more protection against web attacks using conditions that you specify, give some examples.
- IP addresses that requests originate from
- Country
- Values in request headers
- Strings that appear in requests, either specific string or string that match regular expression (regex) patterns.
- SQL Injection
- Cross-site scripting
Which services does WAF Integrates with?
- CloudFront
- API Gateway
- Application Load Balancer (only)
In an IAM policy, what action does IAM:PassRole allows?
The IAM:PassRole allows any affected entity to pass roles to AWS services or Accounts, granting them permission to assume the role.
Using AWS WAF, two types of rules can be set:
- Regular rules
- Rate-based rules
What is the difference between them two?
Regular rule:
- Allow or block a matching IP address
Rate-based rules:
- It considers the number of requests coming from a particular IP in a five minute interval, if those requests exceeds the threshold limit, WAF will block the IP address.
What is Hypervisor?
Hypervisor is the physical host that is going to run your virtual machines.
What is HVM?
Hardware Virtual Machine
- Windows only
- Guests are fully virtualized.
- The VMs on top of the hypervisor are no aware that they are sharing processing time with other VMs
