AWS Solution Architect(Associate) - Topic 9: Cloud Security
AWS allows you to automate manual security tasks so you can shift your focus to scaling and innovating your business.
Cloud Security
Reducing Security Threats
If you are operating a public web application, you should prefer WAF in these instances mentioned below, and it can be integrated into CloudFront.
Network Access Control List (NACL)
In AWS, a network ACL (or NACL) controls traffic to or from a subnet according to a set of inbound and outbound rules. This means it represents network level security. For example, an inbound rule might deny incoming traffic from a range of IP addresses, while an outbound rule might allow all traffic to leave the subnet.
Because NACLs function at the subnet level of a VPC, each NACL can be applied to one or more subnets, but each subnet is required to be associated with one—and only one—NACL.
When you create a VPC, AWS automatically creates a default NACL for it. You can add and remove rules from a default NACL, but you can’t delete the NACL itself.
AWS Security Groups
In AWS, a security group controls traffic to or from an EC2 instance according to a set of inbound and outbound rules. This means it represents instance-level security. For example, an inbound rule might allow traffic from a single IP address to access the instance, while an outbound rule might allow all traffic to leave the instance.
Because security groups function at the instance level of a VPC, each security group can be applied to one or more instances, even across subnets. And each instance is required to be associated with one or more security groups. To be precise, a security group is associated with a network interface that is attached to an instance, but we don’t discuss that detail for simplicity.
Web Application Firewall (WAF)
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.
AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting.
KMS (Key Management Service)
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.
- Regional secure key management and encryption and decryption
- Manages customer master keys (CMKs)
- Ideal for S3 objects, database passwords and API keys stored in Systems Manager Parameter Store
- Encrypt and decrypt data up to 4 KB in size
- Integrated with most AWS services
- Pay per API call
- Audit capability using CloudTrail — logs delivered to S3
- FIPS 140-2 Level 2, FIPS is a US government computer security standard used to approve cryptographic modules.
- Level 3 is CloudHSM
Types of CMKs
| Type | Can View | Can Manage | Dedicated to My Account |
|---|---|---|---|
| Customer Managed | √ | √ | √ |
| AWS Managed CMK | √ | √ | |
| AWS Owned CMK | √ |
Symmetric vs Asymmetric CMKs
| Symmetric | Asymmetric |
|---|---|
| Same key used for encryption and decryption | Mathematically related public/private key pair |
| AES-256 | RSA and elliptic-curve cryptography (ECC) |
| Never leaves AWS unencrypted | Private key never leaves AWS unencrypted |
| Must call the KMS APIs to use | Must call the KMS APIs to use the private key |
| AWS services integrated with KMS use symmetric CMKs | Download the public key and use outside AWS |
| Encrypt, decrypt, and re-encrypt data | Used outside AWS by users who can’t call KMS APIs |
| Generate data keys, data key pairs, and random byte strings | AWS services integrated with KMS do not support asymmetric CMKS |
| Import your own key material | Often used in Sign messages and verify signatures |
CloudHSM
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
- Dedicated hardware security module (HSM)
- FIPS 140-2 Level 3 (Level 2 is KMS)
- Manage your own keys
- No access to the AWS-managed component
- Runs within a VPC in your account
- Single tenant , dedicated hardware, multi-AZ cluster
- Industry-standard APIs — no AWS APIs
- PKCS#11
- Java Cryptography Tensions (JCE)
- Microsoft CryptoNG (CNG)
- Keep your keys safe — irretrievable if lost!
Systems Manager Parameter Store
AWS Systems Manager Parameter Store (Parameter Store) provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
- Component of AWS Systems Manager (SSM)
- Secure serverless storage for configuration and secrets:
- Passwords
- Database connection strings
- License codes
- API keys
- Values can be stored encrypted (KMS) or plain-text
- Separate data from source control
- Store parameters in hierarchies
- Track versions
- Set TTL to expire values such as passwords.
AWS Parameter Store vs. AWS Secrets Manager
To implement password rotation lifecycles, use AWS Secrets Manager (Secrets Manager). Secrets Manager allows you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. For more information, see What is AWS Secrets Manager?
Similarities
- Managed Key/Value Store Services. Both services can store values up to 4096 characters and allow the keys to have prefixes.
- Similar Encryption Options. Both services can leverage AWS KMS to encrypt values.
- Both Reference-able in CloudFormation. Writing on how SSM Parameter Store and AWS Secrets Manager interact with CloudFormation can be a whole separate article.
Differences
- Password Generation. AWS Secrets Manager is able to generate random secrets through the AWS CLI or SDK.
- Secrets Rotation. Another feature unique to AWS Secrets Manger is the ability to rotate the secret value. Out of the box, AWS Secrets Manager provides full key rotation integration with RDS.
- Cost. There are no additional charges for using SSM Parameter Store. However, there are limit of 10,000 parameters per account. On the other hand, AWS Secrets Manager does accrue additional costs. At the time of this writing, it costs $0.40 per secret stored and additional $0.05 for 10,000 API calls.
- Cross Account Access. Another way AWS Secrets Manager is substantially different from SSM Parameter store, is that secrets can be shared across accounts. For example, IAM users and application resources in one development or production AWS account will be able access secrets stored in a different AWS account (e.g. Security AWS Account). Such functionality is also beneficial for use cases where a customer needs to share a particular secret with a partner. The article found HERE demonstrates how to setup a cross-account AWS Secrets Manager secret.
Secrets Manager takes things several steps further and it would not be surprising to see AWS continue to build on this functionality.
References
AWS Security Blog
AWS Management & Governance Blog
- Third Party Blog
AWS Solution Architect(Associate) - Topic 9: Cloud Security
http://vincentgaohj.github.io/Blog/2021/04/12/AWS-Solution-Architect-Associate-9-Security/
