AWS Security

1. Introduction
2. AWS Security Scanners
3. AWS Security Reference Architecture AWS SRA
4. Application Security
5. Policy as Code with AWS CDK and Open Policy Agent
6. Payment Card Industry Data Security Standard compliance
7. AWS IAM
   1. Terraform IAM Policy Validator
   2. AWS IAM Anywhere
8. AWS Organizations
9. AWS Control Tower
10. AWS Firewalls
11. AWS WAF Web Application Firewall
12. AWS Secrets Manager
13. AWS Vault
14. Tweets

Introduction

• AWS Security Blog
• AWS Security
• AWS Security docs
• Tutorial: Configure Apache Web Server on Amazon Linux to use SSL/TLS
• The Most Popular AWS Security Blog Posts in 2015
• dzone: Private Subnets Are Broken on AWS
• Amazon’s customer service backdoor
• Announcing Industry Best Practices for Securing AWS Resources
• The Most Viewed AWS Security Blog Posts so Far in 2016
• Oracle Database Encryption Options on Amazon RDS
• Learn AWS Security Fundamentals with Free and Online Training
• How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
• Updated Whitepaper Available: AWS Best Practices for DDoS Resiliency
• AWS Security Blog: In Case You Missed These: AWS Security Blog Posts from June, July, and August 2016
• Amazon Inspector Announces General Availability for Windows
• encrypt and decrypt data: Importing Key Material in AWS Key Management Service (AWS KMS) Use your own encryption keys with AWS Key Management Service.
• Amazon s2n: AWS’s new Open Source implementation of the SSL/TLS network encryption protocols
• dzone: 9 AWS Security Best Practices: Securing Your AWS Cloud Working with Amazon facilities, it is necessary to implement AWS security best practices to ensure the safety of the data and the cloud.
• Encrypt global data client-side with AWS KMS multi-Region keys Today, AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another. Multi-Region keys are designed to simplify management of client-side encryption when your encrypted data has to be copied into other Regions for disaster recovery or is replicated in Amazon DynamoDB global tables.
• dzone: Removing the Bastion Host and Improving the Security in AWS This article covers the security in AWS and overcoming the classic SSH/RDP jump with a better alternative for all OS.
• acloudguru.com: How to audit and secure an AWS account
• yobyot.com: AWS multi-region KMS keys and Data Lifecycle Manager: better together
• try.jupiterone.com: The Absolute Minimum Every Developer Must Know about AWS Security
• How to automate AWS account creation with SSO user assignment
• Security practices in AWS multi-tenant SaaS environments Many good tips, from identity management to tenant isolation.
• How to use AWS Security Hub and Amazon OpenSearch Service for SIEM
• faun.pub: Handling Exposed AWS Access Key
• github.com/aws-samples: How to set up continuous replication from your third-party secrets manager to AWS Secrets Manager
• medium.com/@neonforge: Why You Shouldn’t Use AWS managed KMS Keys
• linkedin.com: Complexities of AWS Security Groups in the Cloud World Do you feel AWS security groups are hard to implement? Are you tired of reconfiguring IP addresses in security groups whenever workloads get restarted or redeployed?
• awslabs/cognito-at-edge Serverless authentication solution to protect your website or Amplify application
• github.com/aws-samples: Service Control Policy examples Example AWS Service control policies to get started or mature your usage of AWS SCPs.
• medium.parttimepolymath.net: No more AWS Access Keys?
• darryl-ruggles.cloud: AWS SSO Credentials With Multiple Accounts

AWS Security Scanners

• github.com/awslabs/sustainability-scanner: Sustainability Scanner (SusScanner) Validate AWS CloudFormation templates against AWS Well-Architected Sustainability Pillar best practices.

AWS Security Reference Architecture AWS SRA

• docs.aws.amazon.com: AWS Security Reference Architecture (AWS SRA) 🌟
• aws.amazon.com: Update of AWS Security Reference Architecture is now available A set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

Application Security

• docs.aws.amazon.com: Application security Application security (AppSec) describes the overall process of how you design, build, and test the security properties of the workloads you develop. You should have appropriately trained people in your organization, understand the security properties of your build and release infrastructure, and use automation to identify security issues.

Policy as Code with AWS CDK and Open Policy Agent

• Realize Policy-as-Code with AWS Cloud Development Kit through Open Policy Agent 🌟

Payment Card Industry Data Security Standard compliance

• PCI DSS Standardized Architecture on the AWS Cloud: Quick Start Reference Deployment

AWS IAM

• AWS Identity and Access Management - Getting Started
• AWS Identity and Access Management (IAM) best practices in 2016
• How to Record and Govern Your IAM Resource Configurations Using AWS Config
• How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page
• New IAMCTL tool compares multiple IAM roles and policies
• Bring your own CLI to Session Manager with configurable shell profiles
• keepler.io: Gestionando el control de accesos en nuestro data lake en AWS
• aws.amazon.com: IAM Access Analyzer now supports over 100 policy checks with actionable recommendations to help you author secure and functional policies
• aws.amazon.com: IAM Access Analyzer Update – Policy Validation
• netflixtechblog.com: ConsoleMe: A Central Control Plane for AWS Permissions and Access - github.com/Netflix/consoleme
• cloudkatha.com: Difference between Root User and IAM User in AWS You Need to Know
• ben11kehoe.medium.com: AWS Authentication: Principals (users and roles) in AWS IAM this article uses the boto3, the AWS Python SDK, as an example, but other SDKs have analogous features.
• infoq.com: Incorrect IAM Policy Raised Questions About AWS Access to S3 Data
• iann0036/iamlive Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy
• awsiam.info: AWS IAM Search
• daan.fyi: AWS IAM Demystified
• willdady/cdk-iam-credentials-rotator: IAM Credentials Rotator AWS CDK construct for rotating IAM user credentials and sending to a third party.
• Organizing Your AWS Environment Using Multiple Accounts (white paper for best practices) Reasons you should be using multiple accounts in AWS:
  • You can constrain access to sensitive data
  • You’ll promote innovation & agility
  • You can more easily manage costs
• aws.amazon.com: When and where to use IAM permissions boundaries A permissions boundary is an IAM feature that helps your centralized cloud IAM teams to safely empower your application developers to create new IAM roles and policies in Amazon Web Services (AWS).
• Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere 🌟 A secure way for on-premises servers, containers, or apps to obtain temporary AWS credentials and remove the need for creating and managing long-term AWS credentials
• binx.io: Working with AWS Permission Policies 🌟
• Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles
• ermetic.com: Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433
• globaldatanet.com: .AWS IAM Identity Center Permission Management at Scale Part 2
• awstip.com: AWS Permissions Set deep dive
• How to monitor and query IAM resources at scale – Part 1 Useful details on how AWS IAM works so that you can use it more effectively.
• github.com/aws-samples: Visualize AWS IAM Access Analyzer Policy Validation Findings
• thenewstack.io: A Deep Dive into the Security of IAM in AWS How do you tighten up identity access management when you’re using Amazon’s cloud? Here are some best practices and useful tools for keeping everything safe.

Terraform IAM Policy Validator

• awslabs/terraform-iam-policy-validator A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practices.

AWS IAM Anywhere

• jimmydqv.com: AWS IAM Anywhere 🌟
  • Most of us that have worked with cloud long enough has encountered hybrid cloud solutions in one way or another. I often see clients with some parts, or applications, running on-premises that need to call AWS services. I’m working with an client with an application running on-premises. The application gather data from different sources, and then upload the data files to an Amazon S3 Bucket. The data is imported and analyzed in the cloud. Up till now I needed to create an IAM User and generate long lived credentials that the on-premises part could use. That is until the recent release of IAM Anywhere.
  • IAM Anywhere rely on Public key Infrastructure (PKI) and exchange x.509 certificates for temporary AWS IAM credentials. You establish a trust between you AWS account and a Certificate Authority (CA), a trust anchor. Certificates issued by that CA can then be used to get credentials. Fields, like the Common Name (CN), in the certificate can be used as conditions in policies to limit what IAM Roles that can be assumed.

AWS Organizations

• Simplifying permissions management at scale using tags in AWS Organizations
• Standardize compliance in AWS using DevOps and a Cloud Center of Excellence (CCOE) approach
• blog.wut.dev: Moving AWS Accounts and OUs Within An Organization - Not So Simple!

AWS Control Tower

• AWS Control Tower The easiest way to set up and govern a secure multi-account AWS environment
• aws.amazon.com: New – AWS Control Tower Account Factory for Terraform
• hashicorp.com: HashiCorp Teams with AWS on New Control Tower Account Factory for Terraform AWS Control Tower Account Factory for HashiCorp Terraform (AFT), the evolution of Terraform Landing Zones, offers an easy way to set up and govern a secure, multi-account AWS environment.
• aws.amazon.com: Automate AWS Control Tower landing zone operations using APIs

AWS Firewalls

• doit-intl.com: AWS Firewalls 101: How and when to use each one
• Automatically block suspicious traffic with AWS Network Firewall and Amazon GuardDuty

AWS WAF Web Application Firewall

• AWS WAF - Web Application Firewall
• How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda (boto3 python)
• How to Use AWS WAF to Block IP Addresses That Generate Bad Requests
• How to Reduce Security Threats and Operating Costs Using AWS WAF and Amazon CloudFront
• AWS WAF sample rules
• medium: Blocking bots using AWS WAF
• medium: Protecting your Web Application or APIs using AWS WAF
• faun.pub: Set up global rate limiting with AWS WAF in 5 minutes
• dev.to: AWS WAF (Web Application Firewall): Deep Dive

AWS Secrets Manager

• How to replicate secrets in AWS Secrets Manager to multiple Regions
• AWS Secrets Manager controller POC: an EKS operator for automatic rotation of secrets
• k21academy.com: AWS Secrets Manager
• blog.devops.dev: Debugging Kubernetes Secrets, Why My Pod Wouldn’t Start

AWS Vault

• AWS Vault is a tool to securely store and access AWS credentials in a development environment.
• AWS: Sourcing AWS CLI Credentials using a Custom AWS CLI Credential Provider and AWS Vault

Tweets

Click to expand!

Do you secure your @awscloud access?

11 secrets hackers don't want you to know 📈.

Number 7 will blow your mind 🤯

A thread 🔽🔽🔽#AWSCommunity

— Andrea Cavagna (@a_cava94) September 6, 2022