
Securing secrets in Bash shell scripts while learning to pass the AWS Certified Security - Specialty (SCS-C01) exam


Overview

Secure Bash Script

Prep-work:

NOTE: Content here is my personal opinion and is not intended to represent any employer (past or present). “PROTIP:” highlights information I haven’t seen elsewhere on the internet: hard-won, little-known but significant facts based on my personal research and experience.

  1. Manually obtain an AWS account and set up AWS login from Terminal. See my instructions.
  2. Manually or in IaC create an AWS KMS (Key Management Service) key (or use an existing one if it exists)
  3. Manually add and encrypt the secret (if one is not specified)

I am working on a Bash/Z shell script so you can copy a single command, paste it in your Terminal, and have it do all the following:

  1. Install the AWS CLI (after its prerequisites)
  2. Request that you (manually) obtain an account and set up AWS login from Terminal
  3. Define IAM credentials (if none are specified)
  4. Configure automatic rotation of the secret (monthly?)

  5. Retrieve the secret within the shell and parse the JSON response

This would be using https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
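As an added example (not the author’s script, which is still in progress), here is a POSIX shell sketch of step 5: the secret is fetched with the AWS CLI, the CLI’s wrapper JSON is stripped with --query, and one field is pulled out of the SecretString with sed, so the value never appears on a command line, in `ps`, or in shell history. The secret name prod/db/credentials and the username/password layout of the secret are assumptions; jq is a better parser when it is installed.

```shell
#!/bin/sh
# Added example (not the author's script): fetch a secret from AWS Secrets
# Manager with the AWS CLI and pull one field out of its JSON SecretString
# without ever placing the value on a command line.
set -eu

# Extract a top-level string field from a flat JSON object read on stdin.
# Assumption: values contain no escaped quotes (true for typical
# username/password secrets). Use jq instead when it is available.
json_field() {
  key="$1"
  sed -n "s/.*\"${key}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print the raw SecretString of a secret. --query/--output text strips the
# CLI's own {"ARN":..., "SecretString":...} wrapper so only the secret's
# JSON reaches the pipe. Needs credentials; not run in the demo below.
get_secret_string() {
  aws secretsmanager get-secret-value --secret-id "$1" \
      --query SecretString --output text
}

# Fetch one field of a secret. The value travels through a pipe, never
# through argv, so it is not visible in `ps` or ~/.bash_history.
read_secret_field() {
  get_secret_string "$1" | json_field "$2"
}

# Demo (hypothetical secret name). `set +x` guards against a caller that
# runs this under `sh -x`, which would otherwise trace the value.
main() {
  set +x
  db_password="$(read_secret_field "prod/db/credentials" "password")"
  # Hand the value to the consumer over stdin or a 0600 file, never argv:
  umask 077
  cred_file="$(mktemp)"
  printf '%s\n' "$db_password" > "$cred_file"
  unset db_password
  echo "credential written to $cred_file"   # prints the path, not the secret
}

if [ "${RUN_DEMO:-0}" = 1 ]; then main; fi
```

Run with RUN_DEMO=1 and valid AWS credentials to fetch a real secret; without it the file only defines the functions, which is how the parsing step can be tested offline against a constructed SecretString.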

An alternative is AKEYLESS, which enables authentication with several clouds (AWS IAM, Azure AD, SAML, LDAP, API key). See https://akeyless.readme.io/docs/cli

AWS Security Certification SCS-C01

The AWS Certified Security - Specialty certification SCS-C01 home page is at

The exam costs $300 USD (50% off if you’ve cleared another certification).

Practice exam: 40 USD.

PROTIP: The exam is difficult because you need a scaled score of at least 750 out of 1000 on 65 multiple-choice and multiple-response questions in 170 minutes without breaks. Many of the questions are long paragraphs and have multiple correct answers.

Domain Topics for AWS Security

  1. 12% (Network and) Incident Response (Forensics)
  2. 20% Logging and Monitoring
  3. 26% Infrastructure Security
  4. 20% Identity and Access Management (IAM)
  5. 22% Data Protection

Exam Readiness 2h free video by Blaine Sundrud

Cert Prep: AWS Security Specialty Certification

CloudAcademy’s 31h video cert prep

VIDEO: 1h COURSE: Demystifying the AWS Certified Security Specialty Exam by Michael Brown covers the options for Key Management (FIPS 140-2 HSM):

  • AWS KMS (Key Management Service) - shared service managed by AWS
  • AWS CloudHSM - single-tenant hardware HSM cluster on AWS
  • On-premises HSM

  • The AWS Encryption SDK
  • Amazon DynamoDB encryption client
  • AWS Secrets Manager

Links to learning content on specific topics specified in Amazon’s exam guide PDF:

  1. (Network and) Incident Response (Forensics) 12%
    1. Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
    2. Verify that the Incident Response Plan includes relevant AWS services.
    3. Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.

  2. Logging and Monitoring 20%
    1. Design and implement security monitoring and alerting.
    2. Troubleshoot security monitoring and alerting.
    3. Design and implement a logging solution.
    4. Troubleshoot logging solutions.

  3. Infrastructure Security 26%
    1. Design edge security on AWS (NACLs, VPC Flow Logs)
    2. Design and implement a secure network infrastructure.
    3. Troubleshoot a secure network infrastructure.
    4. Design and implement host-based security.

  4. Identity and Access Management 20%
    1. Design and implement a scalable authorization and authentication system to access AWS resources.
    2. Troubleshoot an authorization and authentication system to access AWS resources.

  5. Data Protection 22%
    1. Design and implement key management and use.
    2. Troubleshoot key management.
    3. Design and implement a data encryption solution for data at rest and data in transit.

Topics (Abilities Validated by the Certification)

  • Security controls for workloads on AWS.
  • Specialized data classifications and AWS data protection mechanisms
  • Data encryption methods and AWS mechanisms to implement them
  • Secure Internet protocols and AWS mechanisms to implement them
  • AWS security services and features of services to provide a secure production environment

  • Production deployment using AWS security services and features
  • Tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements
  • Security operations and risk

The Future of Security:

  • Static Code Analysis
  • Vulnerability Management
  • Compliance Checks
  • Web Application Scanning
  • Configuration Assessments

Golden AMI Pipeline of EC2 images at https://github.com/Qualys-Public

https://app.pluralsight.com/paths/certificate/aws-certified-security-specialty

CAUTION: Amazon tests on the console GUI and CloudFormation, not Terraform, Ansible, and other IaC. At time of writing the CDK (Cloud Development Kit) was too new to be included in the test.


Learning materials from AWS

Amazon Training offers a 3-day live/classroom Security Engineering on AWS course offered by various vendors for USD $1,485 - $2,095.

For those who can afford it, Amazon’s live instructor-led classes:

$600 for 1 day AWS Security Essentials

AWS Amazon Tech Talks Videos

https://aws.amazon.com/events/online-tech-talks/on-demand/?ott-on-demand-all.sort-by=item.additionalFields.startDateTime&ott-on-demand-all.sort-order=desc

https://pages.awscloud.com/Remediating-Amazon-GuardDuty-and-AWS-Security-Hub-Findings_2019_0320-SID_OD.html?&trk=ep_card-el_a131L000005uKBhQAM&trkCampaign=NA-FY19-AWS-DIGMKT-WEBINAR-SERIES-March_2019_0320-SID&sc_channel=el&sc_campaign=pac_2018-2019_exlinks_ondemand_OTT_evergreen&sc_outcome=Product_Adoption_Campaigns&sc_geo=NAMER&sc_country=mult Remediating Amazon GuardDuty and AWS Security Hub Findings

https://pages.awscloud.com/AWS-Transit-Gateway-Reference-Architectures-for-Many-Amazon-VPCs_2019_0811-NET_OD.html?&trk=ep_card-el_a131L0000057bPDQAY&trkCampaign=NA-FY19-AWS-DIGMKT-WEBINAR-SERIES-August_2019_0811-NET&sc_channel=el&sc_campaign=pac_2018-2019_exlinks_ondemand_OTT_evergreen&sc_outcome=Product_Adoption_Campaigns&sc_geo=NAMER&sc_country=mult AWS Transit Gateway Reference Architectures for Many Amazon VPCs

Videos from re:Inforce 2019 dive deep into cloud security, IAM, and compliance. Speaker: Steve Schmidt, CISO of Amazon Web Services.

Articles from AWS on Security

Among https://aws.amazon.com/whitepapers

Security and Compliance documentation

Compliance resources

Well architected Framework

Within the Digital Training library (opens a new window):

AWS KMS Cryptographic Details (details what happens behind the scenes with HSMs)

PDF: DDoS Mitigation whitepaper

Data Residency: AWS Policy Perspectives

AWS Cloud Security Learning

Scale-Out Computing on AWS

Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

GxP Compliance Automation


3rd-party video courses

Pluralsight

Pluralsight’s Security video courses:

ACloudGuru.com

ACloudGuru’s 20 hour AWS Certified Security - Specialty 2020 includes a practice exam along with sections on “Incident Response & AWS In The Real World” and “Updates Based On Student Feedback”.

It is part of their 173 hour Learning Path of video courses.

ACloudGuru’s Exam Simulator

CloudAcademy.com

LinkedIn Learning

OReilly.com

OReilly’s website does not provide lab time, but does have famous authors.

Chad Smith

Qwiklabs.com

Qwiklabs.com provides time (an hour at a time) on servers to perform their step-by-step instructions on specific topics.


Practice Tests

About $200 USD if you get all of them.

  • $41.30 USD (money-back guarantee) at https://www.vmexam.com/aws/scs-c01-aws-certified-security-specialty for 205+ questions for 2 months.

  • The AWS Certification Quiz Show: CQ E13 (AWS Security - Specialty) Nov 3, 2019 with Paul Hawkins (using ___)

  • $25 https://www.braincert.com/course/21137-AWS-Certified-Security-Specialty-Practice-Exams provides 150 questions (3 practice tests - 50 questions each)

  • $11 https://www.udemy.com/course/scs-c01-aws-certified-security-specialty-practice-tests/

  • $40 https://www.whizlabs.com/aws-certified-security-specialty/

  • $69 for 333 questions ($100 with software) at https://www.dumpskey.com/amazon/aws-security-specialty-braindumps or https://www.ebay.com/itm/Amazon-AWS-Certified-Security-Specialty-SCS-C01-Exam-Test-QA-SIM-PDF-Simulator-/253754800538 or https://www.dumps4download.com/scs-c01-dumps.html. CAUTION: using “brain dumps” of actual exam questions violates the AWS Certification Program Agreement and risks decertification.


Major AWS cloud services

My webpage on cyber-security covers industry-wide terms (vendor-agnostic).

AWS-specific services (such as its load balancers) are covered below.

Lifecycle Actions

Sequence to develop a secure web application within AWS cloud:

  1. Use accounts with MFA, not long-term passwords.
  2. SSH using generated key pairs.
  3. Protect the S3 CloudTrail and Billing buckets.
  4. Don’t create public access to S3 buckets.
  5. Create “Admin” roles with limited privilege.
  6. Leverage IAM roles for EC2.
  7. Control traffic to EC2 using clearly defined Security Groups.
  8. Enable communication by users and between app and database with roles having only the minimal IAM policies necessary.
  9. Set up apps with SSL/TLS certificates for HTTPS communication in transit.
  10. Encrypt data at rest with a KMS key.
  11. Set up read-only application and infrastructure logs [CloudTrail].
  12. Set up API Gateway and firewalls to manage access.
  13. Set up alerts.
  14. Watch trends in application and infrastructure logs periodically.
  15. Set up backups using read and
  16. HA and multi-region operation.
  17. Review billing monthly.

Security Principles

  • Least privilege

  • Handle keys with care
    • Associate an IAM Role with the compute resource
    • Programmatic AssumeRole via STS SDK
  • Encrypt “All the Things”
    • Require KMS Keys
    • Data at rest: Use only encrypted EBS volumes
    • S3 buckets
    • RDS or Aurora databases
    • Data in transit: S3 bucket policy denying requests where aws:SecureTransport is false, CloudFront with Certificate Manager (ACM) certificates
  • Monitor continuously
    • CloudTrail Logs (cross region)
    • S3 Access Logging
    • VPC Flow Logs
    • Billing Logs
  • Audit Regularly
    • Trusted Advisor
    • AWS Config
    • Custom Scripts

At a high level, within AWS Cloud Security at aws.amazon.com/security is the mantra:

  • Prevent
  • Detect
  • Respond
  • Remediate

Security Landscape

  • Governance
  • Management (CloudWatch, CloudTrail, Config)
  • Protection
  • Encryption (AWS CloudHSM, KMS)
  • Detection (Amazon Macie, AWS Firewall Manager, AWS Security Hub, Amazon GuardDuty)

AWS CAF (Cloud Adoption Framework)

Mnemonic?

  • Business
  • People
  • Governance
  • Platform
  • Security
  • Operations

AWS policies

AWS uses several types of “policies” to determine whether to allow or deny a request made by a principal (such as a user or role).

Most AWS policies are JSON documents, defined in-line or as “managed” policy objects, attached to IAM identities or to AWS resources (entities).

Policy types fall into two groups: “permissions policies”, which grant permissions, and “permissions boundaries”, which only limit the maximum permissions an entity can have:

Permissions policies grant permissions to an identity or to a resource (identified by an ARN). Within a single account, AWS evaluates all applicable permissions policies together. Permissions policies are the most common policies. The following policy types act as permissions policies:

  • Identity-based policies: when a managed or inline policy is attached to an IAM user, user group, or role, the policy defines the permissions for that entity.

  • Resource-based policies: a JSON policy document attached to an AWS resource (for services that support them, such as S3 bucket policies and KMS key policies). These can also grant access to principals in other accounts.

  • Access Control Lists (ACLs): also attached to resources, listing the principals with permission to access the resource (for services that support ACLs). ACLs are the only policy type that does not use the JSON policy document structure.

Permissions boundaries (an advanced AWS feature) control the maximum permissions that an entity can have. They never grant permissions on their own: the effective permissions are the intersection of the permissions policies and every boundary that applies. When more than one permissions boundary applies to a request, AWS evaluates each boundary separately. The following act as permissions boundaries:

  • AWS Organizations Service Control Policies (SCPs) are applied to designated member accounts within an organization or organizational unit (OU). SCPs never affect the management account itself.

  • IAM permissions boundaries: a managed policy set as the boundary for a user or role. See “Permissions Boundaries for IAM Entities” in the IAM User Guide.

  • Session policies: passed programmatically when assuming a role or federating a user, limiting the permissions of that session only.
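An added example (not from the page or from AWS documentation) of how a permissions boundary and an identity policy combine, written as shell functions around AWS CLI calls: the boundary caps what any role carrying it may ever do, the identity policy grants within that cap, and the effective permissions are the intersection, so attaching a broader identity policy later cannot reach IAM or KMS. The policy names (AppBoundary, AppAccess), the role, bucket and account id are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): a permissions boundary that caps a
# workload role, plus the identity policy that grants inside that cap.
# Account id, role name and bucket name are placeholders.
set -eu

# Boundary: the maximum permissions any role carrying it can ever have.
# The explicit Deny wins over anything an identity policy might later add.
boundary_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CapToAppServices",
      "Effect": "Allow",
      "Action": ["s3:*", "logs:*", "cloudwatch:*"],
      "Resource": "*"
    },
    {
      "Sid": "NeverEscalate",
      "Effect": "Deny",
      "Action": ["iam:*", "kms:*", "organizations:*", "sts:AssumeRole"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Identity policy: what the role is actually granted. It must stay inside
# the boundary; anything outside it is silently ineffective.
app_role_policy_json() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${bucket}/*" },
    { "Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "*" }
  ]
}
EOF
}

# Wire both up with the CLI (needs credentials; not run by the demo).
apply_boundary() {
  account="$1"; role="$2"; bucket="$3"
  tmp="$(mktemp -d)"
  boundary_policy_json > "$tmp/boundary.json"
  app_role_policy_json "$bucket" > "$tmp/app-role.json"
  aws iam create-policy --policy-name AppBoundary \
      --policy-document "file://$tmp/boundary.json"
  aws iam put-role-permissions-boundary --role-name "$role" \
      --permissions-boundary "arn:aws:iam::${account}:policy/AppBoundary"
  aws iam put-role-policy --role-name "$role" --policy-name AppAccess \
      --policy-document "file://$tmp/app-role.json"
  rm -rf "$tmp"
}

# Usage: apply_boundary 123456789012 app-role my-app-bucket
```

Pair the boundary with an IAM policy condition such as iam:PermissionsBoundary on the users who create roles, so that they cannot create a role without this boundary attached.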

Hands-on

Create a multi-account setup with web servers running on EC2 instances as well as web services running through API Gateway, Lambda and S3.

Use CloudFront, WAF, Shield. Install CloudWatch Logging agents on a few EC2 instances, consolidate logs in a central account, implement log file validation (extra credit — write a script to actually validate files based off events when new file is posted).

Grant one account read and read/write access to another account’s S3 buckets using IAM roles.

Protect your EC2 instances with a homegrown proxy (install Squid or something), give them internet access and use NACLs and security groups to open a finite set of ports and restrict some IPs (use a VPN for testing).

Apply Service Control Policies through the organization (as examples, restrict regions or mandate S3 encryption. They can be found here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html). Do this every day of the week before your exam and recite the script in your sleep the day of the exam :)

Do all of this in CloudFormation and Terraform

– from Chiradeep Chhaya

Create an AWS Security Group ingress rule using the CLI (the group id suffix, port range, and naming convention below are placeholders):

IP=10.10.10.10
CIDR=32
AWS_GROUP="xxxx"     # suffix of the existing group id, sg-xxxx
AWS_SEC_GROUP=mycorp_mydiv_myproj_mydept_mychargecode_myversion   # naming convention for the group
# Allow TCP ports 10-23 (a range that includes SSH 22 and telnet 23) only from $IP/$CIDR:
aws ec2 authorize-security-group-ingress --group-id "sg-$AWS_GROUP" \
   --ip-permissions "FromPort=10,ToPort=23,IpProtocol=tcp,IpRanges=[{CidrIp=$IP/$CIDR}]"

Hardening before creating an AMI:

  • Remove SSH authorized_keys files (the launch key pair is re-provisioned by cloud-init on first boot)
  • Remove and lock passwords for all user accounts
  • Delete all shell history and system log files containing sensitive data, e.g. find /root/.*history /home/*/.*history -exec rm -f {} \; (rm is not a secure delete: use shred -u where the filesystem allows it, and treat the source volume as sensitive until it is deleted)
  • Clear event logs
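An added example, not the author’s, of the four hardening steps above as one POSIX shell function that operates on a mount point (ROOT), so it can be run against a mounted snapshot volume as well as against / on the instance itself. The list of log files is an assumption about a typical Amazon Linux or Ubuntu image; extend it for your own applications.

```shell
#!/bin/sh
# Added example (not from the page): scrub credentials and shell history
# from a filesystem tree before it is captured as an AMI. ROOT is the mount
# point of the tree to clean ("/" on the instance, or a mounted volume).
set -eu

harden_tree() {
  root="${1:?usage: harden_tree ROOT}"

  # 1. Drop every SSH authorized_keys file so the image carries no baked-in
  #    trust; cloud-init installs the launch key pair on first boot.
  find "$root/root/.ssh" "$root/home" -name authorized_keys -type f \
       -exec rm -f {} + 2>/dev/null || true

  # 2. Lock every password hash in shadow so no account has a usable
  #    password (field 2 becomes "!", which PAM treats as locked).
  if [ -f "$root/etc/shadow" ]; then
    awk 'BEGIN{FS=OFS=":"} {$2="!"} 1' "$root/etc/shadow" > "$root/etc/shadow.tmp" \
      && cat "$root/etc/shadow.tmp" > "$root/etc/shadow" \
      && rm -f "$root/etc/shadow.tmp"
  fi

  # 3. Remove shell and client history files (rm is not a secure delete on
  #    journaling filesystems or EBS; treat the source volume as sensitive).
  find "$root/root" "$root/home" -maxdepth 2 -type f \
       \( -name '.*history' -o -name '.lesshst' -o -name '.mysql_history' \) \
       -exec rm -f {} + 2>/dev/null || true

  # 4. Truncate logs that commonly capture secrets (assumed file list).
  for f in "$root/var/log/cloud-init.log" "$root/var/log/cloud-init-output.log" \
           "$root/var/log/secure" "$root/var/log/auth.log"; do
    [ -f "$f" ] && : > "$f"
  done
  return 0
}

# Count leftover keys/history so a caller can verify the tree is clean.
leftover_count() {
  root="$1"
  find "$root/root" "$root/home" -type f \
       \( -name authorized_keys -o -name '.*history' \) 2>/dev/null | wc -l | tr -d ' '
}

# Usage on the instance itself, as root, right before the create-image call:
#   harden_tree / && [ "$(leftover_count /)" = 0 ]
```

Run it as the last step of the image build, after the SSH session that ran it no longer needs its own key; the history file of that very session is written on logout, so run `history -c` or `unset HISTFILE` in that shell before exiting.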

Amazon/AWS Products

AWS Firewall Manager

etc. to simplify WAF admin across accounts.

Security Hub

summarizes

Amazon Inspector for EC2

Runs vulnerability assessments of AWS networks and hosts (on a schedule, e.g. weekly) based on rules-package templates against assessment targets.

  1. Install agent using keypair on targets (instances):

    ssh -i awsgm.pem ec2-user@ec2-12-345-456-444.compute-1.amazonaws.com
    wget https://inspector-agent.amazonaws.com/linux/latest/install
    sudo bash install
    
  2. Run an assessment using the service-linked role, collecting for an hour (the default duration).

Findings by severity.

Generate report, which include “CIS Benchmarks”.

AWS Trusted Advisor

5 categories of checks for AWS accounts (the core Security and Service Limits checks are free on every support plan; the full set requires Business or Enterprise Support):

  • FREE Security (MFA on root, open ports in security groups)
  • FREE Service Limits (Auto Scaling)

  • Cost optimization (upgrades)
  • Performance
  • Fault Tolerance

COURSE: Qwiklabs.com “Auditing Your Security with AWS Trusted Advisor”

AWS Organizations

Account management service to consolidate accounts.

Amazon Macie

VIDEO: Makes use of machine learning technology developed within Amazon to identify and classify PII (Personally Identifiable Information) in critical assets (S3 objects), by content type and using regex-based data identifiers.

Issues risk alerts by location.

AWS Config

Get Started: Settings, Rules, Review.

The types of rules that can be set up, and how to automatically remediate non-compliant resources using Lambda (or Systems Manager Automation documents).

Configuration recorder: snapshot of current configurations.

Configuration items with history.

Configuration stream automatically updated (notifies SNS).

AWS Config logs

VPC Flow Logs

Setup:

  1. VPC
  2. Your VPCs
  3. Create Flow Log
  4. Filter All
  5. Destination Log Group
  6. IAM Role
  7. Security Rules
Log format (fields of one example record, in order):

  2                       Version of log
  123456789012            AWS account id
  eni-081b2cff388ebbea33  Network interface id
  194.26.39.111           Source IP address
  172.31.81.72            Destination IP address
  8080                    Source port
  3398                    Destination port
  6                       Protocol (IANA number; 6 = TCP, 17 = UDP)
  1                       Packets
  40                      Bytes
  158251432               Epoch start (seconds)
  158251812               Epoch end (seconds)
  REJECT                  Action (ACCEPT or REJECT)
  OK                      Logging status (OK, NODATA, or SKIPDATA)
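An added example (not from the page) that reads records in the default format above and summarises REJECTs per source address with awk, which is the first triage step when hunting for port scans or blocked exfiltration in flow logs. The sample records are constructed, not real traffic, and use full 10-digit epoch times; records whose log-status is NODATA or SKIPDATA carry no addresses and are skipped.

```shell
#!/bin/sh
# Added example (not from the page): triage default-format VPC Flow Log
# records (version 2, 14 space-separated fields) and summarise REJECTed
# connections per source address.
set -eu

# Constructed sample records in the default flow-log field order:
# version account eni srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOG='2 123456789012 eni-081b2cff388ebbea33 194.26.39.111 172.31.81.72 8080 3398 6 1 40 1582514320 1582518120 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 194.26.39.111 172.31.81.72 8081 22 6 1 40 1582514321 1582518121 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 194.26.39.111 172.31.81.72 8082 3389 6 1 40 1582514322 1582518122 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 10.0.0.5 172.31.81.72 51234 443 6 20 4249 1582514330 1582518130 ACCEPT OK
2 123456789012 eni-081b2cff388ebbea33 - - - - - - - 1582514340 1582518140 - NODATA'

# Emit "srcaddr rejected_count distinct_dst_ports" for every source that was
# rejected at least MIN times, most-rejected first. A high count of distinct
# destination ports from one source is the signature of a port scan.
reject_summary() {
  min="${1:-1}"
  awk -v min="$min" '
    NF == 14 && $1 == "2" && $14 == "OK" && $13 == "REJECT" {
      n[$4]++
      if (!(($4, $7) in seen)) { seen[$4, $7] = 1; ports[$4]++ }
    }
    END {
      for (s in n) if (n[s] >= min) printf "%s %d %d\n", s, n[s], ports[s]
    }' | sort -k2,2nr
}

# Human-readable name for the IANA protocol number in field 8.
proto_name() {
  case "$1" in
    1) echo icmp ;; 6) echo tcp ;; 17) echo udp ;; *) echo "proto-$1" ;;
  esac
}

# Usage on the constructed sample (or pipe in a CloudWatch Logs export):
#   printf '%s\n' "$SAMPLE_LOG" | reject_summary 2
```

The same awk runs unchanged over a file exported from the CloudWatch Logs log group or from S3, which is the quick offline alternative to the Athena query mentioned later on this page.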

Amazon GuardDuty

Identifies findings by using machine learning and threat intelligence to analyze:

  • DNS logs (Route 53 Resolver queries made from your instances)
  • VPC Flow Logs (network traffic)
  • CloudTrail management events (API calls)
  • CloudTrail S3 data events

Findings are published to Amazon EventBridge (formerly CloudWatch Events), whose rules can send:

  • Notifications to SNS
  • Invocation of Lambda (for automated remediation)

A 30-day free trial is available per account. Sample findings can be generated for testing; trusted IP lists and threat lists can be uploaded; member accounts can be added so their findings are aggregated in an administrator account.

Amazon Detective

Introduced in 2020, Amazon Detective lets an Organizations management account delegate a Detective administrator account for the organization. The administrator invites members (even outside the organization) to contribute data.

Detective provides visualizations (with machine learning and statistical analysis) to interactively explore and trace through time-based findings from GuardDuty:

  • login attempts
  • API calls (from CloudTrail)
  • Network Traffic (VPC flows)

Detective is classified as a Security Investigation service.

Abuse Notice

https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/


Key Management

PDF: AWS Key Management Service Best Practices

KMS options:

  • API commands (Encrypt, Decrypt, ReEncrypt, GenerateDataKey)
  • CMK – AWS created vs Imported
  • How to enforce annual rotation of keys

Know the difference between CloudTrail (API audit log) and CloudWatch (metrics, logs, alarms).

SSL/TLS communication from on-premises to EC2, including how legacy applications communicate when changing from a Classic ELB to an ALB.

S3 access

Bucket ACLs, but know the difference between an ACL and a bucket policy for cross-account access (S3).

EC2

How to regain access to an EC2 instance or change the key pair if it has been compromised.

How AWS WAF and Shield work.

When and why you should implement a proxy server.

Network Access Control Lists (stateless) vs Security Groups (stateful).

AWS Organizations – including Service Control Policies and enforcements

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html

CloudFront Origin Access Identity (OAI) to restrict S3 access so objects are served only through CloudFront.

Think static website or content.

AWS Athena and viewing VPC flow logs

Query the VPC flow logs

VPC Flow Logs: how to automate or make sure they are enabled (hint: an AWS Config rule with Lambda remediation).

Troubleshooting why some instances write logs to CloudWatch and others don’t, or stopped after a period of time (hint: the instance role’s permissions and the agent’s configuration).

Data in Transit

SSL for HTTPS

CloudFront

CloudFront serves HTTP/HTTPS (TCP) only, not UDP.

Read the intro to AWS Security Processes:

  • Confidentiality (MFA)
  • Integrity (Cert Manager, IAM, Bucket policies)
  • Availability (Multi-AZ, Auto-scaling)

IAM Policies

Types of IAM policies:

  • AWS managed policies
  • Customer (administrator) managed policies
  • Inline policies

S3 Bucket policies

https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS_Certified_Security_Specialty_Exam_Guide_v1.5.pdf Exam Blueprint

https://acloud.guru/course/aws-certified-developer-associate-june-2018/learn/9df1a869-ca43-95a9-4b47-70c611ac3cab/e6e9fcbf-7ff2-e9de-d3db-1404fd7adb5c/watch?backUrl=~2Fcourses&backUrl=%2Fcourses

https://aws.amazon.com/compliance/shared-responsibility-model/

AWS is responsible for its data centers: facilities, networking, hardware, and the host OS. Above that, the customer’s share of responsibility depends on the service category:

  • Infrastructure services (EC2, EBS, VPC): the customer manages the guest OS, patching, and everything above it
  • Container services (RDS, EMR, Elastic Beanstalk): AWS manages the OS and platform; the customer manages data, firewall rules, and access
  • Abstracted services accessed via APIs (S3, Glacier, SQS, SES): AWS manages the platform; the customer manages data classification and IAM

Controls: Visibility (AWS Config)

Auditability, Controllability (KMS, HSM FIPS-140-2 compliance dedicated hw), Agility (adapt to changes Cloud Formation, Elastic Beanstalk)

Automation (OpsWorks, CodeDeploy)

https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_management_console_access.html https://github.com/coinbase/assume-role

Python

https://github.com/gene1wood/aws_assume_roles

Terraform

https://www.youtube.com/watch?v=1JAx2npuprk&list=PLtK75qxsQaMIHQOaDd0Zl_jOuu1m3vcWO&index=1

Summary

AWS Artifact is a no-cost self-service portal to AWS’ compliance reports, such as SOC 2.

Blog articles

  • https://jayendrapatil.com/aws-certification-security-identity-services-cheat-sheet/ Cheat Sheet

  • https://www.netenrich.com/2019/01/aws-certified-security-specialty-exam-tips/

  • https://medium.com/@cbchhaya/aws-certified-security-specialty-scs-c01-4b8a62d3c680 suggests 4 months of preparation using 4 account setup and used attached as well as detached accounts with AWS Organizations.

Do you really know this stuff? Take the practice test for the AWS Certified Security – Specialty SCS-C01.

Social Twitter Feeds:

  • @awscloud
  • @awssecurityinfo
  • @awsidentity

More on Security

This is one of a series on Security in DevSecOps:

  1. SOC2
  2. FedRAMP
  3. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  4. Git Signing
  5. Hashicorp Vault
  6. OPA (Open Policy Agent)

  7. WebGoat deliberately insecure Java app and vulnerability scanners
  8. Test for OWASP using ZAP on the Broken Web App

  9. Encrypt all the things

  10. AWS Security (certification exam)
  11. AWS IAM (Identity and Access Management)

  12. Cyber Security
  13. Security certifications