Securing secrets in Bash shell scripts while learning to pass the AWS Certified Security - Specialty (SCS-C01) exam
Overview
- Secure Bash Script
- AWS Security Certification SCS-C01
- Learning materials from AWS
- 3rd-party video courses
- Practice Tests
- Major AWS cloud services
- Lifecycle Actions
- Security Principles
- Security Landscape
- AWS CAF (Cloud Adoption Framework)
- Hands-on
- Amazon/AWS Products
- difference between CloudTrail vs Cloudwatch
- S3 access
- EC2
- How does AWS WAF and Shield work
- AWS Organizations – including Service Control Policies and enforcements
- Data in Transit
- CloudFront
- IAM Policies
- Controls: Visibility (AWS Config)
- Automation (OpsWorks, CodeDeploy)
- Summary
- Blog articles
- Social Twitter Feeds:
- More on Security
Secure Bash Script
Prep-work:
NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.
- Manually obtain an AWS account and setup AWS login from Terminal. See my instructions.
- Manually or in IaC create an AWS KMS (Key Management Service) instance (or use an existing one if it exists)
- Manually Add & encrypt key (if one is not specified)
I am working on a Bash/Z shell script so you can copy and paste a single command and paste on your Terminal to do all the following:
- Install AWS CLI after pre-requisites (NodeJs)
- Request that you (manually) obtain an account and setup AWS login from Terminal
- Define IAM credentials (if one isn’t specified)
- Auto-rotate keys via a service every month?
- Retrieve key within shell and format JSON response
This would be using https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
An alternative is AKEYLESS, which enables authentication with several clouds (AWS IAM, Azure AD, SAML, LDAP, API key). See https://akeyless.readme.io/docs/cli
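The retrieval step described above, as an added example (not the author's script, which was still in progress when this was written): fetch a secret from AWS Secrets Manager, pull one field out of the JSON response, and hand it to a program without the value ever appearing on a command line, in shell history, or on the terminal. It assumes the AWS CLI is installed and credentials are configured as in the prep-work; the secret name `myapp/db`, the JSON keys `username`/`password` and the application `./myapp` are placeholders.

```shell
#!/bin/sh
# Added example, not the author's script: pull a secret out of AWS Secrets Manager
# and hand it to an application without exposing it in shell history, `ps`, or stdout.
# Assumes the AWS CLI is installed and credentials are configured; the secret name
# "myapp/db", the JSON keys and ./myapp are hypothetical placeholders.
set -eu
umask 077              # anything this script writes to disk is readable by its owner only

# Extract the string value stored under key $2 in the flat JSON object $1.
# sed keeps the example dependency-free; it does not handle nested objects or
# escaped quotes inside values, so production scripts should use jq instead.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Fetch the SecretString of secret $1. --query drops everything except the secret
# text and --output text removes the JSON quoting around it. The value is captured
# into a shell variable, so it never appears on a command line.
fetch_secret() {
  aws secretsmanager get-secret-value --secret-id "$1" \
      --query SecretString --output text
}

# Abort if a field came back empty: a missing key would otherwise silently
# launch the application with an empty password.
require_nonempty() {
  [ -n "$2" ] || { echo "secret field '$1' is empty or missing" >&2; return 1; }
}

if [ "${1:-}" = "--run" ]; then
  secret_json="$(fetch_secret "myapp/db")"
  db_user="$(json_field "$secret_json" username)"
  db_password="$(json_field "$secret_json" password)"
  require_nonempty username "$db_user"
  require_nonempty password "$db_password"
  unset secret_json

  # Pass the credentials through the environment of the child process rather than
  # as arguments, so they are not visible to other users in the process list.
  # Never `set -x` in this section: xtrace would print the values to stderr.
  DB_USER="$db_user" DB_PASSWORD="$db_password" ./myapp   # hypothetical application
  unset db_user db_password
fi
```

Run it as `sh get-secret.sh --run`; without the flag the script only defines the functions, which is what lets the parsing be exercised offline. The `umask 077` matters because the AWS CLI writes a cache under `~/.aws/cli/cache` when assuming roles, and the same rule protects any temp file you add later.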
AWS Security Certification SCS-C01
The AWS Certified Security - Specialty certification SCS-C01 home page is at
The exam costs $300 USD (50% off if you’ve cleared another certification).
Practice exam: 40 USD.
PROTIP: The exam is difficult because you need to correctly answer at least 75% of 65 multiple-choice questions in over 3 hours without breaks (170 minutes). Many of the questions are long paragraphs and have multiple answers.
Domain Topics for AWS Security
- 12% (Network and) Incident Response (Forensics)
- 20% Logging and Monitoring
- 26% Infrastructure Security
- 20% Identity and Access Management (IAM)
- 22% Data Protection
Exam Readiness 2h free video by Blaine Sundrud
Cert Prep: AWS Security Specialty Certification
CloudAcademy’s 31h video cert prep
VIDEO: 1h COURSE: Demystifying the AWS Certified Security Specialty Exam by Michael Brown covers the options for Key Management (FIPS 140-2 HSM):
- AWS KMS (Key Management Service) - shared service managed by AWS
- Cloud HSM - private hardware HSM cluster on AWS
- On-premise HSM
- The AWS Encryption SDK
- Amazon DynamoDB encryption client
- AWS Secrets Manager
Links to learning content on specific topics specified in Amazon’s exam guide PDF:
- (Network and) Incident Response (Forensics) 12%
- Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
- Verify that the Incident Response Plan includes relevant AWS services.
- Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues.
- Logging and Monitoring 20%
- Design and implement security monitoring and alerting.
- Troubleshoot security monitoring and alerting.
- Design and implement a logging solution.
- Troubleshoot logging solutions.
- Infrastructure Security 26%
- Design edge security on AWS (NACLs, VPC Flow Logs)
- Design and implement a secure network infrastructure.
- Troubleshoot a secure network infrastructure.
- Design and implement host-based security.
- Identity and Access Management 20%
- Design and implement a scalable authorization and authentication system to access AWS resources.
- Troubleshoot an authorization and authentication system to access AWS resources.
- Data Protection 22%
- Design and implement key management and use.
- Troubleshoot key management.
- Design and implement a data encryption solution for data at rest and data in transit.
Topics (Abilities Validated by the Certification)
- Security controls for workloads on AWS.
- Specialized data classifications and AWS data protection mechanisms
- Data encryption methods and AWS mechanisms to implement them
- Secure Internet protocols and AWS mechanisms to implement them
- AWS security services and features of services to provide a secure production environment
- Production deployment using AWS security services and features
- Tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements
- Security operations and risk
The Future of Security:
- Static Code Analysis
- Vulnerability Management
- Compliance Checks
- Web Application Scanning
- Configuration Assessments
Golden AMI Pipeline of EC2 images at https://github.com/Qualys-Public
https://app.pluralsight.com/paths/certificate/aws-certified-security-specialty
CAUTION: Amazon tests on GUI and CloudFormation, not Terraform, Ansible, and other IaC. At time of writing CDK (Cloud Development Kit) was too new to be included in the test.
Learning materials from AWS
Amazon Training offers a 3-day live/classroom Security Engineering on AWS course offered by various vendors for USD $1,485 - $2,095.
Paid AWS Virtual Classes
For those who can afford it, Amazon’s live instructor-led classes:
$600 for 1 day AWS Security Essentials
AWS Amazon Tech Talks Videos
- Well-architected framework
- How to Build an Endpoint Security Strategy in AWS
- How to secure app pipelines in AWS
- How to Protect Enterprise Systems with Cloud-Based Firewalls
https://aws.amazon.com/events/online-tech-talks/on-demand/?ott-on-demand-all.sort-by=item.additionalFields.startDateTime&ott-on-demand-all.sort-order=desc
https://pages.awscloud.com/Remediating-Amazon-GuardDuty-and-AWS-Security-Hub-Findings_2019_0320-SID_OD.html?&trk=ep_card-el_a131L000005uKBhQAM&trkCampaign=NA-FY19-AWS-DIGMKT-WEBINAR-SERIES-March_2019_0320-SID&sc_channel=el&sc_campaign=pac_2018-2019_exlinks_ondemand_OTT_evergreen&sc_outcome=Product_Adoption_Campaigns&sc_geo=NAMER&sc_country=mult Remediating Amazon GuardDuty and AWS Security Hub Findings
https://pages.awscloud.com/AWS-Transit-Gateway-Reference-Architectures-for-Many-Amazon-VPCs_2019_0811-NET_OD.html?&trk=ep_card-el_a131L0000057bPDQAY&trkCampaign=NA-FY19-AWS-DIGMKT-WEBINAR-SERIES-August_2019_0811-NET&sc_channel=el&sc_campaign=pac_2018-2019_exlinks_ondemand_OTT_evergreen&sc_outcome=Product_Adoption_Campaigns&sc_geo=NAMER&sc_country=mult AWS Transit Gateway Reference Architectures for Many Amazon VPCs
Videos of 2019 #reInforce take a deep dive into cloud security, IAM, and compliance (Steve Schmidt, CISO of Amazon Web Services).
Articles from AWS on Security
Among https://aws.amazon.com/whitepapers
- PDF: Amazon Web Services: Overview of Security Processes, March 2020
- https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf?did=wp_card&trk=wp_card (GDPR Compliance on AWS)
Security and Compliance documentation
Compliance resources
Well architected Framework
Within the Digital Training library (which pops up in a new window):
- Cloud Audit Academy covers differences in auditing (attestation) the cloud versus on-premises.
AWS KMS Cryptographic Details (details what happens behind the scenes with HSMs)
PDF: DDoS Mitigation whitepaper
Data Residency: AWS Policy Perspectives
Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
3rd-party video courses
- Pluralsight
- CloudAcademy.com
- LinuxAcademy.com
- OReilly
- LinkedIn Learning
- Udemy 23.5 hr by Zeal Zora with 1 practice test
Pluralsight
Pluralsight’s Security video courses:
- identity-access-management-aws-users by Brian Eiler
- aws-cloud-security-monitoring by Saravanan Dhandapani, Jun 26, 2019
- aws-security-best-practices by Joseph Lee Hunsaker
- Architecting for Security on AWS, Mar 08, 2020, by Ben Piper
ACloudGuru.com
ACloudGuru’s 20 hour AWS Certified Security - Specialty 2020 includes a practice exam along with sections on “Incident Response & AWS In The Real World” and “Updates Based On Student Feedback”. It is part of their 173 hour Learning Path of video courses.
CloudAcademy.com
LinkedIn Learning
OReilly.com
OReilly’s website does not provide lab time, but does have famous authors.
Qwiklabs.com
Qwiklabs.com provides time (an hour at a time) on servers to perform their step-by-step instructions on specific topics.
Practice Tests
About $200 USD if you get all of them.
- $41.30 USD (money back) at https://www.vmexam.com/aws/scs-c01-aws-certified-security-specialty for 205+ questions for 2 months.
- The AWS Certification Quiz Show: CQ E13 (AWS Security - Specialty) Nov 3, 2019 with Paul Hawkins (using ___)
- $25 https://www.braincert.com/course/21137-AWS-Certified-Security-Specialty-Practice-Exams provides 150 questions (3 practice tests - 50 questions each)
- $11 https://www.udemy.com/course/scs-c01-aws-certified-security-specialty-practice-tests/
- $40 https://www.whizlabs.com/aws-certified-security-specialty/
- $69 for 333 questions ($100 with software) at https://www.dumpskey.com/amazon/aws-security-specialty-braindumps or https://www.ebay.com/itm/Amazon-AWS-Certified-Security-Specialty-SCS-C01-Exam-Test-QA-SIM-PDF-Simulator-/253754800538 or https://www.dumps4download.com/scs-c01-dumps.html
Major AWS cloud services
My webpage on cyber-security covers industry-wide terms (vendor-agnostic).
But AWS
- Load balancer
Lifecycle Actions
Sequence to develop a secure web application within AWS cloud:
- Use accounts with MFA, not long term passwords.
- SSH from key pairs generated.
- Protect S3 CloudTrail and Billing buckets.
- Don’t create public access to S3 buckets.
- Create “Admin” roles with limited privilege.
- Leverage IAM roles for EC2.
- Control traffic to EC2 using clear Security Groups.
- Enable communication by users and between app and database with roles having minimal IAM policies necessary.
- Setup apps with SSL certificates for HTTPS communication in transit.
- Decrypt data using a key.
- Setup read-only application and infrastructure logs [CloudTrail].
- Setup API Gateway and firewalls to manage access.
- Setup alerts
- Watch trends in application and infrastructure logs periodically.
- Setup backups using read and
- HA and Multi-region operation
- Review billings monthly.
Security Principles
- Least privilege
- Handle keys with care
- Associate IAM Role to compute resource
- Programmatic AssumeRole via STS SDK
- Encrypt “All the Things”
- Require KMS Keys
- Data at rest: Use only encrypted EBS volumes
- S3 buckets
- RDS or Aurora databases
- Data in transit: S3 bucket config, CloudFront Cert. Manager
- Monitor continuously
- CloudTrail Logs (cross region)
- S3 Access Logging
- VPC Flow Logs
- Billing Logs
- Audit Regularly
- Trusted Advisor
- AWS Config
- Custom Scripts
At a high level, within AWS Cloud Security at aws.amazon.com/security is the mantra:
- Prevent
- Detect
- Respond
- Remediate
Security Landscape
- Governance
- Management (CloudWatch, CloudTrail, Config)
- Protection
- Encryption (AWS CloudHSM, KMS)
- Detection (Amazon Macie, AWS Firewall Manager, AWS Security Hub, Amazon GuardDuty)
AWS CAF (Cloud Adoption Framework)
Mnemonic?
- Business
- People
- Governance
- Platform
- Security
- Operations
AWS policies
AWS uses several types of “policies” to determine whether to allow or deny access requests made by a principal (such as a user).
AWS policies can be defined in-line or “managed” by AWS policy “objects” defined in JSON documents attached to IAM identities or AWS resources (entities).
AWS distinguishes “permissions policies” from “permissions boundaries”:
Permissions policies are attached to a resource in AWS (identified by an ARN). Within a single account, AWS evaluates all permissions policies together. Permissions policies are the most common policies. You can use the following policy types as permissions policies:
- Identity-based policies: when a managed or inline policy is attached to an IAM user, user group, or role, the policy defines the permissions for that entity.
- Resource-based policies attach a JSON policy document to an AWS resource (if that service supports resource-based policies).
- Access Control Lists (ACLs) are also attached to resources: each is a list of principals with permission to access a resource that supports ACLs.
Permissions boundaries (an advanced AWS feature) control the maximum permissions that an entity can have. When more than one permissions boundary applies to a request, AWS evaluates each permissions boundary separately. You can apply a permissions boundary in the following situations:
- AWS Service Control Policies (SCPs) are applied to designated member accounts within an AWS Organizations organization or organizational unit (OU).
- IAM users or roles – You can use a managed policy for a user or role’s permissions boundary. See Permissions Boundaries for IAM Entities in the IAM User Guide.
- Access control lists (ACLs) control what specific principals can access a resource. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure.
Hands-on
Create a multi-account setup with web servers running on EC2 instances as well as web services running through API Gateway, Lambda and S3.
Use CloudFront, WAF, Shield. Install CloudWatch Logging agents on a few EC2 instances, consolidate logs in a central account, implement log file validation (extra credit — write a script to actually validate files based off events when new file is posted).
Grant one account read and read/write access to another account’s S3 buckets using IAM roles.
Protect your EC2 instances with a homegrown proxy (install Squid or something), give them internet access and use NACLs and security groups to open a finite set of ports and restrict some IPs (use a VPN for testing).
Apply Service Control Policies through the organization (as examples, restrict regions or mandate S3 encryption. They can be found here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html). Do this every day of the week before your exam and recite the script in your sleep the day of the exam :)
Do all of this in CloudFormation and Terraform
– from Chiradeep Chhaya
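Two of the Service Control Policy guard-rails the quoted study plan mentions (restricting regions, mandating S3 encryption), as an added example that is neither Chiradeep Chhaya's nor AWS's own code: a script that emits the SCP, checks it before attaching, and only calls the Organizations CLI behind a `--run` flag. The policy name, the OU id and the list of approved regions are placeholders; the condition keys (`s3:x-amz-server-side-encryption`, `aws:RequestedRegion`) and the two CLI commands are real.

```shell
#!/bin/sh
# Added example, not from the post or from AWS: one Service Control Policy carrying
# two guard-rails, plus a guarded CLI call to create and attach it to an OU.
# The policy name, OU id and region list are placeholders.
set -eu

# Print the SCP document. Statement 1 denies any S3 upload that does not request
# server-side encryption (the s3:x-amz-server-side-encryption key is absent, i.e. Null).
# Statement 2 denies API calls outside the approved regions while still allowing
# global services that have no region of their own.
scp_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }
    },
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [ "iam:*", "organizations:*", "route53:*", "sts:*", "support:*", "cloudfront:*" ],
      "Resource": "*",
      "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "us-east-1", "eu-west-1" ] } }
    }
  ]
}
EOF
}

# Checks to run before attaching: the document must contain only Deny statements
# (an SCP never grants access on its own; the FullAWSAccess allow lives at the root)
# and the encryption condition key must be present. Returns 0 when both hold.
scp_is_deny_only() {
  doc="$(scp_document)"
  ! printf '%s' "$doc" | grep -q '"Effect": *"Allow"' || return 1
  printf '%s' "$doc" | grep -q 's3:x-amz-server-side-encryption'
}

# Create the policy and attach it to OU $1. Needs credentials in the organization's
# management account (or a delegated administrator for Organizations).
apply_scp() {
  ou_id="$1"                         # placeholder form: ou-xxxx-xxxxxxxx
  scp_is_deny_only || { echo "refusing to attach: policy failed checks" >&2; return 1; }
  policy_file="$(mktemp)"
  scp_document > "$policy_file"
  policy_id="$(aws organizations create-policy --name "guardrails-s3-regions" \
      --description "Deny unencrypted S3 uploads and unapproved regions" \
      --type SERVICE_CONTROL_POLICY --content "file://$policy_file" \
      --query 'Policy.PolicySummary.Id' --output text)"
  rm -f "$policy_file"
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$ou_id"
}

if [ "${1:-}" = "--run" ]; then
  apply_scp "ou-EXAMPLE-PLACEHOLDER"
fi
```

Attach it to a sandbox OU first: the encryption statement denies any PutObject that omits the header, including clients that rely on a bucket's default encryption setting, so expect some uploads to start failing until those clients send `x-amz-server-side-encryption` explicitly.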
Create AWS Security Group using CLI:
IP=10.10.10.10
CIDR=32
AWS_GROUP="xxxx"   # the id suffix of the security group
AWS_SEC_GROUP=mycorp_mydiv_myproj_mydept_mychargecode_myversion
aws ec2 authorize-security-group-ingress --group-id "sg-$AWS_GROUP" \
   --ip-permissions "FromPort=10,ToPort=23,IpProtocol=tcp,IpRanges=[{CidrIp=$IP/$CIDR}]"
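An added example around the command above (not the author's script): validate the address, prefix length and port before they are interpolated into the `--ip-permissions` shorthand, and refuse the open-to-the-world `/0` prefix so a typo cannot open a port to the internet. The security group id in the guarded block is a placeholder; the address `10.10.10.10/32` is the one used above.

```shell
#!/bin/sh
# Added example, not the author's command: build and validate a single security-group
# ingress rule before handing it to the AWS CLI. The group id is a placeholder;
# only the guarded block at the bottom calls the real CLI.
set -eu

# Succeeds when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  old_ifs="$IFS"; IFS=.
  set -- $1                       # split on dots into the positional parameters
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the --ip-permissions shorthand for one TCP port from one IPv4 prefix.
# $1 = port, $2 = IPv4 address, $3 = prefix length. Rejects malformed input and,
# deliberately, prefix length 0 (0.0.0.0/0): opening a port to everyone should be a
# conscious, separately reviewed change rather than an accident.
ingress_rule() {
  port="$1"; ip="$2"; prefix="$3"
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
  case "$prefix" in ''|*[!0-9]*) echo "bad prefix length: $prefix" >&2; return 1 ;; esac
  [ "$prefix" -le 32 ] || { echo "bad prefix length: $prefix" >&2; return 1; }
  [ "$prefix" -ge 1 ] || { echo "refusing 0.0.0.0/0 ingress" >&2; return 1; }
  printf 'FromPort=%s,ToPort=%s,IpProtocol=tcp,IpRanges=[{CidrIp=%s/%s}]' \
      "$port" "$port" "$ip" "$prefix"
}

# Apply one rule to security group $1; $2..$4 are the port, address and prefix length.
authorize_ingress() {
  group_id="$1"; shift
  rule="$(ingress_rule "$@")" || return 1
  aws ec2 authorize-security-group-ingress --group-id "$group_id" --ip-permissions "$rule"
}

if [ "${1:-}" = "--run" ]; then
  authorize_ingress "sg-0123456789abcdef0" 22 10.10.10.10 32   # placeholder group id
fi
```

The validation is deliberately stricter than what the API accepts: the API will happily take `0.0.0.0/0`, which is exactly the rule Trusted Advisor's security checks later flag as unrestricted access.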
Hardening before creating AMI:
- Exclude SSH authorized keys
- Remove and disable passwords for all user accounts
- Securely delete all shell history and system log files containing sensitive data:
find /root /home -maxdepth 2 -type f -name '.*history' -exec shred -u {} \;
- Clear event logs
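The hardening list above as one rehearsable script, added here as an example and not the author's code. Every function takes a path prefix so the clean-up can be dry-run against a scratch directory before it is run as root on the instance with `--run`; the prefix, the `--run` flag and the choice of `shred` (with `rm -f` as the fallback where coreutils is absent) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the author's commands: rehearse the AMI clean-up steps above
# against a scratch directory, then run them for real on the instance with --run.
# The path-prefix argument exists only so the functions can be exercised safely.
set -eu

# Overwrite then unlink each file when coreutils shred is available; plain unlink
# otherwise (for example on an image without coreutils). Missing files are skipped.
secure_rm() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    if command -v shred >/dev/null 2>&1; then
      shred -u -- "$f"
    else
      rm -f -- "$f"
    fi
  done
}

# Scrub one home directory: SSH authorized keys (cloud-init re-provisions the key pair
# for the default user on first boot of a new instance) and every shell history file.
scrub_home() {
  home="$1"
  secure_rm "$home/.ssh/authorized_keys"
  for hist in "$home"/.*history; do     # .bash_history, .zsh_history, .sh_history ...
    secure_rm "$hist"
  done
}

# Scrub root's and every user's home under prefix $1 ("" for the live system,
# a scratch directory for a dry run).
scrub_all_homes() {
  prefix="${1:-}"
  scrub_home "$prefix/root"
  for home in "$prefix"/home/*; do
    [ -d "$home" ] && scrub_home "$home"
  done
  return 0
}

# Lock every password so only key-based login works; root only, live system only.
lock_all_passwords() {
  cut -d: -f1 /etc/passwd | while read -r user; do
    passwd -l "$user" >/dev/null 2>&1 || true
  done
}

if [ "${1:-}" = "--run" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  lock_all_passwords
  scrub_all_homes ""
  # Event logs may hold secrets pasted on command lines; shred everything under /var/log.
  find /var/log -type f -exec shred -u -- {} \; 2>/dev/null || true
fi
```

Run the real pass from a fresh non-interactive shell (for example via SSM Run Command or user data) so that the interactive shell you are typing in does not write its own history back to disk after the scrub.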
Amazon/AWS Products
AWS Firewall Manager
etc. to simplify WAF admin across accounts.
Security Hub
summarizes
Amazon Inspector for EC2
Runs weekly vulnerability assessments of AWS networks and hosts, based on templates, against targets.
- Install the agent on targets (instances) using a keypair:
ssh -i awsgm.pem ec2-user@ec2-12-345-456-444.compute-1.amazonaws.com
wget https://inspector-agent.amazonaws.com/linux/latest/install
sudo bash install
- Run using a service-linked role, collecting for an hour.
Findings by severity.
Generate report, which include “CIS Benchmarks”.
AWS Trusted Advisor
5 categories for AWS accounts:
- FREE Security (MFA, ports)
- FREE Service Limits (Auto Scaling)
- Cost optimization (upgrade)
- Performance
- Fault Tolerance
COURSE: Qwiklabs.com “Auditing Your Security with AWS Trusted Advisor”
AWS Organizations
Account management service to consolidate accounts.
Amazon Macie
VIDEO: Makes use of Machine Learning technology developed within Amazon to identify and classify PII (Personally Identifiable Information) in events and sessions involving critical assets (in S3), by content type, using regex.
Issue risk alerts by location.
AWS Config
Get Started: Settings, Rules, Review.
The type of rules that can be setup and how to automatically remediate non-compliant rules utilizing lambda
Recorder Snapshot of current configs.
Config items with history.
Config stream automatically updated (notifies SNS)
AWS Config logs
VPC Flow Logs
Setup:
- VPC
- Your VPCs
- Create Flow Log
- Filter All
- Destination Log Group
- IAM Role
- Security Rules
| Example value | Field | Description |
|---|---|---|
| 2 | version | Version of the log format |
| 123456789012 | account-id | AWS account |
| eni-081b2cff388ebbea33 | interface-id | Network interface id |
| 194.26.39.111 | srcaddr | Source (origin) IP address |
| 172.31.81.72 | dstaddr | Destination IP address |
| 8080 | srcport | Source (origin) port |
| 3398 | dstport | Destination port |
| 6 | protocol | IANA protocol number (6 = TCP) |
| 1 | packets | Packets |
| 40 | bytes | Bytes |
| 158251432 | start | Epoch start |
| 158251812 | end | Epoch end |
| REJECT | action | Action (ACCEPT or REJECT) |
| OK | log-status | Logging status (OK, NODATA or SKIPDATA) |
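The table above describes one record; what a practitioner actually wants is a way to ask a pile of them who is being rejected and on which ports. The following is an added example (not from the post) built on awk over records in the default format shown in the table. The five records are constructed for the example (the first reuses the table's values); the field positions used are 4 = srcaddr, 7 = dstport, 13 = action and 14 = log-status.

```shell
#!/bin/sh
# Added example, not from the post: summarise VPC Flow Log records in the default
# format shown in the table above. The records below are constructed for this
# example; the first one reuses the table's values.
set -eu

SAMPLE_FLOW_LOGS='2 123456789012 eni-081b2cff388ebbea33 194.26.39.111 172.31.81.72 8080 3398 6 1 40 1582514320 1582518120 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 194.26.39.111 172.31.81.72 53122 22 6 1 40 1582514321 1582518121 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 10.0.0.5 172.31.81.72 44021 443 6 20 8400 1582514322 1582518122 ACCEPT OK
2 123456789012 eni-081b2cff388ebbea33 198.51.100.7 172.31.81.72 40001 3389 6 1 40 1582514323 1582518123 REJECT OK
2 123456789012 eni-081b2cff388ebbea33 - - - - - - - 1582514324 1582518124 - NODATA'

# stdin: flow log records. stdout: "srcaddr count" for rejected flows, busiest first.
# NODATA and SKIPDATA records carry "-" in the address fields and are skipped via
# the log-status test, so they never pollute the counts.
reject_counts() {
  awk '$14 == "OK" && $13 == "REJECT" { n[$4]++ }
       END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# stdin: flow log records. stdout: distinct destination ports that source $1 was
# rejected on, ascending. Several low ports from one source is the classic scan signature.
rejected_ports_for() {
  awk -v src="$1" '$14 == "OK" && $13 == "REJECT" && $4 == src { p[$7] = 1 }
                    END { for (port in p) print port }' | sort -n
}

# stdin: flow log records. stdout: sources with at least $1 rejected flows, one per line.
# Remember that each record is already an aggregate over the capture window (up to
# 10 minutes by default), so even a small threshold represents sustained activity.
noisy_sources() {
  reject_counts | awk -v min="$1" '$2 >= min { print $1 }'
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_FLOW_LOGS" | reject_counts
  printf '%s\n' "$SAMPLE_FLOW_LOGS" | rejected_ports_for 194.26.39.111
  printf '%s\n' "$SAMPLE_FLOW_LOGS" | noisy_sources 2
fi
```

On real data the same functions read from the exported log group (`aws logs filter-log-events ... --output text` or an Athena query result) piped on stdin; the NODATA/SKIPDATA guard is the part most ad-hoc one-liners forget, and it is what keeps `-` from showing up as a source address in the report.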
Amazon GuardDuty
Identifies findings by using machine learning to analyze logs from:
- DNS logs (login attempts?)
- VPC flow logs (Network traffic)
- CloudTrail Event logs (API calls)
- CloudTrail Management Events
- CloudTrail S3 Data Events
Findings invoke CloudWatch Events EventBridge which send:
- Notifications to SNS
- Invocation of Lambda
Enable the 30-day trial. Use sample findings and Trusted IP Lists; add member accounts.
Amazon Detective
New in 2020, Amazon Detective enables an Org management Administrator to delegate a Detective Administrator account for the org. Administrator to invite members (even outside the org) to contribute data.
Detective provides visualizations (with Machine Learning and statistical analysis) to interactively explore and trace through time-based findings from GuardDuty:
- login attempts
- API calls (from CloudTrail)
- Network Traffic (VPC flows)
Detective is classified as a Security Investigation service.
Abuse Notice
https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/
Key Management
PDF: AWS Key Management Service Best Practices
KMS options:
- API commands (Encrypt, Decrypt, Recrypt)
- CMK – AWS created vs Imported
- How to enforce annual rotation of keys
difference between CloudTrail vs Cloudwatch
SSL communication from on-premise to ec2 including how legacy applications communicate when changing from an ELB to ALB.
S3 access
Bucket ACL’s but know the difference between an ACL and Policy Cross-Account Access (S3)
EC2
How to regain access to an EC2 or change the key pair if they’ve been compromised
How does AWS WAF and Shield work
When and why should you implement a proxy server
Network Access Control List (Stateless) vs Security Groups (SG’s are stateful)
AWS Organizations – including Service Control Policies and enforcements
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html
Cloudfront OAI communicate to S3
Think static website or content
AWS Athena and viewing VPC flow logs
Query the VPC flow logs
VPC flow logs – How can you automate or make sure VPC flow logs are enabled (Hint: AWS Config & Lambda)
Troubleshooting Why some instances are writing logs to Cloudwatch and others aren’t or they stopped after a period of time
Data in Transit
SSL for HTTPS
CloudFront
Only HTTP, not UDP protocol.
Read the intro to AWS Security Processes:
- Confidentiality (MFA)
- Integrity (Cert Manager, IAM, Bucket policies)
- Availability (Multi-AZ, Auto-scaling)
IAM Policies
Types of IAM policies:
- AWS managed policies
- Customer (administrator) managed policies
- Inline policies
S3 Bucket policies
https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS_Certified_Security_Specialty_Exam_Guide_v1.5.pdf Exam Blueprint
https://acloud.guru/course/aws-certified-developer-associate-june-2018/learn/9df1a869-ca43-95a9-4b47-70c611ac3cab/e6e9fcbf-7ff2-e9de-d3db-1404fd7adb5c/watch?backUrl=~2Fcourses&backUrl=%2Fcourses
https://aws.amazon.com/compliance/shared-responsibility-model/
AWS data centers: facilities, networking, hardware, software OS,
- infrastructure services (EC2, EBS, VPC),
- Container services (S3, MySQL RDS, EMR, Beanstalk),
- Abstracted services via APIs (SQS, SES, Glacier)
Controls: Visibility (AWS Config)
Auditability, Controllability (KMS, HSM FIPS-140-2 compliance dedicated hw), Agility (adapt to changes Cloud Formation, Elastic Beanstalk)
Automation (OpsWorks, CodeDeploy)
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_management_console_access.html https://github.com/coinbase/assume-role
Python
https://github.com/gene1wood/aws_assume_roles
Terraform
https://www.youtube.com/watch?v=1JAx2npuprk&list=PLtK75qxsQaMIHQOaDd0Zl_jOuu1m3vcWO&index=1
Summary
AWS Artifact is a no-cost self-service portal to AWS’ compliance reports such as SOC2.
Blog articles
- https://jayendrapatil.com/aws-certification-security-identity-services-cheat-sheet/ Cheat Sheet
- https://www.netenrich.com/2019/01/aws-certified-security-specialty-exam-tips/
- https://medium.com/@cbchhaya/aws-certified-security-specialty-scs-c01-4b8a62d3c680 suggests 4 months of preparation using a 4 account setup, and used attached as well as detached accounts with AWS Organizations.
Do you really know this stuff? Take the practice test for the AWS Certified Security – Specialty SCS-C01.
Social Twitter Feeds:
- @awscloud
- @awssecurityinfo
- @awsidentity
More on Security
This is one of a series on Security in DevSecOps:
- SOC2
- FedRAMP
- CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors
- Git Signing
- Hashicorp Vault
- WebGoat known insecure PHP app and vulnerability scanners
- AWS Security (certification exam)
- Cyber Security
- Security certifications