Monday, 21 March 2022

AWS Certificate Manager

  • A service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.
  • ACM is integrated with the following services:
    • Elastic Load Balancing
    • Amazon CloudFront – To use an ACM certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
    • AWS Elastic Beanstalk
    • Amazon API Gateway
    • AWS CloudFormation
  • AWS Certificate Manager manages the renewal process for the certificates managed in ACM and used with ACM-integrated services.
  • You can import your own certificates into ACM, however you have to renew these yourself.

Concepts

    • ACM Certificates are X.509 version 3 certificates. Each is valid for 13 months.
    • When you request an ACM certificate, you must validate that you own or control all of the domains that you specify in your request.
    • Each ACM Certificate must include at least one fully qualified domain name (FQDN). You can add additional names if you want to.
    • You can create an ACM Certificate containing a wildcard name (*.example.com) that can protect several sites in the same domain (subdomains).
    • You cannot download the private key for an ACM Certificate.
    • The first time you request or import a certificate in an AWS region, ACM creates an AWS-managed customer master key (CMK) in AWS KMS with the alias aws/acm. This CMK is unique in each AWS account and each AWS region. ACM uses this CMK to encrypt the certificate’s private key.
    • You cannot add or remove domain names from an existing ACM Certificate. Instead you must request a new certificate with the revised list of domain names.
    • You cannot delete an ACM Certificate that is being used by another AWS service. To delete a certificate that is in use, you must first remove the certificate association.
    • Applications and browsers trust public certificates automatically by default, whereas an administrator must explicitly configure applications to trust private certificates.

Types of Certificates For Use With ACM

    • Public certificates 
      • ACM manages the renewal and deployment of public certificates used with ACM-integrated services.
      • You cannot install public ACM certificates directly on your website or application, only for integrated services.
    • Private certificates
      • ACM Private CA provides three ways to create and manage private certificates:
        • Delegate private certificate management to ACM. When used in this way, ACM can automatically renew and deploy private certificates used with ACM-integrated services.
        • Export private certificates from ACM and use them with EC2 instances, containers, on-premises servers, and IoT devices. ACM Private CA automatically renews these certificates and sends an Amazon CloudWatch notification when the renewal is completed. You can write client-side code to download the renewed certificates and private keys and deploy them with your application.
        • Create your own private keys, generate a certificate signing request (CSR), issue private certificates from your ACM Private CA, and manage the keys and certificates yourself. You are responsible for renewing and deploying these private certificates.
    • Imported certificates
      • If you want to use a third-party certificate with ACM integrated services, you may import it into ACM using the AWS Management Console, AWS CLI, or ACM APIs. ACM does not manage the renewal process for imported certificates. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can use the AWS Management Console to monitor the expiration dates of imported certificates and import a new third-party certificate to replace an expiring one.
    • CA certificates
      • ACM private CA can issue certificates to identify private certificate authorities. These certificates allow CA administrators to create a private CA hierarchy, which provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower in the chain.

ACM Private Certificate Authority

    • ACM PCA allows you to create a private certificate authority (CA) and then use ACM to issue private certificates.
    • With ACM Private CA, you can create complete CA hierarchies, including root and subordinate CAs. A CA hierarchy provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower in the chain.
    • A private CA handles the issuance, validation, and revocation of private certificates within a private network. It consists of two major components: the first is the CA certificate, a cryptographic building block upon which certificates can be issued; the second is a set of run-time services for maintaining revocation information through the Certificate Revocation List (CRL).
    • Benefits of a Private CA
      • Create certificates with any subject name you want.
      • Create certificates with any expiration date you want.
      • Use any supported private key algorithm and key length.
      • Use any supported signing algorithm.
      • Configure certificates in bulk using templates.
    • Automatic renewal is not available for ACM Private CA certificates for which ACM does not create the private key and certificate signing request (CSR).
    • You cannot copy private CAs between Regions. To use private CAs in more than one Region, you must create your CAs in those Regions.

Domain Verification for Certificates

    • Before the Amazon certificate authority can issue a certificate for your site, AWS Certificate Manager must verify that you own or control all of the domain names that you specified in your request. You can choose either email validation or DNS validation when you request a certificate.
    • For DNS validation, ACM uses CNAME (Canonical Name) records to validate that you own or control a domain.
    • In the DNS validation console page, ACM will provide you a CNAME record that you must add to your DNS database, whether it be Route 53 or other hosts.
    • For email validation, ACM sends email to the 3 contact addresses listed in WHOIS and to 5 common system addresses for each domain that you specify. To validate it, one of the recipients must click on the approval link.
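To automate the DNS validation step described above, an added example (not AWS's or this page's own code) that takes the DescribeCertificate response shape ACM returns and builds the Route 53 change batches for the validation CNAMEs; the certificate response, hosted zone ids and record values are constructed, and the boto3 calls are left as comments so it runs offline:

```python
"""Turn ACM's DNS validation records into Route 53 changes.

Added example, not AWS code. It consumes the dict shape that ACM's
DescribeCertificate API returns (Certificate.DomainValidationOptions[]
.ResourceRecord) and groups the CNAME records into Route 53 ChangeBatch
dicts, one per hosted zone. The boto3 calls that would fetch and submit
the data are shown in comments only.
"""
from typing import Any

# Constructed sample in the shape of acm.describe_certificate()["Certificate"];
# the ARN, record names and values are invented.
SAMPLE_CERTIFICATE = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com", "api.example.org"],
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_def456.acm-validations.aws."}},
        # The apex name and its wildcard share one validation record, so ACM
        # reports the same CNAME twice.
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_def456.acm-validations.aws."}},
        {"DomainName": "api.example.org", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_789xyz.api.example.org.", "Type": "CNAME",
                            "Value": "_uvw012.acm-validations.aws."}},
    ],
}


def validation_records(certificate: dict[str, Any]) -> list[dict[str, str]]:
    """Return the distinct CNAME records ACM wants published, in request order."""
    seen: set[tuple[str, str]] = set()
    records: list[dict[str, str]] = []
    for option in certificate.get("DomainValidationOptions", []):
        if option.get("ValidationMethod") != "DNS":
            continue  # e-mail validation has no DNS record to publish
        record = option.get("ResourceRecord")
        if record is None:
            # ACM fills ResourceRecord shortly after the request; poll and retry.
            raise ValueError(f"no validation record yet for {option['DomainName']}")
        key = (record["Name"].lower(), record["Value"].lower())
        if key not in seen:
            seen.add(key)
            records.append(record)
    return records


def hosted_zone_for(record_name: str, zones: dict[str, str]) -> str:
    """Pick the most specific hosted zone (zone name -> zone id) for a record name."""
    labels = record_name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return zones[candidate]
    raise LookupError(f"no hosted zone covers {record_name}")


def route53_change_batches(certificate: dict[str, Any], zones: dict[str, str],
                           ttl: int = 300) -> dict[str, dict[str, Any]]:
    """Group the validation CNAMEs by hosted zone into Route 53 ChangeBatch dicts."""
    batches: dict[str, dict[str, Any]] = {}
    for record in validation_records(certificate):
        zone_id = hosted_zone_for(record["Name"], zones)
        batch = batches.setdefault(zone_id, {"Comment": "ACM DNS validation", "Changes": []})
        batch["Changes"].append({
            # UPSERT is idempotent, so re-running while the status is still
            # PENDING_VALIDATION is safe. Leave the record in place afterwards:
            # ACM validates against it again when it renews the certificate.
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record["Name"],
                "Type": record["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": record["Value"]}],
            },
        })
    return batches


if __name__ == "__main__":
    # Hosted zone ids are constructed placeholders.
    zones = {"example.com.": "Z0EXAMPLECOM", "example.org.": "Z0EXAMPLEORG"}
    # Live use: certificate = boto3.client("acm").describe_certificate(
    #     CertificateArn=arn)["Certificate"]
    for zone_id, batch in route53_change_batches(SAMPLE_CERTIFICATE, zones).items():
        print(zone_id, [c["ResourceRecordSet"]["Name"] for c in batch["Changes"]])
        # boto3.client("route53").change_resource_record_sets(
        #     HostedZoneId=zone_id, ChangeBatch=batch)
```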

Pricing

    • There is no additional charge for provisioning public or private SSL/TLS certificates you use with ACM-integrated services, such as Elastic Load Balancing and API Gateway.
    • You are billed for each active ACM Private CA per month, pro-rated.
    • For private certificates, ACM Private CA allows you to pay monthly for the service and certificates you create. You pay less per certificate as you create more private certificates.

AWS Artifact

  • A self-service central repository of AWS’ security and compliance reports and select online agreements.
  • An audit artifact is a piece of evidence that demonstrates that an organization is following a documented process or meeting a specific requirement, i.e., that it is compliant.
  • AWS Artifact Reports include the following:
    • ISO,
    • Service Organization Control (SOC) reports, 
    • Payment Card Industry (PCI) reports, 
    • and certifications that validate the implementation and operating effectiveness of AWS security controls.

  • AWS Artifact Agreements include:
    • the Nondisclosure Agreement (NDA) 
    • the Business Associate Addendum (BAA), which typically is required for companies that are subject to the HIPAA Act to ensure that protected health information (PHI) is appropriately safeguarded.

  • All AWS Accounts with AWS Artifact IAM permissions have access to AWS Artifact. Root users and IAM users with admin permissions can download all audit artifacts available to their account by agreeing to the associated terms and conditions. You will need to grant IAM users with non-admin permissions access to AWS Artifact.
  • To use organization agreements in AWS Artifact, your organization must be enabled for all features.
  • AWS Artifact Agreements
    • AWS Artifact Account Agreements apply only to the individual account you used to sign into AWS.
    • AWS Artifact Organization Agreements apply to all accounts in an organization created through AWS Organizations, including the organization’s management account and all member accounts. Only the management account in an organization can accept agreements in AWS Artifact Organization Agreements.
    • Management accounts and member accounts of an Organization can have AWS Artifact Account Agreements and AWS Artifact Organization Agreements of the same type in place at the same time.
    • If you have accounts in separate organizations that you want covered by an agreement, you must log in to each organization’s management account and accept the relevant agreements through AWS Artifact Organization Agreements.
    • Terminating the organization agreement does not terminate the account agreement.
    • When a member account is removed from an organization (e.g. by leaving the organization, or by being removed from the organization by the management account), any organization agreements accepted on its behalf will no longer apply to that member account.
  • Business Associate Addendum (BAA)
    • You can accept the AWS BAA for your individual account, or if you are a management account in an organization, you can accept the AWS BAA on behalf of all accounts in your organization.
    • Upon accepting the AWS BAA in AWS Artifact Agreements, you will instantly designate your AWS account(s) for use in connection with protected health information (PHI) and HIPAA.
    • If you terminate an online BAA under the Account agreements tab in AWS Artifact, the account you used to sign into AWS will immediately cease to be a HIPAA Account, unless it was also covered by an organization BAA.
    • If you are a user of a management account and terminate an online BAA in AWS Artifact, all accounts within your organization will immediately be removed as HIPAA Accounts, unless they were covered by individual account BAAs.
    • If you have both an account BAA and an organization BAA in place at the same time, the terms of the organization BAA will apply instead of the terms of the account BAA.
  • AWS Australian Notifiable Data Breach Addendum (ANDB Addendum)
    • Using the management account of your organization you can use the Organization agreements tab in AWS Artifact Agreements to accept an ANDB Addendum on behalf of all existing and future member accounts in your organization. 
    • When both the account ANDB Addendum and organizations ANDB Addendum are accepted, the organizations ANDB Addendum will apply instead of the account ANDB Addendum.
    • If you terminate an account ANDB Addendum under the Account agreements tab in AWS Artifact, the AWS account you used to sign into AWS Artifact will not be covered by an ANDB Addendum with AWS, unless it is also covered by an organizations ANDB Addendum.
    • If you are a user of a management account and terminate an organizations ANDB Addendum within the Organization agreements tab in AWS Artifact, the AWS accounts in that AWS organization will not be covered by an ANDB Addendum with AWS, unless they are covered by an account ANDB Addendum.
  • Most errors you receive from AWS Artifact can be resolved by adding the necessary IAM permissions.

Amazon Macie

  • A security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
  • Amazon Macie allows you to achieve the following:
    • Identify and protect various data types, including PII, PHI, regulatory documents, API keys, and secret keys
    • Verify compliance with automated logs that allow for instant auditing
    • Identify changes to policies and access control lists
    • Observe changes in user behavior and receive actionable alerts
    • Receive notifications when data and account credentials leave protected zones
    • Detect when large quantities of business-critical documents are shared internally and externally

Concepts

    • An Alert is a notification about a potential security issue that Macie discovers. Alerts appear on the Macie console and provide a comprehensive narrative about all activity that occurred over the last 24 hours.
      • Basic alerts – Alerts that are generated by the security checks that Macie performs. There are two types of basic alerts in Macie:
        • Managed (curated by Macie) basic alerts that you can’t modify. You can only enable or disable the existing managed basic alerts.
        • Custom basic alerts that you can create and modify to your exact specifications.
      • Predictive alerts – Automatic alerts based on activity in your AWS infrastructure that deviates from the established normal activity baseline. More specifically, Macie continuously monitors IAM user and role activity in your AWS infrastructure and builds a model of the normal behavior. It then looks for deviations from that normal baseline, and when it detects such activity, it generates automatic predictive alerts.
    • Data source is the origin or location of a set of data. 
      • AWS CloudTrail event logs and errors, including Amazon S3 object-level API activity. You can’t modify existing or add new CloudTrail events to the list that Macie manages. You can enable or disable the supported CloudTrail events, thus instructing Macie to either include or exclude them in its data security process.
      • Amazon S3 objects. You can integrate Macie with your S3 buckets and/or specify S3 prefixes.
    • A User, in the context of Macie, is the AWS Identity and Access Management (IAM) identity that makes the request.
  • There are certain file formats that Macie does not support, such as wav files.
  • Once Macie begins monitoring your data, it uses several automatic content classification methods to identify and prioritize your sensitive and critical data and to accurately assign business value to your data. Each classification has a designated risk level between 1 and 10, with 10 being the highest risk and 1 being the lowest. These methods include:
    • Content Type Classification – Macie uses an identifier that is embedded in the file header of your data objects. Macie can assign only one content type to an object. You can’t modify existing or add new content types. You can only enable or disable any existing content types, thus enabling or disabling Macie to assign them to your objects during the classification process.
    • File Extension Classification – Macie offers a set of managed file extensions. Macie can assign only one file extension to an object. You can’t modify existing or add new file extensions. You can enable or disable any existing file extensions, thus enabling or disabling Macie to assign them to your objects during the classification process.
    • Theme Classification – Object classification by theme is based on keywords that Macie searches for as it examines the contents of data objects. Macie can assign one or more themes to an object. You can’t modify existing or add new themes. You can enable or disable any existing themes, thus enabling or disabling Macie to assign them to your objects during the classification process.
    • Regex Classification – Macie offers a set of managed regexes. Object classification by regex is based on specific data or data patterns that Macie searches for as it examines the contents of data objects. Macie can assign one or more regexes to an object. You can’t modify existing or add new regexes. You can enable or disable any existing regexes, thus enabling or disabling Macie to assign them to your objects during the classification process.
    • PII Classification – Object classification by personally identifiable information (PII) is based on recognizing any personally identifiable artifacts based on industry standards such as NIST SP 800-122 and FIPS 199.
    • Support Vector Machine–Based Classifier – It classifies content inside your S3 objects (text, token n-grams, and character n-grams) that Macie monitors and their metadata features (document length, extension, encoding, headers) to accurately classify documents based on content.
  • You can use the Research tab in the Macie console to construct and run queries in the query parser and conduct in-depth investigative research of your data and activity that Macie monitors.
  • If you disable Macie, the following actions occur:
    • It no longer has access to the resources in the management account and all member accounts. You must add member accounts again if you decide to reenable Macie.
    • It stops processing the resources in the management account and all member accounts. After Macie is disabled, the metadata that Macie collected while monitoring the data in your management and member accounts is deleted. Within 90 days from disabling Macie, all of this metadata is expired from the Macie system backups.
  • Other Additional Features
    • You can scan Amazon S3 buckets across multiple AWS accounts, and perform scoping of scans by object prefix.
    • An estimation of the costs of these job runs is sent to you for review before you run them.
    • Once a job is submitted, findings are generated in the Amazon Macie console and sent out through Amazon EventBridge where sensitive data location information is included in the findings. This allows for identification of sensitive data within objects using detail such as line numbers, page numbers, record index, or column and row numbers.

Amazon Inspector

  • An automated security assessment service that helps you test the network accessibility of your EC2 instances and the security state of your applications running on the instances.
  • Inspector uses IAM service-linked roles.

Features

  • Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and its dependent components. The combination of this telemetry provides a complete picture of the assessment target and its potential security or compliance issues.
  • Inspector incorporates a built-in library of rules and reports. These include checks against best practices, common compliance standards and vulnerabilities.
  • Automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems.
  • Inspector is an API-driven service that uses an optional agent, making it easy to deploy, manage, and automate.

Concepts

  • Inspector Agent – A software agent that you can install on all EC2 instances that are included in the assessment target, the security of which you want to evaluate with Inspector.
  • Assessment run – The process of discovering potential security issues through the analysis of your assessment target’s configuration and behavior against specified rules packages.
  • Assessment target – A collection of AWS resources that work together as a unit to help you accomplish your business goals. Inspector assessment targets can consist only of EC2 instances.
  • Assessment template – A configuration that is used during your assessment run, which includes
    • Rules packages against which you want Inspector to evaluate your assessment target,
    • The duration of the assessment run,
    • Amazon SNS topics to which you want Inspector to send notifications about assessment run states and findings,
    • Inspector-specific attributes (key-value pairs) that you can assign to findings generated by the assessment run that uses this assessment template.
    • After you create an assessment template, you can’t modify it.
  • Finding – A potential security issue discovered during the assessment run of the specified target.
  • Rule – A security check performed during an assessment run. When a rule detects a potential security issue, Inspector generates a finding that describes the issue.
  • Rules package – A collection of rules that corresponds to a security goal that you might have.
  • Telemetry – EC2 instance data collected by Inspector during an assessment run and passed to the Inspector service for analysis.
  • The telemetry data generated by the Inspector Agent during assessment runs is formatted in JSON files and delivered in near-real-time over TLS to Inspector, where it is encrypted with a per-assessment-run, ephemeral KMS-derived key and securely stored in an S3 bucket dedicated for the service.

Rules Packages and Rules

  • Inspector compares the behavior and the security configuration of the assessment targets to selected security rules packages.
  • Rules are grouped together into distinct rules packages either by category, severity, or pricing.
  • Each rule has an assigned severity level
    • High, Medium, and Low levels all indicate a security issue that can result in compromised information confidentiality, integrity, and availability within your assessment target.
    • The Informational level simply highlights a security configuration detail of your assessment target.
  • The findings generated by rules in the Network Reachability package show whether your ports are reachable from the internet through an internet gateway, a VPC peering connection, or a VPN through a virtual gateway. These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on.

Assessment Reports

  • A document that details what is tested in the assessment run, and the results of the assessment.
  • You can view the following types of assessment reports:
    • Findings report – this report contains the following information:
      • Executive summary of the assessment
      • EC2 instances evaluated during the assessment run
      • Rules packages included in the assessment run
      • Detailed information about each finding, including all EC2 instances that had the finding
    • Full report – this report contains all the information that is included in a findings report, and additionally provides the list of rules that passed on all instances in the assessment target.

Pricing

  • Pricing is based on two dimensions:
    • The number of EC2 instances included in each assessment
    • The type(s) of rules package you select: host assessment rules packages and/or the network reachability rules package

Amazon GuardDuty

  • An intelligent threat detection service. It analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).

How It Works

  • GuardDuty is a regional service.
  • Threat detection categories
    • Reconnaissance — Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.
    • Instance compromise — Activity indicating an instance compromise, such as cryptocurrency mining, backdoor command and control activity, malware using domain generation algorithms, outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
    • Account compromise — Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.

  • Amazon GuardDuty provides three severity levels (Low, Medium, and High) to allow you to prioritize response to potential threats.
  • CloudTrail Event Source
    • GuardDuty analyzes CloudTrail management events and S3 data events. (Read about types of CloudTrail trails for more information.)
    • GuardDuty processes all CloudTrail events that come into a region, including global events that CloudTrail sends to all regions, such as AWS IAM, AWS STS, Amazon CloudFront, and Route 53.
  • VPC Flow Logs Event Source
    • VPC Flow Logs capture information about the IP traffic going to and from Amazon EC2 network interfaces in your VPC.
  • DNS Logs Event Source
    • If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. Using other DNS resolvers will not provide GuardDuty access to its DNS logs.
  • GuardDuty vs Macie
    • Amazon GuardDuty provides broad protection of your AWS accounts, workloads, and data by helping to identify threats such as attacker reconnaissance, instance compromise, and account compromise. Amazon Macie helps you protect your data in Amazon S3 by helping you classify what data you have, the value that data has to the business, and the behavior associated with access to that data.

GuardDuty Findings

    • GuardDuty generates findings when it detects unexpected and potentially malicious activity in your AWS environment. These are viewable via Console, GuardDuty CLI or API operations.
    • A Finding’s summary includes:
      • Finding type – a concise yet readable description of the potential security issue.
      • Severity – a finding’s assigned severity level of either High, Medium, or Low.
      • Region – the AWS region in which the finding was generated.
      • Count – the number of times GuardDuty generated the finding after you enabled GuardDuty in your AWS account.
      • Account ID – the ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
      • Resource ID – the ID of the AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
      • Threat list name – the name of the threat list that includes the IP address or the domain name involved in the activity that prompted GuardDuty to generate the finding.
      • Last seen – the time (your local timezone if checked through console, and UTC if checked through CLI or API) at which the activity took place that prompted GuardDuty to generate this finding.
    • A finding’s Resource affected section includes:
      • Resource role – a value that usually is set to Target because the affected resource can be a potential target of an attack.
      • Resource type – the type of the affected resource. This value is either AccessKey or Instance.
      • Instance ID – the ID of the EC2 instance involved in the activity that prompted GuardDuty to generate the finding.
      • Port – the port number for the connection used during the activity that prompted GuardDuty to generate the finding.
      • Access key ID – access key ID of the user engaged in the activity that prompted GuardDuty to generate the finding.
      • Principal ID – the principal ID of the user engaged in the activity that prompted GuardDuty to generate the finding.
      • User type – the type of user engaged in the activity that prompted GuardDuty to generate the finding.
      • User name – The name of the user engaged in the activity that prompted GuardDuty to generate the finding.
    • A finding’s Action section includes:
      • Action type – the finding activity type. This value can be one of the following: NETWORK_CONNECTION, AWS_API_CALL, PORT_PROBE, or DNS_REQUEST.
      • API – the name of the API operation that was invoked and thus prompted GuardDuty to generate this finding.
      • Service name – the name of the AWS service (GuardDuty) that generated the finding.
      • Connection direction – the network connection direction observed in the activity that prompted GuardDuty to generate the finding. The values can be INBOUND, OUTBOUND, and UNKNOWN.
      • Protocol – the network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
    • A finding’s Actor section includes:
      • Location – location information of the IP address involved in the activity that prompted GuardDuty to generate the finding.
      • Organization – ISP organization information of the IP address involved in the activity that prompted GuardDuty to generate the finding.
      • IP address – the IP address involved in the activity that prompted GuardDuty to generate the finding.
      • Port – the port number involved in the activity that prompted GuardDuty to generate the finding.
      • Domain – the domain involved in the activity that prompted GuardDuty to generate the finding.
    • A finding’s Details section includes:
      • ThreatPurpose – describes the primary purpose of a threat or a potential attack. Can have the following values:
        • Backdoor – this value indicates that the attack has compromised an AWS resource and is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.
        • Behavior – this value indicates that GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.
        • Cryptocurrency – this value indicates that GuardDuty is detecting software that is associated with cryptocurrencies.
        • Pentest – sometimes owners of AWS resources or their authorized representatives intentionally run tests against AWS applications to find vulnerabilities, like open security groups or access keys that are overly permissive. These pen tests are done in an attempt to identify and lock down vulnerable resources before they are discovered by attackers.
        • Persistence – this value indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. Such as a principal has no prior history of updating network configuration settings, or updating policies or permissions attached to AWS users or resources.
        • Policy – this value indicates that your AWS account is exhibiting behavior that goes against recommended security best practices.
        • PrivilegeEscalation – this value informs you that a specific principal in your AWS environment is exhibiting behavior that can be indicative of a privilege escalation attack.
        • Recon – this value indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.
        • ResourceConsumption – this value indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. Such as a principal has no prior history of launching EC2 instances.
        • Stealth – this value indicates that an attack is actively trying to hide its actions and its tracks.
        • Trojan – this value indicates that an attack is using Trojan programs that silently carry out malicious activity. Sometimes this software takes on an appearance of a legitimate program. Sometimes users accidentally run this software. Other times this software might run automatically by exploiting a vulnerability.
        • UnauthorizedAccess – this value indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual.
      • ResourceTypeAffected – describes which AWS resource is identified in this finding as the potential target of an attack, for example an EC2 instance or an IAM principal (and its credentials); newer GuardDuty protection plans add further resource types such as S3 buckets.
      • ThreatFamilyName – describes the overall threat or potential malicious activity that GuardDuty is detecting.
      • ThreatFamilyVariant – describes the specific variant of the ThreatFamily that GuardDuty is detecting. Attackers often slightly modify the functionality of the attack, thus creating new variants.
      • Artifact – describes a specific resource that is owned by a tool that is used in the attack.
    • You can create filters for your GuardDuty findings.
      • A suppression rule is a filter used to automatically archive new findings. After you create a suppression rule, new findings that match the criteria defined in the rule are automatically archived. Suppressed findings are still generated and remain visible in the archived state, but they are not sent to EventBridge, so anything that alerts on GuardDuty events will never see them; scope rules narrowly (finding type plus a specific resource, tag or IP) rather than by finding type alone.
    • GuardDuty supports exporting active findings to Amazon EventBridge (formerly CloudWatch Events) and, optionally, to an Amazon S3 bucket. New Active findings that GuardDuty generates are automatically exported within about 5 minutes after the finding is generated.
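Putting the finding-type components and the suppression-rule filter together, here is an added Python example (not GuardDuty code or an AWS SDK). It parses finding-type strings into the parts listed above using GuardDuty's documented ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact scheme, then applies a suppression rule to four constructed findings shaped like the EventBridge/S3 export. The finding IDs, instance IDs, tags and the rule itself are made up for the example.

```python
"""Parse GuardDuty finding types and apply a suppression rule to sample findings."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Documented GuardDuty naming scheme:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName[.ThreatFamilyVariant][!Artifact]
_FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


@dataclass(frozen=True)
class FindingType:
    purpose: str             # Recon, UnauthorizedAccess, CryptoCurrency, ...
    resource: str            # EC2, IAMUser, ...
    family: str              # PortProbeUnprotectedPort, SSHBruteForce, ...
    variant: Optional[str]   # e.g. "B" or "Custom"; None when absent
    artifact: Optional[str]  # e.g. "DNS"; None when absent


def parse_finding_type(finding_type: str) -> FindingType:
    """Split a finding-type string into its components; raise on anything else."""
    match = _FINDING_TYPE_RE.match(finding_type)
    if match is None:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return FindingType(**match.groupdict())


def values_at(obj: Any, dotted_path: str) -> List[Any]:
    """Every value at a dotted path; lists along the way fan out, so
    'resource.instanceDetails.tags.value' yields the value of each tag."""
    current: List[Any] = [obj]
    for part in dotted_path.split("."):
        nxt: List[Any] = []
        for node in current:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        current = nxt
    flat: List[Any] = []
    for value in current:
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def rule_matches(finding: Dict[str, Any], criteria: Dict[str, Dict[str, List[str]]]) -> bool:
    """criteria maps a filter field (dotted path, as in the console) to {"eq": [...]}
    and/or {"neq": [...]}; all fields must match, so extra fields only narrow the rule."""
    for field, condition in criteria.items():
        found = {str(v) for v in values_at(finding, field)}
        if "eq" in condition and found.isdisjoint(condition["eq"]):
            return False
        if "neq" in condition and not found.isdisjoint(condition["neq"]):
            return False
    return True


def apply_suppression_rules(findings: List[Dict[str, Any]],
                            rules: List[Dict[str, Any]]) -> Tuple[List[str], List[str]]:
    """Return (active_ids, archived_ids): a finding matching any rule is archived."""
    active: List[str] = []
    archived: List[str] = []
    for finding in findings:
        hit = any(rule_matches(finding, rule["criteria"]) for rule in rules)
        (archived if hit else active).append(finding["id"])
    return active, archived


def _instance(instance_id: str, role_tag: str) -> Dict[str, Any]:
    return {"resourceType": "Instance",
            "instanceDetails": {"instanceId": instance_id, "tags": [{"key": "role", "value": role_tag}]}}


# Constructed findings, shaped like GuardDuty's EventBridge/S3 export (camelCase keys).
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": _instance("i-0aaaa1111honeypot", "honeypot")},
    {"id": "f-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": _instance("i-0bbbb2222prodweb0", "web")},
    {"id": "f-3", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
     "resource": _instance("i-0bbbb2222prodweb0", "web")},
    {"id": "f-4", "type": "Recon:IAMUser/MaliciousIPCaller.Custom", "severity": 5.0,
     "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "ci-deployer"}}},
]

# One narrowly scoped rule: port probes are expected on the honeypot, nowhere else.
SUPPRESSION_RULES = [
    {"name": "honeypot-port-probes",
     "criteria": {"type": {"eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
                  "resource.instanceDetails.tags.value": {"eq": ["honeypot"]}}},
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(finding["id"], parse_finding_type(finding["type"]))
    print("active/archived:", apply_suppression_rules(SAMPLE_FINDINGS, SUPPRESSION_RULES))
```

The rule is keyed on both the finding type and a resource tag; a rule on the type alone would also archive the probe against the production instance (f-2), which is the usual way suppression rules end up hiding real findings. The same criteria shape (dotted field name plus equals/not-equals lists) is what the console takes and what the CreateFilter API takes as FindingCriteria with Action set to ARCHIVE.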

Trusted IP Lists and Threat Lists

    • Trusted IP lists consist of IP addresses and CIDR ranges that you trust to communicate with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists, so keep these lists small and reviewed: an over-broad entry silences detections for any attacker who comes from that range.
    • At any given time, you can have only one uploaded trusted IP list per AWS account per region.
    • Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists.
    • At any given time, you can have up to six uploaded threat lists per AWS account per region.
    • In a multi-account configuration, only the GuardDuty administrator account can upload and manage these lists, and the lists it uploads apply to its member accounts.

Pricing

Pricing is based on the quantity of AWS CloudTrail Events analyzed (per 1,000,000 events) and the volume of Amazon VPC Flow Log and DNS Log data analyzed (per GB).

Amazon Detective


  • The service automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. 
  • Can be integrated with AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub as well as partner security products to identify potential security issues, or findings.
  • Amazon Detective can analyze trillions of events from multiple data sources such as VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. This allows you to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause of a security concern.
  • Amazon Detective’s prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues.
  • How It Works (the diagram from the original page is not reproduced here)

Concepts

    • Investigation – The process of performing triage on suspicious or interesting activity, determining the scope, getting to its underlying source or cause, and then determining how to proceed.
    • Behavior graph – A linked set of data generated from incoming source data that is associated with one or more AWS accounts. Each behavior graph uses the same structure of findings, entities, and relationships.
    • Management account – The AWS account that owns a behavior graph and that uses the behavior graph for investigation. The management account invites member accounts to contribute their data to the behavior graph. Management accounts can also view data usage for the behavior graph, and remove member accounts from the behavior graph.
    • Member account – An AWS account that a management account invited to contribute data to a behavior graph. Member accounts can respond to the behavior graph invitation and remove their account from the behavior graph. They have no other access to the behavior graph.
    • Finding – A security issue detected by Amazon GuardDuty.
    • Entity – An item extracted from the incoming data. Each entity has a type, which identifies the type of object it represents. Examples include IP addresses, Amazon EC2 instances, and AWS users.
      • For each entity, the source data is also used to populate entity properties. Property values can be extracted directly from source records or aggregated across multiple records.
    • Relationship – Activity that occurs between individual entities. Relationships are also extracted from the incoming source data.
      • Similar to an entity, a relationship has a type, which identifies the types of entities involved and the direction of the connection. An example of a relationship type is an IP address connecting to an Amazon EC2 instance.
    • Profile – For a finding or an entity, a single page that provides a collection of data visualizations plus supporting guidance.
      • For findings, profiles help analysts to determine whether the finding is of genuine concern or a false positive.
      • For entities, profiles provide supporting details for an investigation into a finding or for a general hunt for suspicious activity.
    • Scope time – The time window that is used to scope the data displayed on finding and entity profiles. The default scope time for a finding profile reflects the first and last times when the suspicious activity was observed. The default scope time for an entity profile is the previous 24 hours.
  • Amazon Detective needs to be enabled on a per region basis and enables you to quickly analyze activity across all your accounts within each region.
  • Amazon Detective is a multi-account service that aggregates data from monitored member accounts under a single management account within the same region. You can configure multi-account monitoring deployments in the same way that you configure management and member accounts in Amazon GuardDuty and AWS Security Hub.
    • If you cannot use the same management accounts across all of the services, then after you enable Detective, you can optionally create a cross-account role.
  • If you are using Amazon GuardDuty, Amazon Detective will automatically ingest and process two weeks of historical log data upon activation.
  • The management account for a behavior graph can disable Amazon Detective. When you disable Detective, the behavior graph and its associated Detective data are deleted. Deleted behavior graphs cannot be restored.
  • Amazon Detective can analyze IAM role sessions: it processes VPC Flow Logs and CloudTrail management events from across a customer’s enabled accounts and collates the activity performed under an IAM role into role sessions, which lets you visualize and understand the actions that users and applications have performed using the assumed roles.
  • Amazon Detective vs Amazon GuardDuty vs AWS Security Hub
    • Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. 
    • With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. 
    • Amazon Detective simplifies the process of investigating security findings and identifying the root cause.

Limits

    • You can maintain up to a year of aggregated findings for analysis

Common Use Cases

    • Triage security findings
    • Incident investigation
    • Hunting for hidden security threats

Amazon Cognito


  • A user management and authentication service that can be integrated into your web or mobile applications. Amazon Cognito also enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect, social identity providers (Facebook, Twitter, Amazon, Google, Apple), and you can also integrate your own identity provider.
  • The ID and access tokens issued by a user pool are JSON Web Tokens (JWTs) signed by the user pool, which publishes its public signing keys as a JWKS; a backend must verify the signature and the claims (issuer, audience, token_use, expiry) before trusting anything in the token.


How It Works

(The diagram from the original page is not reproduced here.)

User Pools

    • User pools are user directories that provide sign-up and sign-in options for your app users.
    • Users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP).
    • You can use the aliasing feature to let users sign up or sign in with an email address and a password, or a phone number and a password, instead of a username.
    • User pools are each created in one AWS Region, and they store the user profile data only in that region. You can also send user data to a different AWS Region.
    • Tokens provided through user pools:
      • ID tokens contain claims about the identity of the authenticated user (such as name, email, and phone number) and are meant for your application; they can be configured to expire in the same range as access tokens.
      • Access tokens contain scopes and groups and are used to grant access to authorized resources. Access tokens can be configured to expire in as little as five minutes or as long as 24 hours.
      • Refresh tokens contain the information necessary to obtain a new ID or access token. Refresh tokens can be configured to expire in as little as one hour or as long as ten years, and can be revoked with the RevokeToken API if a device or session is compromised.
    • A User Pool is like a directory of users.
    • Manage Users
      • After you create a user pool, you can create, confirm, and manage users accounts. 
      • User pool groups let you manage users and their access to resources by mapping IAM roles to groups.
      • User accounts are added to your user pool in one of the following ways:
        • The user signs up in your user pool’s client app, which can be a mobile or web app.
        • You can import the user’s account into your user pool.
        • You can create the user’s account in your user pool and invite the user to sign in.
      • Sign-up auth flow (the diagram from the original page is not reproduced here).

Identity Pools 

    • Use this feature if you want to federate users to your AWS services.
    • Identity pools enable you to grant your users temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB.
    • Identity pools support anonymous guest users, as well as the following identity providers:
        • Amazon Cognito user pools
        • Social sign-in with Facebook, Google, and Login with Amazon
        • OpenID Connect (OIDC) providers
        • SAML identity providers
        • Developer authenticated identities
    • To save user profile information, your identity pool needs to be integrated with a user pool.
    • Amazon Cognito Identity Pools can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider.
    • The permissions for each authenticated and non-authenticated user are controlled through IAM roles that you create.
    • Once you have an OpenID Connect token, you can trade it for temporary AWS credentials via the AssumeRoleWithWebIdentity API call in AWS Security Token Service (STS). This call is no different than if you were using Facebook, Google, or Login with Amazon directly, except that you are passing an Amazon Cognito token instead of a token from one of the other public providers. With the basic (classic) identity pool flow your app performs these steps itself (GetId, then GetOpenIdToken, then AssumeRoleWithWebIdentity); with the enhanced (simplified) flow, GetCredentialsForIdentity performs the exchange for you.

Common Use Cases

    • Enable your users to authenticate with a user pool.

    • After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources.

    • Access resources with API Gateway and Lambda with a User Pool. API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API.

    • After a successful user pool authentication, your app will receive user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services with an identity pool.

    • Enable your users access to AWS services through an identity pool. In exchange, the identity pool grants temporary AWS credentials that you can use to access other AWS services.

    • Grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication (from a user pool or an identity pool).
    • Amazon Cognito is also commonly used together with AWS Amplify, a framework for developing web and mobile applications with AWS services.
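The user pool tokens only control access to server-side resources if the server actually verifies them. The added Python example below (not Amazon Cognito's code or an AWS SDK) does what a backend must do with a user pool token: look the key up by kid in the pool's JWKS (published at https://cognito-idp.<region>.amazonaws.com/<user_pool_id>/.well-known/jwks.json, here passed in as a dict of the same shape), check the RS256 signature, and only then check iss, token_use, aud or client_id, and exp. The user pool ID, app client ID, claims and timestamps are constructed; the stdlib RSA with a 1024-bit key generated via `random` is a stand-in so the example runs offline, and a real service should use a maintained JWT library for the signature step.

```python
"""Verify a Cognito user-pool JWT: RS256 signature from the JWKS, then the claims (stdlib only)."""
import base64, hashlib, hmac, json, random, time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

class TokenError(Exception): pass

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _is_probable_prime(n: int, rounds: int = 20) -> bool:  # Miller-Rabin; n is a large odd number here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> tuple:
    """(n, e, d). Demo only: toy size and non-cryptographic `random`; Cognito's pool keys are 2048-bit."""
    e, primes = 65537, []
    while len(primes) < 2:  # top two bits set so n is exactly `bits` long
        c = random.getrandbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if (c - 1) % e and c not in primes and _is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    decoded = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(decoded, _emsa_pkcs1_v15(message, k))

def mint_token(header: dict, claims: dict, n: int, d: int) -> str:  # stand-in for the user pool issuing a token
    body = ".".join(b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    return body + "." + b64url_encode(rs256_sign(body.encode(), n, d))

def verify_cognito_token(token, *, region, user_pool_id, client_id, expected_use, jwks, now=None) -> dict:
    """Return the claims of a valid `expected_use` ('id' or 'access') token, else raise TokenError."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    kid = header.get("kid")
    if header.get("alg") != "RS256":  # also rejects alg=none and HS256 key confusion
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if kid and k.get("kid") == kid), None)
    if key is None:  # in production, re-fetch the JWKS once (key rotation) before failing
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), sig, n, e):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p64))  # nothing in the payload is trusted before this line
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise TokenError("issuer is not our user pool")
    if claims.get("token_use") != expected_use:
        raise TokenError("wrong token_use")
    if (claims.get("aud") if expected_use == "id" else claims.get("client_id")) != client_id:
        raise TokenError("issued to a different app client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims

def demo_material(now: float = 1647820800.0) -> dict:
    """Constructed pool, app client, key pair, JWKS and a fresh ID token (exp = now + 1 h)."""
    n, e, d = generate_rsa_key()
    region, pool, client, kid = "us-east-1", "us-east-1_EXAMPLE1", "1example23456789", "demo-kid-1"
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig", "n": enc(n), "e": enc(e)}]}
    header = {"kid": kid, "alg": "RS256"}
    claims = {"sub": "c0ffee00-0000-4000-8000-000000000001", "token_use": "id", "aud": client,
              "iss": f"https://cognito-idp.{region}.amazonaws.com/{pool}",
              "cognito:groups": ["admins"], "iat": int(now), "exp": int(now) + 3600}
    return {"n": n, "d": d, "jwks": jwks, "header": header, "claims": claims, "now": now,
            "region": region, "pool": pool, "client": client, "token": mint_token(header, claims, n, d)}
```

The order of checks matters: the alg and kid are read from the untrusted header only to select a verifier, the signature is checked before any claim is read, and the audience check differs by token type (ID tokens carry aud, access tokens carry client_id). Skipping the issuer check is the classic mistake, since a validly signed token from someone else's user pool would otherwise pass.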
  • Amazon Cognito Sync
    • Store and sync data across devices using Cognito Sync.
    • You can programmatically trigger the sync of data sets between client devices and the Amazon Cognito sync store by using the synchronize() method in the AWS Mobile SDK. The synchronize() method reads the latest version of the data available in the Amazon Cognito sync store and compares it to the local, cached copy. After comparison, the synchronize() method writes the latest updates as necessary to the local data store and the Amazon Cognito sync store.
    • The Amazon Cognito Sync store is a key/value pair store linked to an Amazon Cognito identity. There is no limit to the number of identities you can create in your identity pools and sync store.
    • Each user information store can have a maximum size of 20MB. Each data set within the user information store can contain up to 1MB of data. Within a data set you can have up to 1024 keys.
    • With Cognito Streams, you can push sync store data to a Kinesis stream in your AWS account.
  • Advanced Security Features
    • When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request.
    • Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator.
    • When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts a password change.
  • Integration with AWS Lambda
    • You can create an AWS Lambda function and then trigger that function during user pool operations such as user sign-up, confirmation, and sign-in (authentication) with a Lambda trigger.
    • Amazon Cognito invokes Lambda functions synchronously. When called, your Lambda function must respond within 5 seconds. If it does not, Amazon Cognito retries the call. After 3 unsuccessful attempts, the function times out. Because of the retries, a trigger should be idempotent and should not do slow work (such as calling out to a third party and waiting) on the request path.
    • You can also create Lambda functions that act as a backend to Cognito and serve custom auth challenges to users signing in, using the Define auth challenge, Create auth challenge, and Verify auth challenge response triggers.
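As an added example of such a backend (not AWS's or Amazon Cognito's code): the three custom-authentication triggers for an e-mail one-time-code challenge, written as Python Lambda handlers against the documented trigger contract (request.session, response.challengeName/issueTokens/failAuthentication, publicChallengeParameters/privateChallengeParameters, challengeAnswer, answerCorrect, and the triggerSource names). The attempt limit, the code-delivery placeholder, the sample user and the sign-in simulator that plays Cognito's part are constructed.

```python
"""Cognito custom-auth Lambda triggers (define / create / verify) for a one-time-code challenge."""
import hmac
import secrets

MAX_ATTEMPTS = 3  # constructed policy: the third wrong answer ends the sign-in


def define_auth_challenge(event: dict, context=None) -> dict:
    """Decide the next step from the challenge history Cognito passes in request.session."""
    session = event["request"]["session"]
    response = event["response"]
    last = session[-1] if session else None
    failed = sum(1 for s in session if s["challengeName"] == "CUSTOM_CHALLENGE" and not s["challengeResult"])
    if last and last["challengeName"] == "CUSTOM_CHALLENGE" and last["challengeResult"]:
        response.update(issueTokens=True, failAuthentication=False)
    elif failed >= MAX_ATTEMPTS:
        response.update(issueTokens=False, failAuthentication=True)
    else:
        response.update(challengeName="CUSTOM_CHALLENGE", issueTokens=False, failAuthentication=False)
    return event


def _mask(email: str) -> str:
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "your registered contact"


def create_auth_challenge(event: dict, context=None, code: str = None) -> dict:
    """Issue a 6-digit code. The answer goes only into privateChallengeParameters, which
    Cognito keeps server-side; publicChallengeParameters are returned to the client."""
    code = code or f"{secrets.randbelow(10 ** 6):06d}"
    email = event["request"].get("userAttributes", {}).get("email", "")
    # A real trigger delivers `code` here (SES/SNS); keep it fast, Cognito allows 5 s in total.
    event["response"]["publicChallengeParameters"] = {"hint": f"code sent to {_mask(email)}"}
    event["response"]["privateChallengeParameters"] = {"answer": code}
    event["response"]["challengeMetadata"] = "EMAIL-OTP"
    return event


def verify_auth_challenge_response(event: dict, context=None) -> dict:
    """Compare the client's answer with the private parameter in constant time."""
    expected = str(event["request"]["privateChallengeParameters"].get("answer", ""))
    given = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = bool(expected) and hmac.compare_digest(expected, given)
    return event


HANDLERS = {
    "DefineAuthChallenge_Authentication": define_auth_challenge,
    "CreateAuthChallenge_Authentication": create_auth_challenge,
    "VerifyAuthChallengeResponse_Authentication": verify_auth_challenge_response,
}


def lambda_handler(event: dict, context=None) -> dict:
    """Single entry point when one function is attached to all three triggers."""
    return HANDLERS[event["triggerSource"]](event, context)


def simulate_sign_in(attempts: list) -> str:
    """Constructed harness that plays Cognito's part: one round per attempt (True = correct code).
    Returns 'TOKENS', 'FAIL' or 'CHALLENGE' (still waiting for an answer)."""
    user, session = {"email": "user@example.com"}, []
    for correct in attempts + [None]:
        define = lambda_handler({"triggerSource": "DefineAuthChallenge_Authentication",
                                 "request": {"userAttributes": user, "session": list(session)}, "response": {}})
        if define["response"]["failAuthentication"]:
            return "FAIL"
        if define["response"]["issueTokens"]:
            return "TOKENS"
        if correct is None:
            return "CHALLENGE"
        create = lambda_handler({"triggerSource": "CreateAuthChallenge_Authentication",
                                 "request": {"userAttributes": user, "session": list(session)}, "response": {}})
        private = create["response"]["privateChallengeParameters"]
        answer = private["answer"] if correct else f"{(int(private['answer']) + 1) % 10 ** 6:06d}"
        verify = lambda_handler({"triggerSource": "VerifyAuthChallengeResponse_Authentication",
                                 "request": {"userAttributes": user, "privateChallengeParameters": private,
                                             "challengeAnswer": answer}, "response": {}})
        session.append({"challengeName": "CUSTOM_CHALLENGE", "challengeResult": verify["response"]["answerCorrect"],
                        "challengeMetadata": create["response"]["challengeMetadata"]})
    return "CHALLENGE"
```

Two details carry the security of the flow: the secret answer never appears in publicChallengeParameters, and the attempt limit lives in the define trigger (driven by the session history Cognito maintains), so a client cannot retry the verify step indefinitely.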