  • [AWS DA

    Security In The Cloud

    As adoption of cloud services has increased, so has the need for security in the cloud. Cloud security covers not only the data, but also the applications that access that data and the infrastructure (such as servers) those applications run on.

    The way security is delivered depends on the cloud provider you're using and the cloud security options they offer.

    Web Application Firewall

    AWS WAF (AWS Web Application Firewall) is a firewall for your web applications. WAF inspects the HTTP(S) requests sent to your application and can block those that match well-known attack patterns. Examples of what it detects and blocks:

    • SQL injection
    • Cross-site scripting (XSS)
    • Requests from specific IP addresses, countries, or with specific headers or URI paths (custom rules)
    • Other common web exploits covered by AWS Managed Rules

    Pro tips

    • You can configure CloudFront to present a custom error page when requests are blocked by WAF.
    • WAF can protect web sites not hosted in AWS by putting them behind a CloudFront distribution, since WAF attaches to the distribution rather than to the origin.

    AWS WAF is available under a composite dashboard, WAF & Shield, that combines the following three services:

    1. AWS WAF: It allows you to protect your web applications from common web exploits by monitoring and controlling the web requests coming to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer.
    2. AWS Shield: It provides continuous DDoS attack detection and automatic mitigations. AWS Shield offers two tiers of protection - Standard and Advanced.
    3. AWS Firewall Manager: It allows you to configure and manage firewall rules across accounts and applications centrally.

    Within AWS WAF service, you can create Web access control lists (web ACLs) to monitor HTTP(S) requests for AWS resources. You can protect the following types of resources:

    • CloudFront distributions
    • Regional resources (Application Load Balancer, API Gateway, AWS AppSync)

    While creating a web ACL, you add rules (for example, conditions on the originating IP address, country, URI path, or request body) that determine whether to allow, block, or only count each request. Rules are evaluated in priority order; an allow or block action ends evaluation, a count action only records the match, and a request that matches no terminating rule gets the web ACL's default action.
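    The evaluation order described above, as an added example that is not part of the original post and not AWS code: a toy model of a web ACL with three rules (an IP set block, a count-only rule on an admin path, and a crude SQL injection keyword check standing in for a managed rule), evaluated against constructed sample requests. The rule names, the TEST-NET address ranges and the requests are all invented for illustration.

```python
"""Toy model of AWS WAF web ACL evaluation (added example, not AWS code).

Modelled semantics:
  * rules are evaluated in ascending priority order
  * ALLOW / BLOCK are terminating actions
  * COUNT records the match and evaluation continues
  * if no terminating rule matches, the web ACL default action applies
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass
class Request:
    """Constructed sample request (hypothetical, not captured traffic)."""
    src_ip: str
    path: str
    query: str = ""


@dataclass
class Rule:
    name: str
    priority: int
    action: str                      # "ALLOW", "BLOCK" or "COUNT"
    matches: Callable[[Request], bool]


@dataclass
class WebAcl:
    default_action: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[str, str, List[str]]:
        """Return (final action, rule that decided it, names of COUNT rules that matched)."""
        counted: List[str] = []
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if not rule.matches(req):
                continue
            if rule.action == "COUNT":
                counted.append(rule.name)   # non-terminating: keep going
                continue
            return rule.action, rule.name, counted
        return self.default_action, "DEFAULT", counted


def ip_set_match(cidrs: List[str]) -> Callable[[Request], bool]:
    """Equivalent of an IP set reference statement."""
    nets = [ip_network(c) for c in cidrs]
    return lambda req: any(ip_address(req.src_ip) in n for n in nets)


def path_prefix_match(prefix: str) -> Callable[[Request], bool]:
    """Equivalent of a URI path 'starts with' byte match statement."""
    return lambda req: req.path.startswith(prefix)


def sqli_keyword_match() -> Callable[[Request], bool]:
    """Crude stand-in for a managed SQLi rule: flags a few classic tokens in the query string.
    A real rule group uses far more than keyword matching; this only illustrates the flow."""
    needles = ("' or ", "union select", "--")
    return lambda req: any(n in req.query.lower() for n in needles)


def build_acl() -> WebAcl:
    """Hypothetical web ACL; 203.0.113.0/24 is a documentation (TEST-NET-3) range."""
    return WebAcl(
        default_action="ALLOW",
        rules=[
            Rule("block-bad-ips", 0, "BLOCK", ip_set_match(["203.0.113.0/24"])),
            Rule("count-admin", 1, "COUNT", path_prefix_match("/admin")),
            Rule("block-sqli", 2, "BLOCK", sqli_keyword_match()),
        ],
    )


if __name__ == "__main__":
    acl = build_acl()
    for req in (
        Request("203.0.113.7", "/"),
        Request("198.51.100.5", "/admin/login"),
        Request("198.51.100.5", "/admin/q", "id=1' or 1=1 --"),
        Request("198.51.100.5", "/search", "q=shoes"),
    ):
        print(req.src_ip, req.path, "->", acl.evaluate(req))
```

    The point to notice is the third request: the count-only admin rule matches first but does not stop evaluation, so the later block rule still fires; switching a rule to COUNT is how you test a new rule in production without blocking anything.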

    Five-step process to create a web ACL

    AWS Shield

    AWS Shield is a managed DDoS (or Distributed Denial of Service) protection service that safeguards web applications running on AWS. AWS Shield offers two tiers of protection - Standard and Advanced.

    • Standard tier: AWS Shield Standard is what you get "out of the box". It is always on, applied automatically to all AWS customers, and costs nothing beyond the underlying services.
    • Advanced tier: If you want the more advanced features (such as the threat-event summary, cost protection against usage spikes caused by an attack, and access to the AWS DDoS response team), you have to subscribe to the paid tier.

    AWS Shield Standard is always on and uses network-level techniques to detect and mitigate the most common infrastructure (layer 3 and 4) DDoS attacks, such as SYN floods and UDP reflection attacks.


    If you want to view the threat-event summary for resources in your account, you will have to subscribe to the Shield Advanced. The summary will include statistics, such as total events, largest bit rate, largest packet rate, and the largest request rate.


    Identity & Access Management

    IAM User

    A user is an identity you create in IAM, with a name unique within your account, that is recognized by all AWS services when deciding whether to grant access to AWS resources. A user can represent a person, system, or application that requires access to AWS services. You can generate console login credentials and access keys for any user in your account. Policies attached to the user (directly, or through its groups) control the scope (permissions) of the user's access to AWS resources in your account.

    • Entity

    • Person or service
    • User name
    • Access credentials

    IAM Group

    A group collects IAM users with the same level of permissions to access AWS resources. You can attach or detach permissions to a group using access control policies. A group makes it easier to manage IAM users with the same level of permissions.

    • Collection of users
    • Permission for a collection of users
    • Easy to manage

    IAM Role

    A role is an IAM identity with a set of policies (permissions) to access AWS services, but no long-term credentials of its own. Instead of being assigned to someone, a role is assumed: an IAM user, a federated identity, or an AWS service such as EC2 (through an instance profile) assumes the role and receives temporary credentials carrying the role's permissions. Creating roles lets you delegate access with defined permissions without sharing long-term access keys.

    • Identity
    • Permissions
    • Set of privileges
    • Not owned by a user or group
    • Can be assumed by users, applications, and AWS services

    Difference between an IAM role and an IAM user

    An IAM user has permanent (long-term) credentials that can be used to interact with AWS services directly. In contrast, an IAM role has no long-term credentials of its own; it cannot make requests until an authorized entity assumes it, at which point AWS STS issues short-lived temporary credentials for the role. IAM roles are assumed by authorized entities, such as IAM users, applications, or other AWS services.

    Policy

    An access control policy is a JSON document that defines which resources it applies to, the level of access, and the allowed (or denied) actions. You can attach a policy to multiple users, groups, or roles to assign permissions to AWS resources.

    • Granular permission
    • Can be attached to Users, Groups, Roles

    See a sample IAM policy that allows full EC2 access within a specific AWS region. The `ec2:Region` key is an EC2-specific condition key; the global `aws:RequestedRegion` key can express the same region restriction for any service.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "ec2:*",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ec2:Region": "us-east-2"
                    }
                }
            }
        ]
    }

    How do I know if my custom policy grants the access permissions I intended?

    AWS offers a utility, the IAM policy simulator, where you can evaluate and validate the effect of your access control policies against a chosen action, resource, and request context before attaching them; the same check is available from the CLI via `aws iam simulate-custom-policy`.
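    To make the evaluation rules concrete, here is an added example (not AWS code and not the policy simulator itself) that applies the core identity-based policy evaluation logic to the sample policy above: start from an implicit deny, an explicit Deny in any matching statement wins, otherwise any matching Allow grants access. Action matching is case-insensitive with `*` and `?` wildcards, and conditions are checked against a caller-supplied request context, which is what the simulator's "context keys" field does. The second, deny-only policy and the request contexts are constructed for illustration; the toy ignores resource policies, SCPs, permission boundaries and session policies, which real evaluation also consults.

```python
"""Toy evaluator for identity-based IAM policies (added example, not AWS code)."""
import json
import re
from typing import Any, Dict, List, Optional

# The sample policy from the text: full EC2 access limited to us-east-2.
SAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ec2:Region": "us-east-2"}}
        }
    ]
}
""")

# Constructed second policy, to show that an explicit Deny beats an Allow.
DENY_TERMINATE = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
    ]
}
""")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = ".*".join(parts)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_ok(cond: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Evaluate the String* operators; a missing key fails positive operators."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            wanted = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(_wild(w, actual) for w in wanted):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def simulate(policies: List[Dict[str, Any]], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_wild(p, resource) for p in _as_list(stmt.get("Resource", []))):
                continue
            if not _condition_ok(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"          # deny always wins, regardless of order
            decision = "allowed"               # keep scanning: a later Deny can still override
    return decision


if __name__ == "__main__":
    east = {"ec2:Region": "us-east-2"}
    print(simulate([SAMPLE_POLICY], "ec2:RunInstances", "*", east))
    print(simulate([SAMPLE_POLICY], "ec2:RunInstances", "*", {"ec2:Region": "us-west-2"}))
    print(simulate([SAMPLE_POLICY, DENY_TERMINATE], "ec2:TerminateInstances", "*", east))
```

    Two things the run shows that the policy text alone does not: a request whose context lacks the `ec2:Region` key is implicitly denied even though the action matches, and adding the deny-only policy blocks `ec2:TerminateInstances` in us-east-2 even though `ec2:*` still allows it.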

    EC2 Security Group

    • NOT a part of IAM: it controls network traffic, not which identities may call AWS APIs
    • Attached to EC2 instances (more precisely, to their network interfaces) within a VPC
    • Built-in, stateful instance-level firewall with allow rules only; anything not explicitly allowed is denied

    Notes

    1. StackOverflow discussion - Difference between IAM role and IAM user in AWS
    2. In addition to IAM policies, AWS offers other types of policies, such as an S3 Bucket Policy, an SNS Topic Policy, a VPC Endpoint Policy, and an SQS Queue Policy. There is a helpful utility, AWS Policy Generator, that can generate any of the policies mentioned above.
    3. AWS IAM FAQs - must read.
  • Original source: https://www.cnblogs.com/Answer1215/p/14535283.html