Security Flashcards

1
Q

What happens in encryption in transit?

A
  • Data is encrypted before sending and decrypted after receiving
2
Q

Do TLS certificates help with HTTPS encryption?

A

Yes, TLS (Transport Layer Security) certificates are one of the main components that help ensure the security of HTTPS (Hypertext Transfer Protocol Secure) encryption between client and server.

3
Q

What is a MITM attack?

A

MITM (Man-in-the-middle) is a type of cyber attack in which an attacker intercepts the communication between two parties, impersonating one of the sides, in order to obtain confidential information or perform malicious actions.

4
Q

What is server-side encryption at rest?

A

A data encryption method used to protect data stored in a cloud service. In this method, the data is encrypted before being stored on disk, and only authorized people can access it.

5
Q

Why encryption?
Server-side encryption at rest

A
  • Data is encrypted after being received by the server
  • Data is decrypted before being sent
  • It is stored in an encrypted form thanks to a key (usually a data key)
  • The encryption / decryption keys must be managed somewhere, and the server must have access to it
6
Q

Encryption in flight (TLS / SSL)

A
  • Data is encrypted before sending and decrypted after receiving
  • TLS certificates help with encryption (HTTPS)
  • Encryption in flight ensures no MITM (man in the middle attack) can happen
7
Q

Server-side encryption at rest

A
  • Data is encrypted after being received by the server
  • Data is decrypted before being sent
  • It is stored in an encrypted form thanks to a key (usually a data key)
  • The encryption / decryption keys must be managed somewhere, and the server must have access to it
8
Q

Client-side encryption

A
  • Data is encrypted by the client and never decrypted by the server
  • Data will be decrypted by a receiving client
  • The server should not be able to decrypt the data
  • Could leverage Envelope Encryption
9
Q

S3 Encryption for Objects

A
  • There are 4 methods of encrypting objects in S3
  • SSE-S3: encrypts S3 objects using keys handled & managed by AWS
  • SSE-KMS: leverage AWS Key Management Service to manage encryption keys
  • SSE-C: when you want to manage your own encryption keys
  • Client Side Encryption
10
Q

SSE-S3

A
  • SSE-S3: encryption using keys handled & managed by Amazon S3
  • Object is encrypted server side
  • AES-256 encryption type
  • Must set header: "x-amz-server-side-encryption": "AES256"
11
Q

SSE-KMS

A
  • SSE-KMS: encryption using keys handled & managed by KMS
  • KMS Advantages: user control + audit trail
  • Object is encrypted server side
  • Must set header: "x-amz-server-side-encryption": "aws:kms"
12
Q

SSE-C

A
  • SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS
  • Amazon S3 does not store the encryption key you provide
  • HTTPS must be used
  • Encryption key must be provided in HTTP headers, for every HTTP request made
13
Q

Client Side Encryption S3

A
  • Client library such as the Amazon S3 Encryption Client
  • Clients must encrypt data themselves before sending to S3
  • Clients must decrypt data themselves when retrieving from S3
  • Customer fully manages the keys and encryption cycle
14
Q

Amazon S3 - Encryption in transit (SSL/TLS)

A
  • Amazon S3 exposes:
  • HTTP endpoint: non encrypted
  • HTTPS endpoint: encryption in flight
  • You’re free to use the endpoint you want, but HTTPS is recommended
  • Most clients would use the HTTPS endpoint by default
  • HTTPS is mandatory for SSE-C
  • Encryption in flight is also called SSL / TLS
15
Q

AWS KMS (Key Management Service)

A
  • Anytime you hear “encryption” for an AWS service, it’s most likely KMS
  • Easy way to control access to your data, AWS manages keys for us
  • Fully integrated with IAM for authorization
  • Seamlessly integrated into:
  • Amazon EBS: encrypt volumes
  • Amazon S3: Server side encryption of objects
  • Amazon Redshift: encryption of data
  • Amazon RDS: encryption of data
  • Amazon SSM: Parameter store
  • Etc…
  • But you can also use the CLI / SDK
16
Q

AWS KMS 101

A
  • Anytime you need to share sensitive information… use KMS
  • Database passwords
  • Credentials to external service
  • Private Key of SSL certificates
  • The value in KMS is that the CMK used to encrypt data can never be retrieved by the user, and the CMK can be rotated for extra security
  • Never ever store your secrets in plaintext, especially in your code!
  • Encrypted secrets can be stored in the code / environment variables
  • KMS can only help in encrypting up to 4KB of data per call
  • If data > 4 KB, use envelope encryption
  • To give access to KMS to someone:
  • Make sure the Key Policy allows the user
  • Make sure the IAM Policy allows the API calls
17
Q

AWS KMS (Key Management Service)

A
  • Able to fully manage the keys & policies:
  • Create
  • Rotation policies
  • Disable
  • Enable
  • Able to audit key usage (using CloudTrail)
  • Three types of Customer Master Keys (CMK):
  • AWS Managed Service Default CMK: free
  • User Keys created in KMS: $1 / month
  • User Keys imported (must be 256-bit symmetric key): $1 / month
  • Pay per API call to KMS ($0.03 / 10000 calls)
18
Q

How does KMS work?

A

API – Encrypt and Decrypt

19
Q

Encryption in AWS Services

A
  • Requires migration (through Snapshot / Backup):
  • EBS Volumes
  • RDS databases
  • ElastiCache
  • EFS network file system
  • In-place encryption:
  • S3
20
Q

KMS Automatic Key Rotation

A
  • For Customer-managed CMK (not AWS managed CMK)
  • If enabled: automatic key rotation happens every 1 year
  • Previous key is kept active so you can decrypt old data
  • New Key has the same CMK ID (only the backing key is changed)
21
Q

KMS Manual Key Rotation

A
  • When you want to rotate the key every 90 days, 180 days, etc…
  • New Key has a different CMK ID
  • Keep the previous key active so you can decrypt old data
  • Better to use aliases in this case (to hide the change of key for the application)
  • Good solution to rotate CMKs that are not eligible for automatic rotation (like asymmetric CMKs)
22
Q

KMS Alias Updating

A
  • Better to use aliases in this case (to hide the change of key for the application)
23
Q

CloudHSM

A
  • KMS => AWS manages the software for encryption
  • CloudHSM => AWS provisions encryption hardware
  • Dedicated Hardware (HSM = Hardware Security Module)
  • You manage your own encryption keys entirely (not AWS)
  • HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
  • CloudHSM clusters are spread across Multi AZ (HA) – must set up
  • Supports both symmetric and asymmetric encryption (SSL/TLS keys)
  • No free tier available
  • Must use the CloudHSM Client Software
  • Redshift supports CloudHSM for database encryption and key management
  • Good option to use with SSE-C encryption
24
Q

IAM permissions:

A
  • CRUD an HSM Cluster
  • CloudHSM Software:
  • Manage the Keys
  • Manage the Users
25
Q

Security - Kinesis Data Streams

A
  • Kinesis Data Streams
  • SSL endpoints using the HTTPS protocol to do encryption in flight
  • AWS KMS provides server-side encryption [Encryption at rest]
  • For client-side encryption, you must use your own encryption libraries
  • Supported Interface VPC Endpoints / Private Link – access privately
  • KCL – must get read / write access to DynamoDB table
26
Q

Security - Kinesis Data Firehose

A
  • Attach IAM roles so it can deliver to S3 / ES / Redshift / Splunk
  • Can encrypt the delivery stream with KMS [Server side encryption]
  • Supported Interface VPC Endpoints / Private Link – access privately
  • Kinesis Data Analytics
  • Attach IAM role so it can read from Kinesis Data Streams and reference sources and write to an output destination (example Kinesis Data Firehose)
27
Q

Security - SQS

A
  • Encryption in flight using the HTTPS endpoint
  • Server Side Encryption using KMS
  • IAM policy must allow usage of SQS
  • SQS queue access policy
  • Client-side encryption must be implemented manually
  • VPC Endpoint is provided through an Interface
28
Q

Security – AWS IoT

A
  • AWS IoT policies:
  • Attached to X.509 certificates or Cognito Identities
  • Able to revoke any device at any time
  • IoT Policies are JSON documents
  • Can be attached to groups instead of individual Things.
  • IAM Policies:
  • Attached to users, groups or roles
  • Used for controlling IoT AWS APIs
  • Attach roles to Rules Engine so they can perform their actions
29
Q

Security – Amazon S3

A
  • IAM policies
  • S3 bucket policies
  • Access Control Lists (ACLs)
  • Encryption in flight using HTTPS
  • Encryption at rest
  • Server-side encryption: SSE-S3, SSE-KMS, SSE-C
  • Client-side encryption – such as Amazon S3 Encryption Client
  • Versioning + MFA Delete
  • CORS for protecting websites
  • VPC Endpoint is provided through a Gateway
  • Glacier – vault lock policies to prevent deletes (WORM)
30
Q

Security – DynamoDB

A
  • Data is encrypted in transit using TLS (HTTPS)
  • DynamoDB tables are encrypted at rest
  • KMS encryption for base tables and secondary indexes
  • AWS owned key (default)
  • AWS managed key (aws/dynamodb)
  • AWS customer managed key (your own)
  • Access to tables / API / DAX using IAM
  • DynamoDB Streams are encrypted
  • VPC Endpoint is provided through a Gateway
31
Q

Security - RDS

A
  • VPC provides network isolation
  • Security Groups control network access to DB Instances
  • KMS provides encryption at rest
  • SSL provides encryption in-flight
  • IAM policies provide protection for the RDS API
  • IAM authentication is supported by PostgreSQL and MySQL
  • Must manage user permissions within the database itself
  • MSSQL Server and Oracle support TDE (Transparent Data Encryption)
32
Q

Security - Aurora

A
  • (very similar to RDS)
  • VPC provides network isolation
  • Security Groups control network access to DB Instances
  • KMS provides encryption at rest
  • SSL provides encryption in-flight
  • IAM authentication is supported by PostgreSQL and MySQL
  • Must manage user permissions within the database itself
33
Q

Security - Lambda

A
  • IAM roles attached to each Lambda function
  • Sources
  • Targets
  • KMS encryption for secrets
  • SSM parameter store for configurations
  • CloudWatch Logs
  • Deploy in VPC to access private resources
34
Q

Security - Glue

A
  • IAM policies for the Glue service
  • Configure Glue to only access JDBC through SSL
  • Data Catalog: Encrypted by KMS
  • Connection passwords: Encrypted by KMS
  • Data written by AWS Glue – Security Configurations:
  • S3 encryption mode: SSE-S3 or SSE-KMS
  • CloudWatch encryption mode
  • Job bookmark encryption mode
35
Q

Security - EMR

A
  • Using Amazon EC2 key pair for SSH credentials
  • Attach IAM roles to EC2 instances for:
  • proper S3 access
  • EMRFS requests to S3
  • DynamoDB scans through Hive
  • EC2 Security Groups
  • One for master node
  • Another one for cluster node (core node or task node)
  • Encrypts data at-rest: EBS encryption, Open Source HDFS Encryption, LUKS + EMRFS for S3
  • In-transit encryption: node to node communication, EMRFS, TLS
  • Data is encrypted before uploading to S3
  • Kerberos authentication (provide authentication from Active Directory)
  • Apache Ranger: Centralized Authorization (RBAC – Role Based Access) – setup on external EC2
  • https://aws.amazon.com/blogs/big-data/best-practices-for-securing-amazon-emr/
36
Q

Security – ElasticSearch Service

A
  • Amazon VPC provides network isolation
  • ElasticSearch policy to manage security further
  • Data security by encrypting data at-rest using KMS
  • Encryption in-transit using SSL
  • IAM or Cognito based authentication
  • Amazon Cognito allows end-users to log in to Kibana through enterprise identity providers such as Microsoft Active Directory using SAML
37
Q

Security - Redshift

A
  • VPC provides network isolation
  • Cluster security groups
  • Encryption in flight using the JDBC driver enabled with SSL
  • Encryption at rest using KMS or an HSM device (establish a connection)
  • Supports S3 SSE using default managed key
  • Use IAM Roles for Redshift
  • To access other AWS Resources (example S3 or KMS)
  • Must be referenced in the COPY or UNLOAD command (alternatively paste access key and secret key creds)
38
Q

Security - Athena

A
  • IAM policies to control access to the service
  • Data is in S3: IAM policies, bucket policies & ACLs
  • Encryption of data according to S3 standards: SSE-S3, SSE-KMS, CSE-KMS
  • Encryption in transit using TLS between Athena and S3 and JDBC
  • Fine grained access using the AWS Glue Catalog
39
Q

Security - Quicksight

A
  • Standard edition:
  • IAM users
  • Email based accounts
  • Enterprise edition:
  • Active Directory
  • Federated Login
  • Supports MFA (Multi Factor Authentication)
  • Encryption at rest and in SPICE
  • Row Level Security to control which users can see which rows
40
Q

AWS STS – Security Token Service

A
  • Allows granting limited and temporary access to AWS resources
  • Token is valid for up to one hour (must be refreshed)
  • Cross Account Access
  • Allows users from one AWS account to access resources in another
  • Federation (Active Directory)
  • Provides a non-AWS user with temporary AWS access by linking the user's Active Directory credentials
  • Uses SAML (Security Assertion Markup Language)
  • Allows Single Sign On (SSO), which enables users to log in to the AWS console without assigning IAM credentials
  • Federation with third party providers / Cognito
  • Used mainly in web and mobile applications
  • Makes use of Facebook/Google/Amazon etc. to federate them
41
Q

Cross Account Access

A
  • Define an IAM Role for another account to access
  • Define which accounts can access this IAM Role
  • Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
  • Temporary credentials can be valid between 15 minutes to 1 hour
42
Q

What’s Identity Federation?

A
  • Federation lets users outside of AWS assume a temporary role for accessing AWS resources
  • These users assume the access role provided by the identity provider
  • Federation assumes a form of 3rd party authentication
  • LDAP
  • Microsoft Active Directory (~= SAML)
  • Single Sign On
  • Open ID
  • Cognito
  • Using federation, you don’t need to create IAM users (user management is outside of AWS)
43
Q

SAML Federation For Enterprises

A
  • To integrate Active Directory / ADFS with AWS (or any SAML 2.0)
  • Provides access to AWS Console or CLI (through temporary)
44
Q

Custom Identity Broker Application For Enterprises

A
  • Use only if identity provider is not compatible with SAML 2.0
  • The identity broker must determine the appropriate IAM policy
    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
45
Q

AWS Cognito - Federated Identity Pools For Public Applications

A
  • Goal:
  • Provide direct access to AWS Resources from the Client Side
  • How:
  • Log in to federated identity provider – or remain anonymous
  • Get temporary AWS credentials back from the Federated Identity Pool
  • These credentials come with a predefined IAM policy stating their permissions
  • Example:
  • provide (temporary) access to write to S3 bucket using Facebook Login
  • Note:
  • Web Identity Federation is an alternative to using Cognito but AWS recommends against it
46
Q

Policies – leveraging AWS variables

A
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
  • ${aws:username} : to restrict users to tables / buckets
  • ${aws:principaltype} : account, user, federated, or assumed role
  • ${aws:PrincipalTag/department} : to restrict using Tags
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif
  • ${aws:FederatedProvider} : which IdP was used for the user (Cognito, Amazon..)
  • ${www.amazon.com:user_id} , ${cognitoidentity.amazonaws.com:sub}
  • ${saml:sub}, ${sts:ExternalId}
47
Q

Policies - Advanced

A
  • For S3 - let’s analyze the policies at:
    https://docs.aws.amazon.com/AmazonS3/latest/dev/examplebucket-policies.html
  • For DynamoDB – let’s analyze the policies at:
    https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
  • Note for RDS – IAM policies don’t help with in-database security, as it’s a proprietary technology and we are responsible for users & authorization
48
Q

AWS CloudTrail

A
  • Provides governance, compliance and audit for your AWS Account
  • CloudTrail is enabled by default!
  • Get a history of events / API calls made within your AWS Account by:
  • Console
  • SDK
  • CLI
  • AWS Services
  • Can put logs from CloudTrail into CloudWatch Logs
  • If a resource is deleted in AWS, look into CloudTrail first!
  • CloudTrail shows the past 90 days of activity
  • The default UI only shows “Create”, “Modify” or “Delete” events
  • CloudTrail Trail:
  • Get a detailed list of all the events you choose
  • Ability to store these events in S3 for further analysis
  • Can be region specific or global
  • CloudTrail Logs have SSE-S3 encryption when placed into S3
  • Control access to S3 using IAM, Bucket Policy, etc…
49
Q

VPC

A
  • Endpoints allow you to connect to AWS Services using a private network instead of the public www network
  • They scale horizontally and are redundant
  • They remove the need of IGW, NAT, etc… to access AWS Services
  • Gateway: provisions a target and must be used in a route table – ONLY S3 and DynamoDB
  • Interface: provisions an ENI (private IP address) as an entry point (must attach security group) – most AWS services; also called VPC PrivateLink