Troubleshooting Security Scenarios

Question 1

CloudWatch issues?

Answer 1

1. Start with IAM user/role as possible cause. Look if cloudwatch:Get, cloudwatch:List is allowed in IAM policy
2. Check if Cloudwatch agent is installed, running, and EC2 has role permission to write to Cloudwatch Logs
3. Lambda automatically adds permission to allow itself to write to CloudWatch logs in addition to your permissions
4. Lambda basic events are logged in CloudWatch but detailed logging is NOT enabled by default coz it is a lot

Question 2

CloudTrail logs missing?

Answer 2

Is CloudTrail enabled
S3 bucket name correct
S3 prefix correct/exists/not deleted
S3 bucket policy
S3 and Lambda Data events are NOT enabled by default, –enable them explicitly if needed

Question 3

What if auditor can’t access CloudTrail logs from CloudWatch?

Answer 3

Does their account have CloudTrailReadOnlyAccess

Question 4

Network Infrastructure / connectivity issues?

Answer 4

1. Subnet
2. Routing table
3. SG rules
4. NACL rules inbound+outbound
5. NATGW
6. IGW

Question 5

How to setup peering between VPC?

Answer 5

Update both routing tables

Question 6

Quick win for Network Infrastructure / connectivity issues?

Answer 6

Check VPC flow logs for allow/reject messages for hint where it is getting blocked

Question 7

Authentication/Authorization Issues

Answer 7

Evaluate least privilege- remember explicit allow overrides implicit deny, but explicit deny overrides all

Question 8

Authentication/Authorization Issues for Organizations?

Answer 8

check if service boundaries have policies blocking access

Question 9

What are the STS roles and use cases?

Answer 9

• STS:AssumeRoleWithWebIdentity = if user is authenticated by Meta (Facebook), Google etc Web Identity Provider
  
  • STS:AssumeRoleWithSAML = if authenticated by AD, SAML ID provider
  • STS:AssumeRole = if authenticated by AWS

Question 10

Cross Account Issues? User in dev wants to access prod account

Answer 10

Does dev have IAM Allow Action:sts:AssumeRole?
Does prod account have sts:AssumeRole allowed for dev ARN as the Principal?
Check Trust Relationships in IAM

Question 11

What permissions to apply to KMS for cross-account access?

Answer 11

KMS Key policy in prod needs “Add other account” updated.
Dev account IAM policy should have kms:Decrypt/DescribeKey allowed for Resource ARN of prod account

Question 12

If Lambda unable to take action based on triggers?

Answer 12

check Lambda Execution role has right permissions

Question 13

What is Lambda Function Policy?

Answer 13

What resources can trigger Lambda

Question 14

What is Lambda Execution role

Answer 14

What resources Lambda can acess

Question 15

How to use Lambda with Secrets Manager?

Answer 15

It needs to be explicitly given permissions to access Secrets Manager in Execution role to pull data from RDS etc.