Security as a Practice

When we design any solution on the cloud, security should be a practice rather than an afterthought: the security framework has to be part of the design from the start.

The security framework should be treated as your own intellectual property, and practising it consistently is what protects that property, and the customer's data, from unauthorized access, use, or modification.

Coming back to the old-school vocabulary: security revolves around the CIA triad (Confidentiality, Integrity, and Availability).

Security in the cloud is much like security in an on-premises data center, but without the cost and complexity of protecting the physical facility and hardware: under the shared responsibility model, AWS secures the underlying infrastructure and you secure what you build on top of it.

While having calls with different stakeholders to understand their requirements, we end up spending much of the time talking about security on and in the cloud.

Once we have designed the architecture (HLD/LLD), customers raise many questions, concerns, and doubts about the security of each individual service within the cloud.

I feel that as Solution Architects, Enterprise Architects, and Practice Leaders it is our fundamental duty to explain the security of each service and component used.

Below is a list of AWS services and how security is managed for each.

Kinesis Security

Kinesis Data Streams

  •  TLS (HTTPS) endpoints provide encryption in flight
  •  AWS KMS provides server-side encryption (encryption at rest)
  •  For client-side encryption, you must use your own encryption libraries
  •  Supports interface VPC endpoints (PrivateLink) for private access
  •  KCL (Kinesis Client Library) consumers need read/write access to the DynamoDB table they use for lease and checkpoint tracking

Kinesis Data Firehose

  •  Attach an IAM role so it can deliver to S3 / ES / Redshift / …
  •  Can encrypt the delivery stream with KMS (server-side encryption)
  •  Supports interface VPC endpoints (PrivateLink) for private access

Kinesis Data Analytics

 Attach an IAM role so it can read from Kinesis Data Streams and reference sources, and write to an output destination (for example Kinesis Data Firehose)

 AWS SQS Security:

  •  Encryption in flight using the HTTPS endpoint
  •  Can enable SSE (Server Side Encryption) using KMS
  •  Can choose the KMS key (CMK, Customer Master Key) to use
  •  SSE only encrypts the message body, not the metadata (message ID, timestamp, message attributes)
  •  The caller's IAM policy (identity-based) must allow the SQS actions it uses
  •  SQS queue access policy (resource-based policy) adds:
  •  Finer-grained control over the caller's source IP (aws:SourceIp condition)
  •  Control over the time window in which requests are accepted (aws:CurrentTime condition)
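The last two bullets describe a queue access policy with IP and time conditions. The following is an added example, not code from the original article: it builds such a policy for one producer role (queue ARN, role ARN, CIDR and dates are placeholder assumptions) and then evaluates the two condition keys offline the way IAM does, so you can see which requests the policy would accept before you attach it.

```python
"""Added example (not code from the article): an SQS queue access policy
that allows one producer role to send messages only from an office IP
range and only within a contract window, plus an offline check of how
IAM evaluates those two condition keys.  Queue ARN, role ARN, CIDR and
dates are placeholders (assumptions), not values from the article."""
import ipaddress
import json
from datetime import datetime, timezone

QUEUE_ARN = "arn:aws:sqs:eu-west-1:123456789012:orders"           # placeholder
PRODUCER_ROLE = "arn:aws:iam::123456789012:role/order-producer"  # placeholder


def queue_policy(queue_arn=QUEUE_ARN, principal=PRODUCER_ROLE,
                 cidr="203.0.113.0/24",
                 not_before="2024-01-01T00:00:00Z",
                 not_after="2024-12-31T23:59:59Z"):
    """Resource-based policy for the queue.  json.dumps(queue_policy())
    is what goes into the "Policy" attribute of set_queue_attributes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProducerSendFromOfficeDuringContract",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "IpAddress": {"aws:SourceIp": cidr},                 # control over source IP
                "DateGreaterThan": {"aws:CurrentTime": not_before},  # time window in which
                "DateLessThan": {"aws:CurrentTime": not_after},      # requests may come in
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_hold(condition, source_ip, request_time):
    """Evaluate the three condition operators this policy uses the way IAM
    does: every condition key must hold; for IpAddress any listed CIDR may
    match, for the date operators every listed bound must hold."""
    ip = ipaddress.ip_address(source_ip)
    when = _utc(request_time)
    for cidrs in [_as_list(v) for v in condition.get("IpAddress", {}).values()]:
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return False
    for bounds in [_as_list(v) for v in condition.get("DateGreaterThan", {}).values()]:
        if not all(when > _utc(b) for b in bounds):
            return False
    for bounds in [_as_list(v) for v in condition.get("DateLessThan", {}).values()]:
        if not all(when < _utc(b) for b in bounds):
            return False
    return True


def send_allowed(policy, principal, action, source_ip, request_time):
    """True if an Allow statement matches principal, action and conditions.
    Simplified on purpose: no Deny statements, no wildcards and no
    identity-policy side of the evaluation, just this policy's shape."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("AWS") != principal:
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if conditions_hold(stmt.get("Condition", {}), source_ip, request_time):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(queue_policy(), indent=2))
    print(send_allowed(queue_policy(), PRODUCER_ROLE, "sqs:SendMessage",
                       "203.0.113.10", "2024-06-01T12:00:00Z"))  # True
    print(send_allowed(queue_policy(), PRODUCER_ROLE, "sqs:SendMessage",
                       "198.51.100.5", "2024-06-01T12:00:00Z"))  # False
```

One caveat when you deploy this: aws:SourceIp only sees the public IP of the caller. Requests that reach SQS through an interface VPC endpoint do not carry it, so for those callers the IP condition must use aws:VpcSourceIp (or aws:SourceVpce) instead, or the policy will silently deny them.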

Amazon S3

  •  IAM policies
  •  S3 bucket policies
  •  Access Control Lists (ACLs)
  •  Encryption in flight using HTTPS
  •  Encryption at rest
  •  Server-side encryption: SSE-S3, SSE-KMS, SSE-C
  •  Client-side encryption, such as the Amazon S3 Encryption Client
  •  Versioning + MFA Delete
  •  CORS configuration to control which origins a browser may load bucket content from (a browser-side control, not a replacement for bucket policies)
  •  VPC Endpoint is provided through a Gateway
  •  Glacier: Vault Lock policies to prevent deletes
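The S3 list above is a checklist; the following added example (not code from the original article) turns it into an audit. It reads the same dict shapes that boto3 returns from get_bucket_encryption, get_bucket_versioning, get_public_access_block and get_bucket_policy, and reports which items of the checklist a bucket fails. The two buckets are constructed sample data, no API calls are made, and the bucket names and KMS key ARN are placeholders.

```python
"""Added example (not code from the article): audit one S3 bucket against
the checklist above, using the dict shapes boto3 returns from
get_bucket_encryption, get_bucket_versioning, get_public_access_block and
get_bucket_policy.  GOOD_BUCKET and WEAK_BUCKET are constructed sample data
(no API calls); bucket names and the KMS key ARN are placeholders."""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def denies_plain_http(policy):
    """True if the bucket policy has a Deny for aws:SecureTransport=false,
    i.e. plain-HTTP requests are refused (encryption in flight enforced)."""
    if not policy:
        return False
    doc = json.loads(policy["Policy"]) if isinstance(policy.get("Policy"), str) else policy
    for stmt in doc.get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(name, encryption, versioning, public_access_block, policy):
    """Return the list of findings for the bucket (empty list = passes)."""
    findings = []

    # Encryption at rest: default encryption should be SSE-KMS, not only SSE-S3.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not algos:
        findings.append("no default encryption configured")
    elif "aws:kms" not in algos:
        findings.append("default encryption is %s, not SSE-KMS" % "/".join(a or "?" for a in algos))

    # Versioning + MFA Delete: deletes are recoverable and need a second factor.
    if (versioning or {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")

    # Block Public Access: all four flags on, so no ACL or policy can expose objects.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag):
            findings.append("public access block flag %s is off" % flag)

    # Encryption in flight: the bucket policy must refuse non-TLS requests.
    if not denies_plain_http(policy):
        findings.append("bucket policy does not deny aws:SecureTransport=false")
    return findings


# Constructed sample data in boto3's response shapes (placeholders throughout).
GOOD_BUCKET = dict(
    name="payments-archive",
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"}}]}},
    versioning={"Status": "Enabled", "MFADelete": "Enabled"},
    public_access_block={"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    policy={"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::payments-archive", "arn:aws:s3:::payments-archive/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
)
WEAK_BUCKET = dict(
    name="marketing-assets",
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    versioning={"Status": "Suspended"},
    public_access_block={"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    policy=None,  # get_bucket_policy raised NoSuchBucketPolicy
)

if __name__ == "__main__":
    for bucket in (GOOD_BUCKET, WEAK_BUCKET):
        print(bucket["name"], audit_bucket(**bucket) or ["ok"])
```

To run it against real buckets, replace the two sample dicts with the responses of the four boto3 calls for each bucket; note that get_bucket_policy raises NoSuchBucketPolicy when no policy exists, which is the case the None above stands for.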

DynamoDB

  •  Data is encrypted in transit using TLS (HTTPS)
  •  All tables are encrypted at rest; encryption cannot be disabled
  •  KMS encryption covers base tables, secondary indexes, streams and backups
  •  Choose the key type: AWS owned key, AWS managed key (aws/dynamodb) or a customer managed key; the key type can be changed on an existing table
  •  Access to tables / API / DAX is controlled using IAM (fine-grained access down to items and attributes via the dynamodb:LeadingKeys and dynamodb:Attributes condition keys)
  •  DynamoDB Streams: stream records carry the table data, so grant stream readers only the stream actions they need (dynamodb:DescribeStream, GetShardIterator, GetRecords) on the stream ARN
  •  VPC Endpoint is provided through a Gateway

Lambda:

 An IAM execution role is attached to each Lambda function and should be scoped to only what the function touches:

  •  Sources (the event sources it reads from)
  •  Targets (the services it writes to)
  •  KMS encryption for secrets in environment variables
  •  SSM Parameter Store for configuration (SecureString parameters are KMS-encrypted)
  •  CloudWatch Logs (the role needs permission to write the function's logs)
  •  Deploy in a VPC to access private resources


Glue:

  •  IAM policies for the Glue service
  •  Configure Glue to only access JDBC sources through SSL/TLS
  •  Data Catalog: encrypted by KMS
  •  Connection passwords: encrypted by KMS
  •  Data written by AWS Glue is governed by a Security Configuration, which sets:

1.      CloudWatch encryption mode

2.      Job bookmark encryption mode

3.      S3 encryption mode: SSE-S3 or SSE-KMS

 Athena:

  •  IAM policies to control access to the service
  •  Data is in S3: IAM policies, bucket policies & ACLs
  •  Encryption of data and query results according to S3 standards: SSE-S3, SSE-KMS, CSE-KMS
  •  Encryption in transit using TLS between Athena and S3, and for JDBC/ODBC clients
  •  Fine-grained access (database and table level) using the AWS Glue Data Catalog

QuickSight:

Standard edition:

  1. IAM users
  2. Email-based accounts

Enterprise edition:

  •  Active Directory
  •  Federated login
  •  Supports MFA (Multi-Factor Authentication)
  •  Encryption at rest and in SPICE
  •  Row-Level Security to control which users can see which rows

VPC Endpoints

  •  Endpoints allow you to connect to AWS services over a private network instead of the public internet; they scale horizontally and are redundant
  •  They remove the need for an IGW, NAT gateway, etc. to reach AWS services

Gateway: provisions a target that must be referenced in a route table; available ONLY for S3 and DynamoDB

Interface: provisions an ENI (private IP address) in your subnet as the entry point (you must attach a security group); covers most AWS services; also called AWS PrivateLink

 AWS CloudTrail:

  •  Provides governance, compliance and audit for your AWS account
  •  CloudTrail Event history is enabled by default; create a trail to keep events longer than 90 days
  •  Get a history of events / API calls made within your AWS account by:
  1.  Console
  2.  SDK
  3.  CLI
  4.  AWS services

  •  Can send logs from CloudTrail into CloudWatch Logs
  •  If a resource is deleted in AWS, look into CloudTrail first
  •  Event history shows the past 90 days of activity
  •  The default Event history view shows only write events (Create, Modify, Delete); change the read-only filter to see read events
  •  A trail captures a detailed record of the events you choose: management events, data events (for example S3 object-level calls) and Insights events
  •  Ability to store these events in S3 for further analysis
  •  A trail can be region-specific or apply to all regions
  •  CloudTrail log files are SSE-S3 encrypted by default when placed into S3 (SSE-KMS can be configured instead)
  •  Control access to the log bucket using IAM, bucket policy, etc., and enable log file validation to detect tampering
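"If a resource is deleted, look into CloudTrail first" is the step practitioners do by hand in the console; the following added example (not code from the original article) does it over a CloudTrail log file as delivered to S3. SAMPLE_LOG is constructed for the example in the CloudTrail record format; the account ID, ARNs, IPs and resource names are placeholders. It lists successful destructive calls with actor and source IP, and separately the AccessDenied attempts, which are the ones a denied-but-persistent principal leaves behind.

```python
"""Added example (not code from the article): find who deleted what from a
CloudTrail log file.  SAMPLE_LOG is constructed in the CloudTrail record
format; account ID, ARNs, IPs and resource names are placeholders."""
import json
from collections import Counter

ALICE = "arn:aws:sts::123456789012:assumed-role/Admin/alice"  # placeholder
BOB = "arn:aws:iam::123456789012:user/bob"                     # placeholder

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-04T09:10:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True, "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "arn": ALICE}, "requestParameters": None},
    {"eventTime": "2024-03-04T09:11:20Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": BOB, "userName": "bob"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: " + BOB + " is not authorized to perform: kms:ScheduleKeyDeletion"},
    {"eventTime": "2024-03-04T09:12:31Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "readOnly": False, "sourceIPAddress": "203.0.113.45",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "arn": ALICE},
     "requestParameters": {"bucketName": "payments-archive"}},
    {"eventTime": "2024-03-04T09:13:05Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "readOnly": False, "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "arn": ALICE},
     "requestParameters": {"tableName": "orders"}},
]})

# API names whose success means something was destroyed or switched off.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "ScheduleKeyDeletion", "Disable")
# Where different services put the name of the affected resource.
TARGET_KEYS = ("bucketName", "tableName", "keyId", "functionName", "roleName")


def parse_records(log_text):
    """A CloudTrail log file is one JSON object holding a Records array."""
    return json.loads(log_text)["Records"]


def target_of(record):
    params = record.get("requestParameters") or {}
    return next((params[k] for k in TARGET_KEYS if k in params), "?")


def destructive_events(records):
    """(eventTime, eventName, actor ARN, source IP, target) for every
    destructive call that succeeded (no errorCode), oldest first."""
    hits = [(r["eventTime"], r["eventName"], r["userIdentity"].get("arn"),
             r.get("sourceIPAddress"), target_of(r))
            for r in records
            if r["eventName"].startswith(DESTRUCTIVE_PREFIXES) and not r.get("errorCode")]
    return sorted(hits)


def denied_calls(records):
    """Failed attempts matter too: AccessDenied on a destructive API is a
    principal probing for permissions it does not have."""
    return [(r["eventTime"], r["eventName"], r["userIdentity"].get("arn"), r.get("errorMessage"))
            for r in records if r.get("errorCode") == "AccessDenied"]


def actor_summary(records):
    """How many successful destructive calls each actor made."""
    return Counter(actor for _, _, actor, _, _ in destructive_events(records))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ev in destructive_events(recs):
        print("%s %-20s %-60s from %-15s target=%s" % ev)
    for ev in denied_calls(recs):
        print("DENIED %s %s by %s: %s" % ev)
    print(actor_summary(recs))
```

Log files delivered to S3 are gzip-compressed, so in practice the text passed to parse_records comes from gzip.open on each object; the record fields used here (eventName, userIdentity.arn, sourceIPAddress, requestParameters, errorCode) are the standard ones and are the same whether the trail writes to S3 or to CloudWatch Logs.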

SageMaker:

  •  Notebook code is stored on ML storage volumes
  •  Controlled by security groups
  •  Optionally encrypted at rest with a customer managed KMS key
  •  All artifacts encrypted in transit and at rest
  •  API & console secured by TLS
  •  IAM roles
  •  Encrypted S3 buckets for data
  •  KMS integration for SageMaker notebooks, training jobs, endpoints

RDS:

  •  VPC provides network isolation
  •  Security Groups control network access to DB instances
  •  KMS provides encryption at rest
  •  SSL/TLS provides encryption in flight
  •  IAM policies protect the RDS API (create / modify / delete instances), not the data inside the database
  •  IAM database authentication is supported by the MySQL and PostgreSQL engines
  •  Must manage user permissions within the database itself
  •  SQL Server and Oracle support TDE (Transparent Data Encryption)

Aurora:

  •  Very similar to RDS
  •  VPC provides network isolation
  •  Security Groups control network access to DB instances
  •  KMS provides encryption at rest
  •  SSL/TLS provides encryption in flight
  •  IAM database authentication is supported by Aurora MySQL and Aurora PostgreSQL
  •  Must manage user permissions within the database itself
