Thursday, 9 June 2022

AWS Cloud Security Services - Infrastructure Protection

Cloud Security

Cloud eases hardware and application management and provides easy accessibility, but there are several assumptions and reservations about switching to the cloud because of security.


Well, if we talk about attacks, they are everywhere, whether in the cloud or on premises, and whether external or internal. Hence we always need to be ready.


Cloud security is a collection of security measures designed to protect cloud-based infrastructure, applications, and data from external and internal threats.


Cloud security is employed in cloud environments to protect a company's data from different security concerns such as distributed denial of service (DDoS) attacks, malware, hackers, unauthorized access or use, and many other security threats.


A reliable cloud service provider (CSP) can put your mind at ease and keep your data safe with highly secure cloud services:

  • Resource drain: lowers the burden on developers of monitoring for attacks
  • Less expertise dependency: every organization needs security expertise, but with a CSP the load, and the dependency, are shared
  • Eases multiple integrations: integrating multiple applications with security standards and monitoring is a whole new project in itself
  • Avoids expensive tools: analysing and preventing attacks requires tools, and those add to the cost

The way to approach cloud security differs for every organization and depends on several variables, but following best practices is a good start: put adequate countermeasures in place to defend against modern-day cyberattacks.


Both the CSP and the cloud adopter are equally responsible for providing security.



Categorization
  • Identity and Access Management
    • AWS Identity and Access Management IAM
    • AWS Single Sign On
    • Amazon Cognito
    • AWS Directory Service
    • AWS Resource Access Manager
    • AWS Organization
  • Detection
    • AWS Security Hub
    • Amazon GuardDuty
    • Amazon Inspector
    • AWS Config
    • AWS CloudTrail
    • AWS IoT Device Defender
    • AWS Detective
  • Data Protection
    • AWS Macie
    • AWS Key Management Service
    • AWS CloudHSM
    • AWS Certificate Manager
    • AWS Secrets Manager
  • Infrastructure Protection
    • AWS Security Groups
    • AWS NACL
    • AWS WAF
    • AWS Shield
    • AWS Network Firewall
    • AWS Firewall Manager


Infrastructure Protection

Infrastructure protection is one of the key pillars of cloud security. Today we will look only at using AWS services to protect our infrastructure.

Security Groups

Security groups act as a “firewall” for EC2 instances. Using a security group, we can control both incoming and outgoing traffic. They are stateful, which means that if traffic is allowed in, its response is allowed back out, and if traffic is allowed out, its response is allowed back in. So we do not need to write explicit outbound rules for return traffic: as said, if it is allowed in, the reply will be allowed out as well. Security groups support only allow rules.

A rule can reference a CIDR range or a security group ID, and more than one rule can be assigned to an endpoint. If no rules are applied, the default is assigned, which denies all inbound and allows all outbound traffic. All rules are evaluated before deciding whether to allow the traffic.

Security groups come at no cost, and one can have as many security groups as needed. As you can see, this is a joint responsibility: the cloud provides the feature to block or allow requests, but as the user we need to write the appropriate rules.

Default: inbound denied, outbound all allowed.
Creating security groups does not involve any cost.

Below are a few use cases mentioned in the AWS docs.

  • Web server rules
  • Database server rules
  • Rules to connect to instances from your computer
  • Rules to connect to instances from an instance with the same security group
  • Rules for ping/ICMP
  • DNS server rules
  • Amazon EFS rules
  • Elastic Load Balancing rules
  • VPC peering rules


Fig: Sample rules, allowing SSH and HTTP from everywhere



Network ACL - NACL



NACLs act as a “firewall” at the subnet level. We can associate a single NACL with multiple subnets, but only one NACL can be assigned to a subnet.

They are stateless, as the inbound and outbound rules apply to all traffic independently. For example, if the outbound rules allow our request to go out, the response we expect back will still be blocked unless an inbound rule for it has been specified. NACLs support both allow and deny rules for both inbound and outbound traffic. Here a rule can only reference a CIDR range (no hostname).

Rules are evaluated in number order when deciding whether to allow traffic; the lowest-numbered rule gets first preference. If the lowest-numbered matching rule denies, the traffic is denied, even if a higher-numbered rule allows it. Rule numbers run from 1 to a maximum of 32766.

Default: allow all inbound, allow all outbound
New NACL: denies all inbound, denies all outbound
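To make the ordering and the stateless behaviour concrete, here is an added Python model of NACL evaluation (it is not AWS code). The rules, the competitor and customer addresses (documentation ranges) and the ephemeral port are all constructed; it shows that swapping two rule numbers lets a blocked host through, and that forgetting the outbound ephemeral-port rule silently drops the server's replies.

```python
"""Model of how a Network ACL walks its numbered rules (added example, not
AWS code). Rules are tried lowest number first, the first matching rule
decides, and the implicit "*" rule denies anything nothing else matched.
Because a NACL is stateless, reply traffic needs its own rule."""
from ipaddress import ip_address, ip_network

def matches(rule, proto, port, addr):
    """True if the packet's protocol, port and address fall within the rule."""
    if rule["proto"] not in ("all", proto):
        return False
    lo, hi = rule["ports"]
    return lo <= port <= hi and ip_address(addr) in ip_network(rule["cidr"])

def nacl_decision(rules, proto, port, addr):
    """Return 'allow' or 'deny' the way a NACL would for one packet."""
    for rule in sorted(rules, key=lambda r: r["number"]):  # lowest number first
        if matches(rule, proto, port, addr):
            return rule["action"]  # first match wins; higher-numbered rules ignored
    return "deny"                  # the implicit "*" rule at the end of every NACL

COMPETITOR = "203.0.113.7"    # constructed address of the host we want to block
CUSTOMER = "198.51.100.25"    # constructed address of a normal visitor

# Inbound rules as intended: deny the competitor before the broad HTTP allow.
INBOUND_OK = [
    {"number": 100, "proto": "tcp", "ports": (80, 80), "cidr": "203.0.113.7/32", "action": "deny"},
    {"number": 110, "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Same rules with the numbers swapped: the allow is now evaluated first and wins.
INBOUND_MISORDERED = [
    {"number": 100, "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0", "action": "allow"},
    {"number": 110, "proto": "tcp", "ports": (80, 80), "cidr": "203.0.113.7/32", "action": "deny"},
]
# Outbound: the server's replies go to the client's ephemeral port (1024-65535),
# so a stateless NACL needs an explicit outbound allow for that range.
OUTBOUND_WITH_EPHEMERAL = [
    {"number": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
OUTBOUND_MISSING = []  # forgot the ephemeral rule: replies never leave the subnet

def http_round_trip(inbound, outbound, client_addr, client_port=51515):
    """The request reaches the server only if inbound allows it, and the reply
    gets back only if outbound also allows traffic to the client's ephemeral port."""
    if nacl_decision(inbound, "tcp", 80, client_addr) != "allow":
        return "request blocked"
    if nacl_decision(outbound, "tcp", client_port, client_addr) != "allow":
        return "reply blocked"
    return "ok"

if __name__ == "__main__":
    print(http_round_trip(INBOUND_OK, OUTBOUND_WITH_EPHEMERAL, CUSTOMER))           # ok
    print(http_round_trip(INBOUND_OK, OUTBOUND_WITH_EPHEMERAL, COMPETITOR))         # request blocked
    print(http_round_trip(INBOUND_MISORDERED, OUTBOUND_WITH_EPHEMERAL, COMPETITOR)) # ok, the mistake
    print(http_round_trip(INBOUND_OK, OUTBOUND_MISSING, CUSTOMER))                  # reply blocked
```

A security group would not need the outbound ephemeral rule at all, because it is stateful; that is the practical difference between the two.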

Fig: Sample rules, which allow and deny outbound traffic


WAF



AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. It works at layer 7, the application layer.


AWS WAF gives you control over how traffic reaches your applications by letting you create security rules that control bot traffic, block common attack patterns such as SQL injection or cross-site scripting, limit the number of calls to the server, and limit the request size.


We can get started quickly using Managed Rules for AWS WAF, pre-configured sets of rules managed by AWS or AWS Marketplace sellers that address issues like the OWASP Top 10 security risks and automated bot requests that exploit the application.


AWS WAF can be deployed on Amazon CloudFront, the Application Load Balancer, Amazon API Gateway and AWS AppSync.


Pricing is based on how many rules we deploy and how many web requests our application receives. Irrespective of the pricing, using WAF is definitely essential:

  • Frictionless setup: deploy without changing your existing architecture
  • Low operational overhead: ready to use, with a built-in set of rules as well as rule sets available in the AWS Marketplace
  • Bot control: protects against automated bots using bot control rules, designed to help stop common and pervasive bot traffic on your application. AWS threat researchers continuously examine traffic to identify and categorise bots, combined with the mitigation techniques natively available in AWS WAF. It also provides insight and visibility into bot traffic through CloudWatch.
  • Customizable security: a highly flexible rule engine that can inspect requests with single-digit millisecond latency
  • Advanced automation: an API-driven architecture and fast rule propagation let you detect and respond to threats in real time
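The "limit the number of calls to the server" capability is a rate-based rule, and the summary later on this page uses one to block users sending more than 1000 requests. The following added Python model (not AWS code) shows how such a rule behaves over a 5-minute sliding window; the log lines, their format and the two addresses are constructed for the example.

```python
"""Sliding-window model of a WAF rate-based rule (added example, not AWS
code): any client IP that sends more than LIMIT requests within a 5-minute
window is blocked, like the rule in the summary that blocks users sending
more than 1000 requests. The log lines and their format are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
LIMIT = 1000  # the "more than 1000 requests" threshold used in the summary

def rate_based_rule(log_lines, limit=LIMIT, window=WINDOW):
    """Return the set of client IPs that exceeded `limit` requests in `window`.
    Each line is '<ISO timestamp> <client ip> <method> <path>' (assumed format),
    in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = set()
    for line in log_lines:
        stamp, ip, _method, _path = line.split(" ", 3)
        now = datetime.fromisoformat(stamp)
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] > window:   # evict requests older than the window
            hits.popleft()
        if len(hits) > limit:            # "more than", matching the WAF semantics
            blocked.add(ip)
    return blocked

def constructed_log():
    """1,200 requests from one address in four minutes (a bursty scraper) plus
    300 requests from a normal visitor spread over an hour, both using
    documentation address ranges."""
    start = datetime(2022, 6, 9, 10, 0, 0)
    lines = []
    for i in range(1200):   # every 0.2 s: 1,200 requests in 240 s
        t = start + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 GET /menu")
    for i in range(300):    # every 12 s: at most 26 requests per 5-minute window
        t = start + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} 198.51.100.25 GET /menu")
    return sorted(lines)    # ISO timestamps sort chronologically

if __name__ == "__main__":
    print(rate_based_rule(constructed_log()))  # {'203.0.113.7'}
```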


Fig: First page of WAF


Shield


AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

A DDoS is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

There are two tiers of AWS Shield:
  • AWS Shield Standard
  • AWS Shield Advanced
AWS Shield Standard is enabled for free by default for all AWS customers. It provides always-on detection and defends against the most common, frequently occurring network and L3/L2 transport layer DDoS attacks that target your website or applications.

AWS Shield Advanced provides more advanced DDoS detection and near real-time visibility into attacks. As of now it supports integration with AWS WAF (a web application firewall) and covers EC2, Elastic IP, ELB, Amazon CloudFront, AWS Global Accelerator and Amazon Route 53. It protects whatever resources are associated with it against network layer (layer 3), transport layer (layer 4), and application layer (layer 7) attacks. It costs $3000 per month per organization.

AWS Shield Advanced provides 24/7 access to the Shield Response Team, and cost protection during attacks. The team is made up of specialized security engineers dedicated to providing support during DDoS attacks; they help with Shield onboarding as well. Proactive engagement during DDoS attacks, attack analysis, writing custom WAF rules for mitigation, fighting bots and mitigation strategies are also part of their responsibilities. AWS Shield Advanced provides AWS WAF at no additional charge.

You need to subscribe to AWS Shield Advanced for each AWS account that you want to protect. If you want to subscribe multiple accounts, it is recommended to use AWS Firewall Manager. Caveat: Firewall Manager doesn't support Amazon Route 53 or AWS Global Accelerator, but it supports the other resource types that Shield Advanced can protect. Support is provided globally.

One might wonder whether this is an expensive affair; yes, I agree. But when it comes to business, keeping the application resilient and audit compliant is what matters most. Imagine if Swiggy were not able to identify and serve potential customers; it would be a great loss for the organization. For instance, during an attack Shield Advanced promotes your network ACL to the AWS border, which can process multiple terabytes of traffic, so your network ACL can protect your resource well beyond your network's typical capacity. This is what provides cost protection during attacks.

The story doesn't end here: load balancers mapped with auto scaling is the usual strategy. Imagine how the costs would shoot up while handling these bogus calls. Hiring a security engineer and his/her backup adds to the cost just as much. Compliance and regulation also go for a toss with these attacks. As said, this is a worthy investment for an application.


Fig: Subscribe to Shield Advanced


Network Firewall

Network Firewall protects at L2/L3, the network/transport layer of the VPC. Based on the security rules written, all traffic flowing into and out of the network is managed and monitored. It can be set up with just a few clicks and scales automatically with the network traffic.


It provides protection from common network threats:

  • URL filtering on outbound flows
  • Pattern matching on packet data beyond IP/Port/Protocol 
  • Ability to alert on specific vulnerabilities for protocols beyond HTTP/S
  • Stateful Inspection
  • Intrusion prevention and detection

Using Network Firewall we get the following merits:

  • AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic
  • Import rules already written in common open source rule formats 
  • Enable integrations with managed intelligence feeds sourced by AWS Partners

Pricing

  • Pay an hourly rate for each firewall endpoint.
  • Pay for the amount of traffic, billed by the gigabyte.
The architecture below explains how Network Firewall works; let's dig into it:
Credits: https://aws.amazon.com/blogs/aws/aws-network-firewall-new-managed-firewall-service-in-vpc/
Fig: Explains the Network Firewall Architecture

From the above we observe the following:
  • AWS Network Firewall acts at the VPC level, for an Availability Zone.
  • The firewall endpoint sits in the public subnet and acts as a fence for all requests coming in. It inspects the incoming and outgoing packets based on the configured rules.
  • The rules engine holds the firewall policy, which holds the collection of stateful and stateless rule groups.
    • Stateful: stateful firewalls are capable of monitoring and detecting the state of all traffic on a network, tracking and defending based on traffic patterns and flows. An intelligent system, a stateful firewall bases future filtering decisions on the cumulative sum of past and present findings.
    • Stateless: stateless firewalls, however, focus only on individual packets, using preset rules to filter traffic. This gives faster performance.
  • Rule groups inspect the packets and perform the configured action.
  • Actions: four types of action can be taken by the rules we write, and we can set a default action that applies to all packets as well
    • Pass: let the packet reach its destination
    • Drop: block the packet from proceeding further
    • Forward to stateful rules: proceed with stateful inspection
    • Custom action: send a metric to CloudWatch with the value we specified in the configuration
This is a simple illustration of how Network Firewall secures the network.



Firewall Manager


Firewall Manager helps centrally configure and manage security rules across all accounts. This brings consistency and enforces protections, as said, across all accounts, even as new applications are created. It provides a single central view of the compliance posture across all the AWS accounts.


AWS Firewall Manager currently handles six types of protection policy: AWS WAF, AWS Shield, Amazon VPC security groups, AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall and Palo Alto Cloud Next-Generation Firewalls.


The prerequisites for using Firewall Manager are below; you also need to run it from your administrator account:

  • AWS Organizations: to manage all accounts
  • Firewall administrator: to deploy AWS WAF rules across accounts
  • AWS Config: to detect newly created resources


Firewall Manager has the following impact:

  • Simplifies management of firewall rules across all accounts
  • Easily deploys managed rules across accounts
  • Centrally deploys protections for VPCs
  • Audits any existing security group in the VPC
  • Controls traffic leaving and entering the network
  • Protection policies are priced with a monthly fee of $100 per policy per region

Credits: https://aws.amazon.com/blogs/aws/aws-firewall-manager-central-management-for-your-web-application-portfolio/
Fig: After applying the rules, validating the compliance of all the accounts


Summary

Let's recap with a small story. Assume I am a mango seller wanting to digitize my business. I have created a web application running on an EC2 instance.

  • Allow SSH for connecting from my home to the EC2 instances and HTTP from anywhere – Security Group
    • Security groups protect Amazon Elastic Compute Cloud (Amazon EC2) instances
    • Here we allow HTTP requests from everywhere to hit my website
    • And we allow SSH only from my IP, so that only I can get into the machine
My business is doing well, but I have one competitor. As his business is getting impacted because of me, he wants to bring my application down.

  • Block the competitor – NACL
    • Network ACLs protect Amazon Virtual Private Cloud (VPC) subnets
    • We can block specific IPs from entering our subnet, as in a NACL we have both Allow and Deny
    • In security groups I cannot deny
    • A NACL evaluates rules in number order when deciding whether to allow traffic, and the lowest-numbered matching rule wins
Now my business is doing well, but at random times I get heavy bursts of requests at the same time, causing hindrance to my system. This looks fishy, so I looked to AWS to see how it could solve my problem.

  • Block the HTTPS calls from users sending more than 1000 requests – WAF
    • AWS Web Application Firewall (WAF) protects web applications running on Amazon CloudFront, Application Load Balancer (ALB), AppSync or Amazon API Gateway

As my business has now become stable, I have scaled: the application's DB is in a private subnet, the application servers are in one more private subnet, and a public subnet holds only the load balancer. Again I am getting spikes of requests from different countries where I absolutely don't trade.

  • Block the requests to the VPC by geography – Network Firewall
    • AWS Network Firewall is a highly available, managed network firewall service for your virtual private cloud (VPC).
We have our applications running, but suddenly the hardware costs spike without that being reflected in sales. I want to avoid these unexpected attacks, and I don't want to invest in a security engineer for this.

  • Protect my system from DDoS attacks – Shield
    • AWS Shield protects against Distributed Denial of Service (DDoS) attacks.
Fantastic, I was called the best mango app. Now I am opening a branch in a different country. Wow! But I don't want to lose all the security lessons. I have created another application for the other country, but the security underneath remains the same. I want the common rules to be the same across my org.

  • Ensure all security is aligned across accounts – Firewall Manager
    • Even with accidental changes, it has been configured so as to revert the changes.

Let's visualise our story; please take a close look at all the security services applied:
Credits: https://www.youtube.com/watch?v=T3kqljTLR50



Conclusion

Today we have seen a few of the security services available as of today. We have not covered the access management, data security and detection aspects of security.


Security comes with a cost and we cannot be 100% secure; it is an evolving process. And the cloud provider and the consumer have an equal contribution in bringing protection and resilience to the application.


Security is not easy; we learn from experience and research.



References

https://docs.aws.amazon.com/

https://www.prplbx.com/resources/blog/aws-overview/

https://medium.com/nerd-for-tech/aws-series-2-deep-dive-aws-security-layer-network-web-apps-a629f60631ef

https://www.youtube.com/watch?v=T3kqljTLR50

https://medium.com/binbash-inc/aws-network-firewall-using-aws-firewall-manager-with-terraform-part-2-b402dffecfb0

https://cloud.in28minutes.com/aws-certification-security-groups-vs-nacl-comparison

https://www.cdw.com/content/cdw/en/articles/security/stateful-versus-stateless-firewalls.html




