Security Certification

Incident response

  • Key compromise
    • Determine access associated with exposed key
    • Make keys inactive
    • Add explicit deny policy to IAM principal
    • Review logs for possible backdoor
  • EC2 compromise
    • Isolate instance through security group
    • Take EBS snapshot and memory dump
    • Perform forensics analysis
  • GuardDuty
    • Allow IPs to avoid unnecessary alerts during penetration testing
    • Supports VPC flow, CloudTrail (including CloudTrailLoggingDisabled), and Route53 DNS logs
    • If using 3rd party DNS resolver, GuardDuty does not process this data
  • Penetration tests
    • Allowed without prior approval for nine services: EC2 (including NAT and ELB), RDS, CloudFront,Aurora, API Gateway, Fargate, Lambda, Lightsail, and Elastic Beanstalk
    • May see older questions about "Pre-authorized scanning engine from marketplace"
  • Abuse notice
    • Received if workload is being used for non-AUP conforming purposes
  • Stolen laptop use-case: modify authorized_key file of all EC2 instances
  • CloudTrail stores 90 days in console. After that, can use Athena to query S3.

Logging and monitoring

  • VPC flow log format
  • Inspector scans target based on tag key-value pair
    • Uses supported baselines, e.g., CVE, CIS, best practices, network reachability, etc.
    • Some, like CVE, require Inspector agent
  • Systems manager
    • Run command
    • Patch compliance: check instance compliance status
    • Patch baseline: which patches are needed, define approval
    • Maintenance window
    • Parameter store: prefer SecureString, uses KMS
  • Config records config changes and provides compliance rule sets, integrated with Lambda for auto-remediation
    • Audit IAM policies before/after Incident
    • Detect CloudTrail disabled
    • Verify instances are using specific AMI
    • Detect security group rules on specific ports
    • Detect internet gateway addition to non-authorized VPC
    • Detect EBS volume encryption
  • WAF is layer 7, integrates with ALB, CloudFront, and API Gateway
  • CloudWatch logs can centrally store server and application logs
    1. Assign IAM role to instance allowing CloudWatch push
    2. Install CloudWatch Agent
    3. Configure appropriate config to start agent
    • To troubleshoot, verify awslogs service is running manually or via Run Command and verify IAM policy
    • Metric filters used to identify errors
    • Alarms can be sent after metrics reach threshold
  • IP packet inspection achieved at VPC level with all outbound traffic sent to proxy server or at host level with appropriate agent, not with flow logs
  • CloudTrail
    • Enable for all regions and store data centrally
      1. Create S3 bucket in central account
      2. Configure CloudTrail in all accounts to push logs to central account
    • To update log prefix, first modify S3 bucket policy and then update trail

Infrastructure security

  • DDoS mitigation: Shield, CloudFront, Auto-Scaling, Route53, WAF, CloudWatch
  • Direct Connect
    • Region-specific outside of US, dedicated connection between data center and AWS
    • Not encrypted, use VPN tunneling if required
  • CloudFront
    • Signed URLs: real-time messaging protocol (RTMP) (cookies not supported), restrict access to specific files, users are using client without cookie support
    • Signed cookies: multiple restricted files
    • Supports custom TLS certificates in PEM format, must be imported into US East (N. Virginia) region, key length cannot exceed 2048 bits
  • VPC endpoints
    • Can use to allow only specific S3 buckets within account
    • Can use with KMS and aws:sourceVpc condition key to allow only specific VPCs to access KMS and ensure private DNS is enabled
  • Network ACL
    • Stateless, works at subnet level, max 40 rules with default of 20. If you need more, use, e.g., iptables
  • URL allowlist, e.g., "server should only access URL related to package updates", enabled via AWS Marketplace custom proxy like Squid
  • SES
    • TLS for encrypted SMTP connection, ports 25, 587, and 2587
  • Can disable instances from using Amazon-provided DNS by disabling DNS resolution in VPC
  • Can use host-based IDS for file integrity, integrate with CloudWatch for alerting
  • For IPS, install agent on instance and report to central SIEM server

Identity and access management

  • Cross-account IAM role troubleshooting
    1. Verify sts:AssumeRole granted
    2. Verify appropriate RoleArn is added
    3. Verify external ID
  • VPN used for remote employees to connect to private VPC resources, can use VPN appliance from AWS Marketplace like OpenVPN
  • When integrating AD, DNS should point to AD
  • SCPs can only restrict access, impact root user as well
  • Active Directory Federation Service (ADFS) is a Microsoft SSO solution
    • Supports SAML, AD groups are associated/mapped with IAM roles where all users in group can assume role
    • In AD, direction of trust is opposite direction of access
  • IAM role can be used across multiple services by modifying trust policy

Data protection

  • ACM is regional, must be in same region as ELB and in US East (N. Virginia) for CloudFront
    • Cannot export public certificates created by ACM but can export private certificates
  • AWS uses SafeNet Luna SA 700 HSA CloudHSM, tamper-evident
  • CloudTrail logs are server-side encrypted by default in S3, can optionally use SSE-KMS
  • KMS
    • Automated rotation works for AWS KMS generated key material, cannot be used for imported key material, you must manually rotate them. You can do this by creating a new CMK and mapping an existing key alias to it.
    • For cross-region imported CMKs, you can re-wrap the data encryption key from the source region using the CMK
    • If you accidentally delete imported CMK, download a new wrapping key and import key into existing CMK
  • ELB
    • If app is using custom protocol, use TCP instead of HTTP(S) listeners
    • Supports Perfect Forward Secrecy (PFS), need to enable ECDHE key exchange
  • Glacier Vault lock can be aborted when InProgress
  • For user to start instance with encrypted EBS, must have kms:Decrypt and kms:CreateGrant permissions
  • Enabling Secrets Manager rotation causes immediate rotation
  • Parameter store SecretString troubleshooting
    • Application must have permission to access CMK
    • CMK is not found because of, e.g., incorrect identifier
    • CMK is not enabled resulting in InvalidKeyId exception


  • Can specify which API operations users are allowed to call in IAM policies and enforce MFA
  • Docker security
    • Can limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries
    • Can segregate containers by host, function, and data classification
  • CloudHSM
    • Can integrate with KSM via custom key store feature
    • Allows immediate deletion of key material (rather than waiting seven days)
    • Allows key usage audits independently of KMS and CloudTrail

Stay up to date

Get notified when I publish. Unsubscribe at any time.