20200604 SECURITY

palo alto networks

https://www.paloaltonetworks.com/resources/guides/prisma-access-for-users-deployment-guide

https://www.youtube.com/watch?v=UkgUcl3db1A

https://aws.amazon.com/marketplace/pp/B07QDBGS6L?ref_=srh_res_product_title

Intrusion detection and intrusion prevention systems

#IDS IPS

https://aws.amazon.com/marketplace/solutions/infrastructure-software/ids-ips

guard duty

https://aws.amazon.com/guardduty/

#detection only: GuardDuty raises findings but does not block access by itself (automated response has to be built on the CloudWatch Events integration)

#DDoS protection is a separate service, AWS Shield Advanced (see below), not a GuardDuty tier

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.

aws control tower

aws firewall manager 

https://www.youtube.com/watch?v=wocz0drq8-8

configuration changes can be tracked in AWS Config

aws waf and shield

aws single sign on

aws inspector is for EC2

https://aws.amazon.com/inspector/

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

Service control policies

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

SCPs are similar to IAM permission policies and use almost the same syntax. However, an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). For more information, see Policy Evaluation Logic in the IAM User Guide.
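To make "an SCP never grants permissions" concrete, here is an added example (not from the AWS documentation or this page) that evaluates an action against a constructed identity policy bounded by a constructed SCP. It implements only Effect/Action matching with wildcards; real AWS evaluation also considers Resource, Condition, permission boundaries, session policies and resource-based policies.

```python
"""Evaluate an action against an IAM identity policy bounded by an SCP.

Added example, not from the AWS documentation. The two policy documents are
constructed, and the evaluator covers only Effect/Action matching (with
wildcards). Real AWS evaluation also considers Resource, Condition, permission
boundaries, session policies and resource-based policies.
"""
import fnmatch
import json

# Constructed SCP attached to an OU: "Allow *" is the usual FullAWSAccess baseline,
# the Deny carves out actions nobody in the OU may ever perform. The Allow grants
# nothing on its own; it only leaves room for identity policies to grant.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "iam:CreateAccessKey"],
     "Resource": "*"}
  ]
}""")

# Constructed identity policy attached to a role inside that OU.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*"], "Resource": "*"}
  ]
}""")


def _statement_matches(stmt, action):
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names match case-insensitively and support the * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _decision(policy, action):
    """Return (has_allow, has_deny) for one policy document."""
    has_allow = has_deny = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action):
            if stmt["Effect"] == "Deny":
                has_deny = True
            else:
                has_allow = True
    return has_allow, has_deny


def is_allowed(action, identity_policy=IDENTITY_POLICY, scps=(SCP,)):
    """Reduced IAM evaluation logic for the SCP case.

    An explicit Deny in any policy wins. Otherwise the action needs an Allow in
    the identity policy AND an Allow in every SCP between the account and the
    organization root: the SCP is a ceiling, never a grant.
    """
    id_allow, id_deny = _decision(identity_policy, action)
    if id_deny:
        return False
    for scp in scps:
        scp_allow, scp_deny = _decision(scp, action)
        if scp_deny or not scp_allow:
            return False
    return id_allow
```

With these policies, `s3:GetObject` is allowed (granted by the identity policy, permitted by the SCP), `cloudtrail:StopLogging` is denied by the SCP even though the identity policy grants `cloudtrail:*`, and `ec2:RunInstances` is denied although the SCP allows `*`, because nothing grants it.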

How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?

https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

What Is AWS Secrets Manager?

https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

What are AWS WAF, AWS Shield, and AWS Firewall Manager?

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer. AWS WAF also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, API Gateway, CloudFront or an Application Load Balancer responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You also can configure CloudFront to return a custom error page when a request is blocked.

At the simplest level, AWS WAF lets you choose one of the following behaviors:

* Allow all requests except the ones that you specify – This is useful when you want CloudFront or an Application Load Balancer to serve content for a public website, but you also want to block requests from attackers.

* Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.

* Count the requests that match the properties that you specify – When you want to allow or block requests based on new properties in web requests, you first can configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This lets you confirm that you didn’t accidentally configure AWS WAF to block all the traffic to your website. When you’re confident that you specified the correct properties, you can change the behavior to allow or block requests.

Using AWS WAF has several benefits:

* Additional protection against web attacks using conditions that you specify. You can define conditions by using characteristics of web requests such as the following:

    * IP addresses that requests originate from.

    * Country that requests originate from.

    * Values in request headers.

    * Strings that appear in requests, either specific strings or string that match regular expression (regex) patterns.

    * Length of requests.

    * Presence of SQL code that is likely to be malicious (known as SQL injection).

    * Presence of a script that is likely to be malicious (known as cross-site scripting).

* Rules that can allow, block, or count web requests that meet the specified conditions. Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.

* Rules that you can reuse for multiple web applications.

* Managed rule groups from AWS and AWS Marketplace sellers.

* Real-time metrics and sampled web requests.

* Automated administration using the AWS WAF API.
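The allow/block/count behaviours, the match conditions and the 5-minute rate-based rule described above, as an added example that is not AWS code and not part of the original page. The requests, addresses and rule names are constructed; the SQL-injection signature is a deliberately naive regex standing in for the managed rule group, and real AWS WAF rule syntax is considerably richer.

```python
"""Rule evaluation in the style of an AWS WAF web ACL, run over constructed requests.

Added example, not AWS code: it mirrors the actions named on this page (ALLOW, BLOCK,
COUNT), several of the match conditions (source IP, header value, request length, a
naive SQL-injection signature) and a rate-based rule counted over a 5-minute window.
"""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

RATE_WINDOW_SECONDS = 300  # rate-based rules count requests per 5-minute period

# Naive signature: quoted tautology, SQL comment, stacked DROP, UNION SELECT.
SQLI_RE = re.compile(r"('\s*or\s*'?\d*'?\s*=\s*'?\d*|--|;\s*drop\b|union\s+select)", re.I)


class WebAcl:
    def __init__(self, default_action, rules, rate_limit=None):
        # rules: list of (name, action, predicate). The first matching ALLOW/BLOCK rule
        # terminates evaluation; a COUNT rule records its match and evaluation continues.
        self.default_action = default_action
        self.rules = rules
        self.rate_limit = rate_limit           # (max_requests_per_window, action) or None
        self.counted = defaultdict(int)        # rule name -> number of COUNT matches
        self._seen = defaultdict(deque)        # source IP -> request timestamps in window

    def _over_rate(self, req):
        if self.rate_limit is None:
            return False
        limit, _ = self.rate_limit
        stamps = self._seen[req["ip"]]
        stamps.append(req["ts"])
        while stamps and req["ts"] - stamps[0] >= RATE_WINDOW_SECONDS:
            stamps.popleft()
        return len(stamps) > limit

    def evaluate(self, req):
        """Return (action, rule_name) for one request."""
        for name, action, predicate in self.rules:
            if predicate(req):
                if action == "COUNT":
                    self.counted[name] += 1
                    continue
                return action, name
        if self._over_rate(req):
            return self.rate_limit[1], "rate-limit"
        return self.default_action, "default"


# Match-condition builders, one per condition type used below.
def ip_in(cidrs):
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r["ip"]) in n for n in nets)

def header_equals(name, value):
    return lambda r: r["headers"].get(name.lower()) == value

def body_longer_than(limit):
    return lambda r: len(r["body"]) > limit

def looks_like_sqli(r):
    return bool(SQLI_RE.search(r["query"]) or SQLI_RE.search(r["body"]))


def build_acl():
    # Public-website posture from the page: allow everything except what the rules name.
    return WebAcl(
        default_action="ALLOW",
        rules=[
            ("block-bad-ips", "BLOCK", ip_in(["198.51.100.0/24"])),
            ("block-sqli", "BLOCK", looks_like_sqli),
            ("block-large-body", "BLOCK", body_longer_than(8192)),
            # A new condition goes in as COUNT first, so a mistake cannot block real users.
            ("count-legacy-agent", "COUNT", header_equals("User-Agent", "LegacyClient/1.0")),
        ],
        rate_limit=(100, "BLOCK"),
    )


def sample_requests():
    """Constructed traffic; all addresses are from documentation ranges."""
    base = {"country": "US", "headers": {}, "query": "", "body": "", "ts": 0}
    reqs = [
        dict(base, ip="203.0.113.10", query="id=42"),
        dict(base, ip="198.51.100.7", query="id=42"),
        dict(base, ip="203.0.113.11", query="id=1' OR '1'='1"),
        dict(base, ip="203.0.113.12", headers={"user-agent": "LegacyClient/1.0"}),
    ]
    # 101 requests from one client within 300 seconds: only the last exceeds the limit
    reqs += [dict(base, ip="203.0.113.99", ts=t) for t in range(101)]
    return reqs


def run_sample():
    acl = build_acl()
    decisions = [acl.evaluate(r) for r in sample_requests()]
    return decisions, dict(acl.counted)
```

The COUNT rule is the point worth copying: the legacy-agent request is allowed and only recorded, so the metric can be inspected before the rule is switched to BLOCK.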

AWS Shield

You can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a distributed denial of service (DDoS) attack. For additional protection against DDoS attacks, AWS also provides AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services. AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, and Route 53 hosted zones. AWS Shield Advanced incurs additional charges.

For more information about AWS Shield Standard and AWS Shield Advanced, see AWS Shield.

AWS Firewall Manager

AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for AWS WAF rules, AWS Shield Advanced protections, and Amazon VPC security groups. The Firewall Manager service automatically applies your rules and other security protections across your accounts and resources, even as you add new accounts and resources.

For more information about Firewall Manager, see AWS Firewall Manager.

Best Practices for DDoS Mitigation on AWS

https://www.youtube.com/watch?v=HnoZS5jj7pk&feature=youtu.be

#other, not yet watched

Advanced Techniques for Securing Your Web Applications with AWS WAF and AWS Shield

https://www.youtube.com/watch?v=lU_zPruIL9w

Question 52: Correct

You are working as a Solutions Architect for a multinational financial firm. They have a global online trading platform in which users from all over the world regularly upload terabytes of transactional data to a centralized S3 bucket. What AWS feature should you use in your present system to improve throughput and ensure consistently fast data transfer to the Amazon S3 bucket, regardless of your users' location?

AWS Direct Connect

FTP

Use CloudFront Origin Access Identity

Amazon S3 Transfer Acceleration

(Correct answer)

Explanation

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations. As data arrives at an AWS Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.

FTP is incorrect because the File Transfer Protocol does not guarantee fast throughput and consistent, fast data transfer.

AWS Direct Connect is incorrect because you have users all around the world and not just on your on-premises data center. Direct Connect would be too costly and is definitely not suitable for this purpose.

Using CloudFront Origin Access Identity is incorrect because this is a feature which ensures that only CloudFront can serve S3 content. It does not increase throughput and ensure fast delivery of content to your customers.

Reference:

http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

Check out this Amazon S3 Cheat Sheet:

https://tutorialsdojo.com/aws-cheat-sheet-amazon-s3/

S3 Transfer Acceleration vs Direct Connect vs VPN vs Snowball vs Snowmobile:

https://tutorialsdojo.com/aws-cheat-sheet-s3-transfer-acceleration-vs-direct-connect-vs-vpn-vs-snowball-vs-snowmobile/

Comparison of AWS Services Cheat Sheets:

https://tutorialsdojo.com/comparison-of-aws-services-for-udemy-students/

macie

Amazon Macie

https://aws.amazon.com/macie/

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects the risk of unauthorized access or inadvertent data leaks. Today, Amazon Macie is available to protect data stored in Amazon S3, with support for additional AWS data stores soon.

Creating an opportunistic IPSec mesh between EC2 instances

https://aws.amazon.com/jp/blogs/security/creating-an-opportunistic-ipsec-mesh-between-ec2-instances/

Service control policies

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html#orgs_manage_policies_scp

What is AWS Organizations?

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

Here are some of the best practices for securing the AWS account root user:

1) Use a strong password to help protect account-level access to the AWS Management Console.

2) Never share your AWS account root user password or access keys with anyone.

3) If you do have an access key for your AWS account root user, delete it. If you must keep it, rotate (change) the access key regularly. Do not store root access keys in Amazon S3, even encrypted.

4) If you don't already have an access key for your AWS account root user, don't create one unless you absolutely need to.

5) Enable AWS multi-factor authentication (MFA) on your AWS account root user account.

AWS Root Account Security Best Practices: via – https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

AWS Security Hub

https://aws.amazon.com/security-hub/?aws-security-hub-blogs.sort-by=item.additionalFields.createdDate&aws-security-hub-blogs.sort-order=desc

Penetration Testing

https://aws.amazon.com/security/penetration-testing/

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.”

Logging IAM and AWS STS API Calls with AWS CloudTrail

https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

CloudTrail logs sign-in events to the AWS Management Console, the AWS discussion forums, and AWS Marketplace. CloudTrail logs successful and failed sign-in attempts for IAM users and federated users.

For AWS account root users, only successful sign-in events are logged. Unsuccessful sign-in events by the root user are not logged by CloudTrail.

As a security best practice, AWS does not log the entered IAM user name text when the sign-in failure is caused by an incorrect user name. The user name text is masked by the value HIDDEN_DUE_TO_SECURITY_REASONS. For an example of this, see Example Sign-in Failure Event Caused by Incorrect User Name, later in this topic. The user name text is obscured because such failures might be caused by user errors. Logging these errors could expose potentially sensitive information. For example:

* You accidentally type your password in the user name box.

* You choose the link for one AWS account’s sign-in page, but then type the account number for a different one.

* You forget which account you are signing in to and accidentally type the account name of your personal email account, your bank sign-in identifier, or some other private ID.
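Detection logic for the sign-in behaviour described above, as an added example that is not AWS code and not part of the original page. The events are constructed to follow the ConsoleLogin record shape (real CloudTrail field names, documentation-range IPs, a made-up account ID). It counts failed sign-ins per IAM user, keeps the masked HIDDEN_DUE_TO_SECURITY_REASONS name separate, and lists every root sign-in, because root failures are never recorded and so each root success deserves a look.

```python
"""Triage CloudTrail ConsoleLogin events for the patterns described on this page.

Added example, not AWS code. The events are constructed to follow the ConsoleLogin
record shape (real field names, documentation-range IPs, made-up account ID).
"""
from collections import Counter

MASKED_USER = "HIDDEN_DUE_TO_SECURITY_REASONS"


def _event(identity_type, user, outcome, ip, mfa, when):
    """Build one constructed ConsoleLogin record."""
    identity = {"type": identity_type, "accountId": "111122223333"}
    if user is not None:
        identity["userName"] = user
    rec = {
        "eventVersion": "1.05",
        "eventTime": when,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": identity,
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


SAMPLE_EVENTS = [
    _event("IAMUser", "alice", "Failure", "198.51.100.23", "No", "2020-06-04T09:00:01Z"),
    _event("IAMUser", "alice", "Failure", "198.51.100.23", "No", "2020-06-04T09:00:07Z"),
    _event("IAMUser", "alice", "Failure", "198.51.100.23", "No", "2020-06-04T09:00:15Z"),
    _event("IAMUser", MASKED_USER, "Failure", "203.0.113.8", "No", "2020-06-04T09:01:00Z"),
    _event("IAMUser", MASKED_USER, "Failure", "203.0.113.8", "No", "2020-06-04T09:01:09Z"),
    _event("IAMUser", "bob", "Failure", "203.0.113.40", "No", "2020-06-04T09:02:00Z"),
    _event("IAMUser", "alice", "Success", "203.0.113.40", "Yes", "2020-06-04T09:03:00Z"),
    _event("Root", None, "Success", "198.51.100.77", "No", "2020-06-04T09:05:00Z"),
]


def summarize(events):
    """Return (failed_by_user, masked_failures, root_logins)."""
    failed = Counter()
    masked = 0
    root = []
    for e in events:
        if e.get("eventSource") != "signin.amazonaws.com" or e.get("eventName") != "ConsoleLogin":
            continue
        ident = e["userIdentity"]
        outcome = e["responseElements"]["ConsoleLogin"]
        mfa = e.get("additionalEventData", {}).get("MFAUsed", "Unknown")
        if ident["type"] == "Root":
            # CloudTrail records only successful root sign-ins, so this list is
            # complete for successes and says nothing about failed attempts.
            root.append((e["eventTime"], e["sourceIPAddress"], mfa))
        elif outcome == "Failure":
            if ident.get("userName") == MASKED_USER:
                masked += 1  # bad user name; CloudTrail withheld the typed text
            else:
                failed[ident["userName"]] += 1
    return failed, masked, root


def findings(events, threshold=3):
    failed, masked, root = summarize(events)
    out = []
    for user, n in sorted(failed.items()):
        if n >= threshold:
            out.append(f"{n} failed console sign-ins for IAM user {user}")
    if masked:
        out.append(f"{masked} failed sign-ins with a masked user name "
                   "(typo, or a password typed into the user-name box)")
    for when, ip, mfa in root:
        out.append(f"root console sign-in at {when} from {ip}, MFAUsed={mfa}")
    return out
```

On the sample above this yields three findings: alice's three failures, the two masked failures (worth treating as a possible credential leak into the log, since the page explains the user-name box sometimes receives a password), and the root sign-in without MFA.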


Authentication using HTTPS client certificates

https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

PCI compliance 

https://aws.amazon.com/compliance/pci-dss-level-1-faqs/

SSL

Symmetric vs. Asymmetric Encryption – What are differences

https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences

Difference Between Symmetric and Asymmetric Encryption

* Symmetric encryption uses a single key that must be shared with everyone who needs to decrypt the message, while asymmetric encryption uses a pair of keys, one public and one private, to encrypt and decrypt.

* Symmetric encryption is an old technique; asymmetric encryption is relatively new.

* Asymmetric encryption was introduced to solve the key-distribution problem inherent in the symmetric model: with a public/private key pair there is no secret key to share in advance.

* Asymmetric encryption is considerably slower than symmetric encryption, which is why in practice it is used to exchange or wrap a symmetric key that then protects the bulk of the data.
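The two models side by side, combined the way real protocols (TLS included) combine them, as an added example that is not from the linked article. Everything is standard-library: the symmetric part is a SHA-256 counter-mode keystream with an HMAC tag, the asymmetric part is textbook RSA over two fixed Mersenne primes with no padding. Both are illustrations of the mechanics only and must not be used to protect real data.

```python
"""Symmetric and asymmetric encryption side by side, combined into a hybrid scheme.

Added example, not from the linked article. Standard library only: a SHA-256
counter-mode keystream with an HMAC tag stands in for a real symmetric cipher,
and unpadded textbook RSA over fixed primes stands in for a real public-key
scheme. Illustration of the mechanics only; not for protecting real data.
"""
import hashlib
import hmac
import os

# --- asymmetric: textbook RSA -------------------------------------------------
# Fixed primes (2^89-1 and 2^107-1) stand in for generated ones; n is about 2^196,
# so a 128-bit symmetric key always fits in a single RSA plaintext block.
_P, _Q = (1 << 89) - 1, (1 << 107) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)      # may be handed to anyone
PRIVATE_KEY = (_N, _D)     # never leaves the recipient


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


# --- symmetric: the same key encrypts and decrypts --------------------------------
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
    return nonce + ct + tag


def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- hybrid: asymmetric only to move the key, symmetric for the bulk data -------
def hybrid_encrypt(pub, plaintext):
    session_key = os.urandom(16)
    wrapped = rsa_encrypt(pub, int.from_bytes(session_key, "big"))
    return wrapped, sym_encrypt(session_key, plaintext)


def hybrid_decrypt(priv, wrapped, blob):
    session_key = rsa_decrypt(priv, wrapped).to_bytes(16, "big")
    return sym_decrypt(session_key, blob)


def roundtrip(plaintext):
    """Sender holds only PUBLIC_KEY; the recipient recovers the message with PRIVATE_KEY."""
    wrapped, blob = hybrid_encrypt(PUBLIC_KEY, plaintext)
    return hybrid_decrypt(PRIVATE_KEY, wrapped, blob)


def tamper_is_detected(plaintext):
    wrapped, blob = hybrid_encrypt(PUBLIC_KEY, plaintext)
    flipped = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]  # flip one ciphertext bit
    try:
        hybrid_decrypt(PRIVATE_KEY, wrapped, flipped)
    except ValueError:
        return True
    return False
```

Two things to notice: `sym_encrypt` and `sym_decrypt` take the identical key, which is the sharing problem the bullets describe, whereas `hybrid_encrypt` needs nothing secret from the recipient. The expensive RSA operation runs once per message on 16 bytes, and the cheap symmetric cipher handles the payload; a counter-mode stream without the HMAC tag would be silently malleable, which is why the tag is checked before any plaintext is returned.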


http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

https://d0.awsstatic.com/whitepapers/compliance/AWS_Alignment_with_Motion_Picture_of_America_Association_Application_and_Cloud.pdf

Overview of AWS Security – Compute Services

https://d0.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor

Securing Data at Rest with Encryption

https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf