
Chapter 7

Security

Security is a critical component for the success of any organization. A complete guide to full
security architectures is beyond the scope of this book and should be explored by any
organization that would face serious consequences if a security breach occurs. This chapter
breaks down security into the following components:

• Who is responsible for what parts of the VPC?
• Principle of least privilege.
• Industry compliance.
• Identity and access management.
• Multiple account strategies.
• Network ACLs, security groups, WAF.
• Intrusion detection and prevention.
• Distributed denial of service attacks and prevention.
• Service catalogs.
• Systems manager parameter store.

AWS Shared Security Model

While outsourcing the data center to the cloud can help with costs, agility, scalability, and even
security, a substantial amount of security work still falls to the customer. When an organization
outsources its data center to AWS, security and compliance responsibilities are shared between
AWS and the customer. This is called the shared security model. In the shared security model,
AWS maintains the security of the cloud, and the customer maintains the security of their VPC.53

The diagram below shows the AWS shared responsibility model.

Securing the Cloud

AWS is responsible for keeping the cloud itself secure. In practice, this means managing the
following functions:

• Physical security – Keeping the facility locked, keeping unauthorized users out of the
AWS data centers.
• Principle of least privilege – Limiting who from AWS can manage assets in the cloud.
• Security of the cloud – Keeping the cloud secure (firewalls, system patching, routing,
IDS/IPS, change management).
• Keeping all AWS applications secure with patching and maintaining the underlying
components of serverless applications offered by AWS.
• Keeping the AWS network secure with secure routing, VLANs, route filtering, firewalls,
and intrusion prevention and detection (IDS/IPS).

Securing the VPC

The customer is responsible for securing all aspects of their VPC. This means the customer is
responsible for the following security components:

• Identity and access management – Determine who is allowed in the VPC and define
their functions.
• Principle of least privilege – Grant the least privileges necessary for employees and
partners to perform their functions effectively.
• Data security – Manage encryption.
• Maintenance of customer-designed applications.
• Management of the VPC routing tables.
• Managing traffic allowed into the VPC – Firewalls, NACLs, security groups.
• Maintenance of the operating systems and applications stored on EC2 compute
instances.
• Physical security – Keep the devices that connect to the cloud secure from unauthorized
users.

Principle of Least Privilege

One of the most critical components of security is the principle of least privilege. The principle
of least privilege is about making sure that individuals and systems using the cloud can access
only the functions necessary to perform their role effectively. Granting more than the minimal
level of privileges can enable users or hackers to intentionally or accidentally damage the VPC.
Additionally, privileges should be revoked when no longer needed, for example when an employee
leaves the company.54

The diagram below shows the principle of least privilege by allowing access to the management
console only to individuals who need access for their job function.

Industry Compliance

Many industries throughout the world are highly regulated. Often these industries have a legal
requirement that requires a level of security, data retention, and auditing policies. AWS
supports many international compliance requirements.55
Some key compliance standards are:

• PCI DSS – for payment cards
• ISO 9001, 27001, 27017, 27018
• FedRAMP
• HIPAA – US health care privacy

A full list can be seen at https://aws.amazon.com/compliance/programs/.

Identity and Access Management

Identity and access management is a key component of any security architecture. Identity and
access management is about identifying the user and giving the user access to the resources
necessary to perform their functions.56 Identity and access management is also referred to as
AAA. The key components of AAA are:

• Authentication – Identify the user.
• Authorization – Determine if the user is allowed to access the resource.
• Accounting – The ability to see what the user has done.

AWS divides IAM into users and roles. An IAM user is a person accessing the AWS cloud.
Generally speaking, an IAM role is used by an AWS service to access another service, e.g., an EC2
instance accessing DynamoDB.

AWS has some specific components in its IAM system. AWS uses the concept of principals. In
AWS a principal is an IAM entity that is permitted to access AWS resources. AWS further breaks
down the principal concept into root users, IAM users, and roles.

The diagram below shows the functions of authentication, authorization, and accounting.

Root User

The root user is the person who created the AWS account. The root user has full system access.
The root user can access the console and has programmatic access to AWS resources. Since the
root user can do anything, including deletion of the VPC, it's best to use the root account to set
up the VPC and then immediately create an IAM user with appropriate access to the VPC. This is
similar in practice to not using the root account to log in to a UNIX or Linux system, to prevent
accidental system damage.

The diagram below shows an example of the root user privileges.
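As an added example (not from the book), a Python check over an IAM credential report that flags the conditions the paragraph above warns against: the root user still holding access keys (or lacking MFA), and a console user without MFA. It assumes the report's column names (user, mfa_active, access_key_1_active, access_key_2_active, password_enabled) and uses a constructed sample with placeholder account ids.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report (assumption:
# the real report carries more columns, but DictReader keys by header name,
# so extra columns are ignored). The report names the root user
# "<root_account>"; the account id 123456789012 is a placeholder.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,true
"""


def _truthy(value):
    return value.strip().lower() == "true"


def audit_credential_report(report_csv):
    """Return (user, finding) pairs for conditions that contradict the
    guidance above: the root user should hold no long-lived access keys and
    should have MFA, and any user with a console password should have MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = _truthy(row["access_key_1_active"]) or _truthy(row["access_key_2_active"])
        mfa = _truthy(row["mfa_active"])
        if user == "<root_account>":
            if has_keys:
                findings.append((user, "root user has active access keys"))
            if not mfa:
                findings.append((user, "root user has no MFA"))
        elif _truthy(row["password_enabled"]) and not mfa:
            findings.append((user, "console user without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```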

IAM Users

IAM users are identities that have permissions to interact with AWS resources. IAM users are
created by principals with administrative access. IAM users can be created with the AWS
management console, CLI, or SDKs. IAM users are permanent unless deleted by an
administrator.

The diagram below shows an IAM user accessing an AWS VPC.

Roles and Security Tokens

Roles are used to provide access to AWS services. There are three types of roles in the AWS
environment:

• EC2 roles
• Cross account roles
• Identity federations

EC2 Roles

EC2 roles enable EC2 computing instances to access AWS services, e.g., S3 and DynamoDB. To
set up an EC2 role, an IAM role is created and then applied to the EC2 instance. By creating the
EC2 role, there is no need to store AWS credentials on the EC2 instance, which further
enhances security.57 Here is how EC2 roles work:

1. An EC2 role is created.
2. The EC2 role is applied to an EC2 instance.
3. When the EC2 instance attempts to access AWS services, a temporary token is provided to
allow access.
4. The AWS service recognizes the token and grants access.
5. As temporary tokens expire, new tokens are generated frequently.
6. By rotating tokens, security is enhanced, as no password (key) needs to be passed to the
application.
7. This greatly enhances security. If an EC2 instance were to be hacked, no passwords are
given to the hacker. Since the tokens expire and are rotated frequently, even if hackers
were to gain access to a token, it could not be used for long.

The diagram below shows an example of an EC2 instance accessing DynamoDB with an EC2
role.
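Temporary tokens limit how long a stolen credential is useful, but the role's permissions policy still decides what the instance can do in the meantime, which is where the principle of least privilege applies. As an added example (not from the book), a small Python audit that flags Allow statements granting wildcard actions or applying to every resource, run over a constructed "before" policy for an EC2 role (all of DynamoDB on all tables) and a narrowed "after" policy (three calls on one table); the table ARN and account id are placeholders.

```python
def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return (statement index, reason) for every Allow statement that grants a
    wildcard action ("*" or "service:*"), applies to every resource ("*"), or
    allows by exclusion (NotAction/NotResource)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "uses NotAction/NotResource (allow by exclusion)"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "applies to all resources"))
    return findings


# Constructed "before" policy for an EC2 role: every DynamoDB action on every
# table, so a compromised instance could read or delete any table in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# Constructed "after" policy: only the calls the application makes, only on its
# own table (the account id 123456789012 and table name Orders are placeholders).
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
    }],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, overbroad_statements(policy) or "ok")
```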

Cross-Account Roles

In the modern technology environment, it is frequently necessary for an organization to share
resources with other business partners. In order to connect with organizations outside the VPC,
cross-account roles are used. Connecting to other organizations can create significant business
opportunities, but that connectivity also brings security challenges. The partner company may
need access to certain resources but should not have access to any resource that could
compromise the organization if lost or stolen. While it's always essential to provide access with
the principle of least privilege, nowhere is it more critical than when connecting to external
organizations.58,59 Therefore, be very strategic in assigning permissions to cross-account roles.
Cross-account roles work in the following manner:

1. A role is created for the external user.
2. The external user connects to the AWS Security Token Service (STS) and receives a
temporary token.
3. The external user then provides the temporary token to AWS and is authorized to access
the VPC.

The diagram below shows a cross-account role being used to access external VPCs.
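The role's trust policy is what restricts step 2 to the intended partner. As an added example (not from the book), Python that builds the trust policy for a cross-account role limited to one partner account and an agreed ExternalId (a condition AWS supports that the chapter does not cover), and audits trust policies for ones open to any AWS principal or missing that condition; the account id and ExternalId values are placeholders.

```python
def cross_account_trust_policy(trusted_account_id, external_id):
    """Trust policy for a role that only the named partner account may assume,
    and only when the caller also presents the agreed ExternalId. The
    ExternalId condition stops a partner that serves many customers from being
    tricked into assuming this role on behalf of someone else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Flag trust statements that let any AWS principal assume the role, or
    that trust another account without an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts = ["*"]
        elif isinstance(principal, dict) and "AWS" in principal:
            accounts = _as_list(principal["AWS"])
        else:
            continue  # service or federated principal, not a partner account
        if "*" in accounts:
            findings.append((i, "any AWS principal may assume this role"))
            continue
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in ops for ops in conditions.values()):
            findings.append((i, "partner account trusted without sts:ExternalId"))
    return findings


# Constructed values: the partner account id and ExternalId are placeholders.
PARTNER_TRUST = cross_account_trust_policy("222222222222", "partner-contract-7731")
# A wide-open trust policy for contrast: any AWS account could call
# sts:AssumeRole on it, limited only by the role's permissions policy.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
# Partner side (not run here): boto3's sts.assume_role(RoleArn=..., RoleSessionName=...,
# ExternalId="partner-contract-7731") returns the temporary token of step 2 above.
```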

Identity Federations

IAM is a critical function for organizational security. As organizations grow in size and
complexity, IAM can become challenging to manage. Often the best way to scale IAM systems is
to connect (federate) with an identity provider. A VPC can connect to an identity provider and
use its IAM database within AWS. Connections with an identity provider are built by establishing a
trust relationship with the identity provider. After the trust relationship is established, a
connection is made with OpenID Connect (OIDC) or Security Assertion Markup Language 2.0
(SAML).60

Identity providers can be an organization's Active Directory or LDAP systems, or external
providers such as Google, Amazon, Facebook, Twitter, or LinkedIn. AWS has three choices for
authentication with identity providers: single sign-on, federated IAM, and AWS Cognito.

The diagram below shows how identity federations work with the AWS platform.

AWS Single Sign-On

AWS Single Sign-On enables the user to authenticate once to the identity provider, after which
they will not need to sign on again to access AWS services.61 It works in the following manner:

1. The user signs on to the identity provider.
2. The user is authenticated by the identity provider.
3. The identity provider determines what group (permissions) to give the user.
4. The user is given permissions and is authenticated and authorized to use AWS services.

The diagram below shows how Single Sign-On works with the AWS platform.

Federated IAM

Federated IAM provides a means to authenticate with an external identity provider. Federated
IAM enables significant and granular control over user functions. Federated IAM works in the
following manner:

1. A user attempts authentication.
2. The request is forwarded to the identity provider.
3. The identity provider authenticates the user.
4. The identity provider determines the user's privileges.
5. The identity provider grants privileges based upon job role, the organization's cost
center, and other factors.

AWS Cognito

AWS Cognito is an identity and data synchronization service. AWS Cognito enables
organizations to synchronize identity management and data across mobile devices. Cognito
provides authentication, authorization, and user management for web and mobile apps. AWS
Cognito users can sign in directly with a username and password, or with a third-party identity
provider such as Facebook or Google.62 AWS Cognito is simple and efficient. Cognito works in
the following manner:

1. The user attempts to authenticate against Cognito.
2. Cognito authenticates the user.
3. Cognito provides a token for the user.
4. The user's device exchanges the token for credentials.
5. The credentials are then used to access AWS services.

The diagram below shows how AWS Cognito is used to authenticate mobile devices to access
the AWS platform.

AWS Directory Service

Another means to create a scalable IAM solution is with the AWS Directory Service. The AWS
Directory Service provides hosted, dedicated-tenant, Windows Active Directory (AD) servers.
These are high-availability servers spread across two availability zones in the default
configuration. The AD servers are actual Microsoft AD servers hosted by AWS. Being actual
Microsoft AD servers, Microsoft-dependent workloads can function in the AWS VPC.63

AWS Directory Service can also be integrated with a customer's on-premises Microsoft AD domain
controllers. AWS Directory Service can also be used by AWS services such as EC2, RDS for SQL
Server, end user computing, and AWS WorkSpaces for IAM functions. The hosted AD servers
