oam/knowledge base/cloud computing/aws

Amazon Web Services

1. Networking
   1. Elastic IP addresses
2. Services
   1. CloudWatch
   2. Config
   3. Detective
   4. GuardDuty
   5. EventBridge
   6. Inspector
   7. RDS
   8. Security Hub
3. Resource constraints
4. Access control
   1. IAM policies
5. Further readings
   1. Sources

Networking

VPCs define isolated virtual networking environments.
AWS accounts include one default VPC for each AWS Region. These allow for immediate launch and connection to EC2 instances.

Subnets are ranges of IP addresses in VPCs.
Each subnet resides in a single Availability Zone.
Public subnets have a direct route to an Internet gateway. Resources in public subnets can access the public Internet.
Private subnets do not have a direct route to an Internet gateway. Resources in private subnets require a NAT device to access the public internet.

Gateways connect VPCs to other networks.
Internet gateways connect VPCs to the Internet.
NAT gateways allow resources in private subnets to connect to the Internet, other VPCs, or on-premises networks. They can communicate with services outside the VPC, but cannot receive unsolicited connection requests.
VPC endpoints connect VPCs to AWS services privately, without the need of Internet gateways or NAT devices.

Elastic IP addresses

Refer Elastic IP addresses.

Static, public IPv4 addresses allocated to one's AWS account until one releases it.
One can can rapidly remapping addresses to other instances in one's account and use them as targets in DNS records.

Services

Service	Description
CloudWatch	Observability (logging, monitoring, alerting)
Config	Compliance
Detective	FIXME
EC2	Virtual machines
ECR	Container registry
ECS	Containers as a service
EKS	Kubernetes clusters
EventBridge	FIXME
GuardDuty	Threat detection
Inspector	FIXME
RDS	Databases
S3	Storage
Sagemaker	Machine learning
Security Hub	Aggregator for security findings

Service icons are publicly available for diagrams and such.

CloudWatch

Observability service. with functions for logging, monitoring and alerting.

Metrics are whatever needs to be monitored (e.g. CPU usage). Data points are the values of a metric over time. Namespaces are containers for metrics.

Metrics only exist in the region in which they are created.

Many AWS services offer basic monitoring by publishing a default set of metrics to CloudWatch with no charge.
This feature is automatically enabled by default when one starts using one of these services.

Config

FIXME

Compliance service for assessing and auditing AWS resources.

Provides an inventory of resources.
Records and monitors resource configurations and their changes.
The data is stored in a bucket (default name config-bucket-{aws-account-number})
Changes can be streamed to 1 SNS topic for notification purposes.
Uses rules to evaluate whether the resources configurations comply.
Rule evaluation is done once every time a configuration changes, or periodically.
Resources are marked with the evaluation result (compliant, non-compliant).

Custom rules can be used to evaluate for uncommon requirements.
Custom rules leverage lambda functions.

Allows for automatic remediation for non-compliant resources by leveraging Systems Manager Automation documents.

Conformance packs are set of rules bundled together as a deployable single entity.
Defined as YAML templates.
Immutable: users cannot make changes without updating the whole rule package.
Sample templates for compliance standards and benchmarks are available.

Detective

FIXME

Uses ML and graphs to try and identify the root cause of security issues.
Creates visualizations with details and context by leveraging events from VPC Flow Logs, CloudTrail and GuardDuty.

GuardDuty

FIXME

Threat detection service.

It continuously monitors accounts and workloads for malicious activity and delivers security findings for visibility and remediation.
Done by pulling streams of data from CloudTrail, VPC Flow Logs or EKS.

Member accounts can administer GuardDuty by delegation if given the permissions to do so.

Findings are potential security issues for malicious events.
Those are also sent to EventBridge for notification (leveraging SNS).
Each is assigned a severity value (0.1 to 8+).

Trusted IP List is a whitelist of public IPs that will be ignored by the rules.
Threat IP List is a blacklist of public IPs and CIDRs that will be used by the rules.

EventBridge

FIXME

Inspector

FIXME

RDS

Read replicas can be promoted to standalone DB instances.
See Working with DB instance read replicas.

Security Hub

FIXME

Aggregator of findings for security auditing.

Uses Config to check resources' configuration by leveraging compliancy rules.

Security standards are offered as ret of rules for Config.

Data can be aggregated from different regions.
If the integration is enabled, findings from AWS services (GuardDuty) are used too within 5 minutes on average, while ones from 3rd parties can take longer.

Data can be imported from or exported to 3rd parties if the integration is enabled.
Kinda acts as a middle layer for AWS accounts.

Findings are consumed in AWS Security Finding Format (ASFF).
Those are automatically updated and deleted. Findings after 90 days are automatically deleted even if not resolved.

Can use custom insights.

Custom actions can be sent to EventBridge for automation.

Member accounts can administer Security Hub by delegation if given the permissions to do so.

Resource constraints

Data type	Component	Summary	Description	Type	Length	Pattern	Required
Statement ID	Value	Optional identifier for a policy statement	The element supports only ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).	String	FIXME	[A-Za-z0-9]	No
Tag	Key	Required name of the tag	The string value can be Unicode characters and cannot be prefixed with "aws:". The string can contain only the set of Unicode letters, digits, white-space, _,' ., /, =, +, -, :, @ (Java regex: ^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$)	String	1 to 128	^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$	Yes
Tag	Value	The optional value of the tag	The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, _, ., /, =, +, -, :, @ (Java regex: ^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$", [\p{L}\p{Z}\p{N}_.:\/=+\-@]* on AWS)	String	0 to 256	^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$	Yes

Access control

Entity	Description	Notes
User	Represents a human or a workload. Defined by its name and credentials.	No permissions by default, need to be assigned to it
Role	Defines a set of permissions for making requests to AWS services. Defines what actions can be performed on which resources.	Can be assumed by AWS services, applications and users

To be able to assume roles:

• Users, roles or services must have the permissions to assume the role they want to assume.
• The role's trust relationship should allow the users, roles or services to assume it.

From Using service-linked roles:

A service role is an IAM role that a service assumes to perform actions on your behalf.
An IAM administrator can create, modify, and delete a service role from within IAM.

A service-linked role is a type of service role that is linked to an AWS service.
The service can assume the role to perform an action on your behalf.
Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

IAM policies

IAM does not expose policies' Sid element in the IAM API, so it can't be used to retrieve statements.

Examples:

Give a user temporary RO access to a bucket

1. Create the policy:

   {
     "Version": "2012-10-17",
     "Statement": [{
       "Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucket",
       "Effect": "Allow",
       "Action": [
         "s3:GetObject",
         "s3:GetObjectAttributes",
         "s3:ListBucket",
         "s3:ListBucketVersions"
       ],
       "Resource": [
         "arn:aws:s3:::my-bucket",
         "arn:aws:s3:::my-bucket/*"
       ],
       "Condition": {
         "DateLessThan": {
           "aws:CurrentTime": "2024-03-01T00:00:00Z"
         }
       }
     }]
   }
   

   $ aws iam create-policy --output 'yaml' \
     --policy-name 'temp-ro-access-my-bucket' --policy-document 'file://policy.json'
   - Policy:
       Arn: arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket
       AttachmentCount: 0
       CreateDate: '2024-02-25T09:34:12+00:00'
       DefaultVersionId: v1
       IsAttachable: true
       Path: /
       PermissionsBoundaryUsageCount: 0
       PolicyId: ANPA2HKHE74L11PTJGB3V
       PolicyName: temp-ro-access-my-bucket
       UpdateDate: '2024-02-25T09:34:12+00:00'
   

2. Attach the newly created policy to the user:

   aws iam attach-user-policy \
     --user-name 'my-user' --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'
   

Further readings

• EC2
• Services that publish CloudWatch metrics
• Using service-linked roles
• Best Practices for Tagging AWS Resources
• Automating DNS-challenge based LetsEncrypt certificates with AWS Route 53
• Working with DB instance read replicas
• AWS' CLI

Sources

• Constraints for tags
• What is CloudWatch
• What is Amazon VPC?
• Subnets for your VPC
• Introduction to AWS IAM AssumeRole
• AWS JSON policy elements: Principal
• What is AWS Config?
• AWS Config tutorial by Stephane Maarek
• Date & time policy conditions at AWS - 1-minute IAM lesson
• IAM JSON policy elements: Sid
• Elastic IP addresses