Security

Unwanted traffic that is worth stopping before it reaches your resources:

  • Typically automated processes
  • Content scrapers
  • Bad bots
  • Fake user agents
  • Denial of Service (DoS)

Blocking it early:

  • Reduces security threats
  • Lowers overall costs (you do not pay to serve, or to scale for, junk traffic)

Application Load Balancer (ALB)

  • The incoming TCP connection from a bad actor terminates at the ALB itself. The resource(s) behind it see a new connection from the ALB's private IP, not from the origin IP, so a host-based firewall on the instance is ineffective against that origin IP (the ALB does forward the origin IP to the application in the X-Forwarded-For header, but that is only usable at the application layer, not by a packet filter)
  • Allow only the ALB's security group to reach your resource(s)' (EC2) security group, so nothing can bypass the ALB
  • Use a network ACL (NACL) on the ALB's subnets to block the offending IP
  • You can attach a Web Application Firewall (WAF) to the ALB for IP blocking and filtering
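
The X-Forwarded-For handling that the ALB bullet above implies, as an added example (not code from the original article): behind an ALB the TCP peer is the load balancer, the client address only survives in the header, and a client can pad that header with whatever it likes. The only trustworthy entry is the right-most one written by a proxy we trust, so the code walks the header from the right. The proxy subnets and the blocklist are constructed values and would be replaced with the real ALB subnets and your own deny list.

```python
"""Recover and act on the real client IP behind an ALB.

Added example; it is not code from the original article. The proxy ranges
and the blocklist below are constructed values.
"""
import ipaddress

# Assumption: the ALB lives in these subnets, so its private IPs fall here.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]

# Assumption: application-level blocklist of abusive client ranges.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _parse_ip(text):
    """Return an ip_address, or None for anything that is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr):
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_addr, xff_header):
    """Return the client IP as a string, or None when it cannot be trusted.

    peer_addr:  the TCP peer the web server accepted the connection from.
    xff_header: the X-Forwarded-For value, possibly None or attacker-padded.
    """
    # If the TCP peer is not the ALB, the request bypassed the load balancer
    # (someone reached the instance directly) and the header means nothing.
    if not is_trusted_proxy(peer_addr):
        return None
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the right. Every trusted proxy in the chain appended the
    # address it saw, so strip those; the first untrusted address is the
    # one the outermost trusted proxy actually talked to. Anything to the
    # left of it was supplied by the client and is ignored.
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            return None  # malformed where a proxy should have written an IP: fail closed
        if not is_trusted_proxy(hop):
            return hop
    return None


def should_block(peer_addr, xff_header):
    """Application-level IP block for use behind an ALB. Fails closed."""
    ip = client_ip(peer_addr, xff_header)
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


if __name__ == "__main__":
    # A client that prepends a fake address still gets blocked on the
    # address the ALB appended.
    print(should_block("10.0.1.23", "198.51.100.1, 203.0.113.9"))
```

The same walk works with CloudFront in front of the ALB: add the CloudFront address ranges to the trusted set and the loop strips the edge IP the ALB appended, leaving the viewer address CloudFront recorded.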

Network Load Balancer (NLB)

  • Traffic doesn't terminate at the NLB
  • It passes through it, directly to your EC2 instance
  • The client IP (IP of the bad actor) is visible end to end (client IP preservation is a target-group setting on the NLB; it is on by default for instance targets)
  • Correction: Since the client IP is visible end to end, a firewall block on the EC2 instance would be possible, but it is better to block at the NACL, before the traffic ever reaches the instance. A WAF rule is not an option here: AWS WAF attaches to CloudFront, ALB and API Gateway, not to an NLB
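
Blocking "at the NACL", as both load balancer sections recommend, has a trap that is easy to miss: NACL rules are evaluated in ascending rule-number order and the first match wins, so a deny placed after the catch-all allow never fires. The evaluator below is an added example (not code from the original article or an AWS tool) that models that evaluation; the rule sets are constructed and show the ineffective and the effective ordering side by side.

```python
"""Model AWS network ACL ingress evaluation: ascending rule number,
first match wins, implicit deny ('*') when nothing matches.

Added example, not code from the original article; the rule sets below
are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny"
    cidr: str              # source CIDR for an ingress rule
    protocol: str = "-1"   # "-1" = all traffic, "6" = TCP, "17" = UDP
    port_from: int = 0
    port_to: int = 65535

    def matches(self, src_ip, protocol, port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.cidr):
            return False
        # An all-traffic rule ("-1") ignores protocol and port.
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules, src_ip, protocol="6", port=443):
    """Return (action, rule_number); rule_number '*' is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, protocol, port):
            return rule.action, rule.number
    return "deny", "*"


# Wrong order: the block sits behind the catch-all allow and never fires,
# because rule 100 already matched the packet.
INEFFECTIVE = [
    Rule(100, "allow", "0.0.0.0/0", "6", 443, 443),
    Rule(200, "deny", "203.0.113.45/32"),
]

# Right order: the specific deny gets a lower number than the allow.
EFFECTIVE = [
    Rule(50, "deny", "203.0.113.45/32"),
    Rule(100, "allow", "0.0.0.0/0", "6", 443, 443),
]


if __name__ == "__main__":
    for name, rules in (("ineffective", INEFFECTIVE), ("effective", EFFECTIVE)):
        print(name, "bad actor:", evaluate(rules, "203.0.113.45"),
              "other client:", evaluate(rules, "198.51.100.7"))
```

Because NACLs are stateless, an ingress allow on 443 is not enough on its own: the egress NACL also needs an allow for the ephemeral port range the client's reply traffic uses, which is why the model above is kept to the ingress direction where the block rule lives.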

AWS Key Management Service (KMS)

  • Regional, secure key management plus encryption and decryption
  • Manages customer master keys (CMKs), now called KMS keys in the AWS documentation
  • Ideal for S3 objects, database passwords and API keys stored in Systems Manager Parameter Store
  • Encrypts and decrypts data up to 4 KB in size directly; larger data uses envelope encryption, where KMS generates a data key, you encrypt the data locally with it, and you store the data key encrypted under the CMK alongside the ciphertext
  • Integrated with most AWS services
  • Pay per API call
  • Audit capability using CloudTrail, with logs delivered to S3
  • FIPS 140-2 Level 2
  • Level 3 is CloudHSM

AWS managed CMKs

  • Free (no monthly key charge; API calls are still billed)
  • Used by default if you pick encryption in most AWS services
  • Only that service can use them directly

Customer managed CMKs

  • Allow key rotation
  • Controlled via key policies and can be enabled/disabled

AWS owned CMKs

  • Used by AWS on a shared basis across many accounts; not visible in your account

Symmetric CMKs

  • Same key used for encryption and decryption
  • Encryption algorithm is AES-256 (AES-256-GCM)
  • Never leaves AWS unencrypted
  • Must call the KMS APIs to use
  • AWS services integrated with KMS use symmetric CMKs
  • Encrypt, decrypt, and re-encrypt data
  • Generate data keys, data key pairs, and random byte strings
  • Import your own key material

Asymmetric CMKs

  • Mathematically related public/private key pair
  • Based on RSA and elliptic-curve cryptography (ECC) algorithms
  • Private key never leaves AWS unencrypted
  • Must call the KMS APIs to use the private key
  • Download the public key and use it outside AWS
  • Used outside AWS by users who can't call the KMS APIs (for example to verify a signature or to encrypt data for you)
  • AWS services integrated with KMS do not support asymmetric CMKs
  • Sign messages and verify signatures (RSA and ECC keys); RSA keys can alternatively be created for encrypt/decrypt
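
The "audit capability using CloudTrail" bullet above is where KMS misuse is actually caught, so here is an added example (not code from the original article) of the triage a key owner would run over a CloudTrail log: flag sensitive key operations, denied calls, and data-key or Decrypt calls by principals that are not supposed to use the key. The records, ARNs and key IDs are constructed in the shape CloudTrail emits; in practice `SAMPLE_LOG` would be a file pulled from the S3 bucket CloudTrail delivers to, and `EXPECTED_PRINCIPALS` would be the roles named in the key policy.

```python
"""Triage AWS KMS activity from a CloudTrail log.

Added example; not code from the original article. Every ARN, key ID and
record below is constructed for the illustration.
"""
import json

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/aaaabbbb-1111-2222-3333-444455556666"

APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123def456789"
ALICE = "arn:aws:iam::111122223333:user/alice"
CONTRACTOR = "arn:aws:sts::111122223333:assumed-role/contractor/session1"

# Assumption: only the application role should ever use this key for data.
EXPECTED_PRINCIPALS = {APP_ROLE}

# Operations that weaken, disable or destroy the key or its access control.
SENSITIVE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation",
                    "PutKeyPolicy", "DeleteImportedKeyMaterial"}
# Operations that touch protected data and therefore need a known caller.
DATA_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey"}


def _record(event, actor, key_arn, error=None):
    """Build a minimal CloudTrail record in the shape CloudTrail emits."""
    rec = {
        "eventVersion": "1.08",
        "eventSource": "kms.amazonaws.com",
        "eventName": event,
        "eventTime": "2024-01-15T10:00:00Z",
        "userIdentity": {"arn": actor},
        "sourceIPAddress": "10.0.1.23",
        "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}],
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log: one normal call, one decrypt by a person, one deletion
# attempt, one denied call, one call against a different key, one data key.
SAMPLE_LOG = json.dumps({"Records": [
    _record("Decrypt", APP_ROLE, KEY_ARN),
    _record("Decrypt", ALICE, KEY_ARN),
    _record("ScheduleKeyDeletion", ALICE, KEY_ARN),
    _record("Decrypt", CONTRACTOR, KEY_ARN, error="AccessDenied"),
    _record("Decrypt", ALICE, OTHER_KEY_ARN),
    _record("GenerateDataKey", APP_ROLE, KEY_ARN),
]})


def triage(log_text, key_arn):
    """Return (category, eventName, principal) findings for one key."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        # KMS records carry the key ARN in "resources"; scope to our key.
        if not any(r.get("ARN") == key_arn for r in rec.get("resources", [])):
            continue
        name = rec.get("eventName", "")
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        if name in SENSITIVE_EVENTS:
            findings.append(("sensitive-operation", name, actor))
        elif "errorCode" in rec:
            # Denied calls are probing or misconfiguration; either is worth a look.
            findings.append(("denied-call", name, actor))
        elif name in DATA_EVENTS and actor not in EXPECTED_PRINCIPALS:
            findings.append(("unexpected-principal", name, actor))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, KEY_ARN):
        print(*finding)
```

Scoping on the key ARN in `resources` rather than on `requestParameters.keyId` matters: callers may pass an alias or a bare key ID, while CloudTrail always resolves the key to its full ARN in `resources`.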

AWS CloudHSM

  • Dedicated hardware security module (HSM)
  • Conforms to FIPS 140-2 Level 3
  • NB: Level 2 is KMS
  • Manage your own keys
  • You have no access to the AWS-managed component, and AWS has no access to your keys
  • Runs within a VPC in your account
  • Single tenant, dedicated hardware, multi-AZ cluster
  • Cryptographic operations use industry standard APIs, not AWS APIs (the AWS API is only used to create and manage the cluster itself):
  • PKCS#11
  • Java Cryptography Extensions (JCE)
  • Microsoft Cryptography API: Next Generation (CNG)
  • Keep your keys safe: they are irretrievable if lost, because AWS cannot recover them for you
  • Use when you have strict regulatory requirements

Systems Manager Parameter Store

  • Component of AWS Systems Manager (SSM)
  • Secure serverless storage for configuration and secrets:
  • Values can be stored encrypted with KMS (SecureString) or in plaintext (String, StringList)
  • Separates data from source control
  • Store parameters in hierarchies (for example /prod/db/password)
  • Track versions
  • Set a TTL (expiration policy) to expire values such as passwords

AWS Secrets Manager

  • Similar to Systems Manager Parameter Store
  • Charged per secret stored and per 10,000 API calls
  • Automatically rotates secrets
  • Applies the new password in RDS for you (rotation runs as a Lambda function)
  • Generates random secrets

AWS Shield Standard

  • Protects against distributed denial-of-service (DDoS) attacks
  • Automatically enabled for all customers at no cost
  • Protects against common layer 3 and 4 attacks, such as SYN floods and UDP reflection attacks

AWS Shield Advanced

  • $3,000 per month per organization, with a one-year commitment
  • Enhanced protection for EC2, ELB, CloudFront, Global Accelerator and Route 53
  • Business and Enterprise support customers get 24x7 access to the DDoS Response Team (DRT), since renamed the Shield Response Team (SRT)
  • DDoS cost protection: credits for the scaling charges an attack causes

AWS WAF

  • Lets you monitor HTTP(S) requests to CloudFront, ALB, or API Gateway
  • Control access to content
  • Configure filtering rules to allow/deny traffic:
  • Allow all requests, except the ones you specify
  • Block all requests, except the ones you specify
  • Count the requests that match the properties you specify
  • Request properties you can match on: source IP address, country of origin, request headers, URI and query string (string or regex match), request length, and patterns that look like SQL injection or cross-site scripting

AWS Firewall Manager

  • Centrally configure and manage firewall rules across an AWS Organization:
  • WAF rules
  • AWS Shield Advanced protections
  • Security groups for EC2 instances and ENIs

Sunday Moses Benjamin

... practising Software Engineering and DevOps.