AWS Security

DDoS Protection: WAF & Shield

What is DDOS?

akamai DDOS

分布式拒绝服务攻击 (DDoS) 是一种网络攻击。在此类攻击中,攻击者通过发送大量恶意流量造成网站、服务器或网络资源不堪重负,从而导致目标无法工作或崩溃,拒绝向合法用户提供服务,使得合法流量无法到达其目的地。

概括来说,DDoS 或 DoS 攻击就如同成百上千个虚假拼车请求所导致的意外交通堵塞。这些请求在拼车服务看来似乎合法,因此服务会调度驾驶员接人,从而不可避免地使城市街道拥堵。这会导致正常的合法流量无法到达目的地。

DDoS 和 DoS 攻击都会造成类似流量堵塞的效果。

Solution Architect

AWS Best Practices for DDOS Resiliency

  • AWS Shield:保护网络层和应用层
  • AWS WAF(Web Application Firewall):过滤基于规则的特殊请求
  • CloudFront(AWS CDN) and Route 53(AWS DNS):基于边缘网络,结合AWS Shield,在边缘提供攻击缓解

WAF - Web Application Firewall

  • 保护网络应用程序免受常见网络攻击(layer 7)
  • 7层指HTTP / HTTPS (vs 4层 TCP)
  • 可以部署在Application Load Balancer, API Gateway,CloudFront
  • 定义Web ACL(Web Access Control List)
    • 规则可以包含IP地址,HTTP headers, HTTP body, URI strings
    • Rate-based rules(每个用户的请求有5秒间距) for DDos protection
    • 防止SQL injectionCross-Site Scripting

Network Firewall-VPC level

  • 保护整个VPC(Virtual Private Cloud): layer 3 ~ layer 7

Firewall Manager

  • 管理VPC Security Group
  • 管理 WAF rules
  • 管理Shield Advanced(Shield的高级版本,每月3000$)
  • 管理Network Firewall

Penetration Testing

渗透测试:攻击自己的基础设施来确保安全性(不能使用DDos, Port flooding, Protocol flooding, Request flooding)

Encryption with KMS & CloudHSM

Data at rest vs. Data in transit

在设备中的静态数据与传输中的数据都需要被加密!

KMS - Key Management Service

  • 与encryption相关的AWS服务,大概率与KMS相关
  • AWS为用户管理加密的key

CloudHSM - Cloud Hardware Security Management

  • AWS提供专用加密硬件
  • 完全由自己管理加密的key(硬件由AWS管理)
  • FIPS 140-2 Level 3 compliance

ACM - AWS Certificate Manager

  • 管理、部署SSL/TLS证书
  • in-flight encryption - 传输过程中加密

Secrets Manager

  • Secrets Manager管理、修改(定时)secret
  • secrets被KMS加密
  • 与RDS集成

Artifact

下载、查看compliance, agreement

GuardDuty

  • 使用基于机器学习的算法来保护AWS账号
  • 输入数据是一系列logs
  • 最佳实践是配合EventBridge使用,当检测出异常,通过EventBridge发送消息给Lambda或者SNS

Inspector

  • 主要用于检测正在运行实例的脆弱性网络可达性
  • 在将镜像推送至ECR之前,先通过Inspector检查(绿:没问题,黄:脆弱,红:严重错误)
  • 检查Lambda Function代码与依赖的脆弱性
  • 将结果发送给Security Hub或者EventBridge

Config

Macie

  • 基于机器学习与模式识别来发现并保护AWS中的敏感数据
  • Macie会检测敏感数据,比如PII(Personally identifiable Information),通过EventBridge告警
  • pronuciation:Macy

Security Hub

  • Security Dashboard
  • 多个 AWS 账户中集中自动进行安全检查

Amazon GuardDuty - Amazon GuardDuty is a threat detection service that monitors malicious activity and unauthorized behavior to protect your AWS account. Amazon GuardDuty analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).

AWS Trusted Advisor - AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices. Whether establishing new workflows, developing applications, or as part of ongoing improvement, recommendations provided by AWS Trusted Advisor on a regular basis help keep your solutions provisioned optimally.

The AWS Cloud Adoption Framework (AWS CAF) leverages AWS experience and best practices to help you digitally transform and accelerate your business outcomes through innovative use of AWS. AWS CAF identifies specific organizational capabilities that underpin successful cloud transformations.

AWS CAF groups its capabilities in six perspectives: Business, People, Governance, Platform, Security, and Operations.

Amazon Machine Image (AMI)

An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an Amazon Machine Image (AMI) when you launch an instance.

Cloud Foundations

Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud. Cloud Foundations helps customers navigate through the decisions they need to make through curated AWS Services, AWS Solutions, Partner Solutions, and Guidance.

Amazon Rekognition

With Amazon Rekognition, you can identify objects, people, text, scenes, and activities in images and videos, as well as detect any inappropriate content. Amazon Rekognition also provides highly accurate facial analysis and facial search capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases. Amazon Rekognition is a regional service.

EC2 instances can access files on an Amazon Elastic File System (Amazon EFS) file system across many Availability Zones (AZ), Regions and VPCs

Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access using AWS Direct Connect or AWS VPN.

Amazon CloudWatch - Amazon CloudWatch can be used to create alarm to monitor your estimated charges. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data. You can choose to receive alerts by email when charges have exceeded a certain threshold. Think resource performance monitoring, events, and alerts; think CloudWatch. Amazon CloudWatch cannot be used to identify under-utilized Amazon EC2 instances without manually configuring an alarm with the appropriate threshold to track the Amazon EC2 utilization, so this option is incorrect.