AWS Security Best Practices


Questions and Answers

Why is it important to regularly rotate access keys in IAM?

To reduce the risk of compromised credentials being used for malicious purposes.

Besides using bucket policies, what other IAM feature can be used for access control in S3?

IAM roles

Explain the difference between Security Groups and NACLs in a VPC environment.

Security Groups are stateful and act as a virtual firewall for instances, while NACLs are stateless and act as a firewall for subnets.

What is the primary purpose of enabling VPC Flow Logs?

To capture information about the IP traffic going to, from, and within your VPC.

What benefit does CloudTrail provide in terms of security and compliance?

It enables the auditing and logging of API calls made to AWS services, providing a history of actions taken in your AWS environment.

What is the advantage of using KMS for encryption over SSE-S3?

KMS gives you more control over the encryption keys.

What is the purpose of AWS GuardDuty?

Threat detection.

What kind of information does AWS Config track?

Configuration tracking.

In the provided IAM policy example, what action is being allowed?

s3:GetObject

If you want to enable notifications based on specific metrics, what service would you configure alarms with?

CloudWatch

Why is it recommended to prefer IAM roles over IAM users?

IAM roles avoid the need to embed long-term credentials (like access keys) directly into EC2 instances or applications.

What does the principle of 'least privilege' mean in the context of IAM permissions?

Granting only the minimum permissions necessary to perform a specific task, and nothing more.

What does MFA add to credentials?

Increased security.

Besides restricting port access, what is another reason to use security groups?

To control inbound and outbound traffic for your EC2 instances.

Why is assigning a public IP to an EC2 instance not recommended?

It exposes the instance directly to the internet.

How do you ensure that an EC2 instance can access other AWS services securely?

Attach an IAM role.

What is the primary difference between a public and a private subnet?

Public subnets have a route to an Internet Gateway, while private subnets do not.

Besides Security Hub and GuardDuty, what tool helps scan for EC2 vulnerabilities?

Inspector

What are two places to store secrets?

Secrets Manager and SSM Parameter Store

What does SSE-KMS mean?

Server-Side Encryption with KMS.

Flashcards

What is IAM?

A web service that helps you securely control access to AWS resources.

What is the principle of least privilege?

Grant only the permissions necessary to perform a task.

What is MFA?

An authentication method that requires more than one verification factor.

What is S3?

Secure, scalable object storage.

How to secure S3?

Block public access to S3 buckets to prevent unauthorized access.

What is EC2?

Virtual servers in the cloud.

What are Security Groups?

Virtual firewalls that control inbound and outbound traffic for EC2 instances.

Should you assign public IPs?

Avoid assigning public IPs to EC2 instances to reduce the attack surface.

What is a VPC?

A logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

What is a public subnet?

A subnet that has a route to an Internet Gateway.

What is a private subnet?

A subnet that does not have a route to an Internet Gateway.

What are Security Groups?

Stateful firewalls that operate at the subnet level.

What are NACLs?

Stateless firewalls that operate at the subnet level.

What are VPC Flow Logs?

Capture information about the IP traffic going to and from network interfaces in your VPC.

What is CloudTrail?

A service that enables you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

What is CloudWatch?

A monitoring and observability service.

What is AWS KMS?

A managed encryption service.

What is GuardDuty?

A threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

What is Security Hub?

A service that provides a centralized view of your security posture across your AWS accounts.

Why Rotate Access Keys?

Regularly change access keys to limit the time window in which compromised keys can be used.

Study Notes

Identity & Access Management (IAM)

  • IAM roles are preferable to IAM users with long-term access keys
  • Apply least privilege by only giving necessary permissions
  • Multi-Factor Authentication (MFA) should be enabled
  • Access keys need to be rotated regularly
  • To access IAM Roles/Users/Policies: AWS Console -> IAM -> Roles/Users/Policies
  • To enable MFA: Users -> Security Credentials

S3 Security

  • Public access should be blocked by default
  • Bucket policies and IAM should be used for permissions
  • Encryption should be enabled (SSE-S3, SSE-KMS)
  • Monitor with CloudTrail and AWS Config
  • Configure and setup Block Public Access through: AWS Console -> S3 -> Select bucket -> Permissions
  • Encryption is enabled under Properties

EC2 Basics

  • Security Groups should be used to restrict port access
  • Public IPs should not be assigned to instances
  • IAM roles should be attached to EC2 for service access
  • The CloudWatch Agent should be enabled for monitoring
  • Security Groups are configured under Networking: AWS Console -> EC2 -> Instances
  • Public IPs should not be enabled in Launch Wizard
  • IAM roles can be attached: Actions -> Security -> Modify IAM Role

VPC & Network

  • Public subnets should be connected to an Internet Gateway
  • Private subnets should have no direct internet access
  • Security Groups (stateful) and NACLs (stateless) should be used
  • VPC Flow Logs should be enabled
  • Subnets, Internet Gateways and Route Tables are checked via the VPC Dashboard: AWS Console -> VPC Dashboard
  • Security Groups and NACLs should be configured
  • VPC Flow Logs are enabled: Your VPC -> Flow Logs

Logs & Monitoring

  • CloudTrail should be enabled in all regions
  • CloudWatch Logs should be used for application logging
  • CloudWatch Alarms should be set up for alerts
  • To create CloudTrail: Search -> CloudTrail -> Create trail -> Enable in all regions
  • CloudWatch Logs can be accessed: CloudWatch -> Logs
  • Alarms are configured: CloudWatch -> Alarms

Encryption & Secrets

  • AWS KMS should be used for encryption
  • S3, EBS, RDS, and logs should be encrypted
  • Secrets should be stored in Secrets Manager or SSM Parameter Store
  • Manage encryption keys with KMS
  • Secrets can be configured via Secrets Manager or SSM Parameter Store

Security Tools

  • Security Hub provides a security findings dashboard
  • GuardDuty is for threat detection
  • AWS Config is for configuration tracking
  • Inspector is for EC2 vulnerability scanning
  • Use Security Hub, GuardDuty, Inspector, and AWS Config for security services

Quick Wins

  • Public access to S3 buckets should be blocked
  • Security groups should be tightened by limiting ports

IAM Policy Example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

Essential AWS Services

  • Essential services include: IAM, S3, EC2, VPC, CloudTrail, CloudWatch, GuardDuty, AWS Config
