AWS Security & Operations¶

AWS Secrets Manager¶

WEBACL default action (Allow or Block) - Non matching
Resource Type - CloudFront or Regional service
Add rule grups or rules, processed in order
Web ACL Capacity Units (WCU) - Default 1500 - Help with complex rules which need to be computed
Can be increased with support ticket
WEBACLs are associated with resource (Eg: Cloudfront distributions)
Adjusting a WEBACL takes less time than associating one

Contain rules
They don't have default actions. It is defined when groups or rules are added to WEBACLs
Managed (AWS or Marketplace), Managed bu customer or service owned (Eg: Shield, Firewall Manager)
Rule groups can be referenced by multiple WEBACL
Have a WCU capacity (defined upfront, default max 1500*)

Type, Statement, Action
Type: Regular or Rate-based
Eg: Allow SSH connection from certain IP address, or if anyone attempted to connect via SSH 5000 times in a minute
Statement: (What to match) or (Count all) or (What & Count)
Match against: Origin country, IP, label, header, cookies, query parameter, URI Path, Query string, body (First 8192 bytes only), HTTP method
Single, AND, OR, NOT can be used
Action: Regular: Allow*, Block, Count, Captcha
Action: Rate Based: Block, Count, Captcha (No allow with rate based rules)
Custom Response (x-amzn-waf-), Label
Labels can be referenced later in the same WEBACL. Use for multi stage flows
Allow & Block stop prcoessing, Count/Captcha actions can continue

WEBACL - Monthly price for every WEBACL (Can be reused)
RULE on WEBACL - Monthly price
REQUESTS per WEBACL - Charged monthly
Intelligent Threat Mitigation:
- Bot control: Charged monthly + request based fee
- Captcha: priced per 1000 login challenge attempts
- Fraud Control/Account Takeover: Charged monthly + 1000 login attempts
- Marketplace rule groups - Extra costs

Costs 3000 per month (per organization), 1 year lock-in + data OUT
Protects CloudFront, R53, Global Accelerator, Anything Associated with EIPs, ALBs, CLBs, NLBs
Not automatic - must be explicitly enabled in shield advanced or AWS firewall manager shield advanced policy
Cost Protection - for unmitigated attacks*
Proactive Engagement & Shield Response Team (SRT)
WAF Integration - includes basic AWS WAF fees for web ACLs, rules, and web requests
Application Layer (L7) DDOS Protection (uses WAF)
Real time visibility of DDOS events and attacks
Health-based detection - application specific health checks using Route 53 health checks. It is a requirement for using proactive engagemnet team
Protection groups (Add resources to a group and protect resources at group level)

KMS is Managed but, KMS is shared across other AWS accounts but, it seperated
HSM is Single Tenant Hardware Security Module (HSM)
AWS provisioned. But, fully customer managed. AWS have no access
HSM is FIPS 140-2 Level 3 compliant, while KMS is FIPS 140-2 Level 2 (Some areas of KMS are L3 compliant)
CloudHSM has industry standard APIs - PKCS#11, Java Cryptography Extensions (JCE), CryptoNG (CNG) libraries
KMS can use CloudHSM as a custom key store, CloudHSM integration with KMS
Deployed into AWS managed CloudHSM VPC
HSM is not HA by default (Runs within 1 AZ by default), for HA, create HSM cluster and have 2 HSMs in the cluster(HSMs replicate within the cluster), in the AZ you use.

Use Cases & Drawbacks

Record configuration changes over time on resources
Used for auditing of changes, compliance with standards
Does not prevent changes happening - no protection
Can check compliance against defined standards
Regional service. Supports cross-region and cross account aggregation
Changes can generate SNS notifications & near realtime events via EventBridge and S3 Lambda
Stores all configuration data & changes in a S3 bucket
Resources are evaluated againts Config Rules - either AWS managed or custom (using Lambda)

Data Security and Data Privacy Service
Discover, Monitor and Protect Data stored in S3 buckets
Automated discovery of PII, PHI, Finance
Managed Data Idenitifiers - Built in - ML patterns
Custom Data Identifiers - Proprietary - Regex based
Integrates with Security Hub & 'finding events' to Events Bridge
Centrally manage either via AWS org or on macie account inviting other accounts
Policy Findings(Eg: encryption turned of on bucket) or Sensitive data findings (Eg: exposed credentials)

Scans EC2 instances, the instance OS & containers for Vulnerabilities and deviations against best practise
Lengths: 15 minutres, 1 our, 8/12 hours or 1 day
Provides a report of findings ordered by priority
Network Assesment (Agentless)
Network & Host Assesment (Agent) - OS level vulnerabilities - Adding agent adds more information to the scan
Rules package determine what is checked
Network Reachability (Agentless)
Check reachability end to end. EC2, ALB, DC, ELB, IGW, ACLs, RTs, SGs, Subnets, VPCs, VGWs, VPC perring
Findings: RecognizedPortWithListener, RecognizedPortNoListerner, RecognizedPortNoAgent
UnrecognizedPortWithListener - offered by the Network Reachability rules (Agentless) package

Agent Required