AWS Security Specialty

The AWS Security Specialty Certification

It’s been a while since this blog got an update. A pandemic, winter and new adventures have taken priority lately. And I was also studying like crazy for an AWS certification, specifically the AWS Security Specialty. With a score of 92%, I think the preparation for it didn’t disappoint. Even though this blog suggests that it is about threat hunting all the time, I think it’s also good to have a write-up on the prep journey towards the certification.

Most of the content on this blog is around automation in AWS, with the purpose of making hunting more efficient and easier. Because this certification is specifically about the security of the AWS cloud, it can also be of use for threat hunters to learn how some platforms are built and what you can hunt for.

In this post you will find the resources I’ve used to prepare for the exam. In a lab account, all the services have been tested, played around with and clicked on. I recommend you do the same.

KEEP IN MIND TO CLEAN UP OR YOU END UP WITH A HIGH BILL

Resources to prep

Overview

Below are the resources, exported to markdown from the mind map I created in MindNode. While studying these is going to help you a lot, it’s important that you don’t see them as individual resources but also know how the services can be tied together. The exam won’t ask you about a single service in isolation very often. The lion’s share of the questions is scenario based, with each question being a big paragraph long. There are usually at least two different services involved, sometimes more, and you’ll have to strike the right balance between security, cost and reliability.

This is why I recommend (again) that you set up a lab account where you can test out a bunch of services. At least enable CloudTrail, Config and GuardDuty for a few days to see what happens when you spin up an EC2 instance and do some work on it. Then analyse the logs and see if you can trace your actions back.
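As an added example (not from the original post), this is the kind of "trace your actions back" pass you can run over a CloudTrail log file from the lab account: it groups records per principal (resolving assumed-role sessions to the role), orders them in time and separates the calls that changed something, or failed, from read-only noise. The log records are constructed to match CloudTrail's JSON shape; the account id, ARNs and IPs are made up.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail log file (same shape as the JSON CloudTrail delivers to S3), not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-03-01T10:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/lab-admin"}},
    {"eventTime": "2021-03-01T10:01:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/lab-admin"}},
    {"eventTime": "2021-03-01T10:09:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/LabInstanceRole/i-0123456789abcdef0",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/LabInstanceRole"}}}},
]})

def principal_of(record):
    """Who acted: for an assumed role, report the role ARN rather than the per-session ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ident.get("arn"))
    return ident.get("arn", ident.get("type", "unknown"))

def trace_actions(log_file):
    """Group records per principal as a time-ordered list of API calls with source IP and outcome."""
    timeline = defaultdict(list)
    for rec in json.loads(log_file)["Records"]:
        timeline[principal_of(rec)].append({
            "time": rec["eventTime"],
            "call": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "ip": rec.get("sourceIPAddress"),
            "outcome": rec.get("errorCode", "Success"),  # CloudTrail only sets errorCode on failures
        })
    for events in timeline.values():
        events.sort(key=lambda e: e["time"])
    return dict(timeline)

def changes_only(timeline):
    """Drop successful read-only Describe*/List*/Get* calls; keep mutations and anything that was denied."""
    return {p: [e for e in evs
                if e["outcome"] != "Success" or not e["call"].split(":")[1].startswith(("Describe", "List", "Get"))]
            for p, evs in timeline.items()}

if __name__ == "__main__":
    for principal, events in changes_only(trace_actions(SAMPLE_LOG)).items():
        print(principal)
        for e in events:
            print(f"  {e['time']} {e['call']} from {e['ip']} -> {e['outcome']}")
```

On a real log, point `trace_actions` at the decompressed contents of one of the `.json.gz` objects CloudTrail wrote to the trail's bucket.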

FAQs

The FAQs below are among the best resources you’ll find for the exam, packed with lots of know-how on the services. Know them, study them, dream about them.

Videos

Lots of re:Invent and re:Inforce talks. Popcorn and a notebook are all you need!

Papers

This is quite some reading, so if you are pressed for time, focus on the logging in AWS and AWS Key Management best practices.

  • Security Pillar – AWS Well-Architected Framework
  • Amazon Web Services: Overview of Security Processes
  • AWS Security Best Practices
  • Security at Scale: Logging in AWS
  • AWS Key Management Best Practices
  • AWS Security Incident Response Guide
  • AWS Best Practices for DDoS Resiliency
  • Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

Resource-based policies: supported services

Resource-based policies can be applied to a number of services. Below is the list of services I recommend getting some hands-on experience with in your lab account. Try them out, attach a policy to the resource and see how it affects your access before and after.

  • KMS
  • S3 (Glacier, vault)
  • Backup
  • SQS
  • SNS
  • Lambda
  • EFS
  • Secrets Manager
  • CloudWatch Logs
  • API GW
  • Network Manager
  • EventBridge
  • SES
  • SAR

Services in scope with raw notes

  • ACM
  • Catalog
  • CloudFront
    • Secure, fast content delivery
    • Caches all content
    • Signed URLs
      • URL changes
    • Signed Cookies
      • No URL changes
    • Geo restrictions
    • S3 origin access ID
      • Only CloudFront allowed
    • Sec group only for ELB
      • Allow only the IP ranges of CloudFront on the security group of the ELB in front of EC2
  • CloudHSM
    • Other services are built on CloudHSM
    • FIPS 140-2 level 2 HSM for KMS
    • FIPS 140-2 level 3 for ACM CA
    • CloudHSM has limited CloudTrail activity (created, deleted, copied) - management calls
    • You don’t see what transactions are going on in CloudTrail; logs can be exported to CloudWatch
    • When CloudHSM is spun up, the EC2 instance is spun up in your account and a tunnel is created for you between the two
    • Creating a cluster is manual
    • Then backups can be done automatically
    • Use cases
      • SSL offloading
      • store master key encryption keys
      • sign certificates
      • sign documents and code
      • secure key exchange
      • blockchain
    • 15 minute timeout after 5 wrong passwords
  • CloudTrail
  • CloudWatch
  • Cognito
    • User pools
      • User logs in, gets a JWT token
      • user directory
      • Allows sign up, sign in functionality
      • Identity pools let you set up an authentication provider (Cognito, Google, Facebook etc.)
    • Federated identities
      • Uses the JWT token to get an access key id/secret for AWS services like S3
      • Assign values from the user pool, like department, to an IAM role that defines what is allowed
      • Safest with IAM request signing
    • Cognito groups
    • Custom authorizers
      • Use the external IdP and Lambda to determine what access the user has
      • Caches policy
    • Allows modifying UI (error code, log in, log out)
    • Migration via CSV bulk export
  • Config
    • Allows custom rules to be executed with Lambda
    • The custom lambda receives “parameters” in key:value format
    • Lambda code returns “COMPLIANT” or “NON_COMPLIANT”
    • SSM Automation needs IAM role to be defined
  • Control Tower
    • Best if you want to deploy a multi-account with best practices of AWS automatically
    • Cannot be used in an account that already has organisations enabled
    • Default guardrails
      • Root MFA enabled
      • Disallow public S3 buckets
      • Disallow internet for RDP ports
      • Enable CT and Config
      • Encrypt EBS vols
      • Don’t change rules
    • Guardrails consist of Config rules
  • Detective
  • EC2
    • Metadata service
      • ec2:metadatanotoken
      • v2 allows IAM string conditionals
      • limit it to one service
      • V2 allows listing of status of ec2 instances
      • Can be disabled
      • Can be a conditional to start instances in IAM role
  • Firewall Manager
  • GuardDuty
  • IAM
    • Federation identities
      • Active directory
      • Web identity
      • Cross account access
    • Third party access
      • Role in your aws account
      • Referencing an external ID the third party provides
      • “Principal”: {“AWS”: “<the third party’s AWS account id>”}
      • “Condition”: {“StringEquals”: {“sts:ExternalId”: “<unique ID assigned by the third party>”}}
  • IAM access analyzer
  • Inspector
  • KMS
    • Allows annual key rotation of your own keys
    • You can specify who has access to the CMK
    • Import your own key material
    • Supports key aliases (like DNS)
    • Grants allow AWS some permissions to rebuild in the case of e.g. an outage
      • kms:ListGrants
      • kms:CreateGrant
    • ViaService: allows specific API calls from AWS services
      • kms:ViaService
      • Can be on service and region
    • Encryption context is logged plaintext in cloudtrail
    • Symmetric key
      • Used for encryption and decryption
      • Can be automatically rotated (once a year)
    • CMKs cannot be exported
    • Multi-tenant
    • Envelope encryption
      • encrypt a key with the master key
      • the data key is stored with the data in metadata
      • master key never leaves the kms service
    • AWS managed keys
      • Rotated every 3 years
  • Macie
  • Organisations
    • Best if you want to define a custom multi-account environment
    • Create accounts via the API (needs email)
    • Provision via StackSets with security requirements
    • Set quotas, for example to increase the limits for AWS services (more IAM roles)
    • Centralized billing
    • Integrate with SSO and allow which accounts people can login to
    • aws:PrincipalOrgID lets you allow actions only for principals that belong to your organisation
    • SCP whitelist: does not support resource/conditionals
    • SCP blacklist: Requires an allow:* to avoid denial of all services
    • Enable cloudtrail
        1. Enable all features in Organizations
        2. Enable service access for CloudTrail
        3. Create a trail (CloudTrail API), specifying that it is an organisation trail and multi-region
        4. Start logging on the trail
      • Created in the management account
    • consolidate billing and see spend per OU
  • Resource Access Manager (RAM)
    • Create resource share
    • Add license configuration
    • Can choose which OU to share with
    • shares OU, Licenses, VPC subnets
  • S3
    • Bucket policies
      • Use cases
        • Easy cross account access without IAM
        • IAM policies hit their limits. S3 bucket policies can be 20 kb
        • Preference to keep access control in s3 environment
      • Group ARNs are not allowed in the policy
    • ACL
      • Adding single owners must be done over CLI
    • CRR
      • object owner must allow bucket owner to read
        • read and read access policies required
      • Objects can’t be replicated more than once
        • bucket to bucket to bucket is not possible
      • If you delete an object in the source bucket, it is NOT deleted in the replication bucket
      • Only new objects are replicated
      • Server side managed keys and KMS keys are replicated
      • customer provided keys are NOT replicated
      • lifecycle rules are NOT replicated
      • Bucket life configuration is NOT replicated
  • S3 Access Analyzer
  • Secrets Manager
    • Rotate secrets through a lifecycle
    • Integrate with Cloudformation and VPC endpoints with private links
    • HIPAA, PCI, ISO compliant
    • IAM API call example: secretsmanager:GetSecretValue
    • Use unique secrets per region and account
  • Security Hub
    • Custom actions allow you to send specific alerts to CloudWatch Events
    • Have a few standard alerts
    • integrates with Inspector, GuardDuty, Detective, CloudTrail
  • Shield
    • Shield basic
      • Protects against DDoS
      • Layer 3/4
      • Baselining
    • Shield advanced
      • Baselining for customer resources
      • Layer 7
      • SYN throttling
      • 24x7 incident response
      • CW metrics
      • Global threat env dashboard
      • No cost for WAF, firewall manager
      • Cost protection for scaling
    • Custom apps
      • Shield in front of the Global Accelerator (global load balancer)
      • e.g. when using UDP-based games
  • Single Sign On
    • Allows single sign on with AD integration
    • Gives access to a list of other accounts in an organisation
  • STS
  • Systems Manager
  • Trusted Advisor
  • VPC flow logs
    • Can be sent to CloudWatch or S3
  • WAF
    • Protects against web exploits
    • Set rules on the traffic URI
    • Works on
      • ALB
      • API GW
      • CloudFront
    • rate rules and regular rules
  • ADFS
    • SAML
      • Exchange Identity information between systems
      • SSO from AD to AWS
    • Steps to create for SSO
      • Set up the identity provider
      • Create a ROLE
      • Associate role with identity provider
      • Roles and AD groups are mapped with regex
  • VPC
    • VPC endpoint
      • Gateway
        • Creates a record in the route table
        • An EC2 instance will go over the AWS internal network to S3 or Dynamo
        • destination pl- : target vpce-
      • Interface type
        • Allows internal connection over Direct Connect
        • private link
        • Not important for exam
      • Specific to one region and vpc
      • can have multiple endpoints in route table
      • can be limited with IAM policies
        • which S3 bucket
        • which endpoint is allowed to reach an S3 bucket
        • conditions on a specific VPC endpoint
  • Athena
    • Query language for S3 bucket data such as JSON (CloudTrail)
  • Macie
    • Identifies and protects sensitive information automatically
  • Artifact
    • Shows you comply with standards
    • Downloadable reports
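The Config notes above say a custom rule is a Lambda that receives parameters as key:value pairs and answers COMPLIANT or NON_COMPLIANT; here is a complete one, added as an example (not code from the original post). It evaluates the EC2 metadata-service point from the notes, flagging instances that still allow IMDSv1. Assumptions: the configuration item for AWS::EC2::Instance carries `metadataOptions.httpTokens` as `describe-instances` reports it, and `requiredTokens` is our own rule parameter name.

```python
import json
try:
    import boto3  # only needed when this runs as the rule's Lambda in AWS
except ImportError:  # keeps the evaluation logic importable offline
    boto3 = None

def evaluate_compliance(configuration_item, rule_parameters):
    """Return (COMPLIANT | NON_COMPLIANT | NOT_APPLICABLE, annotation) for one configuration item."""
    # Assumption: configuration.metadataOptions.httpTokens is 'optional' (IMDSv1 allowed) or 'required'.
    if configuration_item["resourceType"] != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "instance no longer exists"
    expected = rule_parameters.get("requiredTokens", "required")  # rule parameter, key:value
    tokens = configuration_item["configuration"].get("metadataOptions", {}).get("httpTokens", "optional")
    if tokens == expected:
        return "COMPLIANT", f"IMDS httpTokens={tokens}"
    return "NON_COMPLIANT", f"IMDS httpTokens={tokens}, expected {expected}"

def build_evaluation(event):
    """Unpack the Config invocation: invokingEvent and ruleParameters arrive as JSON strings."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    if boto3 is not None:  # report back to Config; the Lambda's role needs config:PutEvaluations
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample invocation: an instance that still allows IMDSv1 (httpTokens=optional).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0", "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2021-03-01T10:00:00.000Z",
            "configuration": {"metadataOptions": {"httpTokens": "optional"}}}}),
    "ruleParameters": json.dumps({"requiredTokens": "required"}),
    "resultToken": "TESTMODE",
}
```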
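The IAM third-party access notes above (role in your account, principal set to the third party's account, `sts:ExternalId` condition) are worth seeing as a whole policy, so here is an added example that is not from the original post: it builds that trust policy, evaluates AssumeRole requests against it in a deliberately simplified way (only the Principal and StringEquals shapes it produces), and includes the check a reviewer would run over existing roles: an Allow for `sts:AssumeRole` to another account without an `sts:ExternalId` condition. The account id and external ID are made up.

```python
import json

def third_party_trust_policy(third_party_account_id, external_id):
    """Trust policy for a role in our account that a third party assumes; the ExternalId is
    the unique value the third party assigned to us and must send with every AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{third_party_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def assume_role_allowed(trust_policy, caller_account_id, external_id=None):
    """Simplified STS evaluation: the calling account must match the Principal and every
    StringEquals condition must hold. Understands only the shapes built above."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        request = {"sts:ExternalId": external_id}
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request.get(key) == value for key, value in wanted.items()):
            return True
    return False

def missing_external_id(trust_policy):
    """Review check: any Allow for sts:AssumeRole to an AWS principal that lacks an sts:ExternalId
    condition lets anyone who can persuade that party to call AssumeRole into our role."""
    return [stmt for stmt in trust_policy["Statement"]
            if stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole"
            and "AWS" in stmt["Principal"]
            and "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {})]

if __name__ == "__main__":
    policy = third_party_trust_policy("999988887777", "ExampleCorp-7f3a")  # constructed values
    print(json.dumps(policy, indent=2))
    print("with ExternalId:", assume_role_allowed(policy, "999988887777", "ExampleCorp-7f3a"))
    print("without ExternalId:", assume_role_allowed(policy, "999988887777"))
```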

Other material

Happy studying!

Enjoy the ride :)