So what about Security and Networking?

A writeup summarizing the second session of the BeSA batch 5.

Published Apr 20, 2024
Last Modified May 4, 2024
Let's continue with our role-play in this week's (week 2) session of BeSA batch 5. Today we are dealing with a customer migrating their data center to AWS to take advantage of the agility and cost optimization AWS provides. This customer has concerns about the security and networking services that AWS can provide.
To start the conversation, let's first look at the AWS Shared Responsibility Model. Moving to the cloud does not absolve the customer of all of their responsibilities; instead, the responsibilities are divided between AWS and the customer. AWS is responsible for "Security of the Cloud", i.e. protecting the infrastructure that runs all of the services offered in the AWS Cloud: the security, networking, management and maintenance of the hardware and staff in the data centers. The customer is responsible for "Security in the Cloud", i.e. their data, OS patching and upgrades, and who has access to the data. In the case of serverless services like AWS Lambda, the customer is responsible for just the code and the configuration; AWS takes care of all the rest. AWS also takes care of all the 'fully managed services' it provides, making sure they are reliable, available and functioning up to the SLAs.
AWS Shared Responsibility Model
Now let's take a look at the services that were mentioned in this session:
AWS IAM helps provide granular permissions, following the principle of least privilege, through Users, Groups and Roles. Staff can have Users created for them, which they log in with and which have permissions granted directly; users can also be grouped together by department or job role so that common permissions are granted to the whole group. Users can also be granted temporary permissions via Roles. Users could also use Federated Identities to log in, or have Single Sign-On authentication provided to the workforce. AWS Directory Service supports Microsoft Active Directory for customers who want to keep using their existing Microsoft AD.
AWS Organizations is a service that helps with managing multiple AWS accounts. Customers can create Organizational Units to group multiple AWS accounts together and, using Service Control Policies, set permissions at the organization level. It also provides a way to consolidate the billing of multiple AWS accounts and combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans.
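To make the IAM and Organizations points concrete, here is an added example (my own illustration, not code from the session or from AWS) that models the simplified policy evaluation rule: an explicit Deny wins, an Allow is needed, and an SCP caps what an identity policy in a member account can grant. The bucket names, the "backup-operator" group and the policies are constructed for this example.

```python
import fnmatch

# Constructed sample policies for a hypothetical account; not from the session.
# Identity policy for a "backup-operator" group, scoped to least privilege:
# read one data bucket, write only into the backups bucket, nothing else.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}
# Over-broad policy an admin might hand out instead: full S3 on everything.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Service Control Policy attached to the OU. The Allow "*" mirrors the default
# FullAWSAccess SCP; the Deny caps every account in the OU, whatever IAM grants.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteObject"], "Resource": "*"},
    ],
}

def _matches(patterns, value):
    # IAM actions and ARNs use '*' wildcards; fnmatch gives the same matching for this model.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified evaluation of one policy: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(scps, identity_policies, action, resource):
    """Effective access: every SCP in the chain must Allow AND some identity policy must Allow."""
    if any(evaluate(scp, action, resource) != "Allow" for scp in scps):
        return False
    return any(evaluate(p, action, resource) == "Allow" for p in identity_policies)
```

Even with the over-broad policy attached, the SCP still blocks object deletion, which is the "permissions at the organization level" the session referred to.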
Now let's look at the customer's need for PCI compliance and the compliance reports that their auditor requires. The AWS Artifact service provides the compliance reports the customer needs. And since AWS is PCI compliant, the customer partially inherits that benefit through the Shared Responsibility Model.
The customer mentioned facing DDoS attacks; for that, AWS Shield and AWS WAF (Web Application Firewall) are two services that can help. AWS WAF is a web application firewall that you can use to monitor the web requests that your end users send to your applications and to control access to your content. It helps protect against SQL injection and Cross-Site Scripting attacks. AWS Shield provides protection against distributed denial of service (DDoS) attacks for AWS resources, at the network and transport layers (layers 3 and 4) and the application layer (layer 7). In case the customer feels the need for a dedicated team, they can opt for AWS Shield Advanced (a paid service, unlike AWS Shield Standard, which is free).
The customer expressed the need for detection of package vulnerabilities. AWS Inspector is a vulnerability management service that continually scans AWS workloads (on EC2 and Lambda, as well as container images in ECR) for software vulnerabilities and unintended network exposure.
AWS KMS can help the customer encrypt their data at rest on AWS. Along with providing AWS managed keys (which have auto-rotation), KMS also has an option for customer managed keys, so the customer can migrate their own keys to AWS.
The customer also expressed a need for some kind of script or service to automatically scan logs and act on threats. AWS GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts, workloads, runtime activity, and data for malicious activity.
AWS VPC architecture diagram
Let's take a brief look at some basic AWS architecture components like VPC, Subnets, NAT Gateway, Internet Gateway, NACLs and Security Groups:
  • An AWS VPC is a region-specific private cloud provided to the customer. It spans all AZs in the region. Each VPC has a range of IPs allocated to it, represented using Classless Inter-Domain Routing (CIDR) notation.
  • Within each VPC are subnets. Subnets are AZ-specific and can be public subnets (open to the internet) or private subnets (which can reach the internet, but cannot be reached from it).
  • An Internet Gateway is used by public subnets to access the internet and to provide access from the internet; a NAT Gateway is used by private subnets to access the internet.
  • NACLs are located at the subnet level to control traffic to and from the subnet. They are stateless. Security Groups are instance/EC2-level firewalls that control inbound and outbound traffic. These are stateful (the return traffic for what's allowed in is automatically allowed out).
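The stateless vs. stateful difference is easiest to see with a packet or two. The following is an added example (my own model, not code from the session or AWS), with constructed NACL and security group rule sets and a hypothetical client on ephemeral port 51515 connecting to HTTPS on port 443.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = entering the subnet/instance, "out" = leaving it
    proto: str
    src_port: int
    dst_port: int

# Constructed rule sets (not from the session); both try to admit inbound HTTPS.
# NACL entries: (rule number, action, protocol, (low port, high port)); the lowest
# matching number wins, and a rule applies to the destination port of the packet.
NACL_WITH_EPHEMERAL = {
    "in":  [(100, "allow", "tcp", (443, 443))],
    "out": [(100, "allow", "tcp", (1024, 65535))],  # replies go to the client's ephemeral port
}
NACL_MISSING_EPHEMERAL = {"in": [(100, "allow", "tcp", (443, 443))], "out": []}

def nacl_allows(rules, pkt):
    """Stateless: each packet is judged on its own, against the rules for its direction only."""
    for _num, action, proto, (lo, hi) in sorted(rules[pkt.direction]):
        if proto == pkt.proto and lo <= pkt.dst_port <= hi:
            return action == "allow"
    return False  # the implicit '*' deny at the end of every NACL

class SecurityGroup:
    """Stateful: an admitted inbound flow is remembered, so its replies pass with no outbound rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # lists of (proto, (low, high))
        self.flows = set()

    def allows(self, pkt):
        if pkt.direction == "in":
            ok = any(p == pkt.proto and lo <= pkt.dst_port <= hi for p, (lo, hi) in self.inbound)
            if ok:
                self.flows.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return ok
        if (pkt.proto, pkt.dst_port, pkt.src_port) in self.flows:  # reply to a tracked flow
            return True
        return any(p == pkt.proto and lo <= pkt.dst_port <= hi for p, (lo, hi) in self.outbound)

def https_exchange(check):
    """Client on ephemeral port 51515 talks to port 443; returns (request_passed, reply_passed)."""
    request = Packet("in", "tcp", 51515, 443)
    reply = Packet("out", "tcp", 443, 51515)
    return check(request), check(reply)

if __name__ == "__main__":
    print("NACL with ephemeral rule:", https_exchange(lambda p: nacl_allows(NACL_WITH_EPHEMERAL, p)))
    print("NACL without it:", https_exchange(lambda p: nacl_allows(NACL_MISSING_EPHEMERAL, p)))
    print("SG, no outbound rules:", https_exchange(SecurityGroup([("tcp", (443, 443))], []).allows))
```

The NACL that forgets the outbound ephemeral-port rule admits the request but silently drops the reply, a classic "the security group is fine, why does nothing connect" debugging session.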
Lots of useful info in this session; looking forward to the next one.
Disclaimer/Clarification: These are just personal notes I have created summarizing the session I attended. All credit and thanks to the speakers and organizers; check out the website and YouTube links below.
BeSA is a volunteer-run attempt to teach the skills needed to become a Solutions Architect.
Watch it live here. Sign up for upcoming batches here.