Fundamentals to manage, monitor and secure AWS Cloud

This blog focuses on maintaining and monitoring AWS applications to ensure they are operating at required utilization thresholds, and are protected from any external threats. I will be covering fundamentals of AWS CloudTrail, AWS Config, AWS Trusted Advisor, AWS CloudWatch, AWS Health Dashboards and AWS Identity and Access Management(IAM).

AWS services used to manage and monitor cloud

1.AWS Config:

The service has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that helps to find answers to the questions that we highlighted previously.

Credits: https://d1.awsstatic.com/product-marketing/config/how_it_works_diagram_Config_final.d9b4b139e1d207baf585e6ad6245162f565c4dbc.png

Q.What can AWS Config do?

1. It can capture resource changes. So any change to a resource supported by Config can be recorded, which will record what change along with other useful metadata all held within a file known as a configuration item, a CI.
2. It can store configuration history for individual resources.Acting as a resource inventory.
3. The Simple Notification Service(SNS) is used with AWS Config to capture a configuration stream of changes, enabling you to process and analyze the changes to resources. It can provide the information on who made the change and when, through AWS CloudTrail integration.
4. A number of security resources can be recorded and when this is coupled with rules relating to security, such as encryption checks, this can become a powerful analysis tool.

AWS Config is region-specific.

For more information about AWS config,

1. https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
2. https://aws.amazon.com/blogs/aws/track-aws-with-config/

2.AWS Cloudtrail:

CloudTrail is a service that has a primary function to record and track all AWS API requests made. These API calls can be programmatic requests initiated from a user using an SDK, the AWS Command Line Interface, from within the AWS management console, or even from a request made by another AWS service.

Credits: https://d1.awsstatic.com/products/CloudTrail/Cloudtrail_How-it-works_final.3fa7690040cb1b8fb5fa4f669b8a0148f370a76f.png

Well there are a number of ways you can use the data captured by CloudTrail to help you enhance your AWS environment.

1. It can be used very effectively as a security analysis tool. CloudTrail events provide very specific information about where an API call originated from and who, or what initiated the request.
2. Using built-in filtering mechanisms, it's possible to quickly find who, what and when a particular API was used, which could have potentially caused an outage or service interruption.

For more information about AWS cloudtrail,

1. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
2. https://aws.amazon.com/blogs/aws/aws-cloudtrail-capture-aws-api-activity/

3. AWS Trusted Advisor:

The main function of Trusted Advisor is to recommend improvements across your AWS account, to help optimize and hone your environment based on AWS Best Practices.

1. Cost Optimization, which helps to identify ways in which you could optimize your resources to save money.
2. Performance, this scans your resources to highlight any potential performance issues across multiple services.
3. Security, this category analyzes your environment for any potential security weaknesses or vulnerabilities.
4. Fault Tolerance, which suggests Best Practices to maintain service operations by increasing resiliency should a fault or incident occur across your resources

Credits: https://www.freecodecamp.org/news/content/images/2020/10/AWS-Trusted-Advisor.png

There are also a number of other features that everyone has access to, including those outside of the Enterprise and Business support plans.

For more information about AWS Trusted Advisor,

1. https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html
2. https://aws.amazon.com/blogs/aws/trusted-advisor-console-basic/

4.AWS Cloud Watch:

The primary function of Amazon CloudWatch is to provide a means of monitoring your resources that you're running within AWS via a series of metrics which are individual to each service that you are using. This allows you to quickly react to events, and diagnose, and dynamically adjust any availability or scalability issue that you might be experiencing.

Credits: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/images/CW-Overview.png

Each service and resource sends data to your CloudWatch dashboard as metrics. The metrics are very dependent, as each service is used differently, and as such contains different metric variables. CloudWatch offers you two modes of recording your metric data,

1. Basic monitoring is the default monitoring type when configuring Amazon CloudWatch, which records metrics every five minutes.
2. Detailed monitoring for instance types ensures the metric data is recorded at one minute intervals, as opposed to five minutes with basic monitoring.

It's great that CloudWatch is constantly monitoring the environment, but we need to create alarms to respond to events that occur within your environment and across your resources. Think of alarms as predefined thresholds. An alarm has three possible states,

1. The first one being 'OK'.
2. 'Alarm', this status means that the metric is outside of the threshold level.
3. 'Insufficient data', this indicates that the metric has not collated enough available data to determine the alarm state.

For more information about AWS Cloud Watch,

1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
2. https://aws.amazon.com/blogs/storage/amazon-cloudwatch-events-and-metrics-for-aws-backup/

5.AWS Personal Dashboard:

AWS offers two dashboards that can help you identify issues that may affect your infrastructure and the resources that you're running within your AWS accounts, these being the AWS Service Health Dashboard and the Personal Health Dashboard.

1. The AWS Service Health Dashboard provides a complete health check of all services in all regions at any one time.
2. The Personal Health Dashboard differs to that of the Service Health Dashboard, in that it will notify you of any services interruptions that may affect the resources and services that you are using within your own AWS account.

Credits: https://media.amazonwebservices.com/blog/2016/phd_scheduled_changes_2.png

For more information about AWS Personal Dashboard,

1. https://docs.aws.amazon.com/health/latest/ug/getting-started-phd.html
2. https://aws.amazon.com/blogs/aws/new-aws-personal-health-dashboard-status-you-can-relate-to/

AWS services used to secure cloud

1.AWS Identity and Access Management(IAM):

AWS IAM service is used to centrally manage and control security permissions for any identity requiring access to your AWS account and its resources.

1. Identity management: Identities such as AWS usernames are required to authenticate to your AWS account. Authorization determines what an identity can access within your AWS account once it's been authenticated to it
2. Access management, relates to authorization and access control. Access control can be classed as a mechanism of accessing a secured resource.

Credits: https://www.msp360.com/resources/wp-content/uploads/2018/10/IAM-Identities-and-permission-1024x541.png

This is achieved by using different features within IAM consisting of:

1.Users are simply objects representing an identity which are used in the authentication process to your AWS account.

Once your user identity is created, you can view a summary of the object by selecting user, from within the user page of the console.

2.IAM Groups they are used to authorize access to AWS resources, through the use of AWS Policies. IAM Groups contain IAM Users, and these groups will have IAM Policies associated that will allow or explicitly deny access to AWS resources.

By applying permissions to the group instead of individual users, it makes it easy to modify permissions for multiple users at once. All you would need to do is modify the permissions of a group, and all users associated with the group would inherit the new access.

3.IAM Roles allow users and other AWS services and applications to adopt a set of temporary IAM permissions to access AWS resources.

IAM roles do not have any access keys or credentials associated to them. Instead, when used, these credentials are dynamically assigned by AWS. There are currently four different types of roles that can be created, all of which serve a different purpose,

1. The AWS Service Role would be used by other services that would assume the role to perform specific functions based on a set of permissions associated with it.
   1. Once you have selected your service role, you would then need to attach a policy with the required permissions, and set a role name to complete its creation.
   2. Examples of AWS Service Role: Amazon EC2, AWS Lambda, etc
2. The AWS Service-Linked Role are very specific roles that are associated to certain AWS services.
   1. They are pre-defined by AWS, and the permissions can't be altered in any way, as they are set to perform a specific function.
   2. Once you have selected your service-linked role, you simply need to assign it a name and complete the creation.
   3. Examples of these AWS Service-Linked Roles: Amazon Lex-Bots, and Amazon Lex-Channels.
3. The Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.
   1. This access is managed by policies that establish trusting and trusted accounts that explicitly allow a trusted principal to access specific resources.
4. Role for Identity Provider Access offers three different options.
   1. Grant access to web identity providers. This is used to create a trust for users using Amazon Cognito, Amazon, Facebook, Google, or any other open ID connect provider.
   2. Grant web single sign on to SAML providers. This allows access for users coming from a SAML provider, which stands for Security Assertion Markup Language.
   3. Grant API access to SAML providers.

4.IAM policies are used to assign permissions to users, groups, and roles.

IAM policies are formatted as JSON documents, Javascript objectionable. And each policy will have at least one statement, where the structure may look like this example.

Credits: https://image.slidesharecdn.com/iamcustompolicies-slideshare-170726000003/95/iam-deep-dive-custom-iam-policies-with-conditions-5-638.jpg?cb=1501027261

1. Version: This going to the policy language version.
2. Statement: it defines the main element of the policy, which will also include other sub-elements, including Sid, Action, Effect, Resource, and Condition. These elements will identify the level of access, granted or denied, and to which resource.
   1. The Statement ID(Sid) is simply a unique identifier within the Statement array.
   2. Action is the action that will either be allowed or denied, depending on the value entered for the Effect element.
   3. Effect: it will either grant or restrict access for the previous Actions defined in the statement.By default, access to your resources are denied and, so therefore, if this is set to allow, it replaces the default deny.
   4. Resource: it specifies the actual resource you wish the "Action" and "Effect" to be applied to. AWS uses unique identifiers, known as Amazon Resource Names(ARNs) to specify specific resources.
   5. Partition: it relates to the partition that the resource is found in. For standard AWS regions, this section would be AWS. 
   6. Service: it reflects the specific AWS service. For example, s3 or ec2. 
   7. Region: This is the region that the resource is located.
   8. Account-id: This is your AWS account-id, without hyphens.
   9. Resource: The value of this field will depend on the AWS service you are using.
   10. Condition: This is an option element that allows you to control when the permissions will be effective based upon set criteria.
       1. The element itself is made up of a condition and a key-value pair. And all elements of the condition must be met for the permissions to be effective.

Credits: https://docs.aws.amazon.com/it_it/IAM/latest/UserGuide/images/intro-diagram%20_policies_800.png

Two different types of IAM policies available. These being Managed Policies and In-line Policies,

1.Managed policies come in two different flavors, AWS Managed Policies and Customer Managed Policies.

The AWS Managed policy have been pre-configured by AWS and made available to you to help with some of the most common permissions that you may wish to assign.

The great thing about these AWS Managed policies is that you are able to edit them and make tweaks and changes before saving it as a new policy. This then becomes a Customer Managed policy.

2.An Inline Policy is directly embedded into a specific User, Group, or Role, and as a result, it is not available to be used by multiple identities.

Inline policies are typically used when you don't want to run the risk of the permissions being used in the policy for any other identity.

By default, all access to a resource is denied. Access will only be allowed if an explicit "Allow" has been specified within a policy associated with an identity. If a single "Deny" exists within any policy associated to the same identity against the same resource, then that "Deny" will override any previous "Allow" that may exist for the same resource and action.

The responsibility of implementing secure, robust and tight security within your AWS account using IAM is yours, the owners of the AWS account. The initial dashboard of the IAM console will display,

1. Information relating to the IAM uses sign-in link and this is a URL link that you can send to users who will need to gain access to your AWS management console.
2. IAM Resources, it provides an overview of your IAM resources using a simple count of the number of users, groups, roles, customer manage policies and identity providers you have configured within IAM.
3. Security Status, it is populated with five best practices from a security perspective that AWS IAM recommends you configure when using IAM which may include activate MFA on your root account, create individual IAM users, use groups to assign permissions, apply an IAM password policy and rotate your access keys.

Credits: https://media.amazonwebservices.com/blog/2014/new_iam_console_dash_2.png

IAM covers all regions.

Other features of IAM

1. You can add another layer of security attached to the identity, Multi-Factor Authentication (MFA) is used to create an additional factor for authentication in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.
2. Identity federation allows you to access and manage AWS resources even if you don't have a user account within IAM.
   1. Identity federation allows users from identity providers which are external to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.

To know more about IAM,

1. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
2. https://theaws.blog/iam-cheat-sheet/
3. https://aws.amazon.com/blogs/aws/iam-access-analyzer-update-policy-validation/

Let me know where i could improve?

Comments

[Jason Dunn [AWS]]

Very thorough, thanks for sharing!