DEV Community: Amruta Pardeshi

AWS Organizations: The Hidden Backbone of Enterprise Security

Amruta Pardeshi — Sat, 22 Nov 2025 11:51:20 +0000

Securing a rapidly expanding AWS environment requires more than just IAM users, roles, and policies. As teams, accounts, and workloads grow, a more foundational approach is necessary — a means to centrally govern, restrict, and secure all resources across accounts.

That “hidden backbone” is AWS Organizations.

In this guide, we clarify how AWS Organizations integrates with IAM, SCPs, ABAC, managed policies, and resource policies, providing practical examples that you can apply in real environments.

🚀 Features for AWS Organizations:
AWS Organizations does more than just create multiple AWS accounts. It serves as the control plane for:

Manage your AWS accounts
Define and manage your organization
Secure and monitor your accounts
Control access and permissions
Share resources across accounts
Audit your environment for compliance
Centrally manage billing and costs

🚀 Use cases for AWS Organizations:
Automate the creation of AWS accounts and categorize workloads
You can automate the creation of AWS accounts to quickly launch new workloads. Add the accounts to user-defined groups for instant security policy application, touchless infrastructure deployments, and auditing.

Define and enforce audit and compliance policies
You can implement service control policies (SCPs) to ensure that your users engage only in actions that align with your security and compliance requirements.

Provide tools and access for your Security teams while encouraging development
Create a security group with read-only access to all resources.

Share common resources across accounts
Organizations makes it easy for you to share critical central resources across your accounts.

It is the foundation of an enterprise-grade AWS security model.

1. How AWS Organizations Works With IAM
AWS Organizations and IAM are often misunderstood. Here’s the simplest mental model:

IAM = What a principal can do inside an account

(Users, roles, groups)

SCP = What is allowed at the organizational level
(Sets the boundary of maximum permissions)

Example of the interaction

IAM says: “You can delete S3 buckets.”

SCP says: “No one is allowed to delete S3 buckets.”

Final result: Bucket deletion is denied.

SCPs never grant access — they only restrict access.

2. Managing Access Permissions in an Organization
AWS Organizations provides multiple tools for governing security.

a) Service Control Policies (SCPs)

SCPs apply at:

the root organization
OU (Organizational Unit)
individual accounts

They define maximum permissions, regardless of IAM.

Useful for enforcing:

mandatory encryption
mandatory logging
region restrictions
disallowing IAM user creation
preventing CloudTrail deletion
protecting guardrails

b) IAM Roles for Cross-Account Access
Instead of creating admin users in each account, you create one central IAM role per use case.

Examples:

SecurityAuditRole for the security team
AutomationRole for CI/CD pipelines
BillingRole for finance
Roles are assumed cross-account using the AWS CLI or AWS SSO.

c) IAM Identity Center (AWS SSO)
The recommended identity solution.
It provides:

Centralized users and groups
MFA enforced everywhere
Fine-grained permission sets
Automatic access provisioning per account

This eliminates IAM users entirely.

3. AWS Managed Policies
AWS provides prebuilt policies so you don’t reinvent the wheel.

Common managed policies:

SecurityAudit → read-only security insights
AdministratorAccess → full control (use carefully)
ViewOnlyAccess → non-intrusive visibility
AmazonS3FullAccess
AWSLambdaExecute

Advantages

✔ Automatically updated by AWS
✔ Quick to apply
✔ Good starting point for least privilege

Caution

Many managed policies are too broad.
Prefer custom policies for production.

4. Attribute-Based Access Control (ABAC) with Tags
Attribute-based access control enables you to use tags attached to AWS resources and identities to manage access. For instance, a user can access a resource only if both share the same tag value.

Perfect for:

multi-team platforms
dynamic environments
large-scale automation

5. Identity-Based IAM Policy
Identity policies attach to:

IAM users
IAM roles
IAM groups

They grant permissions.

Identity policies = grant permissions
SCPs = restrict permissions

6. Resource-Based Policy
Resource policies protect resources like:

S3 buckets
KMS keys
Lambda functions
SQS queues
API Gateway APIs

They allow access from:

other AWS accounts
specific IAM roles or services
external integrations

🔥Final thoughts
AWS Organizations serves as the critical foundation for securing, managing, and scaling large AWS environments.
By integrating IAM, SCPs, resource policies, managed policies, and ABAC, you establish a comprehensive security model that is:

Centralized
Least-privilege by default
Automated
Compliant
Enterprise-ready

Reference: AWS Documentation

AWS Locksmith: Encrypting S3 and EBS with Amazon KMS

Amruta Pardeshi — Mon, 05 Feb 2024 12:29:54 +0000

Introduction:
As businesses and organizations increasingly store sensitive data in the cloud, security becomes a top priority. To address this need, Amazon Web Services (AWS) offers the Amazon Key Management Service (KMS) – a robust encryption solution. In this blog post, we will explore how you can use AWS KMS to enhance the security of your data that is stored in Amazon Simple Storage Service (S3) and Elastic Block Store (EBS).

Understanding AWS Key Management Service:
Amazon KMS is a comprehensive encryption service that manages the creation and control of cryptographic keys used to encrypt data. It streamlines the process of integrating encryption into your applications and workflows by providing a secure and centralized location for managing keys.

Enabling CloudTrail and S3 logging with encryption
AWS CloudTrail is a service that allows you to track and log API events from the AWS console, API, or CLI (command line interface). CloudTrail is compatible with various AWS services, including KMS (Key Management Service). The JSON-formatted log files produced by CloudTrail are delivered to an S3 bucket. Once you enable and configure CloudTrail, the JSON logs will contain KMS events that can be used for monitoring, auditing, governance, and compliance.

Let's see how to activate CloudTrail and create a Customer Master Key (CMK) that will encrypt the data CloudTrail logs in S3.

In the AWS Management Console search bar, enter CloudTrail, and click on CloudTrail result to navigate to AWS Cloudtrail console:

Click on Create Trail.

Fill out the following details:

Trail name: Key-Trail
Enable for all accounts in my organization: Unchecked
Storage location: Create new S3 bucket
Trail log bucket and folder: keytrail-bucket-unique_number
Note: S3 bucket names should be unique. Append a number to "Keytrail-bucket" for a unique bucket name.
Log file SSE-KMS encryption: Checked
AWS KMS Key: New
AWS KMS alias: S3-CloudTrail

Scroll to the bottom, and click on Next and fill out the form:

Event type: Ensure Management events is checked
Click Next

Review and create

In the left-hand menu, click Event history:
After the API activity is completed, it may take up to 15 minutes for the activity to update. The most recent events are located at the top.

Note: If you encounter a significant delay, you can proceed with the following steps. However, make sure to review the Event history later to see important events recorded by CloudTrail.

In the AWS search bar at the top, enter KMS, and under Services, click the KMS result to navigate there:

In the left-hand menu, click Customer managed keys.

Select the key you just created (S3-CloudTrail) when enabling CloudTrail:

In the row of tabs, click Key rotation.
(In this way, you can automate key rotation by enabling a simple checkbox.)

In the AWS search bar at the top, enter S3, and under Services, click the S3 result to navigate there:

Select the unique bucket name you created earlier (keytrail-bucket-#)

To access your data, navigate through the folders and follow the path including your AWS account ID, region, and date.
If you see two folders, click on CloudTrail and not CloudTrail-Digest.

Upon checking, you will find compressed JSON files in the directory. These are the log files sent from CloudTrail to S3:

The Customer Master Key (CMK) has been successfully created and is now available for use in both encrypting and decrypting data that is at rest, whether it's on S3 (as in the example above) or an EBS volume. You can also use a similar process to search for other KMS-related events within a given day's CloudTrail log files, such as EnableKey, DisableKey, and so on.

Create a Customer Master Key (CMK)

In the AWS Management Console search bar, enter KMS, and click on KMS result to navigate there:

Select Customer managed keys in the left side-bar of the KMS console.

Click Create Key

Key type: Symmetric (Symmetric keys are suitable for most data encryption applications. The same key is used for both encrypt and decrypt operations with symmetric key algorithms.)
Key usage: Encrypt and decrypt

scroll down then expand Advanced Options and set the following values:

Key Material Origin: Leave as KMS (default).
Regionality: Single-Region key

Click Next

Set the following values before clicking Next (leave the default values for other fields)

Alias: Test-CMK-key

Click Next to the Define Key Administrative Permissions page and leave the default values.

Click Next to Define Key Usage Permissions page
Click Next to preview the key policy and then click Finish when ready.

The CMK is created ..

Create a simple EC2 with unencrypted EBS volume.

Create an Encrypted EBS Volume
First, check if your running instance uses a non-encrypted EBS-backed root device. Then, create an encrypted EBS volume using a CMK, attach it, and confirm encryption on the volume from the console and CloudTrail.

Click Volumes in the left side-bar below Elastic Block Store in EC2 console.

Click Create Volume and fill out the dialog box

Size: 3 (Since we are not doing anything with a lot of data, it's OK to make this quite small.)
Availability Zone: us-west-2a (Select the same AZ as your running instance.)
Encryption: Check this (Once selected, it will expand to show Key information.)
Master Key: Test-CMK-key (Select the CMK you created earlier.)

Create ..

Select the EBS Volume, and click Actions > Attach Volume. Click in the Instance field and select your running instance

After the Instance is selected, a default Device is set.

Click Attach when ready. The State transitions from available to in-use.

We have encrypted the S3 and EBS data in this manner ..

Securing Your AWS Infrastructure: VPCs, Security Groups, and NACLs

Amruta Pardeshi — Wed, 27 Dec 2023 07:44:22 +0000

When it comes to Amazon Web Services (AWS), the first step towards protecting your applications and data is securing your infrastructure. It is essential to establish strong security measures at the network level, keeping the AWS shared responsibility model in mind. In this blog post, we will discuss the fundamental elements of securing your AWS infrastructure, including Virtual Private Clouds (VPCs), Security Groups, and Network Access Control Lists (NACLs).

Understanding AWS Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC) is an essential component of your network infrastructure in AWS. It provides you with the ability to create a secure, isolated section of the AWS Cloud where you can deploy your AWS resources. Consider it as your cloud-based virtual data center, allowing you to have complete control over your network environment.

Best Practices for VPC Security:
1. Custom CIDR Blocks:
Define custom CIDR blocks to ensure that your VPC's IP address
space doesn't overlap with on-premises networks.

2. Subnet Design:
Use multiple subnets across Availability Zones for high
availability and fault tolerance.

3. Internet and VPN Gateways:
Securely connect your VPC to the internet using an Internet
Gateway. Use Virtual Private Network (VPN) connections for
secure, private access.

4. VPC Peering:
Implement VPC peering for communication between VPCs. Ensure
that peering connections follow the principle of least
privilege.

Securing with AWS Security Groups
AWS Security Groups act as virtual firewalls for instances. They control inbound and outbound traffic at the instance level. If you allow outbound traffic, the corresponding inbound response traffic is automatically allowed because they are stateful.

Best Practices for Security Groups:
1. Principle of Least Privilege:
Only open the ports and protocols necessary for your
application to function. Follow the principle of least
privilege to minimize attack surfaces.

2. Refined Inbound and Outbound Rules:
Define specific rules for inbound and outbound traffic based on
the type of traffic required. Avoid leaving unnecessary ports
open.

3. Dynamic Port Ranges:
When using applications that require dynamic port ranges, use
security group rules to define these ranges rather than leaving
all ports open.

4. Security Group Logging:
Enable VPC Flow Logs to capture information about the IP
traffic going to and from network interfaces in your VPC.

Utilizing Network Access Control Lists (NACLs)
NACLs are stateless firewalls that control traffic in and out of subnets. They are associated with subnets and have separate inbound and outbound rules.

Best Practices for NACLs:
1. Default Deny Rule:
Start with a default deny rule and only add rules that are
necessary for your application's functionality.

2. Sequential Rule Numbers:
Number your rules sequentially to maintain clarity and make it
easier to add or remove rules in the future.

3. Limited Number of Rules:
Keep the number of rules in NACLs to a minimum. Complicated
rule sets can lead to confusion and potential security
oversights.

4. Regular Auditing:
Regularly audit your NACL rules to ensure they align with your
security policies. Remove any rules that are no longer
necessary.

Conclusion
Securing your AWS infrastructure is a continuous and dynamic process. To implement a robust security framework that protects your applications and data from potential threats, it is crucial to understand the roles of VPCs, Security Groups, and NACLs. It is always recommended to stay informed about AWS security best practices, and regularly review and update your security configurations to adapt to the evolving threat landscape. A secure AWS infrastructure is not only a best practice but also a fundamental requirement for a successful and resilient cloud deployment.

AWS Penetration Testing Insights

Amruta Pardeshi — Mon, 02 Oct 2023 07:33:27 +0000

In today's digital landscape, ensuring security is crucial, and Amazon Web Services (AWS) recognizes this significance by offering robust security measures. To provide the utmost protection, AWS provides a comprehensive guide on penetration testing. In this detailed blog post, we will delve into AWS penetration testing, aligning ourselves with AWS's guidelines, to help you effectively safeguard your AWS infrastructure.

It's important to conduct AWS penetration testing, also known as ethical hacking. This proactive approach helps identify vulnerabilities and security weaknesses in your AWS infrastructure. By resolving these issues before they're exploited, you can significantly reduce the risk of security breaches and data compromises.

I wanted to share some of the important reasons why AWS Penetration Testing is crucial:

Enhancing Security: Identifying vulnerabilities in advance can help you improve your overall security posture proactively.
Regulatory Compliance: It is often required by various industries and regulatory bodies to conduct regular penetration testing as part of compliance efforts.
Protecting Sensitive Data: Since AWS frequently hosts sensitive data, penetration tests can ensure the security of this information.
Building Trust: Regularly conducting penetration testing shows your dedication to security, which can help establish trust with customers and partners.

Customer Service Policy for Penetration Testing
Permitted Services

Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS AppSync
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
Amazon Elastic Container Service
AWS Fargate
Amazon Elasticsearch
Amazon FSx
Amazon Transit Gateway
S3 hosted applications (targeting S3 buckets is strictly prohibited)

Prohibited Activities

DNS zone walking via Amazon Route 53 Hosted Zones
DNS hijacking via Route 53
DNS Pharming via Route 53
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (These are subject to the DDoS Simulation Testing policy
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)

Customers seeking to test non approved services will need to work directly with their AWS Support Team.

Please keep in mind that when performing security testing, it is important to follow the AWS Security Testing Terms and Conditions:

Only perform security testing on the agreed-upon services, network bandwidth, requests per minute, and instance type.
Use security assessment tools and services in accordance with AWS's policy.
Security testing is subject to the Amazon Web Services Customer Agreement between you and AWS.
If any vulnerabilities or issues are discovered during the testing that are a direct result of AWS's tools or services, please report them to AWS Security aws-security@amazon.com within 24 hours of completing the testing.

AWS have a policy that outlines how to use security assessment tools and services.

A security tool that remotely queries your AWS asset to determine a software name and version is not a violation. A tool or service that crashes a running process temporarily for remote or local exploitation as part of the security assessment is not in violation.
However, you can't use tools or services that perform DoS attacks or simulations against any AWS asset. You also can't use tools or services that create, determine, or demonstrate a DoS condition in any other manner. Customers wishing to perform a DDoS simulation test should review AWS's DDoS Simulation Testing policy.
It's your responsibility to ensure that the tools and services used for security assessments do not perform DoS attacks or simulations. You should also validate that the tool or service employed does not perform such attacks before performing a security assessment of any AWS assets.

Reference: AWS Security Documentation on Penetration Testing

Simplifying Data Transfer: Methods for Moving Large Amounts of Data with Ease

Amruta Pardeshi — Tue, 08 Aug 2023 12:26:44 +0000

In the ever-evolving world of technology, the need to transfer large amounts of data swiftly and securely has become a crucial aspect of various industries. Whether you're a business dealing with massive datasets or an individual moving precious memories to the cloud, understanding the different data transfer strategies can save you time, effort, and headaches. In this blog, we'll explore some simple methods for transferring large amounts of data in and out of Amazon S3, one of the most popular cloud storage solutions. Let's dive in!

1. AWS DataSync: A Syncing Marvel

Imagine you have a treasure trove of data that needs to be constantly updated between your on-premises storage and Amazon S3. Enter AWS DataSync, a magical tool that synchronizes your data seamlessly. It's like having a data butler, ensuring your files are up-to-date without you lifting a finger. Whether it's a bunch of photos or a database, AWS DataSync efficiently transfers your data over the internet, saving you time and bandwidth. It will easily and efficiently transfer hundreds of terabytes and millions of files into AWS.
Refer to this link to check how AWS DataSync works https://docs.aws.amazon.com/datasync/latest/userguide/getting-started.html

2. Snowball: Your Data's Arctic Expedition

What if your data is so massive that transferring it over the internet seems like waiting for a snail to cross a racetrack? Here's where Snowball comes to the rescue. Snowball is like a rugged storage box that you fill with your data. Amazon sends you this box, and you transfer your data into it. Once your data is snugly inside, you send the Snowball back to Amazon. They'll plug it into their massive servers, and voilà! Your data is transferred much faster than if you had tried to send it through the internet. You can transfer hundreds of terabytes or petabytes of data between your on-premises data centers and Amazon Simple Storage Service (Amazon S3).
To read more about it check out this link https://docs.aws.amazon.com/snowball/latest/developer-guide/whatisedge.html

3. Direct Data Transfers: The Straightforward Route

Sometimes, you might prefer the simplicity of transferring data directly without any third-party tools. This is where direct data transfers come into play. It's like sending an email attachment, but on a much larger scale. You can use tools like AWS Command Line Interface (CLI) or even scripting languages to move your data from your computer to Amazon S3. While this method might require a bit more technical know-how, it gives you fine-grained control over the transfer process.

In Conclusion: Finding Your Data's Path

When it comes to transferring large amounts of data in and out of Amazon S3, you have a variety of strategies at your disposal. Choosing the right method depends on factors such as the volume of data, your technical expertise, and your timeline. AWS DataSync is perfect for keeping your data in sync effortlessly, while Snowball offers a robust solution for huge datasets. If you're comfortable with a bit more technical involvement, direct data transfers provide a straightforward route.

As technology continues to advance, these methods might evolve too. However, for now, you have these powerful tools to make your data transfer journey smoother. Whether you're a business striving for efficiency or an individual safeguarding precious memories, exploring these strategies can help you find the perfect path for your data's journey to and from Amazon S3.

Leveraging S3 Lifecycle Policies for Data Tiering and Cost Reduction

Amruta Pardeshi — Tue, 04 Jul 2023 06:46:35 +0000

Introduction
Organizations are creating and storing enormous volumes of data in the data-driven world of today. Keeping track of storage expenses becomes more crucial as data volumes increase. Amazon Web Services (AWS) provides the highly scalable and economical Amazon Simple Storage Service (S3) as a cloud storage option. Lifecycle policies, a potent feature of S3, let you automatically move data across various storage classes in accordance with established conditions. Organizations can save storage expenses while assuring data availability and durability by utilizing S3 lifecycle policies for data tiering. The advantages and best practices of using S3 lifecycle policies to cut expenses and enhance data management will be covered in this blog.

Understanding S3 Storage Classes
Let's quickly cover the various S3 storage classes before getting into lifespan policies. S3 provides a variety of storage classes, each of which is created to satisfy particular demands for performance, cost, and durability:

S3 Standard: It offers high durability, availability, and low latency and is the default storage class. For regularly accessible data, it is appropriate.
S3 Intelligent-Tiering: This storage type use machine learning to shift things between the frequent and infrequent access tiers automatically. For data with erratic access patterns, it is perfect.
The S3 Standard-IA (Infrequent Access) storage class is intended for less often accessed data that nonetheless needs to be immediately available when needed. Compared to S3 Standard, it provides cheaper storage.
S3 One Zone-IA: Similar to S3 Standard-IA, S3 One Zone-IA stores data in a single availability zone. Compared to S3 Standard-IA, it is significantly less durable but offers cost benefits.
S3 Glacier: This storage class is safe, dependable, and reasonably priced for archiving data that is infrequently accessed. Retrieval timeframes can be customized and range from minutes to hours.
S3 Glacier Deep Archive: The most economical storage class for storing data that is accessed just once or twice a year is S3 Glacier Deep Archive. It may take many hours to retrieve data.

Using S3 Lifecycle Policies for Data Tiering
You can specify rules to automatically switch items between different storage classes as they get older using S3 lifecycle policies. Effectively utilizing lifecycle strategies can enable you to reduce storage expenses while preserving data availability. This is how it goes:

Rule-setting for transitions: Establish the guidelines for when objects should be transferred to a different storage class first. Objects older than 30 days, for instance, can be migrated from S3 Standard to S3 Intelligent-Tiering or S3 Standard-IA, per your specifications. For data moving from S3 Intelligent-Tiering to S3 Standard-IA or Glacier, similar rules can be established.
Configure expiration actions: You can provide rules to automatically delete or archive things after a certain amount of time, in addition to migrating objects between storage classes. For the reasons of compliance or data retention, this is especially useful. For instance, you can archive things to S3 Glacier Deep Archive or remove those older than seven years.
Think about access patterns: It's crucial to take your data's access patterns into account when developing transition rules. While less often accessed data can be shifted to cheaper storage classes, frequently used objects should be preserved in performance-optimized storage classes.
Review and improve: Be careful to regularly check your lifecycle policies to make sure they still meet your evolving data management needs. To reduce expenses and ensure data availability, modify the transition and expiration rules as necessary.

Benefits of Using S3 Lifecycle Policies

Cost optimization: You can drastically minimize storage costs by automatically transferring data to less expensive storage classes as it receives fewer accesses. You may balance cost reductions with the demands of data availability and performance with S3 lifecycle policies.
Data administration is made easier because to lifecycle policies, which automate data tiering and do away with the need for manual intervention. By defining the rules only once and letting S3 manage the rest, you can save time and money.
Compliance and data retention: By automatically removing or archiving data after a predetermined amount of time, lifecycle rules aid in the enforcement of compliance and data retention standards. By doing this, it is made sure that data is managed consistently and in line with legal standards.
Performance improvement: You can enhance the performance of often used data by migrating less frequently used data to less expensive storage classes. Fast retrieval times are maintained, and system performance is improved as a result.

Best Practices for Using S3 Lifecycle Policies
To make the most of S3 lifecycle policies, consider the following best practices:

Create a data lifecycle plan: Recognize the data's lifecycle and establish suitable transition and expiration policies. Take into account elements including access patterns, retention needs, and compliance duties.
Test and validate: Conduct testing and validation in a non-production environment before introducing lifecycle policies there. This makes it easier to make sure the policies are set up properly and produce the results you want.
Monitor and improve: Consistently keep an eye on the effectiveness and financial effects of your lifecycle policies. To maximize expenses and data availability, analyze the access patterns and make necessary rule adjustments.
Leverage analytics: Make the most of AWS resources like Amazon S3 Storage Lens and Amazon S3 Analytics to acquire understanding of your data and decide on the best storage class and lifecycle policy.

Conclusion
A potent method for reducing storage costs while preserving data availability is to use S3 lifecycle policies for data tiering. Organizations may efficiently manage their data lifecycle and guarantee that data is stored in the most cost-effective way by automating the flow of objects between various storage classes based on preset rules. Businesses may achieve the ideal mix between cost savings, data availability, and performance in their AWS S3 storage system by adhering to best practices and routinely assessing and improving lifecycle policies.

Guarding Your AWS Credentials: Identifying Compromises and Mitigating Damage

Amruta Pardeshi — Fri, 24 Mar 2023 10:11:09 +0000

As more businesses move their infrastructure to the cloud, security becomes a critical issue. One of the significant security risks for cloud infrastructure is the compromise of AWS (Amazon Web Services) credentials. AWS credentials are used to access and manage AWS resources, and if they fall into the wrong hands, an attacker can cause significant damage to your organization. In this blog post, we'll explore how to identify compromised AWS credentials using GuardDuty and the steps you can take to mitigate the damage.

Identifying the AWS credentials compromised using GuardDuty

GuardDuty is a threat detection service provided by AWS that continuously monitors your AWS environment for malicious activity and unauthorized behavior. GuardDuty analyzes event logs and network traffic to detect potential security threats in real-time. Here are some ways GuardDuty can help you identify compromised AWS credentials:

Unusual API calls: GuardDuty can detect unusual API calls made using AWS credentials, such as calls from an unusual location or an unusual time of day.
Credential stuffing: GuardDuty can detect credential stuffing attacks, where an attacker uses a list of stolen credentials to try to gain access to an AWS account.
Brute-force attacks: GuardDuty can detect brute-force attacks, where an attacker tries to guess an AWS account password or access key.
Password spraying: GuardDuty can detect password spraying attacks, where an attacker tries a small number of common passwords against many AWS accounts.
Reconnaissance activities: GuardDuty can detect reconnaissance activities, where an attacker tries to gather information about an AWS environment, such as by running port scans or making DNS queries.

Taking Steps to Mitigate the Damage of Compromised AWS Credentials

If GuardDuty detects that your AWS credentials have been compromised, you should take the following steps to mitigate the damage:

Revoke the compromised credentials immediately: Go to the AWS Management Console, navigate to the IAM (Identity and Access Management) service, and revoke the compromised credentials.
Change all related credentials: Change all related credentials, including access keys, secret keys, and passwords.
Check for any unauthorized changes: Check for any unauthorized changes that may have been made to your AWS resources, such as new EC2 instances, S3 buckets, or other resources created by the attacker.
Enable Multi-Factor Authentication (MFA): Enabling Multi-Factor Authentication (MFA) is an effective way to prevent unauthorized access to your AWS resources.
Review your security policies and procedures: Review your security policies and procedures to ensure that they are robust enough to prevent similar attacks in the future. This includes reviewing your access control policies, monitoring your logs regularly, and providing regular security awareness training to your employees.

In addition to the steps mentioned above, it is essential to verify your AWS account information to ensure that the attacker has not made any unauthorized changes or accessed any sensitive data. Here are the steps you should take to verify your account information:

Check your billing information: Verify that your billing information is correct and that there are no unexpected charges or unusual activity.
Check your CloudTrail logs: CloudTrail is a service that provides event history of your AWS account activity. Review your CloudTrail logs to ensure that there are no unauthorized activities or unusual patterns of activity.
Review your security groups: Security groups control inbound and outbound traffic to your AWS resources. Check your security groups to ensure that there are no unauthorized changes or unusual traffic patterns.
Check your S3 buckets: Amazon S3 (Simple Storage Service) is a scalable and secure object storage service. Verify that there are no unauthorized changes or unusual activity in your S3 buckets.
Review your IAM policies: IAM (Identity and Access Management) policies control access to your AWS resources. Check your IAM policies to ensure that there are no unauthorized changes or unusual activity.
Verify your contact information: Make sure that your contact information, such as email addresses and phone numbers, is up to date and that you can receive notifications about any suspicious activity.

By verifying your AWS account information, you can ensure that there are no unauthorized changes or activities and that your account is secure. If you notice any suspicious activity or unauthorized changes, you should report them immediately to AWS support and take appropriate steps to mitigate the damage.

In conclusion, GuardDuty is an essential tool for monitoring the security of your AWS environment, and it can help you detect compromised AWS credentials. If GuardDuty detects that your AWS credentials have been compromised, it is crucial to take immediate action to revoke the credentials, change related credentials, check for unauthorized changes, enable MFA, and review your security policies and procedures to prevent similar attacks in the future.

Detecting Security Threats in Real-time with AWS GuardDuty

Amruta Pardeshi — Mon, 06 Mar 2023 12:28:02 +0000

AWS GuardDuty is a threat detection service offered by Amazon Web Services (AWS) that helps you monitor your AWS environment for malicious activity and unauthorized behavior. With GuardDuty, you can continuously monitor and analyze logs and events from various sources such as AWS CloudTrail logs, Amazon VPC Flow Logs, and DNS logs to detect potential security threats.

Benefits of AWS GuardDuty

Improved security: GuardDuty helps you improve the security of your AWS environment by detecting potential security threats in real-time and providing actionable insights that can help you remediate any security issues.
Cost-effective: GuardDuty is a cost-effective solution for threat detection as it does not require any additional hardware or software, and you only pay for the data that is analyzed.
Easy integration with other AWS services: GuardDuty integrates seamlessly with other AWS services such as AWS CloudTrail, Amazon VPC Flow Logs, and AWS Lambda, making it easy to incorporate into your existing security workflow.
Scalable: GuardDuty is designed to scale with your AWS environment, and it can handle large amounts of data and traffic.
Compliance: GuardDuty helps you meet compliance requirements by providing continuous monitoring and alerting for potential security threats.

Ways of Accessing GuardDuty
There are several ways to access AWS GuardDuty, depending on your preferences and needs. Here are some of the most common ways:

AWS Management Console: The AWS Management Console is a web-based interface that you can use to access and manage GuardDuty. You can view and analyze findings, configure settings, and take action on potential security threats. https://console.aws.amazon.com/guardduty
AWS CLI: The AWS Command Line Interface (CLI) is a tool that allows you to interact with AWS services using command-line commands. You can use the AWS CLI to manage GuardDuty, including enabling and disabling the service, retrieving findings, and updating settings.
AWS SDKs: AWS provides software development kits (SDKs) for various programming languages, such as Python, Java, and Ruby. You can use the SDKs to integrate GuardDuty into your applications and automate GuardDuty-related tasks.

How to enable AWS GuardDuty
Enabling GuardDuty is a simple process. Here are the steps to enable AWS GuardDuty:

Log in to the AWS Management Console and navigate to the GuardDuty console.
If this is your first time using GuardDuty, you will see a welcome screen. Click on the "Get started" button to begin.
At the top left corner select the region you want to enable GuardDuty for.
Click the "Enable GuardDuty" button.

Once GuardDuty is enabled, it will begin analyzing logs and events from various sources, such as CloudTrail logs, VPC Flow Logs, and DNS logs. GuardDuty will generate findings based on the analysis of the data and will alert you in real-time if it detects any potential security threats.

Finding types
GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment. AWS GuardDuty currently generates findings for

EC2
IAM
Kubernetes audit logs
Malware Protection
RDS Protection
S3

Amazon GuardDuty pricing
AWS GuardDuty service is free for 30 days trial and you can gain access to all features and detection findings. During the preview period, GuardDuty RDS Protection for Amazon Aurora databases is available to GuardDuty customers at no additional cost for some AWS supported region. For more information on pricing you can check out this link https://aws.amazon.com/guardduty/pricing/

Conclusion
AWS GuardDuty is an excellent solution for threat detection in your AWS environment. It is easy to set up and manage, and it provides continuous monitoring and alerting for potential security threats. With GuardDuty, you can improve the security of your AWS environment, reduce the risk of security breaches, and meet compliance requirements.

Protecting Your Sensitive Data in the Cloud with Amazon S3 Encryption

Amruta Pardeshi — Sat, 25 Feb 2023 12:46:35 +0000

Amazon Web Services (AWS) provides a wide range of services to help you securely store, manage, and access your data in the cloud. One such service is Amazon S3, which is a highly scalable, durable, and secure object storage service. In addition to providing robust data protection mechanisms, S3 also allows you to encrypt your data at rest and in transit. In this blog post, we will discuss S3 encryption, its benefits, and how to use it.

Benefits of S3 Encryption
The benefits of S3 encryption include:

Increased Data Security: Encryption adds a layer of security that protects your data from unauthorized access and malicious activities.
Compliance with Industry Regulations: S3 encryption can help you comply with regulations that require encryption for sensitive data.
Protection Against Internal Threats: Encryption safeguards your data from internal threats such as data breaches or rogue employees.
Ease of Use: AWS offers simple options for encrypting your S3 data, making it easy to secure your sensitive information in the cloud.

S3 Encryption Options
Objects in the S3 bucket can be encrypted using one of the following methods:

Server-side encryption with Amazon S3 managed keys (SSE-S3)
Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
Server-side encryption with customer-provided keys (SSE-C)
Client-side encryption

Server-Side Encryption (SSE)
SSE is a built-in S3 encryption feature that encrypts your data at rest using either AWS-managed keys or customer-managed keys. It is easy to use.

Server-side encryption with Amazon S3 managed keys (SSE-S3):

All Amazon S3 buckets have encryption configured by default. Each object is encrypted with a unique key. As an additional safeguard, SSE-S3 encrypts the key itself with a root key that it regularly rotates. SSE-S3 is ideal for most use cases and provides strong encryption at no additional cost.

Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS):

SSE-KMS is done using the integration of AWS KMS with Amazon S3. When you use SSE-KMS encryption with an S3 bucket, the AWS KMS keys must be in the same Region as the bucket. And there are additional charges for using AWS KMS keys.

Server-side encryption with customer-provided keys (SSE-C):

By using SSE-C, you generate and manage your encryption keys and provide them to AWS when you upload your data to S3. When you request access to your data, you provide your encryption keys to AWS to decrypt your data. AWS does not store your encryption keys, ensuring that only you have access to your data.

Client-side encryption:

Client-side encryption is a method of encrypting your data before it is uploaded to S3. With client-side encryption, you manage your own encryption keys, and AWS does not play a role in encrypting or decrypting it.

How to Use S3 Encryption
Encrypting your S3 data is easy. You can enable server-side encryption when you create a new S3 bucket or apply it to an existing bucket. To use SSE-S3 or SSE-KMS, simply select the appropriate option when you create or modify your S3 bucket.
To use client-side encryption, you will need to use an encryption library or tool to encrypt your data before uploading it to S3. There are several open-source and commercial encryption tools available.

Conclusion
In conclusion, securing your data is a critical aspect of managing your data in the cloud, and Amazon S3 encryption provides a reliable and straightforward solution. AWS offers several options for encrypting your data, including server-side encryption and client-side encryption. By taking advantage of AWS S3 encryption, you can confidently store, manage, and access your sensitive data in the cloud.

Install Docker on Ubuntu 22.04

Amruta Pardeshi — Tue, 10 Jan 2023 13:33:05 +0000

Docker is a software platform that simplifies the process of building, running, managing and distributing applications. It does this by virtualizing the operating system of the computer on which it is installed and running.

Prerequisites:
Ubuntu 20.04 or higher
A non-root user with sudo privileges

Step 1: Update package list
The first step is to update the package list on the Ubuntu machine. This is done by running the following command in the terminal:
$ sudo apt update

Step 2: Install packages to allow apt to use a repository over HTTPS
Next, we will install the necessary packages to allow apt to use a repository over HTTPS:
$ sudo apt install apt-transport-https ca-certificates curl software-properties-common

Step 3: Add Docker's official GPG key
To add Docker's official GPG key, run the following command in the terminal:
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Step 4: Add the stable Docker repository to the system
To add the stable Docker repository to the system, run the following command:
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Step 5: Update package list again and install Docker CE
$ sudo apt update
$ apt-cache policy docker-ce

Step 6: Finally install Docker
$ sudo apt install docker-ce

Install SSM-Agent on AWS EC2 Instance

Amruta Pardeshi — Tue, 29 Nov 2022 08:11:22 +0000

Create an AWS EC2 Instance
Create IAM Role with AmazonEc2RoleforSSM permission
Attach this IAM Role to your EC2 Instance
Now SSH into the EC2
Check status if SSM-Agent is installed using this command,
$ sudo systemctl status amazon-ssm-agent

$ yum info amazon-ssm-agent

Command to install SSM-Agent
$ sudo yum install -y https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_amd64/amazon-ssm-agent.rpm

Add preferred region in command and run to install ssm agent
$ sudo yum install -y https://s3.us-east-1.amazonaws.com/amazon-ssm-us-east-1/latest/linux_amd64/amazon-ssm-agent.rpm

Now you can open the instance on console and login using session manager

Install Mongodb in AWS Ubuntu Server 22.04

Amruta Pardeshi — Sat, 26 Nov 2022 09:35:19 +0000

Login to your AWS Ubuntu Server
Install the dependencies
$ sudo apt update
$ sudo apt install dirmngr gnupg apt-transport-https ca-certificates software-properties-common

Download and add the MongoDB GPG key with the following command
$ sudo wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | sudo apt-key add -

Create a list for MongoDB
$ echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.0.list

Update the local package database
$ sudo apt-get update

$ echo "deb http://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list
$ sudo apt-get update
$ sudo apt-get install libssl1.1

Now Install the MongoDB with the following command
$ sudo apt-get install -y mongodb-org

Start the MongoDB service and enable it to start automatically after rebooting the system.
$ sudo systemctl start mongod
$ sudo systemctl enable mongod

Now, check the status of the MongoDB service
$ sudo systemctl status mongod

To verify whether the installation has completed successfully by running the following command.
$ mongo --eval 'db.runCommand({ connectionStatus: 1 })'

Output:
ubuntu@ip-172-31-7-45:~$ mongo --eval 'db.runCommand({ connectionStatus: 1 })'
MongoDB shell version v5.0.13
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("66cf060a-dbd1-419f-9317-980163b0b34f") }
MongoDB server version: 5.0.13
{
"authInfo" : {
"authenticatedUsers" : [ ],
"authenticatedUserRoles" : [ ]
},
"ok" : 1
}

Use this command, to access the MongoDB shell.
$ mongo

Output:
ubuntu@ip-172-31-7-45:~$ mongo
MongoDB shell version v5.0.13
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("61a1f8c5-2e86-449a-a7ec-792bcd1d5b93") }

MongoDB server version: 5.0.13

Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see

https://docs.mongodb.com/mongodb-shell/install/

Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums

https://community.mongodb.com

The server generated these startup warnings when booting:
2022-11-15T08:01:08.164+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem

2022-11-15T08:01:08.921+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted

    Enable MongoDB's free cloud-based monitoring service, which will then receive and display
    metrics about your deployment (disk utilization, CPU, operation statistics, etc).

    The monitoring data will be available on a MongoDB website with a unique URL accessible to you
    and anyone you share the URL with. MongoDB may use this information to make product
    improvements and to suggest MongoDB products and deployment options to you.

    To enable free monitoring, run the following command: db.enableFreeMonitoring()
    To permanently disable this reminder, run the following command: db.disableFreeMonitoring()

Connect to the admin database.
$ use admin

Output:
switched to db admin

Run the following command to create a new user and set the password for the user.
$ db.createUser(
{
user: "mongoAdmin",
pwd: "KAb3747d",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)

Output:
Successfully added user: {
"user" : "mongoAdmin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}

Exit the mongo shell.
$ quit()

To test the changes, access the mongo shell using the created administrative user.
$ mongo -u mongoAdmin -p --authenticationDatabase admin

_Output: _

ubuntu@ip-172-31-7-45:~$ mongo -u mongoAdmin -p --authenticationDatabase admin
MongoDB shell version v5.0.13
Enter password:

Switch to the admin database.
$ use admin

List the users and see if you can list the created user.
$ show users

Output:
{
"_id" : "admin.mongoAdmin",
"userId" : UUID("ef767177-be14-488f-8eb9-947941a16d0f"),
"user" : "mongoAdmin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}