Compliance on AWS
DDOS
AWS marketplace security products
IAM Custom Policies
IAM - Policies - Create policy - Visual editor - Choose a service - S3 - in Access level, tick List and Read - click on Resources - enable All resources - Review policy - add name - Create policy
IAM - Roles - Create role - select EC2 - Next: Permissions - select the created policy - Next - add role name - Create role
Go to S3 (create 2 buckets in different regions) - Create bucket - add name, region - Create
Go to EC2 - Launch Instance - then access the instance from PuTTY or a terminal - switch to root (sudo su) - aws s3 ls - 'Unable to locate credentials'
Go to IAM - Users - Add user - add a username - enable Programmatic access - Next - enable the Administrator group - Next - Create user - you now get the access key ID and secret access key - Go to the EC2 instance - Actions - Instance Settings - Attach/Replace IAM Role - select the created role - Apply - now type the command 'aws s3 ls' inside the instance - it will show the S3 buckets we created earlier
Create a test file and copy it to the S3 bucket:
echo "Hello World" > test.txt
ls
test.txt
aws s3 cp /home/ec2-user/test.txt s3://bucketname
It will show 'upload failed' since we didn't give write access.
Go to IAM - Policies - select the policy that we created - Edit policy - enable Write in Access level - Review policy - Save changes - now you can upload the file using the command above:
aws s3 cp /home/ec2-user/test.txt s3://bucketname
aws s3 ls s3://bucketname
The same can be done with the second bucket in the other region.
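An added example (not part of the original notes): the two policy documents the lab builds in the visual editor, plus a small evaluator written for this example (Allow statements and IAM-style '*' wildcards only; no Deny, conditions or principals) that shows why 'aws s3 cp' fails until the Write access level is added.

```python
# Added example, not from the original notes: the two policy documents the lab
# builds in the visual editor and a small evaluator (written for this example;
# Allow statements and '*'/'?' wildcards only, no Deny/conditions) that shows
# why 'aws s3 cp' fails until the Write access level is added.
import copy
import fnmatch

# Step 1 policy: access levels List and Read on all resources.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetObject"],
        "Resource": "*",
    }],
}

# Same policy after "Edit policy - enable Write": PutObject is now allowed.
READ_WRITE_POLICY = copy.deepcopy(READ_ONLY_POLICY)
READ_WRITE_POLICY["Statement"][0]["Action"].append("s3:PutObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Action names match case-insensitively, as IAM does; resources match
    exactly apart from wildcards."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def lab_commands(policy):
    """Map the lab's two CLI commands to the IAM action each one needs."""
    obj = "arn:aws:s3:::bucketname/test.txt"
    return {
        "aws s3 ls": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
        "aws s3 cp test.txt s3://bucketname": is_allowed(policy, "s3:PutObject", obj),
    }
```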
MFA AND REPORTING WITH IAM
Go to IAM - Activate MFA on your root account - Manage MFA - enable a virtual MFA device - Next step - Next step - scan the barcode with Google Authenticator on your phone - enter the two generated authentication codes - Activate virtual MFA
This is for the root account. Now we can do the same for a user account.
IAM - Users - Add user - add username, enable Programmatic access - Next - Create group - select AdministratorAccess, give a group name - Create group - select the created group - Create user (you now get the access key ID and secret access key) - Download .csv - Go to Users - select the created user - Security credentials - click on Assigned MFA device - enable a virtual MFA device - Next step - Next step - scan the barcode with Google Authenticator on your phone - enter the two generated authentication codes - Activate virtual MFA
Go to the instance and remove the role that we created earlier - select the instance - Actions - Instance Settings - Attach/Replace IAM Role - No role - Apply - Yes, detach - log in using PuTTY or a terminal - switch to root (sudo su) - aws s3 ls - 'Unable to locate credentials'
Configure the CLI with the user's access key ID and secret access key:
aws configure
Enter the access key ID
Enter the secret access key
Enter the region name
ENTER
ENTER
aws s3 ls
Now you can see the bucket we created. Next, use the command below to create the virtual MFA device:
aws iam create-virtual-mfa-device --virtual-mfa-device-name EC2-User --outfile /home/ec2-user/QRCode.png --bootstrap-method QRCodePNG
Now, using the 'ls' command, you can see QRCode.png; copy the file to the S3 bucket:
aws s3 cp /home/ec2-user/QRCode.png s3://bucketname
Go to S3 in the console - select QRCode.png - Actions - Make public - Make public - click on QRCode.png - click on the Link - now you get the QR code - scan it with Google Authenticator on your phone
Log in to the EC2 instance and use the command shown below to enable MFA:
aws iam enable-mfa-device --user-name EC2-User --serial-number arn:aws:iam::USERNUMBERHERE:mfa/EC2-User --authentication-code-1 CODE1HERE --authentication-code-2 CODE2HERE
USERNUMBERHERE = the 12-digit account ID, taken from IAM - Users - select user - User ARN (copy the numbers)
CODE1HERE and CODE2HERE = two consecutive codes from Google Authenticator
Go to IAM - Users - select user - Security credentials - you can now see the Assigned MFA device
Go to IAM - Credential report - Download Report - it gives details of every
user's credentials
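An added example (not part of the original notes): parsing the credential report the lab downloads and flagging what a reviewer checks first, console logins without MFA and active access keys past their rotation age. The CSV below is constructed for this example and uses a subset of the report's real column names; 123456789012 is a placeholder account ID.

```python
# Added example, not from the original notes: parse the IAM credential report the lab
# downloads and flag what a reviewer checks first, console logins without MFA and active
# access keys past their rotation age. The CSV is constructed for this example and uses a
# subset of the report's real columns; 123456789012 is a placeholder account ID.
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A
EC2-User,arn:aws:iam::123456789012:user/EC2-User,true,true,true,2019-05-01T00:00:00+00:00
ops-admin,arn:aws:iam::123456789012:user/ops-admin,true,false,true,2019-02-01T00:00:00+00:00
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2019-06-15T00:00:00+00:00
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601 with offset; N/A and no_information are not dates."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has a console password (the report says not_supported for it).
        has_password = user == "<root_account>" or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, "access key 1 older than %d days" % max_key_age_days))
    return findings


def audit_sample():
    """Run the audit over the constructed report as of 2019-07-01 UTC."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2019, 7, 1, tzinfo=timezone.utc))
```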
Security Token Service
Security and Logging
AWS WAF
AWS Hypervisors
Dedicated Instances vs Dedicated Hosts
EC2 - Instances - Dedicated Hosts - Allocate a Host - add instance type, Availability Zone - Allocate host
OR
EC2 - Launch Instance - Configure Instance (Tenancy = Dedicated instance or Dedicated host) - Launch
AWS system manager EC2 Run Command
Go to IAM - Roles - Create role - EC2 - EC2 Role for Simple Systems Manager - Next - Next - add role name - EC2 - Launch Instance - Configure Instance (add the created role) - Launch
Go to Systems Manager - Run Command - select the AWS-ConfigureCloudWatch document - select the created instance under Target instances - Run
AWS system manager Parameter store
EC2 - Systems Manager Shared Resources (bottom of the page) - Parameter Store - Get started now - add name, enable SecureString - Create parameter - we can pass this to CloudFormation, Lambda etc.
AWS config with s3
Management Tools - Config - Rules - Add rule - filter on S3 - you can see rules related to S3 like s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited etc.
Presigned URLs
Go to IAM - Roles - Create role - EC2 - Next - select AmazonS3FullAccess - Next - add role name - Create role - Launch Instance - add the created role in Configure Instance - Launch - log in to the created instance
Make a new S3 bucket and copy a test file to it using the commands shown below:
aws s3 ls
aws s3 mb s3://bucketname
echo "Hello World" > test.txt
aws s3 cp test.txt s3://bucketname
aws s3 ls s3://bucketname
If we go to S3 (management console) and try to open test.txt by clicking its link, we cannot open it.
To make the file accessible for 300 seconds we use the command shown below:
aws s3 presign s3://bucketname/test.txt --expires-in 300
This generates an https link. Copy and paste this link into a browser to access the file for 300 seconds.
Inspector vs Trusted Advisor
EC2 - Launch an Instance
Security, Identity & Compliance - Inspector - Get started - choose or create role - View details - IAM role = Create a new IAM role - add role name - Allow - tag your EC2 instance - Manage Tags - select the instance and add key and value - go back - Install AWS agent - open the link 'To install the Amazon Inspector Agent on a Linux based EC2 Instance' - log in to the EC2 instance and run the commands to install the agent:
sudo su
wget https://inspector-agent.amazonaws.com/linux/latest/install
curl -O https://inspector-agent.amazonaws.com/linux/latest/install (either wget or curl downloads the same install script)
sudo bash install (runs the downloaded install script)
Now go to the Inspector window - Next - add the name, key and value created earlier - Next - add name, Rule packages = Common Vulnerabilities and Exposures-1.1, Duration = 1 hr - Next - Create - select the created assessment - Run - after 1 hr it will give the result - Assessment runs - Download report - Full report - Generate report
Go to Assessment Templates - Create - add name = master template, target name, rule packages (add all the rules), duration = 24 hr - Create and run - after 24 hrs we can download the report
Go to Management Tools - Trusted Advisor - gives details of Cost Optimization, Performance, Security, Fault Tolerance - we need a Business or Enterprise support subscription to unlock all of these.
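An added example (not part of the original notes): what 'aws s3 presign ... --expires-in 300' produces, built by hand with SigV4 query-string signing using only hashlib/hmac (no boto3, no network); the same mechanism would serve the MFA lab's QRCode.png without making it public. The access keys are the placeholder pair from the AWS documentation, and the bucket and timestamp are constructed.

```python
# Added example, not from the original notes: what 'aws s3 presign ... --expires-in 300'
# produces, built by hand with SigV4 query-string signing (hashlib/hmac only, no boto3,
# no network). Keys are the AWS documentation placeholders; bucket and timestamp are
# constructed for this example.
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region, amz_date, expires):
    """Return a presigned virtual-hosted-style GET URL for s3://bucket/key."""
    date = amz_date[:8]
    scope = "%s/%s/s3/aws4_request" % (date, region)
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)
    # Signed query parameters; already in the sorted order SigV4 requires.
    params = [("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
              ("X-Amz-Credential", "%s/%s" % (access_key, scope)),
              ("X-Amz-Date", amz_date),
              ("X-Amz-Expires", str(expires)),
              ("X-Amz-SignedHeaders", "host")]
    query = "&".join("%s=%s" % (k, quote(v, safe="")) for k, v in params)
    canonical_request = "\n".join(["GET", "/" + quote(key, safe="/"), query,
                                   "host:" + host + "\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain secret -> date -> region -> service -> "aws4_request".
    k = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return "https://%s/%s?%s&X-Amz-Signature=%s" % (host, quote(key, safe="/"), query, signature)


def presign_params(url):
    """The X-Amz-* query parameters of a presigned URL, decoded into a dict."""
    return dict(parse_qsl(urlsplit(url).query))


def lab_url(expires=300):
    """The lab's link for s3://bucketname/test.txt (constructed inputs)."""
    return presign_get("bucketname", "test.txt", "AKIAIOSFODNN7EXAMPLE",
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "us-east-1", "20190701T120000Z", expires)
```

The link carries its own lifetime in X-Amz-Expires and its issue time in X-Amz-Date, so S3 can refuse it after the 300 seconds without any server-side state.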
Shared Responsibility
Other Security Aspects
CloudTrail - Turning It On and Validating Logs
IAM - Groups - Create New Group - add group name - Next - AWSCloudTrailFullAccess -
Go to S3 - select a created bucket - Management - Add lifecycle rule - add rule name - Next - Current version - Next - click Current version - add expiry days - Next - Save