The Security Onion of AWS
syn-Propanethial-S-oxide (yes, I have copied that from Wikipedia) that affects the ability of bad actors
I could have said layered security or defense in depth or blast radius containment, but I am fancy — and I like making things sound different. Hence this title. And a very subtle subtitle.
An application without a use case
Please note that the example application stack used in this write up, is exactly that — an example. This application stack was not built working backwards from an actual requirement. Accordingly, insanity in the blog is to be overlooked.
An internet facing web application deployed on AWS
Looking at an internet facing web application hosted on EC2 on AWS, with the application and infrastructure layers, the major components may look like this below. I strongly use the word “may”, as the deployment architecture is your prerogative, and below is only one way to do it. I am not including peripheral items e.g. a CI/CD stack as that is not relevant for this topic or not going to discuss options like caching, multi-region deployment, and others.
- The application uses Route53 as the DNS service for register and expose a DNS name.
- It uses CloudFront distribution to make the application available to users over a diverse geography. It also utilizes the Edge caches to cache static content.
- The application only allows HTTPS traffic between the app and its clients/viewers and uses a certificate to do ensure that.
- Web traffic from CloudFront is routed to the load balancer which then in turn routes traffic to the web and then to the app tier.
- The application uses RDS database and utilizes Multi-AZ replication for high availability and durability.
Security layers protecting the stack
Starting from the perimeter of this web application down to the database level, there are a number of security constructs that may protect this application. For simplicity, not all of the security services were shown in the above picture. In the below picture, a security view of the stack is shown. Once again, this is a potential deployment, and not meant to be an ideal stack.
- Various attack vectors define the level of perimeter security needed. Typical vectors include a variety of distributed denial of service (DDoS) spectrum including but not limited to reflection and amplification, SSL abuse etc. These vectors are typically thwarted using a combination of AWS Shield, Route53, and CloudFront.
- Depending on the CloudFront distribution configuration, traffic between client and the distribution end point can be encrypted in transit using SSL/TLS and by deploying certificates to CloudFront or Load balancers. These certificates are managed by AWS Certificate Manager or a 3rd party certificate authority (CA).
- HTTP flood, SQL injection, cross site scripting attacks are thwarted by AWS Web Application Firewall (WAF) using IP blocking, URL filtering techniques.
- The listener rules of load balancers provide security from invalid routing, traffic management within the stack.
- The Virtual Private Cloud (VPCs) default network access control list (NACL) and security group provide further control over network traffic.
- All traffic between the layers are encrypted in transit using SSL/TLS.
- Database instances and database snapshots are encrypted using RDS encryption of the database engine in question.
- AWS Secrets Manager provide secure and encrypted storage of database credentials and other types of secrets (API keys for example).
- Isolation on physical hosts of EC2 instances are provided by the hypervisor to isolate CPU, memory, and disk. For more on this read here.
- All resources of entities comply with identity based policies and some of the resources in the stack also comply with resource-based policies for access control.
- Finally, the overall infrastructure security of AWS is protected through fault tolerant designs, network segregation, transmission protection, access control etc. Details can be found here.
Other services not covered here
There are a number of other AWS services which provide security by an organization’s posture of prevention (covered here to some extent), detection, respond, and remediate.
These include services like AWS Security Hub, Amazon GuardDuty, Amazon Macie, Amazon Inspector.
None of anything mentioned in this blog represents official AWS guidance and may have quality issues.