
AWS Fundamentals

Published by Teamlease Edtech Ltd (Amita Chitroda), 2022-07-05 06:49:19

Description: AWS Fundamentals

Important points to remember:
1. VPC allows you to provision a logically isolated section of the AWS cloud.
2. VPC endpoints are horizontally scalable and highly available virtual devices.
3. Amazon VPC offers two different types of endpoints: gateway type endpoints and interface type endpoints.
4. VPC supports the creation of an Internet gateway. This gateway enables EC2 instances in the VPC to directly access the Internet.
5. An Internet gateway is horizontally scaled, redundant and highly available. It imposes no bandwidth constraints.
6. AWS supports Internet Protocol Security (IPSec) VPN connections.
7. An Internet gateway is not required to establish an AWS Site-to-Site VPN connection.
8. A VPC can have both IPv4 and IPv6 CIDR blocks associated with it.

Network Access Control List
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

Basic things about network ACLs:
• A VPC automatically comes with a modifiable default network ACL.
• We can create a custom network ACL and associate it with a subnet.
• Every VPC subnet must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
• A network ACL can be associated with multiple subnets. However, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.
• A network ACL contains a numbered list of rules. The rules are evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
• A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
• Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

Dynamic Host Configuration Protocol
• AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers and domain-name.
• Dynamic Host Configuration Protocol provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters.
• Some of those parameters are the domain name, domain name server, and the netbios-node-type.

Dynamic Host Configuration Protocol (Cont’d)
• The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources.
• A custom DHCP option set can be created and assigned to your Amazon VPC to assign your own domain name to your instances.
The following values can be configured within a DHCP option set:
• domain-name-servers: The IP addresses of up to four domain name servers, separated by commas. The default is AmazonProvidedDNS.
• domain-name: Specify the desired domain name here (for example, mycompany.com).
• ntp-servers: The IP addresses of up to four Network Time Protocol (NTP) servers, separated by commas.
• netbios-name-servers: The IP addresses of up to four NetBIOS name servers, separated by commas.
• netbios-node-type: Set this value to 2.

Elastic IP Addresses
An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time.

Elastic Network Interfaces (ENIs)
• An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC.
• ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation.
• ENIs can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses
• ENIs allow you to create a management network, use network and security appliances in your Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.

Following is the diagram of the management control network (figure not reproduced in the text version).

Endpoints
• An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect.
• We can create multiple endpoints for a single service, which can use different route tables to enforce different access policies from different subnets to the same service.
• Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3), and other services are expected to be added in the future.

Steps to create an Amazon VPC endpoint:
1. Specify the Amazon VPC.
2. Specify the service. A service is identified by a prefix list of the form com.amazonaws.<region>.<service>.
3. Specify the policy. You can allow full access or create a custom policy. This policy can be changed at any time.
4. Specify the route tables. A route will be added to each specified route table, which will state the service as the destination and the endpoint as the target.

VPC peering
• Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined.
• A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

Process to set up VPC peering
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Peering Connections, Create Peering Connection.
3. Configure the following information, and choose Create Peering Connection when you are done:
• Peering connection name tag: You can optionally name your VPC peering connection.
• VPC (Requester): Select the VPC in your account with which you want to create the VPC peering connection.
• Under Select another VPC to peer with: Ensure My account is selected, and select another of your VPCs.
• Choose Add tag and do the following:
o For Key, enter the key name.
o For Value, enter the key value.
o [Remove a tag] Choose the Delete button ("X") to the right of the tag’s Key and Value.
4. In the confirmation dialog box, choose OK.
5. Select the VPC peering connection that you've created, and choose Actions, Accept Request.

Process to set up VPC peering (Cont’d)
6. In the confirmation dialog, choose Yes, Accept. A second confirmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.
To create a VPC peering connection with a VPC in a different Region:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Peering Connections, Create Peering Connection.
3. Configure the following information, and choose Create Peering Connection when you are done:
4. In the confirmation dialog box, choose OK.
5. In the Region selector, select the Region of the accepter VPC.
6. In the navigation pane, choose Peering Connections. Select the VPC peering connection that you've created, and choose Actions, Accept Request.
7. In the confirmation dialog, choose Yes, Accept. A second confirmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

Differences between a VPC peering connection and a VPC endpoint

Category: Security
• VPC Peering Connection: All resources in a VPC, such as ECSs and load balancers, can be accessed.
• VPC Endpoint: Allows access to a specific service or application. Only the ECSs and load balancers in the VPC for which VPC endpoint services are created can be accessed.

Category: CIDR overlap
• VPC Peering Connection: Not supported.
• VPC Endpoint: Supported.

Category: Communication mode
• VPC Peering Connection: VPCs connected through a peering connection can communicate with each other.
• VPC Endpoint: Requests can only be initiated from a VPC endpoint to a VPC endpoint service, but not the other way around.

Category: Access using VPN/Direct Connect
• VPC Peering Connection: Supported.
• VPC Endpoint: Supported.

Category: Cross-region access
• VPC Peering Connection: Not supported.
• VPC Endpoint: Supported.

Category: Route configuration
• VPC Peering Connection: If a peering connection is established between two VPCs, you need to add routes to the VPCs so that they can communicate with each other.
• VPC Endpoint: For two VPCs that are connected through a VPC endpoint, the route has already been configured, and you do not need to configure it again.

Security Groups
• A security group is like a virtual firewall.
• Security group rules have an inbound side and an outbound side; by default, all inbound traffic to a private EC2 instance on AWS is blocked.
• A security group only permits traffic through its rules; by default, everything that is not allowed is denied.
• A security group can be associated with multiple EC2 instances.
• A security group cannot block a specific IP address, but any rule in a security group can be edited and the change takes effect quickly.

VPC Security Group vs. NACL in AWS

Network Access Control List (Network ACL):
• A VPC comes with a modifiable default network ACL.
• The default network ACL allows all inbound and outbound IPv4 traffic.
• A network ACL is stateless and has separate inbound and outbound rules, with a default limit of 20 rules for each; rules are evaluated starting with the lowest numbered rule.
• Every subnet in a VPC must be associated with a network ACL, and a subnet can be associated with only one network ACL at a time.
• Network ACLs support both allow rules and deny rules and operate at the subnet level.
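The ordered, stateless evaluation described for network ACLs above, set beside the stateful behaviour of a security group, as an added example (this is not code from the original slides). It assumes a constructed web server at 10.0.1.20 that should accept HTTPS from anywhere, and shows why a NACL needs an outbound rule for the ephemeral port range while a security group does not, and why a deny rule only works if its number is lower than the broad allow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lower numbers are evaluated first
    proto: str       # "tcp", "udp", "icmp" or "all"
    port_lo: int     # destination port range covered by the rule
    port_hi: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny" (security groups only have allow rules)


def matches(rule, packet, direction):
    """True if the packet's protocol, peer address and destination port fall within the rule."""
    if rule.proto not in ("all", packet.proto):
        return False
    peer = packet.src if direction == "inbound" else packet.dst
    if ip_address(peer) not in ip_network(rule.cidr):
        return False
    return rule.port_lo <= packet.dst_port <= rule.port_hi


def nacl_decision(rules, packet, direction):
    """Network ACL semantics: lowest rule number first, first match wins,
    and a packet that matches no rule hits the implicit '*' deny rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, packet, direction):
            return rule.action
    return "deny"


def nacl_allows_flow(inbound, outbound, request):
    """Stateless: the request is checked against the inbound rules and the
    response (addresses and ports swapped) against the outbound rules."""
    response = Packet(src=request.dst, dst=request.src, proto=request.proto,
                      src_port=request.dst_port, dst_port=request.src_port)
    return (nacl_decision(inbound, request, "inbound") == "allow"
            and nacl_decision(outbound, response, "outbound") == "allow")


def sg_allows_flow(sg_inbound, request):
    """Stateful security group: an allowed request implies the response is
    allowed, so only the inbound rules are consulted; anything unmatched is denied."""
    return any(matches(rule, request, "inbound") for rule in sg_inbound)


# Constructed sample: HTTPS from an Internet client to the web server at 10.0.1.20.
REQUEST = Packet("203.0.113.10", "10.0.1.20", "tcp", 51234, 443)
SG_IN = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_IN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_EMPTY = []                                            # only the implicit '*' deny
NACL_OUT_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# Rule order matters: a deny for one host only takes effect if it is numbered below the broad allow.
BLOCKED_CLIENT = Packet("198.51.100.7", "10.0.1.20", "tcp", 40000, 443)
NACL_IN_DENY_FIRST = [Rule(90, "tcp", 443, 443, "198.51.100.7/32", "deny")] + NACL_IN
NACL_IN_DENY_SHADOWED = NACL_IN + [Rule(110, "tcp", 443, 443, "198.51.100.7/32", "deny")]


def demo():
    return {
        "sg": sg_allows_flow(SG_IN, REQUEST),
        "nacl_without_ephemeral_rule": nacl_allows_flow(NACL_IN, NACL_OUT_EMPTY, REQUEST),
        "nacl_with_ephemeral_rule": nacl_allows_flow(NACL_IN, NACL_OUT_EPHEMERAL, REQUEST),
        "deny_first": nacl_decision(NACL_IN_DENY_FIRST, BLOCKED_CLIENT, "inbound"),
        "deny_shadowed": nacl_decision(NACL_IN_DENY_SHADOWED, BLOCKED_CLIENT, "inbound"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```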

NAT gateways

NAT gateways (Cont’d)
• A NAT gateway is a Network Address Translation (NAT) service.
• With a NAT gateway, instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances.
• When you create a NAT gateway, you specify one of the following connectivity types:
o Public (Default): Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet.
o Private: Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway. You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway.
• The NAT gateway replaces the source IP address of the instances with the IP address of the NAT gateway. For a public NAT gateway, this is the elastic IP address of the NAT gateway. For a private NAT gateway, this is the private IP address of the NAT gateway.

VPC Flow Logs
• VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
• Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
• After you create a flow log, you can retrieve and view its data in the chosen destination.
• Flow logs can help you with a number of tasks, such as:
o Diagnosing overly restrictive security group rules
o Monitoring the traffic that is reaching your instance
o Determining the direction of the traffic to and from the network interfaces
• Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

VPC Flow Logs (Cont’d)
• You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.
• Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow.
• To create a flow log, you specify:
o The resource for which to create the flow log
o The type of traffic to capture (accepted traffic, rejected traffic, or all traffic)
o The destinations to which you want to publish the flow log data

VPC Flow Logs (Cont’d)
• In the following example, you create a flow log (fl-aaa) that captures accepted traffic for the network interface for instance A1 and publishes the flow log records to an Amazon S3 bucket.
• You create a second flow log that captures all traffic for subnet B and publishes the flow log records to Amazon CloudWatch Logs. The flow log (fl-bbb) captures traffic for all network interfaces in subnet B. There are no flow logs that capture traffic for instance A2's network interface.

VPC Flow Logs (Cont’d)
• After you create a flow log, it can take several minutes to begin collecting and publishing data to the chosen destinations.
• If you launch an instance into your subnet after you create a flow log for your subnet or VPC, we create a log stream (for CloudWatch Logs) or log file object (for Amazon S3) for the new network interface as soon as there is network traffic for the network interface.
• You can create flow logs for network interfaces that are created by other AWS services, such as:
o Elastic Load Balancing
o Amazon RDS
o Amazon ElastiCache
o Amazon Redshift
o Amazon WorkSpaces
o NAT gateways
o Transit gateways
• Regardless of the type of network interface, you must use the Amazon EC2 console or the Amazon EC2 API to create a flow log for a network interface.
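An added example, not from the original slides, showing how the default (version 2) flow log record format is parsed and how REJECTed inbound flows are summarised per port, which is how the "diagnosing overly restrictive security group rules" and "determining the direction of the traffic" tasks listed above are carried out in practice. The account id, ENI id, addresses and timestamps in the sample records are constructed placeholders.

```python
from collections import Counter

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records for one ENI whose private IP is 10.0.1.20
# (account id, ENI id and timestamps are placeholders, not real values).
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51234 443 6 12 3420 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 22 6 3 180 1650000000 1650000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 22 6 3 180 1650000000 1650000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.5 10.0.1.20 33000 8080 6 5 300 1650000000 1650000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1650000000 1650000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.10 443 51234 6 10 8000 1650000000 1650000060 ACCEPT OK",
]


def parse_record(line):
    """Split one default-format record into a dict; return None for NODATA/SKIPDATA
    records, whose traffic fields are all '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def direction(rec, eni_ip):
    """Both directions are logged on the same ENI; compare the addresses with
    the interface's own private IP to tell inbound from outbound."""
    if rec["dstaddr"] == eni_ip:
        return "inbound"
    if rec["srcaddr"] == eni_ip:
        return "outbound"
    return "unknown"


def reject_summary(lines, eni_ip):
    """Group REJECTed inbound flows by (dst port, protocol). A port that a known
    client keeps hitting with REJECT is the classic sign of an overly restrictive
    security group or network ACL rule; the distinct-source count helps separate
    that case from many unrelated hosts reaching the interface."""
    flows = Counter()
    sources = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT" or direction(rec, eni_ip) != "inbound":
            continue
        key = (rec["dstport"], PROTO_NAMES.get(rec["protocol"], str(rec["protocol"])))
        flows[key] += 1
        sources.setdefault(key, set()).add(rec["srcaddr"])
    return {key: {"flows": n, "distinct_sources": len(sources[key])}
            for key, n in flows.most_common()}


if __name__ == "__main__":
    for (port, proto), stats in reject_summary(SAMPLE_LOG, "10.0.1.20").items():
        print(f"{proto}/{port}: {stats['flows']} rejected flows from "
              f"{stats['distinct_sources']} source(s)")
```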

VPG, CGW, and VPN
• A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks.
• A CGW represents a physical device or a software application on the customer’s side of the VPN connection.
• After these two elements have been created, the last step is to create the VPN tunnel.
• The VPN tunnel is established after traffic is generated from the customer’s side of the VPN connection.

Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
• You are required to specify the type of routing to use when creating a VPN connection.
• If the CGW supports BGP, configure the VPN connection for dynamic routing; otherwise, configure it for static routing.
• With static routing, you are required to enter the routes for the network that should be communicated to the VPG. Routes will be propagated to the VPC to allow the resources to route network traffic back to the corporate network through the VGW and across the VPN tunnel.
• A VPC supports multiple CGWs, and each has a VPN connection to a single VPG (many-to-one design).
• For this topology, the CGW IP addresses must be unique within the region.
• VPC also supplies the information needed to configure the CGW and establish the VPN connection with the VPG.
• The VPN connection consists of two IPSec tunnels for higher availability to Amazon VPC.

Important features about VPGs, CGWs, and VPNs
• The VPG is the AWS end of the VPN tunnel.
• The CGW is a hardware or software application on the customer’s side of the VPN tunnel.
• We must initiate the VPN tunnel from the CGW to the VPG.
• VPGs support both dynamic routing with BGP and static routing.
• A VPN connection consists of two tunnels for higher availability to the VPC.

VPC Security
• Amazon Virtual Private Cloud lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network.
• With Amazon VPC, you have complete control over your virtual networking environment.
• We can use both IPv4 and IPv6 in our VPC for secure and easy access to applications.
• Amazon VPC is protected by the AWS global network security procedures.

Activity: Quiz
Choose the correct alternative:
1. In which type of network can we define and launch a virtual private cloud?
a. isolated b. connected c. mapped d. All
2. A virtual private cloud is the logical division of a service provider's ____ cloud?
a. private b. public c. corporate d. distant
3. How many types of connectivity does NAT offer?
a. One b. Two c. Three d. Four

Activity: True or False
Choose the correct alternative (True / False):
1. Cloud-hosted websites and applications typically perform better.
2. A virtual private network (VPN) uses decryption.
3. VPC Flow Logs is a feature that enables you to capture information about the IP traffic.
4. A network ACL has single inbound and outbound rules.
5. Firewall is used for controlling traffic.

AWS Security Fundamentals

Learning Objectives
By the end of this module, you will be able to:
• Define AWS Security
• Describe the AWS Shared Responsibility Model
• Explain the AWS Compliance Program
• Describe AWS Global Infrastructure Security
• Describe Physical and Environmental Security
• Explain Layered Security, Security Groups and Network ACLs
• Explain AWS Reports, Certifications, and Third-Party Attestations
• Describe AWS Account Security Features
• Explain AWS Credentials and Passwords

Glossary
This table displays the vocabulary of technical terms used in this module.
TERMINOLOGY: MEANING
1. Encryption: Amazon Web Services, Inc.
2. Configuration: A shared cloud infrastructure
3. Intrusion: To compromise a computer system by breaking the security of such a system
4. Attestation: A process that documents that an organization or individual has successfully demonstrated meaningful requirements
5. Compliance: The process of adhering to policies and decisions
6. Latency: Measure of the responsiveness of a network

AWS Security
• AWS provides services that help you protect your data, accounts, and workloads from unauthorized access.
• AWS data protection services provide encryption and key management, and threat detection that continuously monitors and protects your accounts and workloads.
• AWS network and application protection services enable you to enforce fine-grained security policy at network control points across your organization.
• AWS identifies threats by continuously monitoring the network activity and account behavior within your cloud environment.

AWS Security Measures
Following are the best practices for AWS security:
• Enable Multi-factor Authentication on AWS IAM
• Lock Down Security Groups
• Keep Your AWS Instances Patched
• Control User Access Tightly

AWS Shared Responsibility Model
Security and compliance are shared responsibilities between AWS and the customer. Shared responsibility provides the flexibility and customer control that permits customers to deploy solutions that meet industry-specific certification requirements. The differentiation of responsibility as Security “of” the Cloud versus Security “in” the Cloud is shown below.
Customer (Security in the Cloud):
• Customer Data
• Platform, Application, Identity and Access Management
• OS, Network & Firewall Configuration
• Encryption and Authentication
AWS (Security of the Cloud):
• Software
• Compute, Storage, Database, Networking
• Hardware / AWS Global Infrastructure
• Regions, Availability, Edge Locations

AWS Shared Responsibility Model (Cont’d)
• AWS responsibility, “Security of the Cloud”: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
• Customer responsibility, “Security in the Cloud”: Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.
• For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks.

AWS Shared Responsibility Model (Cont’d)
Below are examples of controls that are managed by AWS, AWS customers and/or both.
Inherited Controls: Controls which a customer fully inherits from AWS.
o Physical and Environmental controls
Shared Controls: In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
o Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
o Configuration Management: AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
o Awareness & Training: AWS trains AWS employees, but a customer must train their own employees.
Customer Specific: Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include:
o Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments.

AWS Compliance Program
Compliance means conforming to a rule, such as a specification, policy, standard or law. The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud. AWS and customers share compliance responsibilities. AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1. AWS customers remain responsible for complying with applicable compliance laws, regulations and privacy programs.

Global Infrastructure
• The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally.
Why Cloud Infrastructure Matters?
• AWS provides you the cloud infrastructure where and when you need it.
• Whether you need to deploy your application workloads across the globe in a single click, or you want to build and deploy specific applications closer to your end-users with single-digit millisecond latency.

Physical Security
• AWS data center physical security begins at the Perimeter Layer.
• This layer includes a number of security features depending on the location, such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.
• The types of security measures in place within the Perimeter Layer of the data centers are as follows:
o Access is scrutinized
o Entry is controlled and monitored
o AWS data center workers are scrutinized, too
o Monitoring for unauthorized entry
o AWS Security Operations Centers monitor global security

Environmental Security
• The Environmental Layer is dedicated to environmental considerations from site selection and construction to operations and sustainability.
• The types of security measures in place within the Environmental Layer:
o Prepared for the unexpected
o High availability through multiple Availability Zones
o Simulating disruptions and measuring our response
o Greener in the AWS Cloud

Layered Security
Layered security refers to security systems that use multiple components to protect operations on multiple layers. The purpose of a multi-layered security approach is to ensure that each individual component of your cyber security plan has a backup to counter any flaws or gaps. These layers work together to bolster your defenses and build a solid foundation for your cyber security program.
• At its core, AWS implements security at the following layers:
o Service-level hardening
o Identity and access control
o Native encryption options for select services
o Network security
o Auditing and logging
o Security “wizards”

AWS Reports
• The AWS Cost & Usage Report contains the most comprehensive set of AWS cost and usage data available, including additional metadata about AWS services, pricing, credit, fees, taxes, discounts, cost categories, Reserved Instances, and Savings Plans.
• The AWS Cost & Usage Report (CUR) itemizes usage at the account or Organization level by product code, usage type and operation.
• Create your Cost and Usage Report:
o Navigate to the billing console and create your report
o Learn the step-by-step instructions from the given video
o Set up CUR using a CloudFormation template

AWS cost management and cloud cost management tools (figure not reproduced in the text version).

AWS Certifications and Third-Party Attestations
AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies established and operated by AWS. A list of the various AWS reports, certifications, and attestations is provided below.
• Criminal Justice Information Services (CJIS)
• Cloud Security Alliance (CSA)
• Cyber Essentials Plus
• Department of Defense (DoD) Cloud Security Model (SRG)
• Federal Risk and Authorization Management Program (FedRAMP)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Information Processing Standard (FIPS)
• FISMA and DoD Information Assurance Certification and Accreditation Process (DIACAP)

AWS Certifications and Third-Party Attestations (Cont’d)
• Management Framework (RMF) process defined in NIST 800
• Information Security Registered Assessors Program (IRAP)
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• U.S. International Traffic in Arms Regulations (ITAR)
• Motion Picture Association of America (MPAA)
• Multi-Tier Cloud Security (MTCS) Tier 3 Certification
• NIST
• PCI DSS Level 1
• SOC 1/International Standards for Assurance Engagements No. 3402 (ISAE 3402)
• SOC 2
• SOC 3

AWS Account Security Features
• AWS uses a shared responsibility model in terms of security.
• AWS is responsible for security “of” the cloud, while you and your development team are responsible for security “in” the cloud.
• AWS will protect the infrastructure of the cloud, including the hardware, software, and networking that run AWS services.

AWS Account Security Features (Cont’d)
Following are four of the most common AWS security features you’ll need to keep your cloud secure:
1. Identity and Access Management (IAM)
2. S3 Security
3. Security Groups
4. CloudTrail

AWS Credentials
• AWS requires different types of security credentials depending on how you access AWS.
• For example, you need a user name and password to sign in to the AWS Management Console, and you need access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.

