AWS SAP Notes 11 - Security and Configuration Management
aws sap

Nguyễn Huy Hoàng wrote on 22/10/2021

AWS GuardDuty

  • It is a security service used for continuous monitoring of an account
  • It can be integrated with supported data sources, constantly monitoring them
  • It uses AI/ML and threat intelligence feeds to monitor for suspicious activity
  • Identifies any unexpected and unauthorized activity and it tries to spot odd activities
  • If it finds something, it can be configured to notify somebody or to do event-driven protection/remediation
  • Supports multiple accounts (Master and Member accounts)
  • GuardDuty architecture: (diagram)
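The "notify somebody or do event-driven protection" point above is usually wired up as an EventBridge rule on GuardDuty findings that targets a Lambda. The handler below is an added example (not GuardDuty's or the page's own code): the finding event is constructed for illustration, the instance id is a placeholder, and the severity bands follow GuardDuty's documented Low/Medium/High ranges. It returns a plan rather than calling AWS APIs so the logic runs offline.

```python
"""Triage of a GuardDuty finding delivered through EventBridge (added example)."""

# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "accountId": "111122223333",            # placeholder account id
        "region": "ap-southeast-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # placeholder
        },
    },
}


def severity_label(severity: float) -> str:
    """Map the numeric severity onto GuardDuty's bands: Low 1-3.9, Medium 4-6.9, High 7-8.9."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(event: dict) -> dict:
    """Decide what to do with a finding: always notify, add remediation only for HIGH.

    The plan is consumed by whatever does the work (an SNS publish, a Lambda that
    moves the instance into a quarantine security group, ...); keeping the decision
    separate from the side effects makes it testable without AWS credentials.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    resource = detail.get("resource", {})
    plan = {
        "finding_type": detail["type"],
        "severity": label,
        "account": detail["accountId"],
        "actions": ["notify"],  # the "notify somebody" path
    }
    if label == "HIGH" and resource.get("resourceType") == "Instance":
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
        plan["actions"].append("quarantine_instance")  # the event-driven protection path
    return plan


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

Routing on the severity band rather than on the finding type keeps the rule stable as GuardDuty adds finding types; the finding type is still carried in the plan for the notification.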

AWS Config


  • Has 2 main jobs:
    • Primary: record configuration changes over time on AWS resources. Every time a configuration is changed on a resource a configuration item is created which stores the change at that specific point in time
    • Secondary: auditing of changes, compliance with standards
  • Config does not prevent changes from happening! Even if we define standards for resources, Config can check compliance against those standards, but it does not prevent resources from breaking them
  • Config is a regional service, supports cross-region and cross-account aggregations
  • Changes can generate SNS notifications and near-realtime events via EventBridge and Lambda
  • Config stores the change history in a consistent format in an S3 bucket
  • Config recording has to be manually enabled!
  • Config Rules:
    • Can be AWS managed ones or user defined using Lambda
    • Resources are evaluated against these rules, which determines whether they are compliant or non-compliant
    • Custom Rules use Lambda, the function does the evaluation and returns the information back to Config
  • Config can be integrated with EventBridge, which can be used to invoke Lambda functions for automatic remediation
  • Config can also have integration with SSM to remediate issues
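Custom rules, as described above, are Lambda functions that evaluate a configuration item and hand the verdict back to Config. The code below is an added example, not AWS's or the page's own: the rule it implements (EBS volumes must be encrypted) is an assumption chosen for illustration, and the configuration items and result token are constructed. Note that it only reports compliance; as the notes say, nothing in Config stops the unencrypted volume from being created.

```python
"""Evaluation logic for a custom AWS Config rule backed by Lambda (added example)."""
import json

# Constructed configuration items, trimmed to the fields this rule reads
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2021-10-22T10:00:00.000Z", "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb", "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2021-10-22T10:01:00.000Z", "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0ccc", "configurationItemStatus": "ResourceDeleted",
     "configurationItemCaptureTime": "2021-10-22T10:02:00.000Z", "configuration": None},
]


def compliance_of(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource was deleted"      # deleted resources are not failed
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if (item["configuration"] or {}).get("encrypted"):
        return "COMPLIANT", "Volume is encrypted"
    return "NON_COMPLIANT", "Volume is not encrypted"


def build_evaluation(item):
    """Shape one result the way PutEvaluations expects it."""
    compliance, note = compliance_of(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_sample_event(item, token="result-token-placeholder"):
    """Build the Lambda event Config sends; note that invokingEvent is a JSON *string*."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": token,
    }


def parse_event(event):
    """Unpack the configuration item and the result token from the Lambda event."""
    invoking = json.loads(event["invokingEvent"])
    return invoking.get("configurationItem"), event["resultToken"]


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client; records what would be sent."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def handler(event, context, config_client=None):
    item, token = parse_event(event)
    if item is None:
        # Oversized-change and scheduled notifications carry no item inline;
        # a fuller rule would fetch it with GetResourceConfigHistory.
        return None
    evaluation = build_evaluation(item)
    if config_client is None:
        import boto3  # deferred so the pure logic runs without the SDK installed
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=token)
    return evaluation


if __name__ == "__main__":
    client = RecordingConfigClient()
    for sample in SAMPLE_ITEMS:
        print(handler(make_sample_event(sample), None, client)["ComplianceType"])
```

Keeping `compliance_of` free of SDK calls is what makes the rule unit-testable; the Lambda deployed to AWS would be the same file with the real boto3 client.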

AWS Inspector

  • Is a product designed to check EC2 instances and the operating systems running on those instances for any vulnerabilities or deviations against best practice
  • Inspector can be run for a certain period of time (15 min, 1 hour, 1 day, etc.) to identify any unusual traffic and configurations which can put instances at risk
  • Provides a report of findings ordered by severity
  • Inspector can work with two main types of assessment per instance:
    • Network Assessment: can be conducted agentless
    • Network and Host Assessment: requires an agent to be installed
  • Rules packages: determine what is checked on an instance
  • Examples of rule packages:
    • Network Reachability:
      • Can be done with no agent or with an agent providing OS visibility
      • Checks reachability end to end
      • Returns the following findings:
        • RecognizedPortWithListener
        • RecognizedPortNoListener
        • RecognizedPortNoAgent
        • UnrecognizedPortWithListener
    • Host Assessment:
      • Agent is required
      • Checks for Common vulnerabilities and exposures (CVE)
      • Center for Internet Security (CIS) Benchmarks
      • Security best practices for Amazon Inspector

Encryption and KMS

Encryption Approaches

  • Encryption At Rest: designed to protect against physical threats or tampering
    • Data is stored on shared hardware in an encrypted form; even if somebody has access to the hardware, they cannot access the data in a readable format
    • Generally used when one party is involved
  • Encryption In Transit: aimed at protecting data when it is transferred between 2 places
    • Generally used when multiple individuals/systems are involved

Encryption Concepts

  • Plaintext: un-encrypted data, can be text, image, other application, etc.
  • Algorithm: piece of code which takes plaintext and a key and generates encrypted data. Examples of algorithms: Blowfish, AES, RC4, DES, RC5 and RC6
  • Key: is a password
  • Ciphertext: when an algorithm takes the plaintext and the key, the output generated is ciphertext (encrypted data)

Symmetric Encryption

  • Symmetric Keys: the same key can be used for encryption and for decryption as well
  • Symmetric encryption algorithms: AES-256
  • Great for encryption at rest, not recommended for encryption in-transit

Asymmetric Encryption

  • Makes it much easier to exchange keys
  • Asymmetric algorithms: RSA, ElGamal
  • Asymmetric Keys: are formed of 2 parts: public key and private key
  • A public key can be used to generate ciphertext which can only be decrypted by the private key
  • Asymmetric encryption is used by PGP, SSL, SSH, etc.


Signing

  • Process used to prove the identity of a message's sender and the integrity of the message
  • A message can be signed with a private key and verified using the public key


Steganography

  • A process to hide encrypted data in plaintext data

KMS - Key Management Service

  • It is a regional and a public service
  • Lets us create, store and manage cryptographic keys
  • Can handle symmetric and asymmetric keys
  • Can perform cryptographic operations such as encryption and decryption
  • Keys never leave KMS! Keys can be created or imported, but they are locked inside KMS
  • Provides FIPS 140-2 (L2) compliance

CMK - Customer Master Keys

  • Main things managed by KMS are CMKs
  • They are used by KMS in cryptographic operations
  • They are logical containers holding the following: ID, creation date, key policy, description and state
  • Every CMK is backed by physical key material. This can be generated by KMS or imported into KMS
  • CMKs can be used to directly encrypt or decrypt up to 4 KB of data

DEK - Data Encryption Keys

  • Data Encryption Keys are generated from CMKs using the GenerateDataKey API
  • These keys can be used to locally encrypt/decrypt data with size larger than 4KB
  • DEK generated is linked to a specific CMK
  • KMS does not store the DEK in any way, it is generated and provided to the user and it is discarded afterwards
  • KMS provides 2 versions of the key: a plaintext version and a ciphertext version encrypted under the CMK
  • We are expected to discard the plaintext key as soon as we have encrypted the data
  • The encrypted data and the encrypted data encryption key should be stored side by side
  • For decryption of the data we pass back to KMS the encrypted DEK to be decrypted and with the decrypted key we decrypt the data itself
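The DEK workflow above, carried through end to end, as an added example that is not the page's or AWS's own code. `SimulatedKms` is a stand-in for the KMS GenerateDataKey and Decrypt calls so the flow runs offline; the CMK material never leaves it, only the plaintext DEK and the wrapped DEK cross its boundary. `seal`/`unseal` are an illustrative SHA-256 counter-mode keystream with an HMAC tag, standing in for the AES-GCM a real deployment would use through a vetted library.

```python
"""Envelope encryption with a data encryption key (added example)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for AES-GCM: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKms:
    """Holds CMK material; mimics GenerateDataKey and Decrypt (not the real service)."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = "cmk-" + os.urandom(4).hex()
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Return (plaintext DEK, DEK encrypted under the CMK); KMS keeps no copy of the DEK."""
        dek = os.urandom(32)
        wrapped = key_id.encode() + b"\0" + seal(self._cmks[key_id], dek)
        return dek, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """The key id is read from the blob, as KMS does for symmetric CMKs."""
        key_id, blob = wrapped.split(b"\0", 1)
        return unseal(self._cmks[key_id.decode()], blob)


def encrypt_envelope(kms: SimulatedKms, key_id: str, data: bytes) -> dict:
    plaintext_dek, encrypted_dek = kms.generate_data_key(key_id)
    ciphertext = seal(plaintext_dek, data)   # local encryption, no 4 KB limit
    del plaintext_dek                        # discard the plaintext DEK immediately
    return {"encrypted_dek": encrypted_dek, "ciphertext": ciphertext}  # stored side by side


def decrypt_envelope(kms: SimulatedKms, envelope: dict) -> bytes:
    dek = kms.decrypt(envelope["encrypted_dek"])  # only the wrapped DEK goes back to KMS
    return unseal(dek, envelope["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKms()
    cmk = kms.create_key()
    payload = os.urandom(16 * 1024)  # well above the 4 KB direct-encrypt limit
    envelope = encrypt_envelope(kms, cmk, payload)
    assert decrypt_envelope(kms, envelope) == payload
```

The part worth noticing is the asymmetry of the two paths: encryption needs one KMS call and no further contact, while decryption always goes back to KMS with the wrapped DEK, which is where the CMK's key policy and CloudTrail logging apply.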

Key Concepts

  • CMKs are isolated to a region and never leave KMS
  • There are 2 types of CMKs: AWS managed (created automatically) and customer managed (much more configurable, can be accessed by other AWS accounts)
  • CMKs support rotation. Rotation is optional for customer managed keys
  • A CMK contains the current backing key and the previous backing keys produced by rotation
  • We can create aliases for CMKs
  • Key policies and security:
    • Key Policies (Resource): similar to an S3 bucket policy
    • Every CMK has a key policy


CloudHSM

  • Similar to KMS, it creates, manages and secures cryptographic material or keys
  • KMS is a shared service. AWS has a certain level of access to the product, they manage the hardware and the software of the system
  • KMS uses HSM devices behind the scenes
  • CloudHSM is a true single-tenant HSM hosted by AWS
  • AWS provisions the hardware for CloudHSM but does not have access to it. If access to an HSM device is lost, there is no easy way to regain it
  • CloudHSM is fully compliant with FIPS 140-2 Level 3 (KMS is L2 compliant overall)
  • CloudHSM is accessed with industry standards APIs: PKCS#11, Java Cryptography Extensions (JCE), Microsoft CryptoNG (CNG) libraries
  • KMS can use CloudHSM as a custom key store (CloudHSM integration with KMS)

CloudHSM Architecture


  • CloudHSM devices are deployed into a VPC managed by AWS
  • They are injected into customer managed VPCs using ENIs (Elastic Network Interfaces)
  • For HA we need to deploy multiple HSM devices and configure them as a cluster
  • A client needs to be installed on the EC2 instances in order to be able to access HSM modules
  • While AWS does provision the HSM devices, we as customers are responsible for managing the customer keys
  • AWS can provide software updates on the HSM devices, but these should not affect the encryption storage part

CloudHSM Use Cases


  • There is no native integration with AWS services, which means CloudHSM cannot be used for S3 SSE
  • CloudHSM can be used for client-side encryption before uploading data to S3
  • CloudHSM can be used to offload SSL/TLS processing for web servers
  • Oracle databases on RDS can perform Transparent Data Encryption (TDE) using CloudHSM
  • CloudHSM can be used to protect the private keys of a Certificate Authority (CA)


KMS vs CloudHSM

  • Validation: KMS is FIPS 140-2 Level 2 validated; CloudHSM is FIPS 140-2 Level 3 validated
  • Integration: KMS integrates with AWS services
  • Access: KMS is accessed using AWS APIs; CloudHSM is accessed with PKCS#11, JCE and CNG
  • Delivery: KMS is delivered as a service by AWS; CloudHSM is delivered as dedicated devices by AWS

AWS Certificate Manager - ACM


  • HTTPS (SSL/TLS) was designed to solve the security problems that occur with HTTP
  • HTTPS provides data encryption in transit and certificates to prove identity
  • ACM can act as a public Certificate Authority (CA) or as a private CA
  • Private CA: applications need to trust your private CA
  • Public CA: browsers trust a list of providers, which can trust other providers
  • With ACM, we can generate or import certificates
  • If ACM generates the certificate, it can be renewed automatically. If the certificate is imported, the user is responsible for renewal.
  • ACM can only deploy certificates to supported services (AWS services that are integrated with ACM)
  • Not all services are supported; basically only CloudFront and ALB are supported. For example, EC2 is not supported
  • ACM is a regional service. To use a certificate with an ALB in ap-northeast-1, the certificate must be in ACM in ap-northeast-1
  • Certificates cannot leave the region in which they were generated or imported
  • For global services such as CloudFront, the certificate must be stored in us-east-1!

AWS Systems Manager Parameter Store

  • Used to store system configurations (documents, configurations, secrets, strings) in a resilient, secure and scalable way
  • Stores data in a key-value format
  • Many AWS services have native integration with Parameter Store
  • Parameter Store can store 3 different types of values: Strings, StringLists and SecureStrings
  • We can store license codes, database strings, full configs and passwords in Parameter Store
  • Values can be stored in a hierarchical way. Different versions of the values are also stored
  • Parameter Store can store plaintext and ciphertext which can be decrypted using the KMS integration
  • Public Parameters: parameters maintained and provided by AWS, example: latest AMIs per region
  • Parameter Store is a public service
  • Parameter Store is tightly integrated with IAM

AWS Secrets Manager

  • It does share functionality with SSM Parameter Store
  • Secrets Manager is designed specifically for secrets, example passwords, API Keys
  • It is usable via Console, CLI, API or SDK's
  • It supports the automatic rotation of secrets using Lambda functions
  • For certain AWS services, Secrets Manager offers direct integration, such as RDS (automatic synchronization when the secrets are rotated)
  • Secrets are encrypted using KMS

VPC Flow Logs

  • Essential diagnostic tools for complex networks
  • They only capture packet metadata, not packet content. To capture packet content, a packet sniffer must be installed on an instance
  • Metadata can include: source/destination IP, source/destination ports, packet size, other externally visible metadata, etc.
  • Flow logs can capture data at various different points:
    • Applied to a VPC: all interfaces in that VPC
    • Subnet: every network interface in the subnet only
    • Network interface: only monitor traffic at a specific interface
  • VPC Flow Logs are NOT realtime
  • Flow logs can be configured to use S3 or CloudWatch Logs for the destination

VPC Flow Logs Content

  • <version>
  • <account-id>
  • <interface-id>
  • <srcaddr>: source IP address
  • <dstaddr>: destination IP address
  • <srcport>: source port, 0 if no port is used (example in case of ICMP ping)
  • <dstport>: destination port
  • <protocol>: IANA protocol number, ICMP=1, TCP=6, UDP=17, etc.
  • <packets>
  • <bytes>
  • <start>
  • <end>
  • <action>: traffic is ACCEPTed or REJECTed
  • <log-status>


  • VPC Flow Logs do not log all traffic: communication with the instance metadata IP, the AWS time sync server, DHCP, the Amazon DNS server and Amazon Windows license activation is not recorded
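A parser for the record format listed above, with a small detection run over it, as an added example that is not AWS's or the page's own code. The log lines are constructed (the account id, ENI id and addresses are placeholders), and the example goes slightly beyond the list by handling NODATA/SKIPDATA records, which carry `-` in the traffic fields and must not be mistaken for real flows.

```python
"""VPC Flow Log (default format) parser and a REJECT-based probe detector (added example)."""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records: one accepted SSH session, four rejected connection
# attempts from one external address to different ports, one ICMP flow (ports are 0),
# and one NODATA record for an interval with no traffic.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54321 22 6 12 2048 1634860800 1634860860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 40001 22 6 1 40 1634860800 1634860860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 40002 23 6 1 40 1634860800 1634860860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 40003 3389 6 1 40 1634860800 1634860860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 40004 445 6 1 40 1634860800 1634860860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.1.40 0 0 1 4 336 1634860800 1634860860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1634860800 1634860860 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one space-separated record into typed fields; '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    proto = rec["protocol"]
    rec["protocol_name"] = None if proto is None else PROTOCOL_NAMES.get(proto, str(proto))
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_port_probes(records: list, min_ports: int = 3) -> dict:
    """Sources whose REJECTed flows hit at least `min_ports` distinct destination ports.

    Only records with log-status OK are counted; NODATA/SKIPDATA rows have no addresses.
    Returns {srcaddr: sorted list of destination ports}.
    """
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records;", sum(r["action"] == "REJECT" for r in recs), "rejected")
    print(rejected_port_probes(recs))
```

Because flow logs are not real-time (see above), this kind of check is run over delivered batches in S3 or CloudWatch Logs; the same per-source aggregation is what a CloudWatch Logs Insights query would express with a `stats` clause.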

AWS Shield and Web Application Firewall (WAF)

AWS Shield

  • Provides protection against DDoS attacks
  • Provides a custom designed set of protection against DDoS attacks
  • Comes in 2 versions:
    • Shield Standard:
      • Offers protection against Layer 3 and Layer 4 DDoS attacks
      • It is free, but it reaches its full potential when used with Route53 and CloudFront
    • Shield Advanced:
      • Costs $3000 per month
      • Expands the range of products which can be protected: EC2, ELB, CloudFront, Global Accelerator and Route53
      • Shield Advanced provides access to 24/7 advanced response team
      • Provides financial insurance for any increase of payments in case of DDoS attacks

WAF - Web Application Firewall

  • It is a Layer 7 firewall (understands HTTP/S)
  • Normally firewalls operate at Layers 3, 4 and 5
  • WAF protects against complex Layer 7 attacks/exploits such as SQL Injection, Cross-Site Scripting, Geo Blocks, Rate Awareness
  • Web Access Control Lists (WebACLs) are integrated with ALB, API Gateway and CloudFront
  • WEBACL has rules and they are evaluated when traffic arrives

