IAM Security Tools within AWS

For reporting there is the IAM Credentials Report, which is generated at the account level and lists all of the account's users together with the status of their various credentials.

The IAM Access Advisor works at the user level and lists all of the service permissions that have been granted to a user and when each service was last accessed.

The IAM Access Advisor can be used to audit user permissions and revise them if necessary.
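As an added example (not code from the original notes), here is a Python check a practitioner might run over the output of `aws iam generate-credential-report` / `aws iam get-credential-report`: it flags console users without MFA, active access keys older than 90 days, and any active access key on the root account. The report rows are constructed and keep only the columns the check reads.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the comma-separated layout that
# `aws iam get-credential-report` returns (after base64 decoding). Only the
# columns this check reads are kept; users, ARNs and dates are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2021-03-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,false,true,2023-02-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,true,false,N/A,true,2024-04-20T00:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2024-03-01T00:00:00+00:00,false,N/A
"""


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return {user: [finding, ...]} for rows that fail one of three checks:
    root has an active access key, a console user has no MFA, or an active
    access key is older than max_key_age_days."""
    findings = {}
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                issues.append("root account has an active access key")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password enabled without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys have "N/A" in the date columns
            age = now - datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if age > max_age:
                issues.append(f"access key {n} not rotated for {age.days} days")
        if issues:
            findings[user] = issues
    return findings


def run_sample(as_of=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Audit the constructed report as of a fixed date so results are stable."""
    return audit_credential_report(SAMPLE_REPORT, as_of)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(f"{user}: {'; '.join(issues)}")
```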

IAM Roles for Services

IAM Roles for Services allow AWS services to run under a specified set of permissions.

For security, always adhere to the principle of least privilege.

Some of the services within AWS will have to have permissions assigned to them in order to perform actions on behalf of a user.

To do so, permissions are assigned to the AWS service through what are known as IAM Roles.

The three most common IAM Roles within AWS are:

  1. Lambda Function Roles
  2. EC2 Instance Roles
  3. Roles for CloudFormation

What is CloudShell?

CloudShell is an alternative to running the AWS CLI in a local terminal and is another way to issue commands against AWS.

Note that CloudShell is not available in all AWS Regions

How to access AWS?

There are three options:

  1. AWS Management Console, which is protected by a password and an MFA device
  2. AWS Command Line Interface (CLI), which is protected by Access Keys
  3. AWS Software Development Kit (SDK), which is used by application developers and is protected by Access Keys

Access Keys are generated via the AWS Management Console and it is up to the end users to manage their own keys.

Very important – Access Keys are just like a password and should not be shared. Think of the Access Key ID as a username and the Secret Access Key as a password.

What is Multi-Factor Authentication in AWS?

Multi-Factor Authentication protects your AWS account by requiring both a password that you know and a security device that you own.

The number one benefit of MFA is that if your password is hacked or stolen, the account still cannot be accessed without the second factor.

Multi-Factor Authentication Devices in AWS

  • Virtual MFA Devices such as Google Authenticator and Authy
  • Universal Second Factor (U2F) Security Key, which is a physical device (YubiKey as an example)
  • Hardware Key Fob such as Gemalto
  • AWS GovCloud for US based authentication

Important Ports

The following are the most common ports you may encounter:

  • Port 21 – FTP (File Transfer Protocol) used to connect to file share server
  • Port 22 – SSH (Secure Shell) used to connect to a Linux server
  • Port 22 – SFTP (Secure File Transfer Protocol) used to connect to a secure file share server
  • Port 80 – HTTP used to connect to an unsecured website
  • Port 443 – HTTPS used to connect to a secured website
  • Port 3389 – RDP (Windows Remote Desktop Protocol) used to connect to a Windows Server

Database Ports

  • Port 5432 – PostgreSQL and Aurora (if Aurora is PostgreSQL compatible)
  • Port 3306 – MySQL, MariaDB and Aurora (If Aurora is MySQL compatible)
  • Port 1521 – Oracle
  • Port 1433 – Microsoft SQL

AWS Security Groups

Security groups are fundamental to network security in AWS and are used to control the flow of traffic into and out of EC2 instances.

Security groups contain only allow rules, and a rule's source can be either an IP address range or another security group.
Think of a security group as a firewall on an EC2 instance; they regulate:

  • Authorised IP ranges, both IPv4 and IPv6
  • What ports are open
  • Outbound network traffic from the EC2 instance
  • Inbound network traffic from the outside world to the EC2 instance

A security group rule contains the following:

  • Type – The type of traffic e.g. HTTP / SSH or a Custom TCP Rule
  • Protocol – The protocol pertaining to the rule e.g. TCP / UDP
  • Port Range – The allowed port e.g. 80 / 22 / 443
  • Source – The allowed source IP address / range. Note that a source of 0.0.0.0/0 means any IPv4 address

Security groups can be attached to more than one EC2 instance and are locked to a specific Virtual Private Cloud / Region.

Security groups live outside the EC2 instance: where traffic is blocked by the security group, it is never passed through to the EC2 instance.

Best practice dictates that a single, dedicated security group should be created for SSH access.

A connection timeout indicates that the security group is blocking the traffic, whereas a Connection Refused error usually means the traffic reached the instance and the application itself refused it (an application error).

The default setting for a security group is that all inbound traffic is blocked and all outbound traffic is authorised.
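An added example, not part of the original notes: a Python audit over inbound security group rules in the shape `aws ec2 describe-security-groups` returns, flagging the sensitive ports listed on this page whenever their Source is the "anywhere" range (0.0.0.0/0 or ::/0). The groups are constructed; rules whose source is another security group are left alone, since that is the recommended way to allow traffic between instances.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (inbound rules under IpPermissions); ids, names and CIDRs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": []},
    ]},
]

# Ports from this page that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 1521: "Oracle"}

def rule_covers_port(rule, port):
    """True if an inbound rule allows `port`; IpProtocol "-1" means all traffic."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def is_anywhere(cidr):
    """0.0.0.0/0 and ::/0 are the 'anywhere' sources (prefix length 0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def find_open_sensitive_ports(groups):
    """Return (group_id, port_name, cidr) for each sensitive port open to the
    world. Rules sourced from another security group (UserIdGroupPairs) are
    not flagged."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if is_anywhere(cidr):
                    for port, name in SENSITIVE_PORTS.items():
                        if rule_covers_port(rule, port):
                            findings.append((sg["GroupId"], name, cidr))
    return findings
```

The bastion group above is the page's "single security group for SSH access" pattern: it allows port 22 only from a named range and is not flagged.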

What determines the best way to choose an AWS region?

There are a number of factors to consider when choosing an AWS region and these include:

  • How close the region is to your clients or customers. Closer regions mean less latency and therefore a faster experience
  • Services available. Not all AWS services are available in every region
  • Compliance. Sometimes compliance is required such as only hosting data in a specific country
  • Pricing. It is sometimes more cost effective to leverage a specific region