IAM Security Tools within AWS

Reporting-wise there is the IAM Credential Report, which is generated at account level and lists all of the account's users together with the status of their credentials: password, access keys, MFA and when each was last used or rotated.

IAM Access Advisor works at the user level and shows the service permissions that have been granted to a user together with when each service was last accessed.

IAM Access Advisor can therefore be used to audit user permissions and remove those that are not being used.

IAM Roles for Services

IAM Roles for Services are a way of running AWS services under a specified set of permissions.

Security-wise, always adhere to the principle of least privilege: grant a role only the permissions the service actually needs.

Some AWS services need permissions assigned to them in order to perform actions on behalf of a user.

Those permissions are assigned to the AWS service by way of what is known as an IAM Role: a trust policy says which service may assume the role, and a permissions policy says what the role may do.

The three most common IAM Roles within AWS are:

  1. Lambda Function Roles
  2. EC2 Instance Roles
  3. Roles for CloudFormation
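A service role is only as tight as its two policy documents, so it is worth checking them mechanically before they are attached. The following is an added example (not code from the page or from AWS) with two constructed Lambda role definitions: one that follows least privilege and one that does not. It checks that the trust policy allows only the expected service principal, and that the permissions policy carries no wildcard actions, no Resource "*" and no NotAction/NotResource. The policy contents, the account id, region, bucket and log group names are all assumptions for illustration.

```python
# Constructed trust and permissions policies for a Lambda execution role.
# Illustrative documents only; not policies from the page or from AWS.
TRUST_POLICY_GOOD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

TRUST_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},   # any AWS principal may assume the role
        "Action": "sts:AssumeRole",
    }],
}

PERMISSIONS_GOOD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:/aws/lambda/order-handler:*"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
    ],
}

PERMISSIONS_BAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, expected_service: str) -> list:
    """Problems found in a role's trust policy. Empty means only
    expected_service (e.g. lambda.amazonaws.com) can assume the role."""
    problems = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("trust policy allows any principal")
            continue
        for kind, who in principal.items():
            for p in _as_list(who):
                if kind == "Service" and p == expected_service:
                    continue
                problems.append(f"unexpected principal {kind}={p}")
    return problems


def check_permissions_policy(doc: dict) -> list:
    """Least-privilege review flags for a permissions policy."""
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                problems.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                problems.append(f"statement {i}: resource * (applies to every resource)")
    return problems


def audit_service_role(trust_doc: dict, permissions_doc: dict, expected_service: str) -> list:
    """Both checks for one service role, in one list."""
    return check_trust_policy(trust_doc, expected_service) + check_permissions_policy(permissions_doc)


if __name__ == "__main__":
    print("good role:", audit_service_role(TRUST_POLICY_GOOD, PERMISSIONS_GOOD, "lambda.amazonaws.com"))
    print("bad role: ", audit_service_role(TRUST_POLICY_BAD, PERMISSIONS_BAD, "lambda.amazonaws.com"))
```

Treat the output as review flags rather than hard failures: a few API actions (for example some Describe and List calls) only work with Resource "*", so a flagged statement needs a reason recorded, not an automatic rejection.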

What is CloudShell?

CloudShell is a browser-based shell launched from the AWS Management Console with the AWS CLI pre-installed. It is an alternative to running the CLI from a local terminal, and commands run with the permissions of the user signed in to the console.

Note that CloudShell is not available in all AWS Regions

How to access AWS?

There are three options:

  1. AWS Management Console, which is protected by a password and an MFA device
  2. AWS Command Line Interface (CLI), which is protected by Access Keys
  3. AWS Software Development Kit (SDK), which is used by application developers and is protected by Access Keys

Access Keys are generated via the AWS Management Console (or the IAM API) and it is up to each user to manage, and rotate, their own keys.

Very important – Access Keys are just like a password and should not be shared. Think of the AccessKeyID as a username and the SecretAccessKey as a password

What is Multi-Factor Authentication in AWS

A way to protect your AWS accounts by combining a password that you know with a security device that you own.

The number one benefit of MFA is that if your password is stolen or guessed, the account still cannot be accessed, because the attacker does not also hold the device.

Multi-Factor Authentication Devices in AWS

  • Virtual MFA devices such as Google Authenticator and Authy (an app on a phone or laptop that generates time-based one-time codes)
  • Universal Second Factor (U2F) security key, a physical device (YubiKey as an example)
  • Hardware key fob such as Gemalto
  • Hardware key fob for AWS GovCloud (US)

Important Ports

The following are the most common ports you may encounter:

  • Port 21 – FTP (File Transfer Protocol) control channel, used to connect to a file transfer server; unencrypted
  • Port 22 – SSH (Secure Shell), used to connect to a Linux server
  • Port 22 – SFTP (SSH File Transfer Protocol), file transfer running over SSH, so it shares port 22
  • Port 80 – HTTP, used to connect to an unencrypted website
  • Port 443 – HTTPS, used to connect to a TLS-secured website
  • Port 3389 – RDP (Remote Desktop Protocol), used to connect to a Windows server

Database Ports

  • Port 5432 – PostgreSQL and Aurora (PostgreSQL-compatible edition)
  • Port 3306 – MySQL, MariaDB and Aurora (MySQL-compatible edition)
  • Port 1521 – Oracle
  • Port 1433 – Microsoft SQL

AWS Security Groups

Security groups are fundamental to network security in AWS and are used to control the flow of traffic into and out of EC2 instances.

Security groups contain only allow rules (there is no deny rule), and a rule's source or destination can be either an IP range or another security group.
Think of a security group as a firewall around an EC2 instance; it regulates:

  • Authorised IP ranges, both IPv4 and IPv6
  • Which ports are open
  • Outbound network traffic from the EC2 instance
  • Inbound network traffic from the outside world to the EC2 instance

A security group rule contains the following:

  • Type – The type of traffic e.g. HTTP / SSH or a Custom TCP Rule
  • Protocol – The protocol pertaining to the rule e.g. TCP / UDP
  • Port Range – The allowed port e.g. 80 / 22 / 443
  • Source – The allowed source IP address / range, or a security group. Note that a source of 0.0.0.0/0 (or ::/0 for IPv6) means any IP address

Security groups can be attached to more than one EC2 instance and are scoped to a single Virtual Private Cloud (and therefore a single Region)

Security groups sit outside the EC2 instance; traffic blocked by the security group never reaches the instance, so the instance will not even see it

Best practice is to keep a separate security group dedicated to SSH access rather than mixing SSH rules into the application's groups

A connection timeout usually means the security group is blocking the traffic, whereas a connection refused error means the traffic reached the instance but nothing was listening on that port, which is an application error rather than a security group problem

The default setting for traffic pertaining to a security group is that all inbound traffic is blocked and all outbound traffic is authorised
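The rules above (allow-only, IP range or group reference as source, default deny inbound and allow-all outbound, timeout when blocked) can be modelled directly. The following is an added example (not code from the page or from AWS) that evaluates constructed security groups the way the page describes them: a web group open on 80/443, a separate SSH-only group limited to one office range, and a database group that trusts the web tier by security-group reference rather than by IP. The group ids, CIDRs and addresses are assumptions for illustration; the model ignores ICMP type/code matching and the stateful return-traffic behaviour of real security groups.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" for all traffic (ICMP type/code matching omitted)
    from_port: int
    to_port: int
    source: str     # CIDR such as "0.0.0.0/0" or "::/0", or the id of another security group


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def new_security_group(group_id: str) -> SecurityGroup:
    """Mirror the AWS default for a newly created group: no inbound rules,
    all outbound traffic allowed for both IPv4 and IPv6."""
    return SecurityGroup(
        group_id,
        inbound=[],
        outbound=[Rule("-1", 0, 65535, "0.0.0.0/0"), Rule("-1", 0, 65535, "::/0")],
    )


def _matches(rule: Rule, protocol: str, port: int, peer: str) -> bool:
    """True if this single allow rule covers protocol/port for `peer`, where
    `peer` is an IP address or, for traffic from an instance in another
    group, that group's id."""
    if rule.protocol != "-1":
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.source.startswith("sg-"):
        return peer == rule.source           # group reference matches only the group itself
    if peer.startswith("sg-"):
        return False                          # a CIDR rule never matches a group reference
    net = ipaddress.ip_network(rule.source, strict=False)
    addr = ipaddress.ip_address(peer)
    return addr.version == net.version and addr in net


def allows_inbound(sg: SecurityGroup, protocol: str, port: int, source: str) -> bool:
    """Allow-only semantics: permitted if any inbound rule matches, otherwise the
    packet is dropped before the instance sees it (the client sees a timeout)."""
    return any(_matches(r, protocol, port, source) for r in sg.inbound)


def allows_outbound(sg: SecurityGroup, protocol: str, port: int, destination: str) -> bool:
    return any(_matches(r, protocol, port, destination) for r in sg.outbound)


# Constructed groups (assumed ids and ranges).
WEB_SG = new_security_group("sg-0a1b2c3d4e5f60001")
WEB_SG.inbound += [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "::/0"),
]

# Separate group dedicated to SSH, restricted to one office range.
SSH_SG = new_security_group("sg-0a1b2c3d4e5f60002")
SSH_SG.inbound.append(Rule("tcp", 22, 22, "203.0.113.0/24"))

# Database tier trusts the web tier by group reference, not by IP.
DB_SG = new_security_group("sg-0a1b2c3d4e5f60003")
DB_SG.inbound.append(Rule("tcp", 3306, 3306, WEB_SG.group_id))


if __name__ == "__main__":
    print("HTTPS from the internet to web tier:", allows_inbound(WEB_SG, "tcp", 443, "198.51.100.7"))
    print("SSH from the internet to web tier:  ", allows_inbound(WEB_SG, "tcp", 22, "198.51.100.7"))
    print("SSH from the office to bastion:     ", allows_inbound(SSH_SG, "tcp", 22, "203.0.113.45"))
    print("MySQL from web tier to database:    ", allows_inbound(DB_SG, "tcp", 3306, WEB_SG.group_id))
```

Attaching WEB_SG and SSH_SG to the same instance is what lets a later change to the SSH range be made in one place without touching the application rules; the group reference on DB_SG likewise survives web instances being replaced and getting new private IPs.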

What determines the best way to choose an AWS region?

There are a number of factors to consider when choosing an AWS region and these include:

  • How close the region is to your clients or customers. Closer regions mean less latency and therefore a faster experience
  • Services available. Not all AWS services are available in every region
  • Compliance. Sometimes compliance is required such as only hosting data in a specific country
  • Pricing. It is sometimes more cost effective to leverage a specific region

Principles of Software Development

When developing Software it is important to:

  • Understand that implementations pertaining to Software Development may differ from company to company
  • Before writing a single line of code, first understand the problem as it pertains to the business. The Software Solution that will be implemented needs to solve the specific problem
  • Create a functional specification which is essentially documenting the solution in a non-technical way
  • Convert the proposed solution to a technical architecture which is a “High level” view of the solution; think diagrams displaying the components which will solve the business problem
  • Pass the proposed solution documents through to the development team for actual implementation
  • All code should be thoroughly tested in order to meet the quality standards
  • Once tested the code which solves the business problem should be deployed

Architecture Building Blocks

An Architecture Building Block is defined as a package of functionality which is defined to meet the needs of a business.

How the functionality, custom developments and products inside a building block are packaged varies between architectures.

Each business or organisation should decide what arrangement of building blocks works best, since a good choice of building blocks can lead to:

  • Interoperability when creating a new system or application
  • Flexibility when creating a new system or application
  • Improvements in legacy system integration

The characteristics of Building Blocks

In general, building blocks have the following characteristics:

  • A package of functionality which is defined to meet the needs of the business across an organisation
  • A building block has interfaces associated with it to provide access to functionality
  • The building block may inter-operate with other, interdependent building blocks

A good Building Block should have the following characteristics:

  • The building block considers the implementation and usage and then evolves to exploit standards and technology
  • The building block may be a sub-assembly of other building blocks
  • The building block is both replaceable and reusable and well specified
  • The building block may be implemented multiple times, each time in association with different interdependent building blocks

The two types of Building Blocks – ABBs and SBBs

There are two types of Building Blocks:

  • Architecture Building Blocks (ABBs)
  • Solution Building Blocks (SBBs)

Architecture Building Blocks

Architecture Building Blocks (ABBs) relate to the Architecture Continuum and are defined or selected as a result of applying the Architecture Development Method (generally during ADM Phases A, B, C and D).

The main characteristics of Architecture Building Blocks are:

  • Technology-aware
  • Provide direction and guidance for the development of Solution Building Blocks
  • Capture technical and business requirements
  • Define the functionality to be implemented

Solution Building Blocks

Solution Building Blocks (SBBs) relate to the Solutions Continuum and are either developed or procured.

The main characteristics of Solution Building Blocks are:

  • An SBB defines which components and products will implement the required functionality
  • They define the actual implementation
  • An SBB ensures that it fulfils the requirements of the business
  • SBBs are vendor or product aware

An easy way to differentiate between the two types of building blocks is to understand the following:

“Architecture Building Blocks are more closely aligned with the design and specification, whilst a Solution Building Block is essentially the implementation of the Architecture Building Block”