Compliance on AWS

DDOS

AWS marketplace security products

IAM Custom Policies

IAM - Policies - create policy - visual editor - choose a service - S3 - In access level list,read - click on Resources - Enable All resources - Review Policy - Add name - create policy

IAM - Roles - create role - select EC2 - Next Permission - select the created policy - Next - Add role name - create role

Go to S3(create 2 buckets in different region) - create bucket - Add name,region - create

Go to EC2 - Launch Instance - Then access Instance from putty or terminal - switch to root(sudo su) - aws s3 ls - unable to locate credentials

Go to IAM - users - add user - add a username - enable Programatic access - Next - Enable Group Administrator - Next - create user - Now you will get access keyid,secret access key - Go to EC2 Instance - Actions Instance settings - Attach Replace IAM Role - select the created role - Apply - Now type the command 'aws s3 ls' inside the Instance - Now it will show the S3 bucket we created earlier

create a testfile and copy to S3 bucket

echo "Hello World" > test.txt
ls
test.txt
aws s3 cp /home/ec2-user/test.txt s3://bucketname

It will show upload failed since we didnt give write access.
Go to IAM - policies - select the policy that we created - Edit policy - Enable write in Access level - Review policy - save changes - Now you can upload file using above command

aws s3 cp /home/ec2-user/test.txt s3://bucketname
aws s3 ls s3://bucketname

Same you can do in second bucket in other region

MFA AND REPORTING WITH IAM

Go to IAM - Activate MFA on your root account - manage MFA - Enable virtual MFA device - Next step - Next step - scan the barcode using Google authenticator in mobile - add the generated authentication codes - Activate virtual MFA

This for root account.Now we can do for user account.

IAM - users - Add user - Add username,Enable programmatic Access - Next - create group - select AdminstrationAccess,give groupname - create group - select the created group - create user(Now you will get access keyid,secret access key) - Download.csv - Go to users - select the created user - security credentials - click on Assigned MFA device - Enable virtual MFA device - Next step - Next step - scan the barcode using Google authenticator in mobile - add the generated authentication codes - Activate virtual MFA

Go to Instance and remove the role that we created early - select Instance - Actions - Instance settings - Attach Replace IAM Role - No role - Apply - yes,detach - Login using putty or terminal - switch to root(sudo su) - aws s3 ls - unable to locate credentials

configure user using access keyid,secret access key

aws configure
Add access keyid
Add secret access key
Add region name
ENTER
ENTER
aws s3 ls

Now you can see the bucket created.Now use the command below for MFA

aws iam create-virtual-mfa-device --virtual-mfa-device-name EC2-User --outfile /home/ec2-user/QRCode.png --bootstrap-method QRCodePNG

Now using 'ls' command you can see QRCode.png and copy the file to s3 bucket

aws s3 cp /home/ec2-user/QRCode.png s3://bucketname

Go to s3 in amazon service - select the QRCode.png - Actions - make public - make public - click on QRCode.png - click on Link - Now you get the QRCode - scan the barcode using Google authenticator in mobile

Login to EC2-Instance and use the command shown below for MFA

aws iam enable-mfa-device --user-name EC2-User --serial-number arn:aws:iam::"USERNUMBERHERE":mfa/EC2-User --authentication-code-1 "CODE1HERE" --authentication-code-2 "CODE2HERE"

"USERNUMBERHERE" = we get from IAM - users - select user - user ARN(copy the numbers)

"CODE1HERE" and "CODE2HERE" = we get from google authenticator

Go to IAM - users - select user - security credential - you can see Assigned MFA device

Go to IAM - credential report - Download Report - Give details of
users credential

Security Token Service

Security and Logging

AWS WAF

AWS Hypervisors

Dedicated Instances vs Dedicated Hosts

EC2 - Instances - Dedicated Hosts - Allocate a Host - Add Instance type,availability zone - Allocate host
OR
EC2 - Launch Instance - configure Instance(Tenancy = Dedicated Instance or Dedicated Host) - Launch

AWS system manager EC2 Run Command

Go to IAM - Roles - create role - EC2 - EC2 Role for Simple Systems Manager - Next - Next - Add role name - EC2 - Launch Instance - configure Instance(Add created role) - Launch

Go to System Manager - Run command - select Aws configure Cloudwatch - select created Instance in Target Instance - Run

AWS system manager Parameter store

EC2 - system manager shared resources(bottom of the page) - parameter store - Get started now - Add name,Enable secure string - create parameter - we can pass this to cloud formation,lamda etc

AWS config with s3

Management tools - config - Rules - Add rule - select s3 - you can see rules related to s3 like s3-bucket-public-read-prohibited,s3-bucket-public-write-prohibited etc..

Presigned URLs

Go to IAM - Roles - create role - EC2 - Next - select Amazons3FullAccess - Next - Add rolename - create role - Launch Instance - Add created role in configure Instance - Launch - Login to created Instance

make new s3 bucket and copy a testfile to it using the command shown below

aws s3 ls
aws s3 mb s3://bucketname
echo "Hello World" > test.txt
aws s3 cp test.txt s3://bucketname
aws s3 ls s3://bucketname

If we go to S3(management console) and access the test.txt by clicking on link we cannot open it.
To access the file for 300 seconds we need to use the command shown below

aws s3 presign s3://bucketname/test.txt --expires-in 300 

This generate a https link.copy and paste this link in browser to access the file for 300 seconds.

Inspector vs Trusted Advicer

Ec2 - Launch an Instance
Security,Identity and Compliance - Inspector - Get started - choose or create role - view details - IAM role = create a new IAM role - Add role name - Allow - Tag your Ec2 Instance - Manage Tags - select Instance and add key and tag - Go back - Install AWS agent - open the link 'To install the Amazon Inspector Agent on a Linux based EC2 Instance' - Login to EC2 instance and run the commands to install AWS agent

sudo su 
wget https://inspector-agent.amazonaws.com/linux/latest/install
curl -O https://inspector-agent.amazonaws.com/linux/latest/install

Now go to Inspector window - Next - add name,key,value created earlier - Next - Add name,Rule packages = common vulnerabilities and exposures1.1,Duration = 1hr - Next - create - select the created Inspector - Run - After 1 hr it will give the result - Assesment runs - Download Report - Full Report - Generate Report

Go to Assessment Templates - create - add name = master template,target name, rule packages(add all the rules),duration=24hr - create and run - After 24 hrs we can download the report

Go to Management Tools - Trusted Advisor - Give details of Cost optimization,performance,security,Fault Tolerance - we need business or enterprise subscription to unlock these.

Shared Responsibility

Other Security Aspects

CloudTrail - Turning It On and Validating Logs

IAM - Groups - create New Group - Add Group name - Next - AWS CloudTrailFullAccess -

Go to S3 - select a created bucket - Management - Add Lifecycle rule - Add Rule name - Next - Current Version - Next - click current version - Add expire days - Next - save