Let’s look at some AWS definitions below. Some of them are taken directly from the AWS website.
From AWS website:
An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZs. All traffic between AZs is encrypted. The network performance is sufficient to accomplish synchronous replication between AZs. AZs make partitioning applications for high availability easy. If an application is partitioned across AZs, companies are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more. AZs are physically separated by a meaningful distance, many kilometers, from any other AZ, although all are within 100 km (60 miles) of each other.
From AWS website:
AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area. Normally a Region has 3 AZs, with a minimum of 2 and a maximum of 6.
More information here: Global Infrastructure Regions & AZs (amazon.com)
IAM – Identity and Access Management
AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.
IAM is an AWS service that is offered at no additional charge. IAM groups cannot contain other groups. Users can be part of multiple groups or no groups at all.
Permissions are granted to users via a policy. All AWS policies are written in JSON.
In IAM you can add MFA to users. Valid MFA types are: a virtual MFA device such as Google Authenticator or LastPass software; a universal 2nd factor (U2F) device (a single key can serve multiple root and IAM users); a hardware key (similar to the RSA token devices companies issued years ago); and a hardware key fob MFA device for AWS GovCloud (US). More information about MFA can be found here: https://aws.amazon.com/iam/features/mfa/?audit=2019q1
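As an added example (not code from the page), the following Python checks a JSON policy document for statements that break least privilege: a wildcard action on every resource with no MFA condition. The policy itself is constructed for the example; aws:MultiFactorAuthPresent is the standard IAM condition key for "the caller authenticated with MFA".

```python
import json

# Constructed sample policy (not from the page): one narrowly scoped
# statement, one over-broad one, and one broad one gated on MFA.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "AdminWithMfa", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def requires_mfa(statement):
    """True if the statement is gated on the aws:MultiFactorAuthPresent key."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, wanted in keys.items():
            if operator.startswith("Bool") and key.lower() == "aws:multifactorauthpresent":
                return str(wanted).lower() == "true"
    return False

def find_overbroad_statements(policy_json):
    """Return the Sids of Allow statements that grant a wildcard action on
    every resource with no MFA condition: the opposite of least privilege."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources and not requires_mfa(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings  # for SAMPLE_POLICY: ['TooBroad']
```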
AWS Secret keys:
Using security keys, you can log in to your AWS account through the CLI and SDK. In your AWS account, generate security keys from the “security credentials” page. Once you generate them, save them somewhere safe. Once you close the dialog box, you cannot retrieve the same secret key again if you lose it. You can, however, generate a new one if needed.
Install the AWS CLI on your machine and open it. Then run the command “aws configure” to store your security keys in the CLI.
From AWS website:
AWS CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the AWS Management Console. You can run AWS CLI commands against AWS services using your preferred shell (Bash, PowerShell, or Z shell). And you can do this without needing to download or install command line tools.
AWS CloudShell is not available in all Regions, so make sure to switch to a Region that supports it. The list of Regions that support CloudShell is given here: AWS CloudShell endpoints and quotas – AWS General Reference (amazon.com). CloudShell is free to use. You can start it from the icon in the AWS console after logging in, or by going to the AWS CloudShell URL.
Files that you create in CloudShell are not deleted when you close it; they are stored in your account. You can upload files to and download files from CloudShell.
IAM Security Tools
Using the credential report you can generate a report of all users’ details: when each user was created, whether MFA is enabled, when each access key was last used, in which Region it was used, and much more. It is available in the IAM console.
Access Advisor shows the permissions your IAM users have and when each service was last accessed. You need to open each user’s summary page to view it: go to the Users tab in the IAM console, click a user, then click Access Advisor. You can see which AWS services the user has access to and when each was last accessed. Based on the last-accessed date, you can remove unnecessary permissions for that user.
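As an added example (not from the page), here is the kind of check a defender runs over a downloaded credential report: it flags console users without MFA, access keys older than a rotation limit, and keys that are unused or stale. The sample report is constructed (fabricated users, dates and a placeholder account id) using the real report's column names, trimmed to the columns the check reads; the thresholds and the "current date" are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report (not real output). The real report has
# more columns; this sample keeps only the ones the check reads.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T09:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,true,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-01T12:00:00+00:00,true,2024-03-10T14:30:00+00:00,2024-01-02T00:00:00+00:00,true,true,2024-02-01T00:00:00+00:00,2024-03-09T11:00:00+00:00,us-east-1,s3
bob,arn:aws:iam::123456789012:user/bob,2020-02-20T08:00:00+00:00,true,no_information,2020-02-20T08:00:00+00:00,false,true,2020-02-20T08:00:00+00:00,2023-01-15T10:20:30+00:00,eu-west-1,ec2
deploy,arn:aws:iam::123456789012:user/deploy,2023-09-01T00:00:00+00:00,false,N/A,N/A,false,true,2023-09-01T00:00:00+00:00,N/A,N/A,N/A
"""
# Assumed "today" for the constructed report, so results are reproducible.
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)

def _parse_ts(value):
    """Non-timestamp cells (N/A, no_information, not_supported) become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, stale_days=90):
    """Return {user: [finding, ...]} for root/console users without MFA and
    for active access key 1 that is old, never used, or unused too long."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = []
        console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            problems.append("console login without MFA")
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            last_used = _parse_ts(row["access_key_1_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                problems.append("access key 1 older than %d days" % max_key_age_days)
            if last_used is None:
                problems.append("access key 1 never used")
            elif now - last_used > timedelta(days=stale_days):
                problems.append("access key 1 unused for more than %d days" % stale_days)
        if problems:
            findings[row["user"]] = problems
    return findings
```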
Enable IAM access to billing dashboard
The billing dashboard is available in the dropdown under your name at the top right. Even if you grant admin permissions to a user, that admin user cannot see the billing dashboard by default. In the AWS console, log in as the root user, open My Account and scroll down to the billing section. Under IAM User and Role Access to Billing Information, click Edit and enable the check box labelled Activate IAM Access. With this, your admin IAM users can see the billing details when they log in.
You can create budget alerts that send an email when a threshold is reached: either when the actual spend reaches the budget, or when a forecast amount you set is reached.
Elastic Compute Cloud (EC2)
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.
EC2 is not limited to instances alone. It includes instances, AMIs, instance types, key pairs, temporary storage volumes, persistent storage volumes (EBS), Regions and AZs, security groups, Elastic IP addresses, tags and VPCs.
All EC2 instance types are named in the format m4.2xlarge, where:
- m represents the instance class
- 4 represents the generation
- 2xlarge represents the size within that instance class.
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. If you don’t specify a security group, Amazon EC2 uses the default security group. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time. New and modified rules are automatically applied to all instances that are associated with the security group. When Amazon EC2 decides whether to allow traffic to reach an instance, it evaluates all of the rules from all of the security groups that are associated with the instance.
When you launch an instance in a VPC, you must specify a security group that’s created for that VPC. After you launch an instance, you can change its security groups. Security groups are associated with network interfaces. Changing an instance’s security groups changes the security groups associated with the primary network interface (eth0). You can also change the security groups associated with any other network interface.
Security is a shared responsibility between AWS and you. AWS provides security groups as one of the tools for securing your instances, and you need to configure them to meet your security needs. If you have requirements that aren’t fully met by security groups, you can maintain your own firewall on any of your instances in addition to using security groups.
To allow traffic to a Linux instance, see Amazon EC2 security groups for Linux instances in the Amazon EC2 User Guide for Linux Instances.
When restricting access, you can specify a source IP address or address range so that only clients connecting from that range can connect; others cannot connect to the instance. If you set the source to 0.0.0.0/0, you are allowing or denying access to that port on the instance from all networks. For outbound traffic, all ports are allowed by default so that your instance can reach everything.
- A single SG can be attached to multiple instances, and multiple SGs can be attached to a single EC2 instance.
- They are scoped to a Region or VPC.
- They sit outside your EC2 instance, so if something is blocked, your instance might not record anything in its logs.
- If you get a timeout when accessing the application, it might be a security group issue; if you get a connection refused error, it is more likely an application issue.
- All inbound traffic is blocked in an SG by default, and all outbound traffic is allowed.
- In SGs you can allow or deny ports from different networks, and also allow or block ports to other security groups.
An Elastic IP address is a static public IPv4 address associated with your AWS account in a specific Region. Unlike an auto-assigned public IP address, an Elastic IP address is preserved after you stop and start your instance in a virtual private cloud (VPC).
An Elastic IP address is a public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet. An Elastic IP address is allocated to your AWS account, and is yours until you release it.
A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
When you create a VPC, it comes with a default security group. You can create additional security groups for each VPC. You can associate a security group only with resources in the VPC for which it is created.
For each security group, you add rules that control the traffic based on protocols and port numbers. There are separate sets of rules for inbound traffic and outbound traffic. By default all outbound traffic is allowed on security groups.
Security groups are associated with network interfaces, not with instances. There is no explicit deny rule in security groups: if you need to open a port on an instance, allow that port in the security group, and any port not allowed in the SG is denied automatically. Anything that is not explicitly allowed is denied.
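The evaluation semantics described in the two security group passages above (every rule of every attached group is evaluated, one match allows, no deny rules, 0.0.0.0/0 means every network), as an added Python model that is not code from the page or from AWS. The group ids and rules are constructed; it also includes the check a defender would run for admin ports open to the world.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: protocol, port range, and a source that is
    either a CIDR ("10.0.0.0/16") or another security group id ("sg-web")."""
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str

# Constructed security groups (hypothetical ids, not from the page). Groups
# hold only allow rules: anything not matched by some rule is denied.
GROUPS = {
    "sg-web": [Rule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-admin": [Rule("tcp", 22, 22, "203.0.113.0/24")],
    "sg-app": [Rule("tcp", 8080, 8080, "sg-web")],   # only from sg-web members
    "sg-open-ssh": [Rule("tcp", 22, 22, "0.0.0.0/0")],  # the weak setting
}

def rule_matches(rule, protocol, port, src_ip, src_groups=()):
    """True if protocol, port and source all match; a group source matches
    when the sending interface belongs to that group."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def is_allowed(attached_groups, protocol, port, src_ip, src_groups=()):
    """EC2 evaluates every rule of every group attached to the interface;
    one match allows the packet. With no deny rules, an unmatched packet is
    dropped silently, which the client sees as a timeout."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for g in attached_groups for r in GROUPS[g])

def world_open_ports(attached_groups, admin_ports=(22, 3389)):
    """Defender check: admin ports reachable from 0.0.0.0/0 (every network)."""
    found = set()
    for g in attached_groups:
        for r in GROUPS[g]:
            if r.source == "0.0.0.0/0" and r.protocol in ("tcp", "-1"):
                found.update(p for p in admin_ports
                             if r.protocol == "-1" or r.from_port <= p <= r.to_port)
    return sorted(found)
```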