26 Practical Tips on Amazon Web Services Security Groups
AWS security groups are among the most widely used, and most widely abused, configurations in an AWS environment once you have operated in the cloud for a long time. Because security groups are simple to configure, teams often underestimate them and do not follow the best practices that go with them. Operating security groups day after day is far more demanding than configuring them once, and almost nobody talks about that.
In this article I share our experience with AWS security groups since 2008 as a set of best-practice pointers covering both configuration and day-to-day operations. In security, the speed of proactive and reactive action decides who wins, so in practice many of these practices have to be automated. If the Dev / Ops / DevOps teams in your organization need help automating security group best practices, feel free to contact me. AWS has released many security-related services in recent years, and security groups should not be looked at in isolation; that no longer makes sense. A security group should always be seen in the overall security context. With that, on to the pointers.
Practice 1: Enable VPC Flow Logs at the VPC, subnet or ENI level. Flow logs can be configured to capture ACCEPT and REJECT records for traffic passing through the ENIs (and therefore the security groups) of EC2 instances, ELBs and some other services. These records can be analysed to detect attack patterns, alert on abnormal activity and information flows within the VPC, and provide valuable input to SOC / managed-service operations. Note that a flow log records the combined outcome of the security group and network ACL evaluation; a REJECT record alone does not tell you which of the two blocked the packet.
Practice 2: Use AWS Identity and Access Management (IAM) to control who in your organization is allowed to create and manage security groups and network ACLs (NACLs). Separate duties and roles for better defense. For example, grant only network administrators or the security administrator permission to manage security groups, and deny it to other roles. Remember that broad grants such as ec2:* include every security group action, so audit for wildcards rather than only for the explicitly named actions.
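The wildcard problem above is easy to miss when reading policies by hand. The following is an added example (not code from the original article or from AWS) that scans IAM policy documents for the security group and NACL management actions and reports principals outside an allowed list that can still change them. The action list, the principal names and the sample policies are all assumptions constructed for the example; it ignores Resource ARNs and Condition blocks, so it over-approximates what IAM would grant, which is the safe direction for an audit.

```python
import fnmatch

# Security group and network ACL management actions this example treats as privileged.
# Assumption: the list is illustrative, not an exhaustive inventory of EC2 actions.
SG_MANAGEMENT_ACTIONS = (
    "ec2:CreateSecurityGroup",
    "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:ModifySecurityGroupRules",
    "ec2:CreateNetworkAcl",
    "ec2:DeleteNetworkAcl",
    "ec2:CreateNetworkAclEntry",
    "ec2:DeleteNetworkAclEntry",
    "ec2:ReplaceNetworkAclEntry",
)


def _as_list(value):
    """IAM allows Statement and Action to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_sg_actions(policy):
    """Return the set of SG/NACL management actions a policy document allows.

    Simplification: Allow statements are unioned and Deny statements remove matches.
    Resource ARNs and Condition blocks are ignored, so the result over-approximates."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in SG_MANAGEMENT_ACTIONS:
            if any(_action_matches(p, action) for p in patterns):
                target.add(action)
    return allowed - denied


def find_overreaching_principals(attachments, permitted_principals):
    """attachments maps a principal name to the policy documents attached to it.
    Returns {principal: [actions]} for principals outside the permitted set that
    can still manage security groups or NACLs."""
    findings = {}
    for principal, policies in attachments.items():
        if principal in permitted_principals:
            continue
        actions = set()
        for doc in policies:
            actions |= granted_sg_actions(doc)
        if actions:
            findings[principal] = sorted(actions)
    return findings


# Constructed sample: three principals with hypothetical policies (not real account data).
SAMPLE_ATTACHMENTS = {
    "role/NetworkAdmin": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ec2:*SecurityGroup*", "ec2:*NetworkAcl*"],
                       "Resource": "*"}],
    }],
    "role/AppDeveloper": [{
        "Version": "2012-10-17",
        "Statement": [
            # A broad grant that quietly includes every security group action...
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            # ...only partially clawed back by an explicit Deny.
            {"Effect": "Deny", "Action": ["ec2:DeleteSecurityGroup", "ec2:*NetworkAcl*"],
             "Resource": "*"},
        ],
    }],
    "role/ReadOnlyAuditor": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
    }],
}

if __name__ == "__main__":
    for principal, actions in find_overreaching_principals(
            SAMPLE_ATTACHMENTS, {"role/NetworkAdmin"}).items():
        print(f"{principal} can run: {', '.join(actions)}")
```

In a real account you would feed it the documents returned by the IAM list/get policy calls for each role and user; the point of the example is that "ec2:*" with a partial Deny still leaves the developer role able to open ports.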
Practice 3: Enable AWS CloudTrail for your account. CloudTrail records every security group API call and is a prerequisite for administering and operating security groups. Event streams can be built from CloudTrail and processed by AWS Lambda. For example, each time a security group is deleted the event is captured with full details in CloudTrail; it can trigger a Lambda function that processes the change and alerts the MS / SOC team on a dashboard or by email according to their workflow. This is a powerful way to react to events within minutes. Alternatively, you can process the CloudTrail logs stored in S3 as a batch every X minutes and achieve the same result, but the reaction time of the operations team then depends on how often the logs are delivered and examined. This activity is mandatory for your operations team.
Practice 4: Enable AWS Config for your AWS account. AWS Config records every configuration change to your security groups, can evaluate them against rules, and can notify you (for example by email through SNS) when a change occurs.
Practice 5: Have a proper naming convention for Amazon Web Services security groups. The convention must follow a corporate standard. For example, you could use the scheme "AWS Region + Environment Code + OS Type + Tier + Application Code":
Security group name: EU-P-LWA001
AWS Region (2 chars) = EU, VA, CA, etc.
Environment (1 char) = P-Production, Q-QA, T-Test, D-Development, etc.
OS type (1 char) = L-Linux, W-Windows, etc.
Tier (1 char) = W-Web, C-Cache, D-DB, etc.
Application code (4 chars) = A001
We have used Amazon Web Services since 2008 and, over the years, managing security groups across many environments is in itself a huge task. The right naming convention from the beginning is a simple practice, but it will keep your AWS journey manageable.
Practice 6: For defense in depth, make sure the naming convention for security groups is not self-explanatory, and keep the naming scheme internal. Example: a security group named UbuntuWebCRMProd tells an attacker who obtains read access to your account that it protects the production web tier of the CRM; coded names such as those in Practice 5 give away far less. This is obscurity on top of, not instead of, the restrictive rules in the group itself.
Practice 7: Periodically detect, alert on or delete security groups that do not strictly follow the organization's naming standard, and have an automated job do this as part of SOC / managed service operations. Once this control is enforced, things fall into line by themselves. The VPC default group is named "default" by AWS and cannot be renamed, so exempt it from this check and handle it under Practice 9.
Practice 8: Have automation that maps every security group to the EC2 instances, ELBs and other AWS resources associated with it. Since security groups attach to elastic network interfaces, checking ENI associations catches RDS, ElastiCache, Lambda and load balancer usage as well as EC2. This automation lets you periodically detect inactive security groups with no associations, alert the MS team and clean them up. Unused security groups accumulated over time create unwanted confusion. Note that AWS will not let you delete a group that another group's rule references as a source, so check rule references as well.
Practice 9: When you create a VPC, AWS automatically creates a default security group for it. If you do not specify a security group when launching an instance, it is associated with that default group. Out of the box the default group allows inbound traffic only from other members of the default group (the group references itself as the source in its inbound rule, which is what lets members talk to each other) and allows all outbound traffic. This is not good security practice. Create your own security groups and specify them when launching resources; this applies to EC2, RDS, ElastiCache and several other AWS services. The default group cannot be deleted, so remove all of its inbound and outbound rules so that anything accidentally placed in it can talk to nothing, then periodically detect resources attached to "default" groups and report them to the SOC / MS.
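Practices 8 and 9 can share one detection job. The block below is an added example (not the article's or AWS's code) that works on constructed describe_security_groups and describe_network_interfaces-shaped data: it flags a default group that still carries rules or still has ENIs attached, and separates unattached groups that are safe to delete from unattached groups that another group's rule still references. Group and ENI IDs are made up.

```python
def referenced_group_ids(groups):
    """Security groups named as the source/destination of another group's rules.
    AWS refuses to delete a group that is still referenced this way."""
    refs = set()
    for g in groups:
        for perm in g.get("IpPermissions", []) + g.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                refs.add(pair["GroupId"])
    return refs


def attached_group_ids(network_interfaces):
    """Groups attached to any ENI. Because RDS, ElastiCache, ELB and Lambda all sit on
    ENIs, this sees their usage too, not just EC2 instances."""
    return {grp["GroupId"] for eni in network_interfaces for grp in eni.get("Groups", [])}


def audit_default_and_unused(groups, network_interfaces):
    """Return (GroupId, GroupName, finding) tuples for Practice 8 and Practice 9."""
    attached = attached_group_ids(network_interfaces)
    referenced = referenced_group_ids(groups)
    findings = []
    for g in groups:
        gid, name = g["GroupId"], g["GroupName"]
        if name == "default":
            # The default group cannot be deleted; the control is that it permits
            # nothing and that nothing is placed in it.
            if g.get("IpPermissions") or g.get("IpPermissionsEgress"):
                findings.append((gid, name, "default group still has rules; remove them all"))
            if gid in attached:
                findings.append((gid, name, "resources attached to default group; move them to purpose-built groups"))
            continue
        if gid in attached:
            continue
        if gid in referenced:
            findings.append((gid, name, "unattached but referenced by another group's rule; review before deleting"))
        else:
            findings.append((gid, name, "unattached and unreferenced; candidate for deletion"))
    return findings


# Constructed sample shaped like describe_security_groups / describe_network_interfaces (IDs made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0def", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0def"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0web", "GroupName": "EU-P-LWA001",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0web2", "GroupName": "EU-P-LWA002", "IpPermissions": []},  # decommissioned web tier
    {"GroupId": "sg-0cache", "GroupName": "EU-P-LCA001",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                        "UserIdGroupPairs": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0web2"}]}]},
    {"GroupId": "sg-0db2", "GroupName": "EU-P-LDA002", "IpPermissions": []},   # nothing uses it
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-01", "Groups": [{"GroupId": "sg-0def"}]},    # forgotten instance
    {"NetworkInterfaceId": "eni-02", "Groups": [{"GroupId": "sg-0web"}]},
    {"NetworkInterfaceId": "eni-03", "Groups": [{"GroupId": "sg-0cache"}]},  # e.g. an ElastiCache ENI
]

if __name__ == "__main__":
    for gid, name, finding in audit_default_and_unused(SAMPLE_GROUPS, SAMPLE_ENIS):
        print(f"{gid} ({name}): {finding}")
```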
Practice 10: Email alerts and cloud management dashboard alerts must be raised each time security-critical groups or rules are added, modified or deleted in production. This is important both for the reactive action of your managed services / security operations team and for audit purposes.
Practice 11: When several security groups are associated with an Amazon EC2 instance, the rules of all groups are aggregated into one effective rule set, which AWS uses to decide whether to allow traffic. Security group rules are allow-only and have no order or precedence, so if more than one rule matches a port, the traffic is allowed if any of them permits it, which means the most permissive rule effectively wins. For example, if one rule allows TCP port 22 (SSH) from 203.0.113.10 and another allows TCP port 22 from anywhere, then everyone has access to TCP port 22; the restrictive rule adds nothing.
Practice 11.1: Have automated jobs detect EC2 instances associated with many security groups / rules and alert the SOC / MS periodically. Consolidate them to at most a few groups per instance as part of operations.
Practice 11.2: Have automated jobs detect conflicting rules, such as a restrictive rule shadowed by a permissive one on the same port, and alert the SOC / MS periodically.
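The following added example (not code from the original article) computes the effective rule set for an instance with several attached groups and reports the shadowed rules that Practice 11.2 asks for: a rule is shadowed when some other rule allows a superset of its protocol, ports and source. The rule model, group IDs and addresses are constructed for the example; treating an any-address CIDR as covering a security-group-referenced source is a stated approximation.

```python
import ipaddress
from collections import namedtuple

# One security group rule: the group it lives in, protocol ("tcp", "udp", "icmp" or "-1"
# for all traffic), port range, and source (a CIDR string or a referenced security group ID).
Rule = namedtuple("Rule", "group proto from_port to_port source")


def _covers_source(broad, narrow):
    """True if every source allowed by `narrow` is also allowed by `broad`."""
    try:
        broad_net = ipaddress.ip_network(broad)
    except ValueError:
        # `broad` is a security-group reference: it only covers the identical reference.
        return broad == narrow
    try:
        narrow_net = ipaddress.ip_network(narrow)
    except ValueError:
        # `narrow` is a security-group reference; approximation: only an any-address CIDR covers it.
        return broad_net.prefixlen == 0
    return narrow_net.version == broad_net.version and narrow_net.subnet_of(broad_net)


def covers(broad, narrow):
    """True if rule `broad` allows everything rule `narrow` allows."""
    if broad.proto != "-1":
        if broad.proto != narrow.proto:
            return False
        if not (broad.from_port <= narrow.from_port and narrow.to_port <= broad.to_port):
            return False
    return _covers_source(broad.source, narrow.source)


def effective_rules(instance_groups):
    """Security group evaluation is allow-only and unordered: traffic reaches the instance
    if ANY rule in ANY attached group allows it, so the effective policy is the plain union."""
    return [rule for rules in instance_groups.values() for rule in rules]


def shadowed_rules(instance_groups):
    """Rules made pointless by a strictly broader rule somewhere in the attached groups.
    Returns (narrow_rule, broad_rule) pairs; each narrow rule is reported once."""
    rules = effective_rules(instance_groups)
    found = []
    for narrow in rules:
        for broad in rules:
            if broad is not narrow and covers(broad, narrow) and not covers(narrow, broad):
                found.append((narrow, broad))
                break
    return found


# Constructed sample: three groups attached to one instance (IDs and addresses made up).
INSTANCE_GROUPS = {
    "sg-0bastion-access": [
        Rule("sg-0bastion-access", "tcp", 22, 22, "203.0.113.10/32"),   # intended SSH source
        Rule("sg-0bastion-access", "tcp", 3306, 3306, "10.0.1.0/24"),
    ],
    "sg-0legacy": [
        Rule("sg-0legacy", "tcp", 22, 22, "0.0.0.0/0"),                 # makes the /32 above meaningless
        Rule("sg-0legacy", "-1", 0, 65535, "10.0.0.0/8"),               # all traffic from the corporate range
    ],
    "sg-0web": [
        Rule("sg-0web", "tcp", 443, 443, "0.0.0.0/0"),
        Rule("sg-0web", "tcp", 8080, 8080, "sg-0elb"),
    ],
}

if __name__ == "__main__":
    print(f"{len(effective_rules(INSTANCE_GROUPS))} effective rules")
    for narrow, broad in shadowed_rules(INSTANCE_GROUPS):
        print(f"{narrow.group}: {narrow.proto}/{narrow.from_port} from {narrow.source} "
              f"is shadowed by {broad.group}: {broad.proto} from {broad.source}")
```

Run against real data, the (narrow, broad) pairs tell the operator which group to fix: the broad rule is the one to tighten, not the narrow one.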
Practice 12: Do not create permissive security groups open to 0.0.0.0/0, that is, to everyone. Web servers must accept HTTP and HTTPS from the Internet, so only their security groups may carry permissive rules such as:
0.0.0.0/0, TCP, 80 - allow inbound HTTP from anywhere
0.0.0.0/0, TCP, 443 - allow inbound HTTPS from anywhere
Any other permissive security group created in your account should be alerted to the SOC / MS teams immediately. If your VPC has IPv6, check ::/0 as well as 0.0.0.0/0.
Practice 13: Have a security policy that services are not started on well-known default ports such as 3306, 1433, 11211, 6379, etc. Where the policy is adopted, the security groups are then created for the new, non-obvious listening ports instead of the defaults. This adds a thin layer of defense, since the role of the service behind a security group can no longer be inferred from its port numbers; it does not stop a port scan, so it is never a substitute for restricting the source. Automated detection and alerts to the SOC / MS must be created for security groups that open default ports.
Practice 14: Applications with stricter compliance requirements, such as HIPAA or PCI, must implement end-to-end transport encryption on the server side in AWS. Traffic from the ELB through the Web -> App -> DB -> other tiers must be encrypted with TLS (HTTPS or the equivalent for the protocol). In security group terms this means only ports carrying encrypted protocols, such as 443, 465 or 22, are allowed in the corresponding EC2 security groups. Automated detection and alerts to the SOC / MS must be created if security groups for regulated applications are created with plaintext ports (80, 21, 23, unencrypted database listeners and so on).
Practice 15: Detection, alerting and response can be driven by analysing CloudTrail records for patterns:
15.1: If a port was opened and closed again within 30 (or X) minutes in production, it is a candidate for suspicious activity unless that is a normal pattern for your production environment.
15.2: If a permissive security group was created and deleted within 30 (or X) minutes, it is likewise a candidate for suspicious activity unless that is normal for your production environment.
In general, detect anomalies in how quickly production security groups are changed and reverted.
Practice 16: If ports must be opened in security groups, or a permissive security group must be applied, automate the whole process as part of operations so that the group is opened for an agreed X minutes and closed again automatically, in line with your change management. Reducing manual intervention avoids operational errors and adds security.
Practice 17: Ensure that SSH / RDP access is open in security groups only from the bastion (jump) hosts for your subnets / VPCs, ideally by referencing the bastion's security group as the source rather than its IP address. Have stricter controls / policies to prevent SSH / RDP being opened to other instances in the production environment. Periodically check for, alert on and close this hole as part of your operations.
Practice 18: It is bad practice to have SSH open to the entire Internet for emergency or remote support. With full Internet access to your SSH port, nothing stops an attacker from probing and brute-forcing your EC2 instance. The best practice is to allow only very specific IP addresses in your security groups; this restriction improves protection considerably. These can be your office, your data center, or the jump box through which you connect.
Practice 19: Too many or too few? How many security groups a multi-tier web application should have is a frequent question. Option 1: a single security group that spans several tiers is easy to configure but is not recommended for secure production applications. Option 2: a security group per instance gives strong isolation but is hard to manage in long-term operations. Option 3: a separate security group for each application tier. For example, have separate security groups for the ELB, Web, App, DB and Cache tiers of your stack. Periodically check whether Option 1 style groups are being created in production and route them to the SOC / MS.
Practice 20: Avoid allowing UDP or ICMP to private instances in security groups unless specifically required; it is not good practice by default.
Practice 21: Open only specific ports; opening a range of ports in a security group is not good practice. A security group can hold many inbound rules, so when opening ports it is always advisable to open specific ones, such as 80 and 443, rather than a range such as 200-300. For communication between peer instances, add rules that reference the peer's security group as the source instead of a CIDR range, so that membership follows the instance rather than its IP address.
Practice 22: Instances in private subnets are reachable only from the VPC CIDR range (and any peered or VPN-connected ranges). Opening them to public IP ranges is possible but makes no sense. For example, allowing HTTP from 0.0.0.0/0 in the security group of a private-subnet instance is pointless, and becomes dangerous if the group is later reused on a public instance. Detect and clean up such rules.
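Practices 12, 13, 17, 18, 21 and 22 are all checks on the content of individual inbound rules, so they fit in one rule auditor. The block below is an added example (not the article's code) that runs those checks over constructed describe_security_groups-shaped groups. The severity labels, the set of bastion group IDs, the PostgreSQL entry in the default-port table and the private-subnet flag (which in practice you would derive from the subnet's route table) are assumptions made for the example.

```python
# Port and source classifications used by the audit. Assumption: the default data-store
# ports are the ones named in the article plus PostgreSQL; extend them for your estate.
WEB_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DEFAULT_DATASTORE_PORTS = {3306: "MySQL", 1433: "SQL Server", 11211: "memcached",
                           6379: "Redis", 5432: "PostgreSQL"}


def _sources(perm):
    """All sources of one IpPermissions entry: IPv4 CIDRs, IPv6 CIDRs and SG references."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for p in perm.get("UserIdGroupPairs", []):
        yield p["GroupId"]


def audit_ingress(group, bastion_group_ids, private_subnet=False):
    """Check one security group's inbound rules against Practices 12, 13, 17/18, 21 and 22.
    Returns (GroupId, severity, message) tuples."""
    gid = group["GroupId"]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                                        # all traffic: nothing else to say
            for src in _sources(perm):
                findings.append((gid, "critical", f"all protocols and ports allowed from {src}"))
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if hi > lo:                                              # Practice 21
            findings.append((gid, "medium", f"{proto} port range {lo}-{hi} opened; open specific ports"))
        for src in _sources(perm):
            world = src in WORLD
            if world and not (lo == hi and lo in WEB_PORTS):     # Practice 12
                findings.append((gid, "critical", f"{proto}/{lo}-{hi} open to the world from {src}"))
            if world and private_subnet:                         # Practice 22
                findings.append((gid, "high", f"private-subnet group has world-open rule {proto}/{lo}-{hi}"))
            for port, name in ADMIN_PORTS.items():               # Practices 17 and 18
                if lo <= port <= hi and src not in bastion_group_ids:
                    findings.append((gid, "high", f"{name} ({port}) allowed from {src}, not a bastion group"))
            for port, name in DEFAULT_DATASTORE_PORTS.items():   # Practice 13
                if lo <= port <= hi:
                    findings.append((gid, "low", f"default {name} port {port} exposed to {src}"))
    return findings


BASTION_GROUP_IDS = {"sg-0bastion"}   # assumed: the only groups allowed to originate SSH/RDP

# Constructed sample groups shaped like describe_security_groups output (IDs made up).
SAMPLE_GROUPS = {
    "web": {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    "app": {"GroupId": "sg-0app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-0elb"}]},
    ]},
    "db": {"GroupId": "sg-0db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    "legacy": {"GroupId": "sg-0legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 200, "ToPort": 300, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
}

if __name__ == "__main__":
    for tier, group in SAMPLE_GROUPS.items():
        for gid, severity, message in audit_ingress(group, BASTION_GROUP_IDS, private_subnet=(tier == "db")):
            print(f"[{severity}] {gid}: {message}")
```

The web group comes out clean because 80 and 443 to the world is exactly the exception Practice 12 allows; the same group would be flagged three times if it were attached in a private subnet, which is the Practice 22 case.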
Practice 23: CloudTrail captures security-related events. AWS Lambda functions or automated jobs should raise alerts to operations when abnormal activity is detected. For example:
23.1: Alert when X security groups were added / deleted within Y hours or days by one IAM user / account.
23.2: Alert when X security group rules were added / deleted within Y hours or days by one IAM user / account.
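Practices 15 and 23 both come down to correlating CloudTrail events by group and by principal. The block below is an added example (not the article's code) that detects an open-then-revert on the same group inside a window and a burst of security group changes by one principal inside a sliding window. The CloudTrail records are constructed with only the fields the logic reads (eventTime, eventName, userIdentity.arn, requestParameters / responseElements groupId); the principals, group IDs, timestamps and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SG_CHANGE_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
}
# Opening event -> the event that reverts it.
REVERTS = {
    "AuthorizeSecurityGroupIngress": "RevokeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress": "RevokeSecurityGroupEgress",
    "CreateSecurityGroup": "DeleteSecurityGroup",
}


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _group_id(event):
    """CreateSecurityGroup reports the new ID only in responseElements; other calls take it as a parameter."""
    params = event.get("requestParameters") or {}
    response = event.get("responseElements") or {}
    return params.get("groupId") or response.get("groupId")


def quick_reverts(events, window=timedelta(minutes=30)):
    """Practice 15: an opening change reverted on the same group within `window`.
    Returns (groupId, open_event, close_event, minutes_open, closing_principal)."""
    pending = defaultdict(list)      # (groupId, reverting event name) -> opening events
    found = []
    for ev in sorted(events, key=_when):
        name, gid = ev["eventName"], _group_id(ev)
        if name in REVERTS:
            pending[(gid, REVERTS[name])].append(ev)
        elif (gid, name) in pending:
            for opener in pending.pop((gid, name)):
                elapsed = _when(ev) - _when(opener)
                if elapsed <= window:
                    found.append((gid, opener["eventName"], name,
                                  int(elapsed.total_seconds() // 60), ev["userIdentity"]["arn"]))
    return found


def change_bursts(events, threshold, window=timedelta(hours=1)):
    """Practice 23: principals making more than `threshold` security group changes
    inside any sliding `window`. Returns (principal arn, changes in the busiest window)."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev["eventName"] in SG_CHANGE_EVENTS:
            by_principal[ev["userIdentity"]["arn"]].append(_when(ev))
    alerts = []
    for arn, times in by_principal.items():
        times.sort()
        start, busiest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest > threshold:
            alerts.append((arn, busiest))
    return alerts


def _event(time, name, arn, **fields):
    """Build a minimal CloudTrail-shaped record (constructed test data, not real logs)."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn}, **fields}


ALICE = "arn:aws:iam::123456789012:user/ops-alice"
BOB = "arn:aws:iam::123456789012:user/bob"
DEPLOY = "arn:aws:iam::123456789012:role/deploy"

SAMPLE_EVENTS = [
    # Port opened and closed again twelve minutes later: candidate for a covert change.
    _event("2023-05-01T10:00:00Z", "AuthorizeSecurityGroupIngress", ALICE,
           requestParameters={"groupId": "sg-0web"}),
    _event("2023-05-01T10:12:00Z", "RevokeSecurityGroupIngress", ALICE,
           requestParameters={"groupId": "sg-0web"}),
    # Temporary group that lived for 150 minutes: outside the 30-minute window.
    _event("2023-05-01T09:00:00Z", "CreateSecurityGroup", DEPLOY,
           requestParameters={"groupName": "EU-T-LWA009"}, responseElements={"groupId": "sg-0tmp"}),
    _event("2023-05-01T11:30:00Z", "DeleteSecurityGroup", DEPLOY,
           requestParameters={"groupId": "sg-0tmp"}),
] + [
    # Six rule changes from one user in ten minutes.
    _event(f"2023-05-01T12:{m:02d}:00Z", "AuthorizeSecurityGroupIngress", BOB,
           requestParameters={"groupId": "sg-0app"})
    for m in range(0, 12, 2)
]

if __name__ == "__main__":
    for gid, opened, closed, minutes, who in quick_reverts(SAMPLE_EVENTS):
        print(f"{gid}: {opened} reverted by {closed} after {minutes} min ({who})")
    for arn, count in change_bursts(SAMPLE_EVENTS, threshold=5):
        print(f"{arn}: {count} security group changes within one hour")
```

The same two functions work whether the records arrive one at a time from a Lambda trigger (accumulate recent events in a store and re-run) or in batches read from the CloudTrail S3 bucket, as Practice 3 describes.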
Practice 24: If you are an enterprise, make sure all production security group activity is part of the change management process. Security group actions can be manual or automated, integrated with the company's change management. If you are a startup or an agile SMB without a formal change management process, automate most security-group tasks and events as shown in several of the practices above. This brings great efficiency to your operations.
Practice 25: Use egress (outbound) security group rules where applicable in your VPC. Security groups allow all outbound traffic by default, so restrict, for example, FTP connections from your VPC to arbitrary Internet servers. In this way you reduce the risk of data being dumped or important files being transferred out of your VPC.
Practice 26: For some tiers of your application, use an ELB in front of your instances as a security proxy with restrictive security groups - restrictive ports and IP ranges - and allow the instance tier only from the ELB's security group. Most of the tools we use together to automate these best practices are ServiceNow, AWS CloudFormation templates, the AWS API, Rundeck, Puppet, Chef, and custom programs in Python, .NET and Java.