Security

Uploaded by shwetasha03

- Assignments > Activity #14 – Create a DynamoDB due Thursday

Project Check-ins
- Check-in #2: 11/1 – 11/4
- Calendly links will be posted on Friday

- SQL (relational) vs NoSQL
- AWS DB managed services:
  - SQL - Amazon RDS
  - NoSQL - DynamoDB (Key-Value), Neptune (Graph), DocumentDB (Document)
  - Pros - Lower Total Cost of Ownership, higher quality as managed by AWS
  - Cons – Vendor lock-in
- Which is better?
  - SQL databases provide great benefits for transactional data whose structure doesn’t change frequently (or at all) and where data integrity is paramount
  - NoSQL databases provide much more flexibility and scalability, which lends itself to rapid development and iteration
  - Bottom-line: You’ll need to think about what your data looks like, how you’ll query your data, and the scalability you’ll need in the future

Security and Compliance in the Cloud

SWEN 514/614: Engineering Cloud Software Systems

Department of Software Engineering


Rochester Institute of Technology
Security is the top concern with organizations moving to the cloud…

Source: https://www.helpnetsecurity.com/2015/06/30/security-concerns-continue-to-dog-the-cloud-industry/
…and for good reason
- Accenture (2017) - World’s first Cyber Resilience startup UpGuard discovered in its Cyber Risk survey that Accenture left at least 4 AWS S3 storage buckets unsecured. As a result of this flaw, the data on these storage media was available for download. The data exposed in this security goof-up included authentication credentials, secret API data, digital certificates, decryption keys, customer data, and other meta info which could be easily used by cyber crooks to mint money.
- Verizon (2017) - Nice Systems, which is a 3rd party vendor working for Verizon, committed a configuration blunder on an AWS S3 bucket which exposed names, addresses, account details, and PIN numbers of millions of US-based Verizon customers.
- Booz Allen Hamilton (2017) - In this year, technology consulting firm Booz Allen hired UpGuard to carry out a security assessment on both its internal and external computer systems. To our surprise, the assessment discovered that 60,000 files were on public access in an AWS S3 bucket owned by an intelligence and defense contractor of Booz Allen.
- Election Systems & Software (ES&S) (2017) - Virtually every registered voter’s information from Chicago was available for public access when an engineer working for ES&S left the AWS S3 bucket open for public access. The data was in downloadable format and is said to have compromised personal info of more than 1.8 million Chicago voters so far.

Source: https://www.cybersecurity-insiders.com/top-5-cloud-security-related-data-breaches/
Cloud Data Breaches
- According to the 300 CISOs (Chief Information Security Officers) that participated in the survey, top concerns were:
  - Security misconfiguration
  - Lack of adequate visibility into access settings and activities
  - Identity and access management (IAM)
  - Permission errors

Source: https://www.helpnetsecurity.com/2020/06/03/cloud-data-breach/
So, who is at fault here?
- More than 100 million customers have had their data compromised by a hacker after a cloud misconfiguration at Capital One
- Thanks to a cloud misconfiguration, a hacker was able to access credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to ever hit a financial services company
- Amazon, for its part, pointed to the admission of misconfiguration in the court documents and the Capital One statement, with a spokesman telling Bloomberg that Capital One’s data was not accessed through a vulnerability in AWS systems
- “The Capital One breach is proof that companies have a lot to learn when it comes to deploying security technology effectively”

Source: https://threatpost.com/aws-arrest-data-breach-capital-one/146758/
What is the cloud provider (AWS) responsible for?
- Protecting the network through automated monitoring systems and robust internet access, to prevent Distributed Denial of Service (DDoS) attacks
- Performing background checks on employees who have access to sensitive areas
- Decommissioning storage devices by physically destroying them after end of life
- Ensuring the physical and environmental security of data centers, including fire protection and security staff

What are you responsible for?
- Implementing access management that restricts access to AWS resources like S3 and EC2 to a minimum
- Encrypting data at rest (e.g. database or other storage systems)
- Encrypting network traffic to prevent attackers from reading or manipulating data (for example, using HTTPS)
- Configuring a firewall for your virtual network that controls incoming and outgoing traffic with security groups and Access Control Lists (ACLs)
- Managing patches for the OS and additional software on virtual machines
  - AWS won’t apply updates for you on your EC2 instance – you are responsible for this
Shared Responsibility Model - Infrastructure
- AWS is responsible for security of the cloud
- The customer is responsible for security in the cloud

Shared Responsibility Model – Service Models

Shared Responsibility Model - Infrastructure
- Example of a typical Cloud Application
Another Security Challenge…Compliance
- HIPAA (Health Insurance Portability and Accountability Act) - a series of regulatory standards that outline the lawful use and disclosure of protected health information
- SOX (Sarbanes-Oxley Act) - established rules to protect the public from fraudulent or erroneous practices by corporations and other business entities
- GDPR (General Data Protection Regulation) - regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states
- PCI Compliance (Payment Card Industry) - applies to companies of any size that accept credit card payments
Key Questions that need to be answered for Compliance (and proven)
- Where in the world is the data center?
  - During an audit, you need to prove the location of your data along with the measures that are in place to protect it
- How do you enforce access controls?
  - An organization must be able to demonstrate the level of access that each user has and how those levels are maintained
  - It’s crucial for a cloud provider to have sound access controls in place and to implement them properly
- How are you protecting the data?
  - What type of encryption does a cloud provider use, and how and when is it applied?
  - Companies are responsible for the protection of data in motion and data at rest using proper encryption techniques

Source: https://www.cio.com/article/2901034/your-guide-to-compliance-in-the-cloud.html
Security on AWS
- Securing access to AWS services and resources
  - Identity and Access Management (IAM)
- Securing Applications
  - AWS Cognito
- Protecting Data through encryption
  - Key Management Service (KMS)
- Compliance
  - CloudTrail
Understanding Access Controls
- When you sign up for your own AWS account, you are the root user
  - For your AWS Academy account, you are not the root user
- The root user has unrestricted access to all AWS resources
  - Permissions are not restricted in any way
- As a best practice, you should lock the root user access so no one can access it
- Create users/groups that have more restrictive access
Identity and Access Management (IAM)
- IAM is an AWS service that helps an administrator securely control access to AWS resources
- IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use certain AWS resources
- AWS IAM provides the following:
  - Manage IAM users and their access
    - You can create users in IAM, assign them individual security credentials and manage permissions in order to control which operations a user can perform
  - Manage IAM roles and their permissions
    - You can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role
  - Manage federated users and their permissions
    - You can enable identity federation to allow existing identities (users, groups, and roles) to access the AWS Management Console, call AWS APIs, and access resources
Identity and Access Management (IAM) - Details
- IAM User
  - Used to authenticate people accessing your AWS account
- IAM Group
  - A collection of IAM users
- IAM Role
  - An IAM entity that defines a set of policies (permissions) for making AWS service requests
  - They are not associated with a specific IAM user or group
- IAM Policy
  - Used to define the permissions for a user, group or role
IAM Policy
- An IAM Policy is an entity that, when attached to an identity or resource, defines their permissions
- Policies are stored in AWS as JSON documents
- Policies can be either managed or inline
IAM Policy – Managed Policies
- Standalone identity-based policies that you can attach to users, groups, and roles in your AWS account. There are two types of managed policies:

  AWS managed policies                          | Customer managed policies
  ----------------------------------------------|------------------------------------------------
  Managed policies that are created and         | Managed policies that you create and manage in
  managed by AWS                                | your AWS account
  Example shown: full access to S3 for any      | Example shown: Get, List and Put permissions
  resource                                      | only, restricted to the resource that is named
                                                | estore-personalize
  There are hundreds of policies available      | They provide more precise control over your
                                                | policies than AWS managed policies
IAM Policy – Inline Policies
- An inline policy is added directly to a single user, group, or role
- They maintain a strict one-to-one relationship between a policy and an identity
- They are deleted when you delete the identity

Figure: 2 roles include the same policy, but they are not sharing a single policy; each role has its own copy of the policy

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
IAM Policy Categories

Policy Categories
- Define Boundary (defined by Admin or Security Team)
  - Organization Security Control Policy: defines the max permissions for account members of an organization
  - Permission boundary: defines the max permissions that the identity-based policies can grant to an entity
  - Session Policy: limits permissions for a created session
- Define Access (defined by Admin or Developers)
  - Identity-based Policy: grants permissions to an identity (user, group or role)
  - Resource-based Policy: attaches inline policies to AWS resources
IAM Policy Example - Lambda
- By default, your function needs access to Amazon CloudWatch Logs for log streaming, so a customer managed policy is automatically created
- For the “Create Lambda Function with S3” activity, you created a Lambda function that needs access to S3, so you used a managed policy

Managed Policy: AmazonS3FullAccess
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

Customer-Managed Policy: CloudWatch logging (automatically created)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:075837463923:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:075837463923:log-group:/aws/lambda/s3-test:*"
            ]
        }
    ]
}
Callouts on the slide: the first statement creates the log group; the second creates the log stream and log events; the Amazon Resource Name (ARN) identifies the specific Lambda function called s3-test
IAM Policy Example - Lambda
- These policies get grouped into an IAM Role that’s assigned to your Lambda function
- You did the same thing for the BONUS part of the “Create a DynamoDB” activity
IAM Role
- An IAM Role is an IAM identity that you can create in your account that has specific permissions (policies)
- Roles can be created to act as a proxy to allow users or services (e.g. EC2 instance or Lambda function) to access resources

Figure: a Policy is assigned to an IAM Role. Policy Details - Can delete EC2 instances if MFA is enabled
IAM Scenario #1 – User Access
- The ACME company has an AWS account and needs to define access for its 4 employees
- 1 employee can temporarily be the administrator (full access) for the development team
- The developers are only allowed to create EC2 and S3
- Due to budget constraints, developers are only allowed to create EC2 instances that are not larger than medium
- What’s needed for IAM?

Figure: IAM Users – Dev 1, Dev 2, Dev 3 & Dev 4 (ACME Developers); IAM User – Admin; IAM Group – ACME Developers; IAM Role – Admin; IAM Policy – S3 and EC2 (Customer Managed Policy); IAM Policy – Admin (Managed Policy)

{
    "Sid": "limitedSize",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
        "ForAnyValue:StringNotLike": {
            "ec2:InstanceType": [
                "*.nano",
                "*.small",
                "*.micro",
                "*.medium"
            ]
        }
    }
}
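The Deny statement above, the "delete EC2 instances only if MFA is enabled" rule from the IAM Role slide, and the explicit-Deny-beats-Allow behaviour the policy slides describe can all be exercised with the small evaluator below. It is an added example, not AWS's evaluation engine: it models only wildcard matching, Deny overriding Allow, implicit deny, and the two condition operators these slides use. The developers' Allow policy, the admin role's JSON, the account id 123456789012 and the instance types are constructed for the demo, and the Deny's Resource is written in the documented arn:aws:ec2:*:*:instance/* form.

```python
"""Added example, not AWS code: a reduced model of IAM policy evaluation.
Covered: '*' / '?' wildcards in Action and Resource, explicit Deny overriding
Allow, implicit deny when nothing allows, and the two condition operators the
slides use (Bool and ForAnyValue:StringNotLike). Real IAM has far more."""
import re


def _listify(value):
    """Action, Resource and Statement may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Every operator/key pair in a Condition block must be satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _listify(expected)]
            if key not in context:          # key absent from the request: no match
                return False
            values = [str(v) for v in _listify(context[key])]
            if operator == "Bool":
                if values[0].lower() != expected[0].lower():
                    return False
            elif operator == "ForAnyValue:StringNotLike":
                # holds when at least one request value matches none of the patterns
                if not any(all(not _match(p, v) for p in expected) for v in values):
                    return False
            else:
                raise NotImplementedError("operator %s is not modelled here" % operator)
    return True


def _applies(stmt, action, resource, context):
    """Does this Statement's Action, Resource and Condition cover the request?"""
    actions = [a.lower() for a in _listify(stmt.get("Action", []))]   # actions are case-insensitive
    if not any(_match(a, action.lower()) for a in actions):
        return False
    if not any(_match(r, resource) for r in _listify(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def is_allowed(policies, action, resource, context=None):
    """Evaluate every policy attached to the caller (user, group and role)."""
    context = context or {}
    allowed = False
    for doc in policies:
        for stmt in _listify(doc["Statement"]):
            if _applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False            # an explicit Deny always wins
                allowed = True
    return allowed                          # nothing allowed it: implicit deny


# Constructed: the ACME developers' customer-managed Allow (the slide states
# it in words only: "only allowed to create EC2 and S3").
DEV_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

# The slide's "limitedSize" Deny, with the Resource in the documented form.
DEV_SIZE_LIMIT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "limitedSize",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"ForAnyValue:StringNotLike": {
            "ec2:InstanceType": ["*.nano", "*.small", "*.micro", "*.medium"]}},
    }],
}

# Constructed from the IAM Role slide: delete EC2 instances only with MFA.
ADMIN_MFA_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/*"   # constructed account id


def developer_can_run(instance_type):
    """RunInstances request by a developer for the given instance type."""
    return is_allowed([DEV_ALLOW, DEV_SIZE_LIMIT], "ec2:RunInstances", INSTANCE,
                      {"ec2:InstanceType": instance_type})


def admin_can_terminate(mfa_present):
    """TerminateInstances by the admin role, with or without MFA in the session."""
    return is_allowed([ADMIN_MFA_DELETE], "ec2:TerminateInstances", INSTANCE,
                      {"aws:MultiFactorAuthPresent": mfa_present})


if __name__ == "__main__":
    for itype in ("t3.micro", "m5.xlarge"):
        print(itype, "->", "allowed" if developer_can_run(itype) else "DENIED by limitedSize")
    print("terminate with MFA:", admin_can_terminate(True), "/ without:", admin_can_terminate(False))
```

Two things worth noticing when running it: the developers' broad ec2:* Allow does not help once the Deny's condition is met (a Deny cannot be overridden by adding more Allows), and an action no policy mentions, such as iam:CreateUser, is refused without any Deny at all.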
IAM Example #2 – Resource Access
- Application on EC2 requires read-only access to S3 “image” bucket
- What’s needed for IAM?

Figure: IAM Role – AccessS3Image with IAM Policy – S3 Read-only; the EC2 instance runs with Role: AccessS3Image; the app retrieves role credentials from the EC2 instance metadata; the application can use the role credentials to read the S3 “image” bucket
IAM Example #2 – Application Access
- IAM Role can be assigned while creating instances or through other configurations (CLI, CloudFormation, etc.)
IAM Best Practices
- Enable multi-factor authentication (MFA) for privileged users
  - Presenting two or more pieces of evidence (or factors) to an authentication mechanism
- Use Policy Conditions for Extra Security
  - Policies are a set of JSON statements which provide certain permissions to users, so to add more security, specific ‘Conditions’ can be added to policies
- Remove Unnecessary Credentials (Principle of Least Privilege)
  - Regularly audit user credentials and remove them in case they are not in use
- Use AWS-Defined Policies to Assign Permissions
  - A major benefit of using these policies is the auto-update functionality as new or updated policies are introduced
- Use Groups to Assign Permissions to IAM Users
  - Managing permissions is not only easier but more secure and manageable
  - For example, whenever there are inter-departmental moves, one simply needs to place the individual in another group rather than redefining the whole set of permissions
Securing Your Applications with AWS Cognito
- User Identity and Data Synchronization service
  - Manage user data across multiple mobile or connected devices
  - User data can be app preferences, game states, etc.
- Provide a secure user directory that scales to hundreds of millions of users
- The two main components of Amazon Cognito are user pools and identity pools
AWS Cognito – User Pools
- You can enable your users to authenticate with a user pool
- Your app users can sign in either directly through a user pool, or federate through a third-party identity provider (IdP)
- The user pool manages the overhead of handling the tokens that are returned from social sign-in through Facebook, Google, Amazon, and Apple, and from OpenID Connect (OIDC) and SAML IdPs

Source: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html
AWS Cognito – Identity Pools
- Identity pools are for authorization (access control)
- You can use identity pools to create unique identities for users and give them access to other AWS services

Source: https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
Protecting Data with Encryption – Overview
- To encrypt a data message, you need a key to start an encryption and you need a key to decrypt the message
- If someone is listening and hijacks the data, they can’t read it because they don’t have the proper keys to unlock the message

Some of the most widely used encryption algorithms are AES-128, AES-192, and AES-256

Figure captions: (left) in this type of encryption, both the sender and the receiver need to have the same key in order to make an encryption or decryption; (right) this type of encryption has two keys, one public and one private; the public key is available to anyone who wants to send you data, but only the receiver has the private key, so only the owner of that key can decrypt the message
Encryption on AWS
- Encrypting data at rest is vital for regulatory compliance to ensure that sensitive data saved on disks is not readable by any user or application without a valid key
- Some compliance regulations such as PCI and HIPAA require that data at rest be encrypted throughout the data lifecycle
- AWS Key Management Service (KMS) is a fully managed service that makes it easy to create and control encryption keys on AWS which can then be utilized to encrypt and decrypt data in a safe manner
Encryption on AWS - Example
1. The administrator encrypts a secret password by using KMS
2. The administrator puts the file containing the encrypted password in an S3 bucket
3. At instance boot time, the instance copies the encrypted file to an internal disk
4. The EC2 instance then decrypts the file using KMS and retrieves the secret password.
   The password is used to configure the Linux encrypted file system.
   All data written to the encrypted file system is encrypted by using an AES-256 encryption algorithm when stored on disk.

Source: https://dev.to/matchilling/pragmatically-storing-security-sensitive-data-using-aws-kms-5e5b
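The four steps above, run end to end with a simulated KMS so the example works offline. This is an added example, not AWS code or the article's: the point it demonstrates is that the master key never leaves the key service (the administrator and the instance only ever hold ciphertext blobs) and that kms:Decrypt is gated on which principal asks, which is the "KMS plus IAM policy" layering the next slide describes. Python's standard library has no AES, so the cipher inside the simulated KMS is an HMAC-SHA256 keystream in counter mode with an HMAC integrity tag, a constructed stand-in for the AES-256 the slide mentions; the key id, role name, bucket contents and secret value are all made up.

```python
"""Added example, not AWS code: slide steps 1-4 against a simulated KMS."""
import base64
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    """PRF (HMAC-SHA256) in counter mode; a nonce is never reused with a key."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master):
    """Derive separate encryption and authentication keys from the master key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _seal(master, plaintext):
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def _open(master, blob):
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKms:
    """Stand-in for KMS: master keys stay inside; Decrypt is gated per principal."""

    def __init__(self):
        self._keys = {}          # key id -> master key bytes, never handed out
        self._decrypters = {}    # key id -> principals allowed kms:Decrypt

    def create_key(self, key_id, decrypt_principals):
        self._keys[key_id] = os.urandom(32)
        self._decrypters[key_id] = set(decrypt_principals)

    def encrypt(self, key_id, plaintext):
        """Step 1: returns a blob the administrator can store as a file."""
        blob = _seal(self._keys[key_id], plaintext)
        return json.dumps({"KeyId": key_id, "CiphertextBlob": base64.b64encode(blob).decode()})

    def decrypt(self, principal, ciphertext_file):
        """Step 4: the key id rides inside the blob; the caller names no key."""
        doc = json.loads(ciphertext_file)
        if principal not in self._decrypters[doc["KeyId"]]:
            raise PermissionError("%s may not kms:Decrypt with %s" % (principal, doc["KeyId"]))
        return _open(self._keys[doc["KeyId"]], base64.b64decode(doc["CiphertextBlob"]))


SECRET = b"constructed-filesystem-passphrase"      # the "secret password" of step 1
FS_ROLE = "role/EncryptedFsInstance"                # constructed role name


def boot_and_fetch_secret(instance_role, tamper=False):
    """Run steps 1-4 for an instance running under `instance_role`."""
    kms = SimulatedKms()
    kms.create_key("filesystem-key", decrypt_principals={FS_ROLE})
    bucket = {"secret.enc": kms.encrypt("filesystem-key", SECRET)}   # steps 1-2; dict stands in for S3
    local_copy = bucket["secret.enc"]                                # step 3: copy to internal disk
    if tamper:                                                       # simulate a modified file
        doc = json.loads(local_copy)
        raw = bytearray(base64.b64decode(doc["CiphertextBlob"]))
        raw[20] ^= 0x01                                              # flip one ciphertext bit
        doc["CiphertextBlob"] = base64.b64encode(bytes(raw)).decode()
        local_copy = json.dumps(doc)
    return kms.decrypt(instance_role, local_copy)                    # step 4


def decrypt_outcome(instance_role, tamper=False):
    """Summarise what the instance gets: the secret, an access denial, or a tamper alarm."""
    try:
        return "secret" if boot_and_fetch_secret(instance_role, tamper) == SECRET else "wrong-secret"
    except PermissionError:
        return "access-denied"
    except ValueError:
        return "tampered"


if __name__ == "__main__":
    print("instance role:", decrypt_outcome(FS_ROLE))
    print("other role:   ", decrypt_outcome("role/OtherInstance"))
    print("edited file:  ", decrypt_outcome(FS_ROLE, tamper=True))
```

The integrity tag matters for this workflow: without it, a modified file in the bucket would decrypt to garbage and the instance would silently configure its file system with the wrong passphrase instead of failing at boot.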
AWS KMS integration
- Several AWS services such as S3 (see right), Elastic Block Store (EBS), Amazon Relational Database Service (RDS) and DynamoDB integrate with KMS
- These can be combined with IAM policies to provide another layer of control

Figure: You can set encryption under “Properties” for your S3 bucket
Why not just encrypt everything?
- You could easily encrypt data when you write it to disk, when you send it down a wire, and so on
- Encrypting everything in a comprehensive way considerably reduces your exposure to data theft. Hackers can’t cover their tracks because they’re not able to decrypt the log files
- Encryption poses a performance penalty, so be sure to focus encryption on specific data that needs protection
Compliance and Audit - CloudTrail
- AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account
- It provides event history of your AWS account activity, including actions taken through the AWS Management Console, SDKs, command line tools, and other AWS services
- It can also provide the logs of all key usage, which may be required for regulatory and compliance needs
- This event history simplifies security analysis, resource change tracking, and troubleshooting to even detect unusual activity in your AWS accounts
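What "detecting unusual activity" from the event history looks like in practice: three small detection rules run over a handful of CloudTrail-style records. This is an added example, not AWS code. The field names (eventName, eventSource, userIdentity, additionalEventData, requestParameters) follow the CloudTrail record format, but the records themselves, the user names, IP addresses and trail name are constructed, and real records carry many more fields than shown.

```python
"""Added example, not AWS code: detection rules over constructed CloudTrail records."""
import json

# Constructed records, reduced to the fields the rules read.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "sourceIPAddress": "198.51.100.8",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "dev2"},
     "requestParameters": {"bucketName": "image", "AccessControlPolicy": {"AccessControlList": {
         "Grant": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}]}}}},
    {"eventID": "e4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev2"},
     "requestParameters": {"name": "main-trail"}},
    {"eventID": "e5", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
]})

PUBLIC_GRANTEES = ("http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
TRAIL_TAMPER = ("StopLogging", "DeleteTrail", "UpdateTrail")


def rule_console_login(ev):
    """Root should be locked away (slide 19) and privileged users should use MFA (slide 32)."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    who = ev["userIdentity"]
    mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    if who.get("type") == "Root":
        return "root account console login" + ("" if mfa else " without MFA")
    if not mfa:
        return "console login without MFA by %s" % who.get("userName", "?")
    return None


def rule_public_bucket_acl(ev):
    """The S3 misconfiguration behind the breaches on the earlier slides."""
    if ev.get("eventName") != "PutBucketAcl":
        return None
    params = ev.get("requestParameters", {})
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    public = [g["Permission"] for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]
    if public:
        return "bucket %s ACL grants %s to a public group" % (params.get("bucketName"), ",".join(public))
    return None


def rule_trail_tampering(ev):
    """Changes to the audit trail itself deserve a finding of their own."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in TRAIL_TAMPER:
        return "audit trail %s on %s" % (ev["eventName"], ev.get("requestParameters", {}).get("name"))
    return None


RULES = (rule_console_login, rule_public_bucket_acl, rule_trail_tampering)


def analyze(trail_json):
    """Return (eventID, finding) pairs for every record any rule flags."""
    findings = []
    for ev in json.loads(trail_json)["Records"]:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev["eventID"], msg))
    return findings


if __name__ == "__main__":
    for event_id, finding in analyze(SAMPLE_TRAIL):
        print(event_id, finding)
```

Of the five records, the MFA-backed login by dev1 and the ordinary RunInstances pass cleanly; the root login without MFA, the public bucket ACL and the StopLogging call each produce a finding.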
How secure are you?
- Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS
- Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices
- After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity

Note this only applies to EC2
How secure are you?
- AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices
- For Security, Trusted Advisor scans for the following:
  - Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports
  - Checks security groups for rules that allow unrestricted access to a resource
  - Checks buckets in S3 that have open access permissions
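The three checks listed above, written out as an added example (not Trusted Advisor's code) over constructed data shaped like the `describe-security-groups` and `get-bucket-acl` API responses: the field names are the real ones, the group ids, bucket names and CIDR ranges are made up. The severity split is an assumption of this example: a rule open to 0.0.0.0/0 or ::/0 on every port, or on an administrative or database port, is reported as high, while an open web port is reported for information only.

```python
"""Added example, not Trusted Advisor's code: security-group and S3 ACL checks."""

SECURITY_GROUPS = [  # constructed; shape of describe-security-groups output
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

BUCKET_ACLS = {  # constructed; shape of get-bucket-acl output
    "image": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
    "private-data": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}]},
}

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports where "open to the world" is almost never intended (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}
PUBLIC_GRANTEES = ("http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")


def unrestricted_rules(groups):
    """Checks 1 and 2: inbound rules whose source is any IPv4 or IPv6 address."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
                     [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            if not any(c in ANYWHERE for c in cidrs):
                continue
            if rule["IpProtocol"] == "-1":                  # "-1" means all protocols and ports
                severity, ports = "high", "all"
            else:
                lo, hi = rule["FromPort"], rule["ToPort"]
                ports = "%d" % lo if lo == hi else "%d-%d" % (lo, hi)
                hits = any(p in SENSITIVE_PORTS for p in range(lo, hi + 1))
                severity = "high" if hits else "info"
            findings.append({"GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                             "ports": ports, "source": ",".join(cidrs), "severity": severity})
    return findings


def public_buckets(acls):
    """Check 3: buckets whose ACL grants anything to AllUsers or AuthenticatedUsers."""
    return sorted(name for name, acl in acls.items()
                  if any(g["Grantee"].get("URI") in PUBLIC_GRANTEES for g in acl["Grants"]))


if __name__ == "__main__":
    for f in unrestricted_rules(SECURITY_GROUPS):
        print("[%s] %s (%s): ports %s open to %s" % (
            f["severity"], f["GroupId"], f["GroupName"], f["ports"], f["source"]))
    print("public buckets:", public_buckets(BUCKET_ACLS))
```

The bucket ACL check is only half of the S3 story: an account-level or bucket-level Public Access Block setting, when enabled, overrides such grants, so a production check would read that setting as well before reporting.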
- Going back to your scenarios, you’ve been asked to identify what areas might have security risks and what your plan is to address them
  - What type of Compliance issues would you need to deal with?
  - Identify 2-3 potential security issues/threats that might be associated with your scenario
  - What features of IAM could help with your scenario?
  - What other types of checks or precautions would you recommend in order to protect against these threats?
- You have ~10 minutes to discuss a plan
  - Download the template from Assignments > Activity #15 - Security Plan
  - 1 submission per team
  - Scenarios located at: Assignment > Activity #7 > Cost Estimating Scenarios
