
Comprehensive Study Guide: Common Security Threats in AWS Networking

This guide covers the critical security landscape for the AWS Certified Advanced Networking Specialty (ANS-C01), focusing on identifying threats, understanding mitigation strategies, and leveraging AWS native security services.


Learning Objectives

By the end of this module, you should be able to:

  • Identify and define the most common security threats facing cloud and hybrid architectures.
  • Evaluate threat models for application architectures including infrastructure, APIs, and third-party services.
  • Map specific AWS security services (e.g., WAF, Shield, GuardDuty) to the threats they mitigate.
  • Differentiate between various network-level security controls such as Security Groups, NACLs, and Network Firewalls.
  • Understand the role of logging and monitoring in threat detection and incident response.

Key Terms & Glossary

  • Advanced Persistent Threat (APT): A sophisticated, long-term, and targeted cyberattack where an intruder gains access to a network and remains undetected for an extended period.
  • Cryptojacking: The unauthorized use of a victim's compute resources (like EC2 instances) to mine cryptocurrency, leading to performance degradation and high costs.
  • Denial of Service (DoS): An attack meant to shut down a machine or network, making it inaccessible to its intended users by overwhelming it with traffic.
  • In-Transit Encryption: The process of protecting data while it moves across a network, typically using SSL/TLS protocols.
  • Misconfigured Security Control: An error in the setup of security tools (e.g., an overly permissive Security Group or public S3 bucket) that creates an entry point for attackers.

The "Big Idea"

[!IMPORTANT] Security in the cloud is a Shared Responsibility. While AWS secures the infrastructure "of" the cloud, you are responsible for security "in" the cloud. In a hybrid networking environment, vulnerabilities are transitive: a breach on-premises can traverse a VPN or Direct Connect to infiltrate your AWS environment, and vice versa.


Formula / Concept Box

Service / Protocol | Primary Function                             | Layer of Defense
SSL/TLS            | Encrypts data in flight                      | Application/Session
AWS WAF            | Filters web traffic (Layer 7) based on rules | Application
AWS Shield         | Managed DDoS protection                      | Infrastructure/Edge
Security Groups    | Stateful instance-level firewall             | Network (Instance)
NACLs              | Stateless subnet-level firewall              | Network (Subnet)
AWS GuardDuty      | Intelligent threat detection using ML        | Management/Audit

Hierarchical Outline

  1. Foundational Threat Landscape
    • External Threats: Account hijacking, APTs, malware, and viruses.
    • Internal Threats: Insider threats (intentional or accidental data theft) and third-party provider risks.
    • Resource Misuse: Cryptojacking and unauthorized access.
  2. Network-Level Attacks
    • DoS/DDoS: Volumetric and application-layer exhaustion.
    • Man-in-the-Middle (MITM): Interception of traffic in transit.
  3. The Mitigation Strategy
    • Inbound Protection: WAF, Shield, Network Firewall.
    • Outbound Protection: Proxy servers, Gateway Load Balancers (GWLB), Network Firewall.
    • Logging & Analysis: VPC Flow Logs, CloudTrail, Amazon Athena.

Visual Anchors

Threat Mitigation Workflow: diagram not reproduced in this text version.

Secure Application Flow Architecture

Below is a representation of a multi-tier secure architecture using TikZ. Traffic enters through the edge (Shield/CloudFront), is filtered by WAF, and reaches the VPC at the ALB; only the app tier talks to the DB tier, and each tier is fenced by its own Security Group, so the database is never reachable from the load balancer or the internet.

\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, text centered, minimum width=3cm, minimum height=1cm}]
  \node (internet) {Internet};
  \node (shield) [below of=internet] {AWS Shield / CloudFront};
  \node (waf) [below of=shield] {AWS WAF};
  \node (alb) [below of=waf] {Application Load Balancer};
  \node (app) [below of=alb, xshift=-2cm] {App Tier (SG)};
  \node (db) [below of=alb, xshift=2cm] {DB Tier (SG)};

  \draw[->, thick] (internet) -- (shield);
  \draw[->, thick] (shield) -- (waf);
  \draw[->, thick] (waf) -- (alb);
  \draw[->, thick] (alb) -- (app);
  \draw[->, thick] (app) -- (db);
  % The VPC boundary encloses the ALB and the two tiers; Shield, CloudFront and WAF are edge services outside the VPC.
  \draw[dashed] (-5,-5) rectangle (5,-9);
  \node[draw=none] at (4,-5.3) {\small VPC};
\end{tikzpicture}


Definition-Example Pairs

  • Account Hijacking
    • Definition: Gaining access to an authorized user's credentials to manipulate cloud resources.
    • Example: An employee falls for a phishing email, giving their IAM password to an attacker who then launches 100 high-end EC2 instances for crypto mining.
  • Misconfigured Security Controls
    • Definition: Security settings that are either left at default or configured too broadly, allowing unintended access.
    • Example: Creating a Security Group for a database that allows 0.0.0.0/0 on port 3306, exposing the database to the entire internet.
  • Insider Threat
    • Definition: Damage caused by individuals with legitimate access to the organization's systems.
    • Example: A disgruntled sysadmin exports a sensitive S3 bucket to a personal account before leaving the company.
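A check for the misconfiguration in the second pair above, as an added example that is not part of the original study guide: it scans the ingress rules of a set of security groups for sources of 0.0.0.0/0 or ::/0 and reports any rule whose port span is not a single expected public port. The security-group data is a constructed sample shaped like the EC2 DescribeSecurityGroups response (in practice the same function would be fed the "SecurityGroups" list that boto3 returns), and PUBLIC_OK_PORTS is an assumption for a web tier that should be adjusted per environment.

```python
"""Audit security-group ingress rules for world-open access.

Added example, not from the original study guide. Runs offline on a
constructed sample shaped like the EC2 DescribeSecurityGroups response.
"""
from ipaddress import ip_network

# Assumption: on a public web tier, 80 and 443 open to the world are expected.
PUBLIC_OK_PORTS = {80, 443}


def _is_anywhere(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero covers every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """(low, high) port span of a permission; IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_world_open_rules(security_groups, public_ok_ports=PUBLIC_OK_PORTS):
    """Return findings for ingress rules reachable from any IPv4/IPv6 address.

    A rule is a finding when its source is /0 and the port span is not exactly
    one port listed in public_ok_ports: /0 on 443 for an ALB is intended,
    /0 on 3306 (MySQL), 22 (SSH) or 'all traffic' is the classic mistake.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if _is_anywhere(s)]
            if not world:
                continue
            lo, hi = _port_range(perm)
            if lo == hi and lo in public_ok_ports:
                continue
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": perm.get("IpProtocol"),
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "sources": world,
            })
    return findings


# Constructed sample data (not output from a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "mysql-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_GROUPS):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} "
              f"{f['ports']} open to {', '.join(f['sources'])}")
```

The web-alb group is not reported because /0 on exactly 443 is the intended public entry point; the database group and the "all traffic" rule on the bastion are. Widening the check to "any source wider than /16" is a one-line change to `_is_anywhere` if your policy forbids large ranges too.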

Worked Examples

Scenario: Mitigating a Layer 7 DDoS Attack

Problem: A web application behind an Application Load Balancer (ALB) is experiencing a surge in HTTP GET requests from a distributed botnet, causing the target EC2 instances to become unresponsive.

Step-by-Step Breakdown:

  1. Identification: Use the ALB's CloudWatch metrics (RequestCount, TargetResponseTime, HTTPCode_Target_5XX_Count) to confirm the surge, then look for source IP concentration. VPC Flow Logs on the ALB's network interfaces show which client IPs dominate at the packet level; ALB access logs record the client IP per HTTP request and are the better source for request counts.
  2. Mitigation (Edge): Create an AWS WAF web ACL and associate it with the ALB.
  3. Rule Creation: Implement a Rate-based rule in WAF to limit the number of requests from a single IP address (e.g., 2000 requests per 5 minutes).
  4. Verification: Monitor the BlockedRequests metric in WAF to ensure the botnet traffic is being dropped while legitimate users regain access.
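The identification and rule-creation steps above, carried through in code as an added example that is not part of the original study guide. The flow-log lines are constructed samples in the default VPC Flow Logs record format; `top_sources` ranks source IPs by packets accepted to the listening port inside a time window (packets are a proxy for request volume, not an HTTP request count, so confirm with ALB access logs or WAF sampled requests before blocking), and `rate_based_rule` builds the Rule object in the shape the WAFV2 CreateWebACL/UpdateWebACL API takes in its Rules list. Nothing is sent to AWS; the rule name and the Block action are assumptions.

```python
"""Find traffic concentration in VPC Flow Logs and build a WAF rate-based rule.

Added example, not from the original study guide. Log lines are constructed.
"""
from collections import Counter

# Field order of the default VPC Flow Logs format (version 2).
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed sample: two heavy sources, one normal client, one rejected SSH
# probe, and a NODATA record, all on the ALB's network interface.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 43218 443 6 4200 336000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 43219 443 6 3900 312000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51000 443 6 4100 328000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.20 52233 443 6 18 1600 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.45 10.0.1.20 52234 22 6 3 180 1700000030 1700000090 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000600 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow records; NODATA/SKIPDATA records carry no traffic."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def top_sources(records, dst_port=443, window_start=None, window_end=None, threshold=2000):
    """Source IPs whose accepted packets to dst_port within the window reach threshold.

    A record counts if its [start, end] interval overlaps the window. Returned
    as (ip, packets) pairs, heaviest first.
    """
    counts = Counter()
    for r in records:
        if r["action"] != "ACCEPT" or r["dstport"] != dst_port:
            continue
        if window_start is not None and r["end"] < window_start:
            continue
        if window_end is not None and r["start"] > window_end:
            continue
        counts[r["srcaddr"]] += r["packets"]
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def rate_based_rule(name, limit, priority=0):
    """WAFV2 Rule object: block any source IP exceeding `limit` requests per 5 minutes.

    Assumption: Block is the chosen action; Count is the safer first step when
    tuning the limit on production traffic.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOGS)
    for ip, packets in top_sources(recs):
        print(f"{ip}: {packets} packets to 443")
    print(rate_based_rule("BotnetRateLimit", 2000, priority=1))
```

With the metric name set in VisibilityConfig, the BlockedRequests metric for this rule is what step 4 watches in CloudWatch; a limit of 2000 over the five-minute window matches the value used in step 3.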

Checkpoint Questions

  1. Which AWS service is best suited for detecting "unusual" API calls or login patterns across your entire account?
  2. In a hybrid network, why is a vulnerability in an on-premises data center a risk to your AWS VPC?
  3. What is the primary difference between how a Security Group and a Network ACL (NACL) handle traffic rules?
  4. How does "Cryptojacking" impact an organization beyond just security risks?
Answers:
  1. Amazon GuardDuty (it analyzes CloudTrail, VPC Flow Logs, and DNS logs).
  2. Because hybrid networks provide a common architecture where vulnerabilities can traverse the network (e.g., via VPN or Direct Connect) to affect cloud operations.
  3. Security Groups are stateful (return traffic is automatically allowed) and apply at the instance level. NACLs are stateless (return traffic must be explicitly allowed) and apply at the subnet level.
  4. It causes performance degradation (slowing down legitimate apps) and significant financial costs due to unintended compute resource usage.

Muddy Points & Cross-Refs

  • WAF vs. Shield: This is often confused. Remember: WAF is for application-layer filtering (SQL injection, XSS, rate limiting). Shield Standard is for infrastructure-layer (L3/L4) DDoS protection and is on by default for all AWS customers.
  • Stateful vs. Stateless: Security Groups contain only allow rules, so a port that is not allowed is blocked, and when a port is allowed the reply traffic for that connection is automatically allowed regardless of the rules in the other direction. NACLs have numbered allow and deny rules evaluated in ascending order (first match wins, default deny), and they keep no connection state, so you must write both inbound and outbound rules yourself, including the ephemeral port range (1024-65535) that reply traffic uses.
  • Deep Dive Reference: For more on threat modeling, refer to the AWS Well-Architected Framework (Security Pillar) documentation mentioned in the source materials.
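A simulation of the two evaluation models from the Stateful vs. Stateless point, added here as an example that is not part of the original study guide and involving no real AWS API. The Security Group model is an allow-list where any matching rule permits a packet and a permitted connection is tracked so its reply is permitted; the NACL model evaluates numbered allow/deny rules in ascending order, first match wins, with an implicit deny and no connection tracking. The web server, client addresses, ports and rule numbers are constructed for the scenario.

```python
"""Why a Security Group allows an HTTPS reply that a NACL can drop.

Added example, not from the original study guide. Simplified model only.
"""
from ipaddress import ip_address, ip_network


def _match(rule, protocol, remote_ip, port):
    """Shared CIDR/protocol/port match used by both firewall models."""
    if rule["protocol"] not in ("-1", protocol):
        return False
    if ip_address(remote_ip) not in ip_network(rule["cidr"]):
        return False
    lo, hi = rule.get("ports", (0, 65535))
    return lo <= port <= hi


def _rule_port(pkt):
    # Rules are written against the destination port: the instance's own port
    # for inbound traffic, the remote peer's port for outbound traffic.
    return pkt["local_port"] if pkt["direction"] == "in" else pkt["remote_port"]


def packet(direction, remote_ip, remote_port, local_port, protocol="tcp"):
    return {"direction": direction, "protocol": protocol, "remote_ip": remote_ip,
            "remote_port": remote_port, "local_port": local_port}


class SecurityGroup:
    """Stateful: allow-only rules, any match permits, replies follow the connection."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()  # connections already permitted in either direction

    def allows(self, pkt):
        key = (pkt["protocol"], pkt["remote_ip"], pkt["remote_port"], pkt["local_port"])
        if key in self.tracked:
            return True
        if any(_match(r, pkt["protocol"], pkt["remote_ip"], _rule_port(pkt))
               for r in self.rules[pkt["direction"]]):
            self.tracked.add(key)
            return True
        return False


class NetworkACL:
    """Stateless: numbered allow/deny rules, lowest matching number wins, default deny."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r["number"]),
                      "out": sorted(outbound, key=lambda r: r["number"])}

    def allows(self, pkt):
        for r in self.rules[pkt["direction"]]:
            if _match(r, pkt["protocol"], pkt["remote_ip"], _rule_port(pkt)):
                return r["action"] == "allow"
        return False


def https_handshake(firewall, client_ip="198.51.100.7", client_port=51515):
    """Client SYN to the server's port 443, then the server's reply: (request_ok, reply_ok)."""
    request_ok = firewall.allows(packet("in", client_ip, client_port, 443))
    reply_ok = firewall.allows(packet("out", client_ip, client_port, 443))
    return request_ok, reply_ok


ANY = "0.0.0.0/0"
ALLOW_443_IN = {"number": 100, "action": "allow", "protocol": "tcp", "cidr": ANY, "ports": (443, 443)}

# Web server SG: inbound 443 from anywhere, no outbound rules at all.
WEB_SG = SecurityGroup(inbound=[{"protocol": "tcp", "cidr": ANY, "ports": (443, 443)}], outbound=[])

# Common mistake: 'allow 443 outbound' does not cover replies, which go to the client's ephemeral port.
MISCONFIGURED_NACL = NetworkACL(
    inbound=[ALLOW_443_IN],
    outbound=[{"number": 100, "action": "allow", "protocol": "tcp", "cidr": ANY, "ports": (443, 443)}])
FIXED_NACL = NetworkACL(
    inbound=[ALLOW_443_IN],
    outbound=[{"number": 100, "action": "allow", "protocol": "tcp", "cidr": ANY, "ports": (1024, 65535)}])

# Rule order matters: a deny numbered after a matching allow is shadowed and never fires.
DENY_BAD_NET = {"action": "deny", "protocol": "tcp", "cidr": "203.0.113.0/24", "ports": (443, 443)}
SHADOWED_DENY_NACL = NetworkACL(inbound=[ALLOW_443_IN, {**DENY_BAD_NET, "number": 110}],
                                outbound=FIXED_NACL.rules["out"])
EFFECTIVE_DENY_NACL = NetworkACL(inbound=[ALLOW_443_IN, {**DENY_BAD_NET, "number": 90}],
                                 outbound=FIXED_NACL.rules["out"])

if __name__ == "__main__":
    for name, fw in [("SG", WEB_SG), ("misconfigured NACL", MISCONFIGURED_NACL),
                     ("fixed NACL", FIXED_NACL)]:
        print(name, "request/reply allowed:", https_handshake(fw))
    print("shadowed deny:", https_handshake(SHADOWED_DENY_NACL, client_ip="203.0.113.5"))
    print("effective deny:", https_handshake(EFFECTIVE_DENY_NACL, client_ip="203.0.113.5"))
```

The misconfigured NACL accepts the client's request and silently drops the server's reply, which is exactly the symptom (connections hang) you see when a subnet's NACL lacks the ephemeral outbound range; the Security Group with no outbound rules at all still lets the reply through. The last two cases show that in a NACL a deny only takes effect if its number is lower than the allow it is meant to override.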

Comparison Tables

Infrastructure Protection Services

Feature         | AWS WAF                  | AWS Shield (Advanced)       | AWS Network Firewall
OSI Layer       | Layer 7 (Application)    | Layers 3, 4, and 7          | Layers 3 through 7
Protection Type | Web exploits (SQLi, XSS) | Advanced DDoS protection    | Deep Packet Inspection (DPI), URL filtering
Scaling         | Automatic                | Automatic                   | Managed high availability
Use Case        | Protecting HTTP/S apps   | High-value public endpoints | Full VPC traffic inspection
