Let's say I have an imaginary website: https://myimaginarywebsite.com.
If I try to exploit it, and I make massive concurrent GET requests (source is just one IP), would WAF have a feature to prevent this?
Since this is technically valid traffic but an abnormal pattern, I'm curious how AWS WAF handles this.
Is there an already built-in WAF feature we can just add to prevent this, or do we still have to tune this in WAF?
Yes, WAF can handle HTTP floods with rate based rules.
The AWS Security Automations quick start found here, and associated docs found here, provide a great template starting point and example of some of the features you can configure in AWS WAF.
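As an added example (not code from the answer above or from the Security Automations template), the block below does two things: it builds the rate-based rule in the JSON shape that boto3's `wafv2.create_web_acl` / `update_web_acl` take in their `Rules` list, and it models how such a rule counts requests (a trailing window per source IP, blocking once the count exceeds the limit) so you can try a threshold against your own traffic before deploying it. The request log is constructed; the 5-minute window and the per-IP counting are the documented behaviour of rate-based rules, while the exact evaluation cadence inside WAF is simplified here.

```python
"""WAFv2 rate-based rule definition plus a local model of its counting.

Added example; the traffic sample is constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # rate-based rules count requests over a trailing 5-minute window


def rate_limit_rule(name: str, limit: int, priority: int = 0) -> dict:
    """Rule dict for the Rules=[...] argument of wafv2.create_web_acl().

    Blocks any single source IP that sends more than `limit` requests
    within the window. AggregateKeyType="IP" keys on the connecting IP;
    use "FORWARDED_IP" (with a ForwardedIPConfig) when a proxy sits in front.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def simulate(requests, limit):
    """Simplified model of the rule: requests is an iterable of
    (epoch_seconds, source_ip) in time order; returns
    (ts, ip, "ALLOW" | "BLOCK") per request."""
    recent = defaultdict(deque)
    decisions = []
    for ts, ip in requests:
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop requests that fell out of the window
        decisions.append((ts, ip, "BLOCK" if len(window) > limit else "ALLOW"))
    return decisions


def count_blocked(requests, limit):
    return sum(1 for _, _, verdict in simulate(requests, limit) if verdict == "BLOCK")


# Constructed traffic: one IP fires 150 GETs in ten seconds (15 per second),
# a second IP sends one request per minute.
FLOOD = [(1000 + i // 15, "203.0.113.7") for i in range(150)]
NORMAL = [(1000 + 60 * i, "198.51.100.20") for i in range(5)]
SAMPLE = sorted(FLOOD + NORMAL)

if __name__ == "__main__":
    print(rate_limit_rule("http-flood", 100))
    print("blocked:", count_blocked(SAMPLE, 100))  # prints 50: requests 101-150 from the flooding IP
```

With a limit of 100 the flooding address is blocked from its 101st request onward while the slow client is never touched, which is the "valid but abnormal" distinction the question asks about; the rule applies to all requests regardless of path or method unless you add a `ScopeDownStatement` to the `RateBasedStatement`.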
I am trying to find out if it is correct to say that - In AWS we can only perform vulnerability scanning for EC2 instances.
From my research, it seems like there can be pen tests on other AWS services, but vulnerability scanning seems to be focused on EC2? (https://aws.amazon.com/security/penetration-testing/). If so, would it be safe to assume that vulnerability scans can only be focused on EC2 instances, but also periodic pen tests on the AWS services listed in the link above?
Any help is appreciated.
You are correct in seeking out pentesting which goes beyond EC2. However, the type of testing (if any) is highly dependent on which specific services you use.
It's very common that pentests do not cover all services only because they are improperly scoped. Not all AWS services will be relevant to a penetration test, but some may be critical. Here are some worthwhile misconfigurations to consider:
S3 - Buckets have their own access controls and unique API. Without insight to bucket names and AWS expertise, a pentester cannot determine if they are misconfigured. It is fairly common for buckets to allow access to AllUsers which is very dangerous.
RDS - You should make sure that databases are not publicly accessible from the internet (for obvious reasons).
Cognito, SNS, SQS - If you are pentesting an application, you will need to take a close look at the permission and configuration of authentication and messaging services (if they are in use). Misconfigurations here can allow someone to self-enroll in applications they shouldn't.
It would be worthwhile to spend some time to evaluate each service and get an understanding of its attack surface. Here's an AWS pentesting guide for reference.
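As an added example (not code from the answer above), here are the first two checks in the list as code: S3 ACL grants that reach outside the account, and RDS instances flagged publicly accessible. The inputs are constructed in the shape of the responses boto3 returns from `s3.get_bucket_acl()` and `rds.describe_db_instances()`, so the block runs offline; in an engagement you pass in the live responses instead.

```python
"""Flag S3 ACL grants to everyone and internet-reachable RDS instances.

Added example; SAMPLE_ACLS and SAMPLE_RDS are constructed responses.
"""
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_bucket_grants(acl):
    """(who, permission) for each ACL grant that reaches outside the account.

    AuthenticatedUsers is included because it means *any* AWS principal,
    not just the account's own users.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def public_rds_instances(response):
    """Identifiers of DB instances with PubliclyAccessible set."""
    return [
        db["DBInstanceIdentifier"]
        for db in response.get("DBInstances", [])
        if db.get("PubliclyAccessible")
    ]


def audit(acls_by_bucket, rds_response):
    """Combine both checks into one list of readable findings."""
    findings = []
    for bucket, acl in acls_by_bucket.items():
        for who, permission in public_bucket_grants(acl):
            findings.append(f"s3://{bucket}: {permission} granted to {who}")
    for db in public_rds_instances(rds_response):
        findings.append(f"rds:{db}: PubliclyAccessible is true")
    return findings


# Constructed inputs in boto3 response shape.
SAMPLE_ACLS = {
    "example-public-assets": {
        "Owner": {"ID": "owner-canonical-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
    },
    "example-private": {
        "Owner": {"ID": "owner-canonical-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
             "Permission": "FULL_CONTROL"},
        ],
    },
}
SAMPLE_RDS = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "postgres", "PubliclyAccessible": True},
        {"DBInstanceIdentifier": "reporting-db", "Engine": "mysql", "PubliclyAccessible": False},
    ]
}

if __name__ == "__main__":
    for line in audit(SAMPLE_ACLS, SAMPLE_RDS):
        print(line)
```

The ACL is only one of the ways a bucket becomes public; a bucket policy with `"Principal": "*"` does the same, and account- or bucket-level Block Public Access settings override both, so a complete S3 check reads all three. Likewise `PubliclyAccessible` on RDS only matters together with the instance's security group and the subnet's route table.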
I'm trying to find a way to determine Cloudfront Origin Shield IP ranges and was wondering if by any chance it could be "CLOUDFRONT_ORIGIN_FACING" service from https://ip-ranges.amazonaws.com/ip-ranges.json ?
There are quite a few overlapping ranges from different services; it's hard to just test this.
Yes, while there is no official confirmation in the documentation, I can't think of any other service with the above service code.
CLOUDFRONT_ORIGIN_FACING can only be referring to Amazon CloudFront Origin Shield.
Overlaps are fine, AWS can & will reuse IPs for various services.
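As an added example (not code from the thread), the block below shows how to pull the `CLOUDFRONT_ORIGIN_FACING` prefixes out of `ip-ranges.json` and why the overlap the question mentions is not a problem: you match on the `service` field, never by reverse-engineering addresses. The embedded document is a constructed excerpt using documentation address space, in the same shape as the live file; `fetch_live()` loads the real one.

```python
"""Select CloudFront origin-facing prefixes from ip-ranges.json.

Added example; SAMPLE_IP_RANGES is a constructed excerpt.
"""
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
ORIGIN_FACING = "CLOUDFRONT_ORIGIN_FACING"

# Constructed: same keys as the live file, documentation prefixes only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "AMAZON",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.128/25", "region": "GLOBAL", "service": ORIGIN_FACING,
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [],
})


def fetch_live():
    """Download and parse the current file (network access required)."""
    with urllib.request.urlopen(IP_RANGES_URL) as resp:
        return json.load(resp)


def prefixes_for(doc, service):
    """Sorted, de-duplicated IPv4 networks tagged with `service`."""
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == service}
    return sorted(nets)


def services_covering(doc, ip):
    """All service codes whose prefixes contain `ip`. Several usually do,
    which is why an address alone cannot tell you which service it is."""
    addr = ipaddress.ip_address(ip)
    return sorted({p["service"] for p in doc["prefixes"]
                   if addr in ipaddress.ip_network(p["ip_prefix"])})


def is_origin_facing(doc, ip):
    return ORIGIN_FACING in services_covering(doc, ip)


if __name__ == "__main__":
    doc = json.loads(SAMPLE_IP_RANGES)  # swap for fetch_live() in practice
    for net in prefixes_for(doc, ORIGIN_FACING):
        print("allow from", net)
    print(services_covering(doc, "192.0.2.200"))
```

The origin-facing list is the one to allow in the origin's security group if the origin must accept traffic only from CloudFront. Because the file changes, re-run the selection on the published `syncToken` rather than copying addresses once; AWS also publishes the same set as the managed prefix list `com.amazonaws.global.cloudfront.origin-facing`, which a security group can reference directly so you do not have to maintain the list yourself.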
Recently, while trying to build a terraform IaC, I found that I couldn’t get the API Gateway to route to the Lambda properly. It turned out that when using the console AWS automatically assigns the permissions the gateway needs for the Lambda, but with IaC in terraform this must be assigned explicitly.
The above is understandable but for a newbie, to both AWS and terraform, confusing.
Is there documentation which explains the required components within an infrastructure connection, such as that above?
I know the AWS docs and the Terraform docs are particularly well thought out, but none of it actually explains (as far as I've seen) that a certain resource is required in any particular (however common or obscure) setup. Inferring these connections from general searching is not a great replacement.
I don't think that there is a documentation that lists "all of the required components" in one single page/area. But you can get different pieces of information from different docs, and as you mentioned AWS and Terraform do both a great job at this.
Talking about AWS, in the case of permissions in API gateway, I can think of two useful links (the 1st one is referenced from the 2nd one though):
How API Gateway resource policies affect authorization workflow
Control access for invoking an API
I agree that sometimes it's a lot of guesses to translate AWS into Terraform if you don't really know what you are trying to achieve. Usually when I am blocked on something that "should theoretically work" in IaC vs. the AWS console, I step back from the problem and try to figure out what kind of components I am really trying to glue together in the AWS world. Then usually things become more obvious.
Because in Terraform it's really creating small independent pieces of infrastructure and making them work together. Compared with other IaC, in my experience it's a lot more granular than CloudFormation, for instance.
A personal practice that helps me figure out things faster is to read every single intro doc of the components I am working on in Terraform. For instance, if I am writing lambda in terraform IaC, I would quickly read all the lambda_xxxx_yyyy intro parts to get less stuck and react faster when something fails. It usually works for me.
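As an added example (not code from the question or either answer), here is the missing piece from the question made concrete. What the console adds silently is a statement in the function's resource policy allowing the principal `apigateway.amazonaws.com` to call `lambda:InvokeFunction`, scoped by `SourceArn` to the API's execution ARN; in Terraform that statement is the `aws_lambda_permission` resource. The block checks a policy (the `Policy` string returned by `lambda.get_policy()`) for that grant and builds the `lambda.add_permission()` arguments that create it. The policy document, account ID and API ID are constructed.

```python
"""Does this Lambda's resource policy let API Gateway invoke it?

Added example; CONSOLE_POLICY is a constructed policy in the shape the
console writes when a method is wired to a function.
"""
import fnmatch
import json

APIGW_PRINCIPAL = "apigateway.amazonaws.com"
INVOKE_ACTIONS = {"lambda:InvokeFunction", "lambda:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_apigw_invoke(policy_json, api_execution_arn):
    """True if some Allow statement grants API Gateway invoke on this
    function for api_execution_arn, which has the form
    arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH.
    A statement without a SourceArn condition matches any API."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) \
            else _as_list(principal)
        if APIGW_PRINCIPAL not in services and "*" not in services:
            continue
        if not INVOKE_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        source = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if source is None:
            return True  # unrestricted: any API Gateway in any account could invoke
        if any(fnmatch.fnmatchcase(api_execution_arn, pattern) for pattern in _as_list(source)):
            return True
    return False


def add_permission_kwargs(function_name, api_execution_arn,
                          statement_id="AllowAPIGatewayInvoke"):
    """Arguments for lambda.add_permission(); the same grant Terraform's
    aws_lambda_permission creates. Keep SourceArn scoped to your API."""
    return {
        "FunctionName": function_name,
        "StatementId": statement_id,
        "Action": "lambda:InvokeFunction",
        "Principal": APIGW_PRINCIPAL,
        "SourceArn": api_execution_arn,
    }


# Constructed: what the console produces for GET /items on API a1b2c3d4e5.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*/GET/items"
CONSOLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "apigateway-invoke",
        "Effect": "Allow",
        "Principal": {"Service": APIGW_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:items-handler",
        "Condition": {"ArnLike": {"AWS:SourceArn": API_ARN}},
    }],
})
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    prod = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items"
    print("console-built:", can_apigw_invoke(CONSOLE_POLICY, prod))
    print("terraform without aws_lambda_permission:", can_apigw_invoke(EMPTY_POLICY, prod))
    print(add_permission_kwargs("items-handler", API_ARN))
```

When the grant is missing, API Gateway cannot call the function and the method returns an error from the gateway rather than from your code, which is the symptom described in the question; `lambda.get_policy()` raising `ResourceNotFoundException` means the function has no resource policy at all, which should be treated the same as `EMPTY_POLICY`.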
I haven't seen such documentation, but I can share my workaround for similar cases.
You can make the changes you need using the AWS console, manually, using the UI. Then you can define the resources you just created in your TF files, defining only the required set of properties; even random values will work. Then you import what you created manually into the resources you defined.
By running terraform plan you will see the differences, which will allow you to adjust your TF files accordingly.
After a few iterations you will replicate what you have just done in the UI using TF. As a final test you can manually revert your changes, run terraform apply and ensure that everything works as expected.
I am new in the AWS Cloud services.
I was assigned a project to prepare a new environment in the cloud, to which my team will later migrate their applications. The Stakeholders have come up with some Technical and Business requirements:
They are concerned about the security of the environment, so they have decided to virtually isolate their network from the rest of the customers and the rest of the environments in the same AWS Cloud Account.
Which AWS Cloud service I could try to use to implement this requirement?
Please let me know if I need to provide more details.
Thank you in advance.
First of all, I would question why the Stakeholders would assign someone with very little AWS experience the task of creating a secure network from scratch in it, and then reveal they are concerned about how secure it will be. (Nothing personal against you, just seems like a strange approach)
Secondly, this is a deep topic, with multiple answers depending upon the specifics of your Technical and Business requirements...
From what I can gather, at a high level you're trying to implement a multi-VPC setup in a single AWS Account.
In short, there are too many scenarios to go into for a StackOverflow answer. The best advice I could give would be to seek advice from an AWS networking/security architect (or consultant) if that is an option for you. They should be able to review your requirements in detail and formulate an appropriate solution.
I'll give you an idea of the sorts of services/resources you should be looking to read up on if you want to implement a secure multi-VPC network in AWS:
VPC peering connections or Transit Gateway to handle routing between VPCs
NACLs to control layer 3 traffic into and out of your VPCs
Security Groups to control layer 3 & 4 traffic into and out of the instances in your VPCs
I tried searching for this topic on Google and after many failed attempts I decided to post this as questions here.
What I want to achieve: Monitoring my aws limits using Nagios.
As I have understood, the AWS CLI can be used to get the limits of only a few AWS services; for more in-depth cost management and service limit management one has to opt for Trusted Advisor. Unfortunately it's quite expensive.
So I was wondering if there's a much simpler way with Nagios in which I could get notified if any of the aws services for my account is hitting a limit?
What kind of service limit notification strategy is used by organizations (that can't afford to buy a subscription to Trusted Advisor) that use AWS?
You're right: only a few services can show their limit (and current usage) through the CLI or API. I don't like it either :) We have three options here:
Create a parser that grabs information from AWS Console (there is an example code here: https://forrestbrazeal.com/2015/07/20/adventures-in-aws-automating-service-limit-checks/).
Buy Trusted Advisor (btw, you can get a Trusted Advisor report with API call).
Try using awslimitchecker, because someone has already tried to solve this problem.
https://awslimitchecker.readthedocs.io/en/latest/
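As an added example (not code from the answer or from the awslimitchecker project), the block below is the Nagios side of the third option: a plugin that turns a list of (service, limit name, current usage, limit) tuples into a Nagios status line, performance data and the exit code Nagios expects (0 OK, 1 WARNING, 2 CRITICAL). Where the tuples come from is left to you: awslimitchecker can report current usage against limits, and for services with quotas in the Service Quotas API the same numbers are available from boto3's `service-quotas` client. The figures in `SAMPLE_USAGE` are constructed.

```python
"""Nagios-style threshold check over AWS service limit usage.

Added example; SAMPLE_USAGE is constructed data.
"""
import sys

OK, WARNING, CRITICAL = 0, 1, 2
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def evaluate(usages, warn_pct=80.0, crit_pct=95.0):
    """Return (nagios_exit_code, status_line) for an iterable of
    (service, limit_name, current_usage, limit) tuples.

    Limits with no numeric maximum (None or 0, i.e. unknown or unlimited)
    are skipped because a percentage is meaningless for them.
    """
    worst = OK
    problems = []
    perfdata = []
    for service, name, current, maximum in usages:
        if not maximum:
            continue
        pct = 100.0 * current / maximum
        label = f"{service}/{name}".replace(" ", "_")
        warn_at = int(maximum * warn_pct / 100)
        crit_at = int(maximum * crit_pct / 100)
        perfdata.append(f"{label}={current};{warn_at};{crit_at};0;{maximum}")
        if pct >= crit_pct:
            worst = max(worst, CRITICAL)
            problems.append(f"{label} {current}/{maximum} ({pct:.0f}%)")
        elif pct >= warn_pct:
            worst = max(worst, WARNING)
            problems.append(f"{label} {current}/{maximum} ({pct:.0f}%)")
    summary = "; ".join(problems) if problems else "all checked limits below thresholds"
    return worst, f"AWSLIMITS {STATUS[worst]}: {summary} | " + " ".join(perfdata)


# Constructed figures; a real plugin fills this list from awslimitchecker
# or the Service Quotas API before calling evaluate().
SAMPLE_USAGE = [
    ("EC2", "Running On-Demand instances", 92, 100),   # 92%  -> WARNING
    ("VPC", "VPCs", 5, 5),                             # 100% -> CRITICAL
    ("Lambda", "Concurrent executions", 120, 1000),    # 12%  -> fine
    ("S3", "Buckets", 40, None),                       # no numeric limit -> skipped
]


def main(usages=SAMPLE_USAGE):
    code, line = evaluate(usages)
    print(line)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Nagios reads the first line of output and the exit code, so the plugin prints exactly one line; the part after `|` is performance data in the `label=value;warn;crit;min;max` form that lets you graph usage over time and see a limit approaching before it becomes an alert.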