AWS Security Specialty 4: Data Protection With VPCs Flashcards

Virtual Private Cloud

Networking layer for EC2. Allows you to build your own virtual network within AWS. You control the IP range, create your own subnets, and configure your own route tables, gateways, and security settings. Within a region, you can create multiple VPCs, and each one is logically isolated even if it shares IP address ranges. You must specify the IP range by choosing a CIDR block (10.X.X.X, 172.X.X.X, 192.X.X.X). IP block size ranges from /16 (65k addresses) to /28 (16 addresses). Blocks should not overlap any other network with which they are to be connected.

VPC Components

* Subnets
* Route tables
* DHCP option sets
* Security groups
* Network Access Control Lists (ACLs)

Optional:
* Internet Gateways (IGWs)
* Elastic IPs
* Elastic Network Interfaces (ENIs)
* Endpoints
* Peering
* Network Address Translation (NAT) instances and NAT gateways
* Virtual Private Gateway (VPG)
* Customer Gateways
* Virtual Private Networks (VPNs)

Subnets

AWS reserves the first four IPs and the last IP of every subnet for internal networking purposes. After creating a VPC, you can add one or more subnets in each AZ. Subnets reside within one AZ and cannot span zones. For the exam, one subnet equals one AZ.

Route Tables

Logical construct that holds a set of rules (routes) applied to a subnet and used to determine where traffic is directed. These routes are what permit instances in different subnets within a VPC to communicate with each other. It can be modified. Can be used to specify which subnets are public, by directing internet traffic to the IGW, and which are private. Each table contains a default route called the "Local Route" which enables communication within the VPC; it can't be modified or removed.

Points to remember:
* Each VPC has an implicit router.
* Each VPC automatically comes with a modifiable main route table.
* Additional custom route tables can be created for your VPC.
* Each subnet must be associated with a table, which controls routing for the subnet. If a subnet is not explicitly associated with a particular table, the main table is used.
* The main route table can be replaced with a custom table so that each new subnet is automatically associated with it.
* Each route specifies a destination CIDR and a target. AWS uses the most specific route that matches the traffic to determine how to route it.

Internet Gateways (IGW)

A horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. Provides a target in your VPC route tables for internet-routable traffic, and performs NAT for instances that have been assigned public IPs.

Steps to create a public subnet with internet access

* Attach an IGW to your VPC.
* Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the IGW.
* Configure your network ACLs and security group to allow relevant traffic to flow to and from your instance.

...

You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0), or you can scope the route to a narrower range of IPs, such as the public IPs of your company's public endpoints outside of AWS or the EIPs of other EC2 instances outside your VPC.

DHCP Option Sets

Automatically created for your VPC and sets two options:
* DNS servers (defaults to AmazonProvidedDNS; enables DNS for instances that need to communicate over the IGW).
* Domain-Name

Elastic IP Addresses (EIPs)

A pool of public IPs in each region available for you to associate with resources within your VPC. They allow you to maintain a set of IPs that remain fixed while the underlying infrastructure may change over time.
* You must first allocate an EIP for use within a VPC and then assign it to an instance.
* Specific to each region.
* There is a one-to-one relationship between network interfaces and EIPs.
* They remain associated with your account until you explicitly release them.
* Charges are applied to your account even if they aren't being used.

Elastic Network Interfaces (ENIs)

A virtual network interface that can be attached to an instance in a VPC. Associated with a subnet upon creation. An ENI can have only one public IP, and multiple private IPs. If there are multiple private IPs, one is primary. An ENI created independently of an instance persists regardless of the lifetime of any instance to which it's attached; if the instance it's attached to fails, the IP may be preserved by attaching the ENI to a replacement instance.

Endpoints

A private connection between your VPC and another AWS service without requiring access over the internet or through a NAT instance, VPN, or AWS Direct Connect. You can create multiple ones for a single service, and you can use route tables to enforce different access policies from different subnets to the same service.

Steps for Creating Endpoints

1. Specify the VPC.
2. Specify the service. A service is identified by com.amazonaws.<region>.<service>.
3. Specify the policy: full access, or create a custom policy. Can be changed at any time.
4. Specify route tables. A route will be added to each specified route table, with the service as the destination and the endpoint as the target.

Peering

A network connection between two VPCs that enables instances in either VPC to communicate as if they are on the same network. Can be created between your own VPCs or with a VPC from another account, within a single region. A VPC may have multiple peering connections, but each connection is a one-to-one relationship: no multiple connections between the same two VPCs. Transitive routing is not supported.

For the exam:
* Can't create a peering connection between VPCs that have matching or overlapping CIDR blocks.
* Can't create a peering connection between VPCs in different regions.
* No multiple peering connections between the same two VPCs at the same time.

Security Group

A virtual stateful firewall that controls inbound and outbound traffic to resources and EC2 instances. All instances must be launched into one. If not specified, the instance will be launched in the default one for the VPC.

Security Group Points to know for the exam

1. You can have up to 500 security groups for each VPC.
2. You can add up to 50 inbound and 50 outbound rules to each security group. If you need to apply more than 100 rules to an instance, you can associate up to 5 security groups with each network interface.
3. You can specify allow rules, not deny rules. This is an important difference between security groups and ACLs.
4. You can specify separate rules for inbound and outbound traffic.
5. By default, no inbound traffic is allowed until you add inbound rules to the security group.
6. By default, new security groups have a rule that allows all outbound traffic. You can remove the rule and add rules that allow specific outbound traffic only.
7. Security groups are stateful, meaning that responses to allowed inbound traffic are allowed outbound regardless of outbound rules, and vice versa. This is an important difference between security groups and network ACLs.
8. Instances associated with the same security group can't talk to each other unless you add rules allowing it.
9. You can change the security groups with which an instance is associated after launch; the changes take effect immediately.

Network Access Control Lists (ACLs)

Acts as a stateless firewall on a subnet level. It's a numbered list of rules that AWS evaluates in order, starting with lowest numbered rule, to determine if traffic is allowed in or out of any subnet associated with the network ACL. VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. Custom network ACLs are initially configured with 'deny all' inbound and outbound traffic until you create rules that allow otherwise. Overall, every subnet must be associated with a network ACL.

Instances and NAT Gateways

AWS provides them to allow instances deployed in private subnets to gain internet access. NAT Gateways provide better availability and higher bandwidth.

Steps for using a NAT Gateway

* Configure the route table associated with the private subnet to direct internet-bound traffic to the NAT gateway.
* Allocate an EIP and associate it with the NAT Gateway.

Virtual Private Gateway (VPGs)

The virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks.

Customer Gateway (CGW)

The physical device or software application on the customer's side of the VPN connection.

VPN Connections

You must specify the type of routing you will be using when the VPN is created. If you are using static routing, you must enter the routes for your network that should be communicated to the VPG. Routes will be propagated to the VPC to allow your resources to route traffic back to the corporate network through the VPG and across the VPN tunnel. Amazon VPC supports multiple CGWs, each having a VPN connection to a single VPG.

VPGs, CGWs, and VPN points to understand for the exam

* VPG is the AWS end of the tunnel.
* CGW is the hardware or software application on the customer's side of the VPN.
* You must initiate the VPN tunnel from the CGW to the VPG.
* VPGs support dynamic routing with BGP and static routing.
* The VPN connection consists of two tunnels for higher availability to the VPC.

What is a security group?

Acts as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

What is a Network Access Control List (NACL)?

Acts as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. You can secure your VPC instances using only security groups; however, you can add network ACLs as an additional layer of defense. See here for additional info regarding NACLs: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

What are Flow logs?

Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. You can monitor the accepted and rejected IP traffic going to and from your instances by creating a flow log for a VPC, subnet, or individual network interface.

What happens when you launch an instance in a VPC regarding security groups?

When you launch an instance in a VPC, you can associate one or more security groups that you've created. Each instance in your VPC could belong to a different set of security groups. If you don't specify a security group when you launch an instance, the instance automatically belongs to the default security group for the VPC. See https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

What do routing tables do?

Traffic from an Internet gateway is routed to the appropriate subnet using the routes in the routing table.

Refresher: What is the scope for a VPC?

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone.

Can you add more than one subnet in an Availability Zone?

Yes, but a subnet can be in only one Availability Zone.

Can a subnet span availability zones?

No. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Can Amazon EC2 instances within a VPC communicate with Amazon S3?

Yes. There are multiple options for your resources within a VPC to communicate with Amazon S3. You can use a VPC Endpoint for S3, which makes sure all traffic remains within Amazon's network and enables you to apply additional access policies to your Amazon S3 traffic. You can use an Internet gateway to enable Internet access from your VPC, and instances in the VPC can then communicate with Amazon S3. You can also make all traffic to Amazon S3 traverse the Direct Connect or VPN connection, egress from your datacenter, and then re-enter the public AWS network.

Virtual Private Cloud (VPC) - Introduction

● Virtual data center in the cloud with AWS super security
● You can create your own private IP addresses
● Possible to connect a private data center to AWS via VPN
● NACLs - stateless, you must open both the inbound and outbound ports
● Security Groups - stateful, you only need to open inbound ports and it will automatically open the outbound ports.
● AWS launches a default VPC but you can customize.
● AWS VPC Peering allows you to connect VPCs between different accounts via their IP address - but no transitive peering!
● With AWS 1 subnet = 1 AZ - this is a contrast with GCP, which allows multiple AZs in a subnet
● Provides not only isolation from other customers in the private cloud, it provides Layer 3 isolation from the Internet as well

***Security groups, network Access Control Lists; API call security via secret and public access keys; internet gateways

VPC - DHCP Options Sets

● The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.
● After you create a set of DHCP options, you can't modify them.
  ○ If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC.
● How can you ensure that your VPC does not use AWS DNS (Route 53) for routing DNS requests? Simple - create a new DHCP option set and replace the existing one.

VPC Lab Notes

● A VPC that you create from scratch will not automatically have subnets. You must add them after the initial VPC is created. You also add EC2 instances to drop into the subnets/AZs.
● You lose 5 private IP addresses when you set up the IP CIDR blocks because AWS reserves them for other uses - the first 4 and the last 1.
● All ICMP IPv6 type/protocol allows the private subnet to ping/connect to the public subnet.
● Best practice is to use a Bastion Host / Jump box to connect.

1 Internet Gateway = 1 VPC
1 Security Group = 1 VPC
1 Subnet = 1 VPC

*Pro-tip - AZs 1a, 1b, etc. are randomized per AWS account to prevent over-subscription, since most people go with the first option.

How do you provide private subnets with public access to install updates, patches, GitHub repos, and apps without having to go through the public subnet?

NAT Instance

● Located in EC2 community AMIs
● Placed in the VPC's public subnet with a security group that allows HTTP and HTTPS
● Change the source and destination checks to disabled (only for NAT instances)
● Have a route out via the NAT Instance
● Pro tip - the NAT Instance could be a bastion server; Con - a single instance in a single AZ with a single OS and a single point of failure. Violates the rule of never allowing for a single point of failure in design.

NAT Gateways

● Eliminates the cons of NAT Instances
● Operates on the IPv4 protocol
● Attach to a public subnet when creating
● Takes 10-15 minutes to provision
● Update the default route table to add the NAT Gateway as a target
● Best practice is to have NAT Gateways in multiple AZs
● No need to SSH in, patch, or associate with a security group - it's all managed by AWS

NACLs vs. Security Groups

1 subnet = 1 NACL, but a NACL can be associated with multiple subnets (1:many). NACL = 1 VPC.
● By default a private NACL will deny all access
● NACLs don't offer logging
● AWS recommends that you add NACL rules in increments of 100 to allow revisions. Use rules to add access to SSH, HTTP, and HTTPS ports.
● NACLs are stateless so you need to add both inbound and outbound rules.
● Outbound rules - TCP - are associated with ephemeral ports.
● NACL ephemeral port ranges vary based on OS
● NACL rules are evaluated in numerical order - i.e., to make a change to deny when rule 100 allows, add rule 99 to deny access
● NACLs are assessed before Security Groups in the VPC

**NACLs work in conjunction with security groups, and can allow or deny traffic even before it reaches the security group.

Comparison of Security Groups and Network ACLs (Picture Attached):

Load Balancers and Custom VPCs

● Application Load Balancers - Layer 7 - HTTP and HTTPS (ALB)
● Network Load Balancers - Layer 3 - TCP (ELB)
● Application Load Balancers must be associated with at least 2 public subnets/AZs

*Pro-Tip - use classic load balancers to support legacy applications.

VPC Flow Logs

● Captures IP traffic going to / from the VPC - created in CloudWatch Logs and created as a Log Group
● Created to track at the VPC, subnet, and network interface levels
● You enable VPC flow logs in the VPC console - Your VPC - Actions - Create Flow Log.
● A new IAM role is created for the VPC flow log ARN and can't be changed later. You must assign the CW Log Group too.
● Data from the flow logs can be exported to S3 as well.
● You can stream log data to a Lambda function that can automate responses as well.
● What's not tracked - DNS server queries, Windows license activation, metadata/curl, DHCP, or default VPC router reserved IP address traffic.

NATs vs. Bastions

● A Bastion is hardened and is only used to access the public subnet to get into the private subnet. Bastions are used to securely administer EC2 instances in private subnets using SSH or RDP.
● Bastions are called jump boxes because you jump onto the Bastion server to bounce into the private subnet.
● NATs are on the way out. They are used to provide internet traffic to EC2 instances in private subnets.

How do you make a Bastion highly available?
1. Create a Bastion in multiple subnets, multiple AZs.
2. Set up an auto-scaling group across all the AZs to have at least one Bastion instance running, so that AWS will fail over to another instance when one goes down.

VPC Endpoint

● Provides an internal method to send objects to S3 without having to go via public traffic/subnet.
● To use VPC endpoints we update our VPC NACL and associate a public subnet with the default NACL.
  ○ We then SSH into the public subnet EC2 instance and then SSH into the private subnet.
  ○ Create an IAM policy to provide ARN endpoint access.
  ○ Don't need a NAT Gateway if you have a VPC endpoint set up.

Amazon Elastic Container Service (Amazon ECS)

Highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines. With simple API calls, you can launch and stop Docker-enabled applications, query the complete state of your application, and access many familiar features such as IAM roles, security groups, load balancers, Amazon CloudWatch Events, AWS CloudFormation templates, and AWS CloudTrail logs.

SECURE
Amazon ECS launches your containers in your own Amazon VPC, allowing you to use your VPC security groups and network ACLs. No compute resources are shared with other customers. You can also assign granular access permissions for each of your containers using IAM to restrict access to each service and what resources a container can access. This high level of isolation helps you use Amazon ECS to build highly secure and reliable applications.

OTHER
When an application makes use of the AWS SDK or CLI to make requests to the AWS API, it must sign each request with valid AWS access keys so that AWS can identify who sent the request (for example, if your application accesses an Amazon DynamoDB table). This requires you to define a strategy for managing and distributing credentials for applications to use. Previously, you could specify an IAM role for the Amazon EC2 instances in your ECS cluster, but this resulted in all the privileges required by any task in the cluster being added to a single IAM role, potentially letting tasks use privileges that were not required. Now, you can specify an IAM role for each ECS task.

AWS Security Group (Hypervisor Level) (Stateful)

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you can specify one or more security groups; otherwise, we use the default security group. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When we decide whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups that are associated with the instance.

When you launch an instance in a VPC, you must specify a security group that's created for that VPC. After you launch an instance, you can change its security groups. Security groups are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0). For more information, see Changing an Instance's Security Groups in the Amazon VPC User Guide. You can also change the security groups associated with any other network interface.

Are Security Groups stateful? Yes, all inbound rules are automatically set as outbound rules. The security group is just one level of security. The way it works is that any traffic that is inbound will have an outbound communication over that same port regardless of whether you have deleted all outbound rules. It's about where the connection was initiated. A connection initiated by a client outside the security group follows the Inbound rules. A connection initiated inside the security group will follow the Outbound rules. The security group is just one level of security.

***Everything is blocked by default. You can only allow traffic.
***You can add multiple security groups to 1 instance.
***Changes made to security groups are instantaneous.
***An EC2 instance can have an unlimited number of security group associations.
***Making changes like removing or adding rules to a security group will automatically affect all of the associated EC2 instances.
***Security groups cannot block specific IPs. They can only allow certain IPs.

Firewall Options

Host-Based Firewall (OS level)
In addition to security groups at the hypervisor level, customers can also enable operating system firewalls. These include built-in OS capabilities such as iptables and Windows Firewall, or third-party software that provides additional functionality such as deep packet inspection, IPS/IDS, or network threat protection. Host-based security software works well with highly distributed and scalable application architectures because network packet inspection is distributed across the entire software fleet.

In-Line Firewall (layer 7)
Multiple AWS Partner Network members offer virtual firewall appliances that can be deployed as an in-line gateway for inbound or outbound network traffic. Firewall appliances provide additional application-level filtering, deep packet inspection, IPS/IDS, and network threat protection features. Note that due to the in-line nature of this option, the firewall/gateway can become a throughput bottleneck or single point of failure. Therefore, customers must take extra care when selecting this approach over host-based options to ensure that an in-line network appliance is architected and engineered to be highly available and scalable.