Security Services Beyond IAM
Now that you've mastered IAM fundamentals, let's explore the broader AWS security ecosystem. While IAM controls who can do what, these additional services protect your infrastructure, applications, and data from threats and vulnerabilities.
Learning Goals
- Understand AWS Shield for DDoS protection
- Configure AWS WAF for web application security
- Implement AWS GuardDuty for threat detection
- Use AWS Security Hub for centralized security management
- Explore AWS Inspector for vulnerability assessment
AWS Shield: DDoS Protection
AWS Shield provides protection against Distributed Denial of Service (DDoS) attacks. It comes in two tiers:
- AWS Shield Standard: Automatically enabled for all AWS customers at no extra cost
- AWS Shield Advanced: Paid service with enhanced protection, 24/7 DDoS response team, and cost protection
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ShieldProtection": {
      "Type": "AWS::Shield::Protection",
      "Properties": {
        "Name": "WebAppProtection",
        "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-web-app/1234567890123456"
      }
    }
  }
}
```
Shield Advanced is particularly valuable for applications with strict availability requirements, such as e-commerce sites or financial services. The cost protection feature can save you from unexpected bills during DDoS attacks.
AWS WAF: Web Application Firewall
AWS WAF protects your web applications from common web exploits by allowing you to configure rules that filter web traffic.
Creating a WAF Rule
```yaml
# One entry for the Rules list of an AWS::WAFv2::WebACL (CloudFormation).
# A literal "1=1" byte match is a teaching example; the managed
# SqliMatchStatement covers far more injection patterns.
Name: BlockSQLInjection
Priority: 1
Action:
  Block: {}
Statement:
  ByteMatchStatement:
    FieldToMatch:
      Body: {}
    PositionalConstraint: CONTAINS
    SearchString: "1=1"
    TextTransformations:
      - Priority: 0
        Type: NONE
VisibilityConfig:
  CloudWatchMetricsEnabled: true
  MetricName: BlockSQLInjection
  SampledRequestsEnabled: true
```
AWS CLI
```bash
# Create a Web ACL
aws wafv2 create-web-acl \
  --name MyWebACL \
  --scope REGIONAL \
  --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACLMetric
```
Terraform
```hcl
resource "aws_wafv2_web_acl" "main" {
  name        = "web-acl-for-alb"
  scope       = "REGIONAL"
  description = "Web ACL for application load balancer"

  default_action {
    allow {}
  }

  rule {
    name     = "block-sqli"
    priority = 1

    # A rule with its own match statement needs "action"; "override_action"
    # is only valid for rule-group and managed-rule-group references.
    action {
      block {}
    }

    statement {
      sqli_match_statement {
        field_to_match {
          body {}
        }
        text_transformation {
          priority = 1
          type     = "URL_DECODE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-sqli"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl-metric"
    sampled_requests_enabled   = true
  }
}
```
AWS GuardDuty: Intelligent Threat Detection
GuardDuty uses machine learning to detect suspicious activity and unauthorized behavior in your AWS environment.
```json
{
  "schemaVersion": "2.0",
  "accountId": "123456789012",
  "region": "us-east-1",
  "type": "UnauthorizedAccess:IAMUser/ConsoleLogin",
  "resource": {
    "resourceType": "AccessKey",
    "accessKeyDetails": {
      "userName": "malicious-user",
      "principalId": "AIDAI23456789012345"
    }
  },
  "severity": 6,
  "createdAt": "2024-01-15T12:00:00Z",
  "updatedAt": "2024-01-15T12:00:00Z"
}
```
GuardDuty findings don't automatically block malicious activity. You must configure automated responses yourself, for example an Amazon EventBridge (formerly CloudWatch Events) rule that matches GuardDuty findings and invokes a Lambda function to take action based on the finding.
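An added example (not part of the course material) of the Lambda side of that response: the handler receives a GuardDuty finding under `event["detail"]` in the shape shown above, and quarantines the IAM user by attaching a deny-all inline policy. The severity threshold, the list of finding-type prefixes and the policy name are this example's own choices, and the `iam` parameter is injectable so the logic runs offline.

```python
import json
import os

# Act at or above this severity (GuardDuty labels 7.0-8.9 as High). Policy knob, not an AWS default.
SEVERITY_THRESHOLD = float(os.environ.get("SEVERITY_THRESHOLD", "7"))
# Hypothetical policy: finding types where quarantining the IAM user is the chosen response
QUARANTINE_TYPE_PREFIXES = ("UnauthorizedAccess:IAMUser/", "CredentialAccess:IAMUser/")
# Constructed inline policy: denies every API call without deleting the user (keeps evidence)
DENY_ALL_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}

def decide_action(finding):
    """Map a GuardDuty finding dict to (action, user_name)."""
    severity = float(finding.get("severity", 0))
    finding_type = finding.get("type", "")
    key_details = finding.get("resource", {}).get("accessKeyDetails", {})
    user = key_details.get("userName")
    if severity < SEVERITY_THRESHOLD:
        return "log-only", user
    if user and finding_type.startswith(QUARANTINE_TYPE_PREFIXES):
        return "quarantine-user", user
    return "notify", user

def handler(event, context=None, iam=None):
    """Lambda entry point; `iam` is injectable so the decision logic can be tested offline."""
    finding = event["detail"]
    action, user = decide_action(finding)
    if action == "quarantine-user":
        if iam is None:
            import boto3  # imported lazily so the logic above runs without boto3 installed
            iam = boto3.client("iam")
        iam.put_user_policy(UserName=user, PolicyName="GuardDutyQuarantine",
                            PolicyDocument=json.dumps(DENY_ALL_POLICY))
    return {"action": action, "user": user, "type": finding.get("type")}

# Constructed sample event mirroring the finding above, but at High severity
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "severity": 8,
                           "resource": {"resourceType": "AccessKey",
                                        "accessKeyDetails": {"userName": "malicious-user"}}}}

class _RecordingIAM:
    """Fake IAM client that records put_user_policy calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_user_policy(self, **kwargs):
        self.calls.append(kwargs)
```

The page's sample finding has severity 6, so with the threshold above it would be logged only; the constructed event raises it to 8 to show the quarantine path.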
Enabling GuardDuty
```bash
# Enable GuardDuty in your account (prints the new DetectorId)
aws guardduty create-detector --enable
# Create a sample finding for testing; use the DetectorId returned above
aws guardduty create-sample-findings --detector-id 123abc456def789ghi
```
AWS Security Hub: Centralized Security View
Security Hub provides a comprehensive view of your security posture across AWS accounts by aggregating findings from multiple services.
```python
import boto3


def process_critical_findings():
    client = boto3.client('securityhub')
    # get_findings returns at most 100 findings per call, so paginate
    paginator = client.get_paginator('get_findings')
    pages = paginator.paginate(
        Filters={
            # Get findings with critical severity
            'SeverityLabel': [
                {
                    'Value': 'CRITICAL',
                    'Comparison': 'EQUALS'
                }
            ]
        }
    )
    for page in pages:
        for finding in page['Findings']:
            print(f"Critical finding: {finding['Title']}")
            print(f"Resource: {finding['Resources'][0]['Id']}")
            print("---")


if __name__ == "__main__":
    process_critical_findings()
```
AWS Inspector: Vulnerability Assessment
AWS Inspector automatically assesses applications for vulnerabilities or deviations from best practices. The commands below use the Inspector Classic API (the `inspector` CLI namespace); the current Amazon Inspector service is driven through the separate `inspector2` namespace.
```bash
# Create assessment target
aws inspector create-assessment-target \
  --assessment-target-name my-ec2-instances \
  --resource-group-arn arn:aws:inspector:us-east-1:123456789012:resourcegroup/0-ABCD1234
# Run assessment template
aws inspector start-assessment-run \
  --assessment-template-arn arn:aws:inspector:us-east-1:123456789012:target/0-ABCD1234/template/0-EFGH5678
```
Common Pitfalls
- Over-relying on default configurations: Many security services require custom tuning for your specific use case
- Ignoring cost implications: Services like Shield Advanced and Security Hub have additional costs that can accumulate
- Failing to automate responses: Detecting threats is only half the battle; you need automated remediation
- Not enabling region-specific services: Some security services need to be enabled in each region you operate
- Overlooking integration opportunities: These services work best when integrated with each other and with your existing monitoring
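An added example (not from the course) for the region-coverage pitfall: it walks every region enabled for the account and reports those with no GuardDuty detector in the ENABLED state. Only real boto3 calls are used (`describe_regions`, `list_detectors`, `get_detector`); the `_Fake*` classes are constructed stand-ins so the check can be exercised offline.

```python
def regions_missing_guardduty(session):
    """Return the sorted list of regions with no detector in ENABLED state.

    `session` is a boto3.Session, or any object whose client() returns
    objects with the same describe_regions/list_detectors/get_detector calls.
    """
    # EC2 DescribeRegions lists the regions enabled for this account
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    missing = []
    for region in regions:
        guardduty = session.client("guardduty", region_name=region)
        detector_ids = guardduty.list_detectors().get("DetectorIds", [])
        # A detector can exist but be suspended, so check Status rather than presence
        enabled = any(
            guardduty.get_detector(DetectorId=d).get("Status") == "ENABLED"
            for d in detector_ids
        )
        if not enabled:
            missing.append(region)
    return sorted(missing)


# Constructed stand-ins for boto3 (offline demo).
# Region -> tuple of detector statuses; an empty tuple means no detector at all.
_FAKE_DETECTORS = {"us-east-1": ("ENABLED",), "eu-west-1": ("DISABLED",), "ap-south-1": ()}


class _FakeClient:
    def __init__(self, region):
        self.region = region

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in _FAKE_DETECTORS]}

    def list_detectors(self):
        return {"DetectorIds": [f"det-{i}" for i in range(len(_FAKE_DETECTORS[self.region]))]}

    def get_detector(self, DetectorId):
        return {"Status": _FAKE_DETECTORS[self.region][int(DetectorId.split("-")[1])]}


class _FakeSession:
    def client(self, service, region_name=None):
        return _FakeClient(region_name)


if __name__ == "__main__":
    # For a live check, replace _FakeSession() with boto3.Session()
    print(regions_missing_guardduty(_FakeSession()))  # ['ap-south-1', 'eu-west-1']
```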
Summary
AWS provides a layered security approach beyond IAM. Shield protects against DDoS attacks, WAF secures web applications, GuardDuty detects threats using machine learning, Security Hub centralizes your security view, and Inspector assesses vulnerabilities. Together, these services create a comprehensive security posture that complements IAM's access control capabilities.
Quiz
AWS Security & Compliance Fundamentals
Which AWS service provides automatic DDoS protection at no additional cost?