Amazon AWS Certified Advanced Networking Specialty – Security, Risk & Compliance

January 17, 2023

1. AWS Penetration Testing

Hey everyone and welcome back. In today’s video we will be discussing penetration testing in AWS. There are certain important pointers that we should remember before we perform a penetration test, not only in AWS but also in data centers or wherever your servers are. I still remember, a long time ago, a person from the offensive security team blindly ran a penetration test against a production server, and within a few minutes the production server went down. This is the reason why there are certain considerations you should take into account while running a penetration test. This time we’ll focus on the considerations that are more specific to AWS. To perform penetration testing on AWS workloads, it is mandatory to submit the AWS Vulnerability / Penetration Testing Request Form to request authorization for a pen test to or from the AWS workload. This is a very important part to remember.

Along with that, if you want to fill in this penetration testing form, you must be logged in with your root account credentials. This is how the penetration testing page looks. If you look here, the first thing it says is that you need to request permission. So let’s click on the AWS Vulnerability / Penetration Testing Request Form. This is how the form looks. Basically, you need to log in as the root account if you want to fill in the form. The form asks for various information, such as your email address, and you also have to specify the targets, like EC2 instances, RDS instances, the ELB name and various others.

All right, so do remember that you will have to specify things like peak bandwidth, start time and end time. If you submit this form, the authorization is valid only during the time window in which you stated you would perform the penetration test, or the window that AWS approves for you. Along with that, an important pointer to remember is that penetration testing is not allowed against all AWS services. Only certain AWS resources are allowed for penetration testing, and these resources are EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail and DNS zone walking. Now, AWS has recently come up with a great feature: pre-authorized scanning tools.

There are certain scanners available in the AWS Marketplace that are pre-authorized by AWS, which means they negate the need to obtain explicit permission from AWS before scanning. So if you use the pre-authorized scanners approved by AWS, you do not need to get explicit permission from AWS before you scan your workloads. These scanners already ship with the configuration and the appropriate set of policies that avoid adverse effects when you scan AWS resources. In this screenshot you see the Qualys scanner, and it says that it is pre-authorized scanning, i.e. pre-authorized by AWS. So I’m in my AWS Marketplace; let me type “nessus”. Nessus is a pretty famous vulnerability scanner. You see, within Nessus you have something called pre-authorized. Let’s try another scanner; we’ll use Qualys, and within Qualys, too, you see that you have pre-authorized scanning.

So if you make use of these, you don’t have to get explicit permission from AWS. For the curious people who want to know what happens when you try to scan your AWS workload without approval or without a pre-authorized scanner: penetration testing without prior approval can result in blocks being placed on the instances or, if it is shown to have been done wilfully, possibly even account suspension. So make sure that you do not do this without approval or with a scanner that is not pre-authorized. Now, penetration testing is not allowed on the following resources. Within the allowed resources we had EC2 and we even had RDS, but there are certain instance types within EC2 as well as RDS on which you cannot perform penetration testing. For RDS, those are the small and micro RDS instance classes; for EC2, they are m1.small, t1.micro and t2.nano. These are the instances on which penetration testing is not permitted.
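The rules above (an approved time window and target list from the request form, the permitted service list, and the excluded EC2 and RDS instance classes) are the kind of thing worth checking before a scanner is pointed at anything. The following Python is an added example, not code from the video or from AWS; it is an offline pre-flight scope check over a constructed authorization record. The `Target` and `Authorization` shapes are my own, and the service and instance-class lists are taken from the lecture as stated, so they should be re-checked against AWS’s current policy before use.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Services the lecture lists as permitted pen-test targets (as stated in the video).
PERMITTED_SERVICES = {
    "ec2", "rds", "aurora", "cloudfront", "api-gateway",
    "lambda", "lightsail", "dns-zone-walking",
}

# Instance classes the lecture says are excluded even though EC2/RDS are in scope.
EXCLUDED_EC2_TYPES = {"m1.small", "t1.micro", "t2.nano"}
EXCLUDED_RDS_CLASSES = ("small", "micro")   # any db.*.small / db.*.micro class


@dataclass
class Target:
    service: str              # e.g. "ec2", "rds", "cloudfront"
    identifier: str           # instance ID, DB identifier, distribution ID, ...
    instance_type: str = ""   # EC2 instance type or RDS instance class, if any


@dataclass
class Authorization:
    start: datetime   # approved window start (UTC), as submitted on the request form
    end: datetime     # approved window end (UTC)
    targets: list     # Target objects listed on the form


def target_problems(t: Target) -> list:
    """Reasons why a single target would not be allowed, regardless of approval."""
    problems = []
    if t.service not in PERMITTED_SERVICES:
        problems.append(f"{t.identifier}: service '{t.service}' is not in the permitted list")
    if t.service == "ec2" and t.instance_type in EXCLUDED_EC2_TYPES:
        problems.append(f"{t.identifier}: EC2 type {t.instance_type} is excluded")
    if t.service == "rds" and t.instance_type.endswith(EXCLUDED_RDS_CLASSES):
        problems.append(f"{t.identifier}: RDS class {t.instance_type} is excluded")
    return problems


def check_scope(auth: Authorization, planned_targets: list, planned_at: datetime) -> list:
    """Return findings for a planned test; an empty list means it is within scope."""
    findings = []
    if not (auth.start <= planned_at <= auth.end):
        findings.append(f"planned start {planned_at.isoformat()} is outside the approved window")
    approved = {(t.service, t.identifier) for t in auth.targets}
    for t in planned_targets:
        if (t.service, t.identifier) not in approved:
            findings.append(f"{t.identifier}: not listed on the approved request form")
        findings.extend(target_problems(t))
    return findings


def demo() -> dict:
    """Run the check against a constructed authorization: one good plan, one bad plan."""
    utc = timezone.utc
    auth = Authorization(
        start=datetime(2023, 1, 17, 10, 0, tzinfo=utc),
        end=datetime(2023, 1, 17, 14, 0, tzinfo=utc),
        targets=[Target("ec2", "i-0aaaa1111", "t3.medium"),   # fine
                 Target("ec2", "i-0bbbb2222", "t2.nano"),     # excluded type
                 Target("rds", "demo-db", "db.t2.micro")],    # excluded class
    )
    in_window = datetime(2023, 1, 17, 11, 0, tzinfo=utc)
    late = datetime(2023, 1, 17, 15, 0, tzinfo=utc)
    return {
        "ok": check_scope(auth, [auth.targets[0]], in_window),
        "bad": check_scope(auth, auth.targets + [Target("dynamodb", "table-1")], late),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "in scope")
```

The "bad" plan produces five findings: the start time is outside the window, the t2.nano and db.t2.micro targets are excluded classes, and the DynamoDB table is both unlisted on the form and outside the permitted service list.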

2. AWS CloudTrail

Hey everyone and welcome back. In today’s video we’ll be discussing CloudTrail. CloudTrail is one of the very important services, and typically it is the first service I enable whenever I create an AWS account. So let’s go ahead and understand more about CloudTrail. Basically, it is very important for us to record each and every activity that happens within your infrastructure, at your cloud service provider and even on your servers. It sometimes happens that your servers are breached, and if you do not know what activities were happening, you will not be able to find the root cause of the breach. That has actually happened to a lot of organizations, and hence it is very important to record every activity going on within your account. CloudTrail is a service that allows us to record every API call that happens within your AWS account.

Let’s understand this with an example. You have an auditor who is auditing your organization, and he asks you a question: show me what Annie did on 3 January 2017 between 10:00 a.m. and 02:00 p.m. You will only be able to show this if you have CloudTrail enabled. Do remember that this question is specific to the AWS account. If the auditor asks what Annie did inside the server in this time frame, then you need a different mechanism for that. But as far as AWS is concerned, CloudTrail is what will help you answer this specific question. How CloudTrail works is that you get something similar to this table, which says that at 03:50 p.m. a user called James logged in, Annie modified a security group at 07:30 p.m., and Susan created a new EC2 instance at 11:00 p.m.

From here you can say: all right, in this specific time frame, Annie modified a security group. This very simple table gives you a glimpse of what CloudTrail is all about. So let’s go ahead and understand this in a practical manner. I’m in my AWS EC2 console, and a few minutes before recording the video I started the demo-1 instance; I just wanted to show you how exactly it might look in CloudTrail. So I’ll go to Services, open CloudTrail, and within Event history I already have CloudTrail enabled. We’ll also look into how we can enable it, but for our demo purposes CloudTrail has already been enabled. If you look here, you have the event time, the user name, the event name, the resource type and the resource name.

The first event name here is StartInstances, and if you click on it, it gives you a lot of details. One of them is View event. If you click on View event you get the actual JSON of what exactly happened. Let’s understand this. It is basically saying that this is the ARN, and the ARN is that of the root user. If you go a bit further down, the event source is ec2.amazonaws.com, meaning that this specific event happened on the EC2 service. Now, which event happened here? The event is StartInstances. Where did the instance start? It started in the us-east-1 region. Who started it, and from which IP address? This is the IP address of the user who started the EC2 instance. And the final question is which instance ID was started by this user; this is the instance ID, and if you look over here in the console you see the same ID. So from this CloudTrail log I can say that the root user, from the IP address recorded in the event, started an EC2 instance in the North Virginia region, and the EC2 instance ID is this one. This is one sample CloudTrail event.
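To make the auditor’s question and the JSON walk-through concrete, here is an added Python example (mine, not code from the video or from AWS). It builds a constructed CloudTrail log file in the shape delivered to S3 (gzip-compressed JSON with a top-level `Records` list), pulls out the fields the lecture reads from the event (user identity, eventSource, eventName, awsRegion, sourceIPAddress and the instance IDs under responseElements), and answers “what did Annie do on 3 January 2017 between 10:00 and 14:00?” Every record, user name, IP address and instance ID below is invented; the field names follow the CloudTrail record format. An extra Annie event at 11:15 is added so the question has an answer; the times are treated as UTC.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed CloudTrail records for the example (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2017-01-03T11:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "annie"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaaa1111"}]}}},
    {"eventTime": "2017-01-03T15:50:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "james"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-01-03T19:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "annie"},
     "responseElements": None},   # many EC2 write calls return no response elements
    {"eventTime": "2017-01-03T23:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "susan"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbbb2222"}]}}},
    {"eventTime": "2018-06-24T09:12:31Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.13",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0c0ffee1234"}]}}},
]


def build_sample_file() -> bytes:
    """Produce a log file in the shape CloudTrail delivers to S3:
    gzip-compressed JSON with a top-level "Records" list."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def load_cloudtrail_file(gz_bytes: bytes) -> list:
    """Uncompress one delivered log file and return its records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor(record: dict) -> str:
    """Who made the call: 'root' for the root user, otherwise the IAM user name."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or "unknown"


def summarize(record: dict) -> dict:
    """Pull out the fields the lecture walks through in the View event JSON."""
    resp = record.get("responseElements") or {}
    items = (resp.get("instancesSet") or {}).get("items") or []
    return {
        "time": record["eventTime"],
        "user": actor(record),
        "event": record["eventName"],
        "service": record["eventSource"],
        "region": record["awsRegion"],
        "source_ip": record.get("sourceIPAddress"),
        "instances": [i["instanceId"] for i in items],
    }


def what_did_user_do(records: list, user: str, start: datetime, end: datetime) -> list:
    """Every call made by `user` with an event time in [start, end)."""
    return [summarize(r) for r in records
            if actor(r) == user and start <= parse_time(r["eventTime"]) < end]


def auditor_question(records: list) -> list:
    """'What did Annie do on 3 January 2017 between 10:00 and 14:00?'"""
    start = datetime(2017, 1, 3, 10, 0, tzinfo=timezone.utc)
    end = datetime(2017, 1, 3, 14, 0, tzinfo=timezone.utc)
    return what_did_user_do(records, "annie", start, end)


if __name__ == "__main__":
    records = load_cloudtrail_file(build_sample_file())
    for hit in auditor_question(records):
        print(hit)
    print(summarize(records[-1]))   # the root StartInstances event from the demo
```

Note that `responseElements` is `None` for many write calls and absent for others, so the summary guards every level of the lookup; the same guard is needed on `userIdentity`, which differs in shape between IAM users, the root user and assumed roles.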

There are lots of CloudTrail events, and each CloudTrail event has similar fields. Coming back to how we can enable CloudTrail: you need to go to the CloudTrail dashboard, which is here, and go to Trails. Within Trails you see there is one trail created, called demo-kplabs, and it has an association with an S3 bucket. What happens is that the event history you see within CloudTrail does not get stored for an unlimited amount of time; in fact, it says you can view the last 90 days of events. Previously you could only view up to seven days, but AWS has increased it to 90 days, which is very beneficial. But what really happens after 90 days? After 90 days these events are kept in the S3 bucket, demo-kplabs-trail, which is specified within the trail configuration.

Let’s look into this specific S3 bucket. Within this trail we are more interested in us-east-1; you get the CloudTrail events associated with every region. So if you just want to see the events that happened within the us-east-1 region, which is North Virginia, you can click over here. It gives you 2018/06/24, and all of these are compressed files. When you download one, you’ll have to uncompress it, and you will see the JSON event which we saw in the CloudTrail console a moment back. To create a trail, you need to come to the Trails tab and click on Create Trail. You need to give a trail name; I’ll say kplabs-cloudtrail. You have an option, Apply trail to all regions. This is very important: make sure that this option is always selected. Now, for management events, we need to log all the read and write events.

So I’ll select All. For data events, you can select all S3 buckets in your account; if you want to record S3 object-level API activity, you need to select this. Very important: make sure you also select this for Lambda, where you can record the Invoke API operations that are happening, so select “Log all current and future functions” within the data events section. We already know that CloudTrail event history stores a maximum of 90 days, so it’s always recommended never to delete your CloudTrail activity, at least for a period of one year. How it will be stored in S3 is defined by the storage location here: you say Create a new S3 bucket and specify the bucket name. I’ll say kplabs-cloudtrail-demo.

That is the bucket name, and then you can go ahead and click Create. Once your trail, kplabs-cloudtrail, is created, if you go to Event history you should be able to see the CloudTrail activity in your dashboard. Do remember that if you enable it right now, you will not get past events; you’ll only get events from the time you enabled CloudTrail. Also remember that the CloudTrail events that appear here are not instantaneous; it might take a few minutes for an event to appear. By that I mean that if I stop this EC2 instance, it will not immediately show up here; it will take a certain amount of time, typically a few minutes, for that event to appear in the CloudTrail console.
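The trail settings the lecture insists on (apply to all regions, log read and write management events, log S3 object-level and Lambda Invoke data events for all current and future resources, and keep the S3 copy for at least a year) can be checked mechanically. The following Python is an added example, not the video’s or AWS’s code: it puts a weak trail definition beside the corrected one, both expressed in the shape of the CloudTrail `CreateTrail` parameters and `PutEventSelectors` event-selector list, and audits them. The trail and bucket names are placeholders, and `bucket_retention_days` is an assumed input of my own (for instance, the expiration from the bucket’s lifecycle rule), not a CloudTrail API field.

```python
# Weak trail: one region only, write events only, no data events.
WEAK_TRAIL = {
    "Name": "example-single-region-trail",
    "S3BucketName": "example-trail-bucket",
    "IsMultiRegionTrail": False,
}
WEAK_SELECTORS = [{
    "ReadWriteType": "WriteOnly",
    "IncludeManagementEvents": True,
    "DataResources": [],            # no S3 object or Lambda Invoke logging
}]

# Corrected trail following the lecture's checklist.
GOOD_TRAIL = {
    "Name": "example-all-regions-trail",
    "S3BucketName": "example-trail-bucket",
    "IsMultiRegionTrail": True,     # "Apply trail to all regions"
}
GOOD_SELECTORS = [{
    "ReadWriteType": "All",         # management events: both read and write
    "IncludeManagementEvents": True,
    "DataResources": [
        # "arn:aws:s3" with no bucket suffix means all current and future buckets
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]},
        # likewise "arn:aws:lambda" means all current and future functions
        {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
    ],
}]


def data_event_types(selectors: list) -> set:
    """The resource types for which data events are enabled."""
    return {res["Type"] for sel in selectors for res in sel.get("DataResources", [])}


def audit_trail(trail: dict, selectors: list, bucket_retention_days: int) -> list:
    """Findings against the lecture's checklist; an empty list means the trail passes."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not applied to all regions")
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors):
        findings.append("management events are not logged for both read and write")
    types = data_event_types(selectors)
    if "AWS::S3::Object" not in types:
        findings.append("S3 object-level data events are not logged")
    if "AWS::Lambda::Function" not in types:
        findings.append("Lambda Invoke data events are not logged")
    if bucket_retention_days < 365:
        findings.append(f"S3 retention of {bucket_retention_days} days is under one year")
    return findings


if __name__ == "__main__":
    print("weak:", audit_trail(WEAK_TRAIL, WEAK_SELECTORS, bucket_retention_days=90))
    print("good:", audit_trail(GOOD_TRAIL, GOOD_SELECTORS, bucket_retention_days=400))
```

With boto3, the corrected definition maps directly onto `client.create_trail(**GOOD_TRAIL)` followed by `client.put_event_selectors(TrailName=GOOD_TRAIL["Name"], EventSelectors=GOOD_SELECTORS)`; the audit function can equally be run over the output of `get_trail` and `get_event_selectors` for an existing trail.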

