Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Categories
Blogs

AWS Firewall Manager

Securing Your Cloud with AWS Firewall Manager

Secure Your Cloud

Introduction

In the rapidly evolving cloud computing landscape, security remains top priorities for businesses of all sizes. With the continuous rise of sophisticated cyber threats and complex network architectures, organizations need robust solutions to safeguard their cloud Environments. One such solutions offered by AWS is the AWS Firewall Manager (or AWS Network Firewall). Which is a tool designed to simplify firewall management and enhance overall security posture.

What Is Firewall Manager?

Firewall Manager is a centralized security management service that allows you to set and administer firewall rules across all of your accounts and applications from a single location. It provides a unified approach to firewall management. Think of AWS firewall Manager as the central command centre of your cloud security. It lets you manage and enforce consistent security policies across multiple AWS accounts and resources, including WAF, Network Firewalls, VPC security groups, and others.

Benefits of AWS Firewall Manager

Simplify management of firewall rules across your accounts: AWS Firewall Manager is linked with AWS Organizations, allowing you to manage your Amazon VPC’s AWS WAF rules, AWS Shield Advanced protections, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules from a single location.

Ensure compliance of existing and new applications: AWS Firewall Manager applies the mandatory security policies you establish across existing and newly generated resources automatically.

Easily deploy managed rules across accounts: With just a few clicks in the interface, you can select a Managed Rule from an AWS Marketplace Seller and deploy it uniformly throughout your Application Load Balancer, API Gateway, and Amazon CloudFront architecture.

Centrally deploy protections for your VPCs: Security administrators can use Firewall Manager to establish a baseline set of VPC security group rules in Amazon VPCs for EC2 instances, Application Load Balancers (ALBs), and Elastic Network Interfaces (ENIs).

Ensure compliance of existing and new applications: AWS Firewall Manager (AWS Network Firewall) automatically enforces mandatory security policies that you define across and newly created resources.

AWS Firewall Manager Prerequisites

Your account must be a member of AWS Organizations.

Your AWS account must be a member of an organization in the AWS Organizations service, and the organization must have all features enabled.

Your account must be the AWS Firewall Manager administrator

To configure Firewall Manager policies, your account must be set as the AWS Firewall Manager administrator account, in the Settings pane.

You must have AWS Config enabled for your accounts and Regions

You must enable AWS Config for each of your AWS Organizations member accounts and for each AWS Region that contains resources that you want to protect using AWS Firewall Manager.

To manage AWS Network Firewall or Route 53 resolver DNS Firewall, the AWS Organizations management account must enable AWS Resource Access Manager (AWS RAM).

The AWS Organizations management account must enable AWS RAM for all member accounts in your organization.

To use the third-party firewall, subscribe in the AWS Marketplace.

To use the third-party firewall with AWS Firewall Manager, you must first subscribe to the third-party firewall Pay-As-You-Go service in the AWS Marketplace.

AWS Organizations: Your AWS account must be a member of an organization in the AWS Organizations service, and the organization must have all features enabled.

Your account must be the AWS Firewall Manager administrator: To configure Firewall Manager policies, your account must be set as the AWS Firewall Manager administrator.

The Firewall Manager administrator account is the account you use to connect to the Firewall Manager.

AWS Config: You must enable AWS Config for each of your AWS Organizations member accounts and for each AWS Region that contains resources that you want to protect using AWS Firewall Manager.

To manage AWS Network Firewall or Route 53 resolver DNS Firewall, the AWS Organizations management account must enable AWS Resource Access Manager (AWS RAM): The AWS Organizations management account must enable AWS RAM for all member accounts in your organization.

To use the third-party firewall, subscribe in the AWS Marketplace: To use the third-party firewall with AWS Firewall Manager, you must first subscribe to the third-party firewall Pay-As-You-Go service in the AWS Marketplace.

How Firewall Manager works

You manage your Firewall Manager policies with your Firewall Manager administrator account.

Firewall Manager sets the Firewall Manager administrator account as the AWS Organizations Delegated Administrator for Firewall Manager when you create it.

This gives the Firewall Manager access to the organizational units (OUs) you use to define the scope of your Firewall Manager policies.

It generates findings for out-of-compliance resources and detects assaults, which it sends to AWS Security Hub.

Conclusion

AWS Firewall Manager stands out as a robust solution for organizations seeking to streamline and fortify their cloud security. By providing centralized management, automated rule deployment. This brings us to the end of this blog.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].

Thank you!

Categories
Blogs

Slash AWS Expenses

Slash AWS Expenses: Automate EC2 Idle Instance Shutdown with CloudWatch Alarms.

Slash AWS

Introduction

Effective management of cloud resources is important for anyone who uses cloud services, especially when it comes to managing costs. A common issue is that you forget to stop using EC2 instances for purposes such as development, testing, and temporary work, which can lead to unexpectedly high costs.

There are several scenarios in which you might want to automatically stop or terminate your instance. For example, you might have instances dedicated to batch payroll processing jobs or scientific computing tasks that run for some time and then complete their work. Rather than letting those instances sit idle (and accrue charges), you can stop or terminate them, which helps you to save money.

Forgetting to stop an EC2 instance used for brief testing can lead to unnecessary charges. To solve this, create a CloudWatch alarm to automatically shut down the instance after 1 hour of inactivity, ensuring you only pay for what you use. In this article, I’ll share how to set up this solution using the AWS Management Console.

CloudWatch Alarm

Amazon CloudWatch is a monitoring service for AWS. It serves as a centralized repository for metrics and logs that can be collected from AWS services, custom applications, and on-premises applications. One of its important features is CloudWatch Alarms, which allows you to configure alarms based on the collected data.

A CloudWatch alarm checks the value of a single metric, either simple or composite, over some time you specify and launches the actions that you specify once the metric reaches a threshold that you define.

Key Components of CloudWatch Alarms

Metric: A metric is performance data that you monitor over time.

 

Threshold: This is the value against which the metric data is evaluated.

 

Period (in seconds): The period determines the frequency at which the value of the metric is collected.

 

Statistic: This specifies how the metric data is aggregated over each period. Common statistics include Average, Sum, Minimum, and Maximum.

 

Evaluation Periods: The number of recent periods that will be considered to evaluate the state of the alarm, based on the metric values during these periods.

 

Datapoints to Alarm: The number of evaluation periods during which the metric must breach the threshold to trigger the alarm.

 

Alarm Actions: Actions that are taken when the alarm state changes. These can include sending notifications via Amazon SNS, and stopping, terminating, or rebooting an EC2 instance.

Setting Up a CloudWatch Alarm to Automatically Stop Inactive Instances.

Solution with Console

Open the CloudWatch console, In the navigation pane, choose AlarmsAll alarms. Then choose Create alarm.

Choose Select Metric

for AWS namespaces, choose EC2

Choose Per-Instance Metrics

Select the check box in the row with the correct instance and the CPUUtilization metric, and select “select metric”.

For the statistic, choose Average. Choose a period (for example, 1 Hour).

For threshold type select static, then select lower/average. Select threshold value, and data points to alarm then select treat missing data as missing then click next.

The first action is to send a notification to an SNS topic with an email subscription. This ensures that you will be notified when the alarm stops the instance. You can create the SNS topic at this step, or you can reference an existing one if you have already created it. Had already created an SNS topic.

The second action will be to terminate the EC2 instance, under the alarm state trigger, select in alarm then select stop instance, and click next.

Provide a name for the alarm, and you can also add a description then click next.

Review a summary of all your configurations. If everything is correct, confirm the alarm creation.

The alarm was successfully created, and we can see the alarm state is ok.

You can either wait for the alarm state to be in alarm or you can use the below command to set the alarm to alarm state.

Our alarm has gone to an alarm state and if you check the state of the EC2 instance, we can see our objective has been achieved and our EC2 instance is already stopped.

Additionally, a notification has also been sent to my email via SNS.

This brings us to the end of this demo, clean up. Thanks for reading, and stay tuned for more.

Conclusion

Automating idle EC2 instance shutdown with CloudWatch Alarms cuts AWS costs and ensures efficient resource use, preventing unnecessary charges and optimizing cloud spending.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].


Thank you!

Categories
Blogs

AWS CloudHSM

AWS Hardware Security Module: Securing Your Keys in the Cloud

Cloud HSM

Introduction

As organizations increasingly move their operations to the cloud environment, the need for robust security measures becomes equally important. One critical aspect of this cloud security measure is the management and protection of cryptographic keys. This is where the AWS Hardware Security Module or AWS CloudHSM comes in handy. This article explores what CloudHSM is, its use case, and a demo of how to create one.

What is CloudHSM?

AWS CloudHSM is a cryptographic service for creating and maintaining AWS hardware security modules (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. You can use AWS CloudHSM to offload SSL/TLS processing for web servers, protect private keys linked to an issuing certificate authority (CA), or enable Transparent Data Encryption (TDE) for Oracle databases.

When we have the KMS, AWS manages the software for encryption and the encryption keys. But with cloud HSM, AWS only provides us with the encryption hardware. The HSM device is tamper resistant and has FIPS 140-2 Level 3 compliance. CloudHSM supports both symmetric and Asymmetric encryption.

Using AWS CloudHSM you must use CloudHSM client software since there is no API call for this service.

Key Features of Cloud HSM

Hardware-based Security: Keys are stored in hardware, which is inherently more secure than software-based storage.

High Availability and Scalability: Cloud HSM services are typically offered with high availability and can scale to meet the demands of enterprise workloads.

Compliance: Cloud Hardware Security Module is often compliant with industry standards such as FIPS 140-2 Level 3, ensuring they meet regulatory requirements for data protection.

Integration: Cloud HSMs can integrate with various cloud services and on-premises applications, enabling seamless cryptographic operations across different environments.

CloudHSM Backups

Backups are stored in Amazon Simple Storage Service (Amazon S3) within the same Region as the cluster. You can view backups available for your cluster from the CloudHSM console. Backups can only be restored to a genuine HSM running in the AWS Cloud. The restored HSM retains all the configurations and policies you put in place on the original HSM.

Creating a backup CloudHSM triggers backups in the following scenarios:

  • CloudHSM automatically backs up your HSM clusters periodically.
  • When adding an HSM to a cluster, CloudHSM takes a backup from an active HSM in that cluster and restores it to the newly provisioned HSM.
  • When deleting an HSM from a cluster, CloudHSM takes a backup of the HSM before deleting it.

A backup is a unified encrypted object combining certificates, users, keys, and policies. It is created and encrypted as a single, tightly bound object. The individual components are not separable from each other. The key used to encrypt the backup is derived using a combination of persistent and ephemeral secret keys.

Backups are encrypted and decrypted within your HSM only, and can only be restored to a genuine HSM running within the AWS Cloud.

Let’s dive into the practical.

Login to the AWS Management Console then type CloudHSM in the search box then select it under services.

In the CloudHSM dashboard, click Create cluster.

In the create cluster dashboard, click the drop-down button and select your VPC, I will move with the default VPC.

For subnet, you can only select one subnet per AZ, because I selected default VPC, I will move with the default subnet.

We will create a new cluster, so select the radio button on Create a new cluster then click next.

Enter the backup retention period then click next.

We will tag our HSM.

Review page.

For confirmation, make sure to tick the check box, then hit on the Create cluster.

Wait until it gets created complete. And move the status to an uninitialized state.

Select the cluster from the actions drop-down button then select initialize.

We will now create an IAM user, cloudhsmuser with full access.

Take note of the password and download the .csv file

Create HSM in the cluster, select the Availability Zone, and hit on Create.

Wait until the process gets completed.

Download all 4 certificates then hit next.

Configure the HSM user on the EC2 machine using Mobastream.

Make sure Cluster is Active. As per the below screen, the Cluster is in an active state.

That’s it. Thumps up.

Conclusion

AWS Hardware Security Module or Cloud HSM provides a powerful solution for secure key management in the cloud. By leveraging hardware-based security, it offers enhanced protection for cryptographic keys, helping organizations meet stringent compliance requirements and protect sensitive data.

This brings us to the end of this blog.  Thanks for reading, and stay tuned for more. Make sure you clean resources.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].


Thank you!

Categories
Blogs

AWS CodeCommit: Streamlining Source Control in the Cloud.

What is AWS CodeCommit? Streamlining Source Control in the Cloud.

aws-code-commit

In the era of cloud computing, source control is a pivotal aspect of the workflow, ensuring that code changes are managed efficiently, collaborative efforts are streamlined, and the integrity of the codebase is maintained. Amazon Web Services (AWS) offers a robust solution for source control in the cloud with AWS CodeCommit. This article delves into the features, benefits, and use cases of AWS CodeCommit. We will also go ahead and create a code commit repository and clone the repo to our local machine, add files, commit and push them to our AWS code repository.

What is AWS CodeCommit?

AWS CodeCommit is a version control service hosted by Amazon Web Services that allows developers to store and manage their source code, binaries, and other assets in the AWS cloud.  Additionally, it is designed to work seamlessly with existing Git tools, making it easy for developers to integrate it into their current workflows.

Key Features of AWS CodeCommit.

Fully Managed Service: AWS CodeCommit takes care of the backend infrastructure, so developers can focus on writing code. There are no servers to manage.

Scalability: CodeCommit can handle repositories of any size, with the ability to scale up as your project grows.

High Availability and Durability: your repositories are always accessible and your data is protected against loss.

Security: CodeCommit integrates with AWS Identity and Access Management (IAM) to provide robust access control. You can use IAM policies to define who can access your repositories and what actions they can perform.

code-commit-security

Integration with AWS Services: CodeCommit integrates seamlessly with other AWS services such as AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline. This allows you to create a complete CI/CD pipeline using AWS tools, enhancing your development and deployment workflows.

integration-aws

Standard Git Interface: CodeCommit supports the standard Git interface, so developers can use their preferred Git client, command-line tools.

Getting Started with AWS CodeCommit

Prerequisite.

Make sure you have full permission to Codecommit, or you can log in as an administrative user additionally, you should have git installed and configured on your machine.

 

Create a Repository

Log in to your AWS management console, in the search box, type Codecommit then select codecommit under services.

repository

In the code commit UI on the left-hand side, select repositories then click Create Repository.

create-repository

In the create repository dashboard, under repository settings, name your repo, will call mine demo-commit-repo.

Codecommit is encrypted by default using KMS, but you can also choose your custom keys. We will leave it at AWS-managed keys with KMS.

Leave all other settings as default then click Create Repository.

create-respository

Success, we are greeted with connection steps. We can see HTTPS, SSH, HTTPS(GRC).

demo-code-commit

If you don’t see SSH then it means you are connected as the root user.

We will for now use HTTPS git credentials for Codemmit to connect to our git repository.

So let us log in to the I AM console.

 

services

Select users. Click your username, move to the security tab then scroll all the way down to HTTPS for git credentials.

 

git-credentials

Click on generate and your codecommit credentials will be generated. Click the download button.

git-download

Go back to the codecommit repository select your repo then click the drop-down button of the clone URL then select clone HTTPS.

In this case, it will copy the HTTPS-type URL.

repo-copied

Use your preferred Git client to clone the repository to your local machine. This allows you to start adding code and making changes.

Go back to your terminal and type in git clone and paste in the cloned URL. When you press enter, you will be prompted for your username and password. Paste them in then press enter.

git-command

We have cloned our remote repo into our local machine.

git-command

With the repository cloned, you can push your changes to CodeCommit.

We will now copy a few files into our directory, commit these files, and push them to our remote repo.

Using linux command make sure you are in the repo directory then add copy files to your repo.

git-command

Using git add the files and then commit the changes as shown in the picture bellow.

ubuntu-command-line
ubuntu-command-line

Once the changes are commited, you can then push them to the remote repo by using the below command.

ubuntu-command-line

Now let’s go and check codecommit, and yes indeed the new files have been pushed to the codecommit repository.

code-commit-repo

If you click on the commits on the left side of the repo UI, you can see the commit history.

code-commit-repo

This brings us to the end of this blog. AWS CodeCommit offers a powerful, secure, and scalable solution for source control in the cloud.

Thanks for reading, and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].

 

Thank you!

Categories
Blogs

An Overview of DDoS Attacks: Understanding the Threat.

An Overview of DDoS Attacks: Understanding the Threat.

In the current digital era, cybersecurity is key. Among the various threats that organizations face are Distributed Denial of Service (DDoS) attacks which are particularly disruptive. DDoS attack defence is one of the top security concerns on the web today, regardless of the attacker’s purpose, because disruption of availability can result in financial losses and other undesirable repercussions. In this blog article we will explore how AWS Shield operates, its features, and its importance in the current cybersecurity landscape.

DDoS Attacks

DDoS attacks involve overwhelming a server, service, or network with more traffic than it can handle, causing it to slow down or crash. Attackers use millions of tonnes of traffic to bring down a victim’s web applications from multiple sources, which is known as DDoS extortion.

There are basically 3 types of DDoS attacks:

Volume-Based Attacks

These attacks use methods to create huge amounts of traffic in order to completely saturate bandwidth, causing a traffic jam that prevents genuine traffic from flowing into or out of the targeted site.

Protocol Based Attacks

By consuming enormous amounts of per-connection resources, these attacks misuse stateful protocols and therefore put a strain on firewalls and load balancers.

Application Layer Attacks

Some of the most advanced DDoS attacks take use of flaws in the application layer by establishing connections and launching process and transaction requests that consume finite resources such as disc space and memory.

AWS Shield Overview

What is AWS Shield?

AWS Shield is a managed solution for preventing DDoS attacks basically on AWS-hosted applications. It inspects traffic in real-time and applies mitigation strategies automatically in order to avoid performance degradation.

There are basically two types of AWS Shields.

AWS Shield Standard (Free Service)

It is a free service offered to all AWS customers. It guards you against 96% of today’s most prevalent attacks, such as SYN/ACK floods, Reflection attacks, and HTTP slow reads. This protection is deployed to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources automatically and transparently.

AWS Shield Advanced (Paid Service)

It is a paid service that adds volumetric DDoS mitigation, sophisticated attack detection, and mitigation for attacks at the application as well as network layers to AWS Shield.

You also have access to DDoS Response Team (DRT) 24*7 for tailored mitigation during attacks.

Key Features of AWS Shield.

Automatic Protection: AWS Shield offers automatic protection for all AWS customers at no additional cost. This basic protection, known as AWS Shield Standard, defends against most common, frequently occurring network and transport layer DDoS attacks.

Advanced Protection: AWS Shield Advanced provides enhanced protections for more sophisticated and larger scale DDoS attacks. It includes additional detection and mitigation capabilities, 24/7 access to the AWS DDoS Response Team (DRT), and financial protection against spikes in your AWS bill resulting from a DDoS attack.

Real-Time Visibility: AWS Shield Advanced customers have access to detailed attack diagnostics and the ability to create alarms in Amazon CloudWatch based on the occurrence of DDoS events.

Integration with AWS Services: AWS Shield works seamlessly with other AWS services like AWS WAF (Web Application Firewall), Amazon CloudFront, and Amazon Route 53, providing a holistic approach to security.

Why AWS Shield is Important

Comprehensive Protection

AWS Shield’s multi-layered defence strategy covers a wide range of attack vectors. Its integration with other AWS services ensures a robust security posture for your applications.

Cost-Effective

With its automatic protection feature, AWS Shield Standard offers fundamental DDoS protection at no extra cost, making it a cost-effective solution for all AWS customers. For those requiring advanced protection, AWS Shield Advanced offers additional benefits, including financial safeguards.

Reduced Complexity

Managing cybersecurity can be complex, AWS Shield’s managed service approach reduces this complexity, allowing organizations to focus more on their core business activities.

Enhanced Business Continuity

DDoS attacks can disrupt business operations significantly. AWS Shield enhances business continuity by ensuring that applications remain available and performant even under attack.

This brings us to the end of this blog, thanks for reading and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].

Thank you!