Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Categories
Blogs

Benefits of Using AWS Secrets Manager Part One

Safeguarding Your Secrets: The Importance of Using AWS Secrets Manager Part One

What is a Secrets Manager?

Secrets Manager is a specialized tool or service designed to securely store, manage, and retrieve sensitive information. It lets us replace credentials embedded in our code, such as passwords, with an API call to Secrets Manager that retrieves the secret programmatically. The secrets no longer exist in the application code, so anyone who can read the code or its repository history does not obtain them, and the lifecycle of a secret is decoupled from the development of the application. We can also configure Secrets Manager to rotate a secret automatically on a schedule, which replaces long-term secrets with short-lived ones and significantly reduces the damage a leaked credential can do.

Key Benefits of Using a Secrets Manager:

  • Enhanced Security
  • Centralized Management
  • Automated Rotation
  • Audit Trails

Concepts required to understand AWS Secrets Manager

Secret – The secret value plus metadata about it. A secret value can be a string or binary. To store multiple values in one secret, use a JSON text string with key/value pairs (this is how the RDS credential secrets created by the console are laid out: username, password, engine, host, port, dbname).

A secret's metadata includes its Amazon Resource Name (ARN), name, description, tags, the KMS key used to encrypt it, and its rotation configuration.

Version – A secret has versions that hold copies of the encrypted secret value. When you change the value or rotate the secret, Secrets Manager creates a new version. It does not keep a linear history of versions; instead it tracks specific versions by attaching staging labels:
  • The current version — AWSCURRENT
  • The previous version — AWSPREVIOUS
  • The pending version (during rotation) — AWSPENDING
A GetSecretValue call that names no version or stage returns the AWSCURRENT version, so clients never need to know version IDs.

Rotation – Rotation is the process of periodically replacing a secret so that a stolen credential has a short useful life. In Secrets Manager you can configure automatic rotation. When it rotates a secret, Secrets Manager updates the credential both in the secret and in the database or service, using a rotation function (a Lambda function, for the strategies below) that it invokes in four steps: createSecret, setSecret, testSecret, and finishSecret.

Rotation strategy – Secrets Manager offers two rotation strategies:

Single user: Updates the credentials for one user in one secret. The user must have permission to change its own password. This is the simplest strategy and is appropriate for most use cases, with one caveat: between the moment the database accepts the new password and the moment the new version is labeled AWSCURRENT, clients still holding the old password are rejected, so applications should re-fetch the secret when authentication fails.

Alternating users: Updates the credentials for two users in one secret. You create the first user, and during the first rotation the rotation function clones it to create the second. On every rotation the function alternates which user's password it changes, so one user's password is always valid and there is no window of failed connections. Most database users lack permission to create other users, so you must provide the credentials of a superuser in a separate secret.
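The four-step rotation protocol described above, as an added example written for this page rather than code from the original post or from AWS: a single-user rotation function run against in-memory stand-ins for Secrets Manager and the database. FakeSecretsManager, FakeDatabase, the secret ARN, the version IDs v0/v1 and the passwords are all constructed for the demonstration. A real rotation function receives the same event fields (SecretId, ClientRequestToken, Step) from Secrets Manager, uses boto3's secretsmanager client in place of the fake, and calls GetRandomPassword instead of taking new_password as an argument.

```python
"""Single-user rotation, modelled end to end with in-memory stand-ins (added example)."""
import json


class FakeSecretsManager:
    """Stand-in for the subset of the Secrets Manager API a rotation function calls."""

    def __init__(self, secret_id, current_value):
        self.secret_id = secret_id
        # version id -> {"value": dict, "stages": set of staging labels}
        self.versions = {"v0": {"value": current_value, "stages": {"AWSCURRENT"}}}

    def describe_secret(self, SecretId):
        return {"RotationEnabled": True,
                "VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, data in self.versions.items():
            if vid == VersionId or (VersionId is None and VersionStage in data["stages"]):
                return {"VersionId": vid, "SecretString": json.dumps(data["value"])}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": json.loads(SecretString),
                                             "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":
                # The service relabels the outgoing version AWSPREVIOUS (modelled here).
                for data in self.versions.values():
                    data["stages"].discard("AWSPREVIOUS")
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        self.versions[MoveToVersionId]["stages"].add(VersionStage)
        if VersionStage == "AWSCURRENT":
            self.versions[MoveToVersionId]["stages"].discard("AWSPENDING")  # rotation complete


class FakeDatabase:
    """Stand-in for the RDS instance: a user may change only their own password."""

    def __init__(self, users):
        self.users = dict(users)

    def connect(self, user, password):
        return self.users.get(user) == password

    def set_password(self, user, old_password, new_password):
        if not self.connect(user, old_password):
            raise PermissionError("authentication failed for %s" % user)
        self.users[user] = new_password


def get_secret_dict(sm, secret_id, **selector):
    """Read a JSON key/value secret by VersionId= or VersionStage= and return it as a dict."""
    return json.loads(sm.get_secret_value(SecretId=secret_id, **selector)["SecretString"])


def rotation_handler(event, sm, db, new_password):
    """One invocation per step; every step is written so that a retry is harmless."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    meta = sm.describe_secret(SecretId=arn)
    if not meta["RotationEnabled"]:
        raise ValueError("rotation is not enabled for %s" % arn)
    if step == "createSecret":
        try:
            get_secret_dict(sm, arn, VersionId=token)      # already created on an earlier attempt
            return
        except LookupError:
            pass
        pending = get_secret_dict(sm, arn, VersionStage="AWSCURRENT")
        pending["password"] = new_password                 # a real function calls GetRandomPassword
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = get_secret_dict(sm, arn, VersionId=token)
        if db.connect(pending["username"], pending["password"]):
            return                                         # password already changed; no-op on retry
        current = get_secret_dict(sm, arn, VersionStage="AWSCURRENT")
        db.set_password(pending["username"], current["password"], pending["password"])
    elif step == "testSecret":
        pending = get_secret_dict(sm, arn, VersionId=token)
        if not db.connect(pending["username"], pending["password"]):
            raise RuntimeError("new credentials rejected; AWSCURRENT stays on the old version")
    elif step == "finishSecret":
        current_vid = next(v for v, s in meta["VersionIdsToStages"].items() if "AWSCURRENT" in s)
        if current_vid != token:                           # equal means a retry after success
            sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_vid)
    else:
        raise ValueError("unknown rotation step %s" % step)


def run_rotation(sm, db, token, new_password):
    """Drive the four steps the way Secrets Manager does and return the resulting labels."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler({"SecretId": sm.secret_id, "ClientRequestToken": token, "Step": step},
                         sm, db, new_password)
    return sm.describe_secret(SecretId=sm.secret_id)["VersionIdsToStages"]


if __name__ == "__main__":
    secrets = FakeSecretsManager("arn:aws:secretsmanager:us-east-1:123456789012:secret:LabSecret",
                                 {"username": "admin", "password": "old-pw", "engine": "mysql"})
    print(run_rotation(secrets, FakeDatabase({"admin": "old-pw"}), "v1", "new-pw"))
```

Each step is safe to retry: a failed finishSecret leaves AWSCURRENT on the old version, and rerunning the whole sequence with the same token changes nothing. The window described under Single user is visible here as well: between setSecret and finishSecret the database accepts only the AWSPENDING password, so a client that cached the AWSCURRENT value is rejected until it re-fetches.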

Who Can Use Secrets Manager

Users of Secrets Manager typically fall into one of these roles:
IT Admins: responsible for storing and managing secrets.
Security Admins: responsible for regulatory and compliance requirements; they use Secrets Manager to audit and monitor secret usage (every API call against a secret is recorded in CloudTrail) and to ensure that secrets are rotated.
Developers: retrieve secrets from Secrets Manager at runtime instead of managing credentials in code or configuration files.

Features

Rotate Secrets Safely: You can rotate secrets on a schedule without updating or redeploying application code, because the application fetches the current value at runtime.
Manage Access with Fine-grained Policies: IAM identity-based policies and the resource policy attached to each secret control who can read, change, or rotate it. For example, a policy can let developers read a development database secret while denying them the production one, scoped by secret ARN or tag.
Secure and audit secrets centrally: Every secret value is encrypted at rest with an AWS Key Management Service (KMS) key, either the AWS-managed key aws/secretsmanager or a customer-managed key you choose, and every API call against a secret is logged in AWS CloudTrail.
Pay as you go: You are charged per secret stored per month and per Secrets Manager API call; there is no upfront cost.
Retrieve Secrets programmatically: Applications call the Secrets Manager API (GetSecretValue) at runtime to obtain the decrypted value, so the credential never has to be written into code, container images, or environment files.
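What retrieving a secret programmatically looks like on the application side, as an added example that is not code from the original post or from an AWS SDK: the credential is fetched at start-up, cached for a TTL, and refreshed once when the database rejects it, which is exactly what happens right after a rotation. FakeSecretsClient, the LabSecret name and the pw1/pw2 values are constructed stand-ins; in production, client is boto3.client("secretsmanager") and connect opens the real database connection.

```python
"""Retrieve database credentials at runtime, with a cache that survives rotation (added example)."""
import json
import time


class CredentialSource:
    """Caches one secret's AWSCURRENT value; refreshes on expiry or on demand."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._cached, self._fetched_at = None, None

    def get(self):
        if self._cached is None or self.clock() - self._fetched_at > self.ttl:
            self.refresh()
        return self._cached

    def refresh(self):
        resp = self.client.get_secret_value(SecretId=self.secret_id, VersionStage="AWSCURRENT")
        if "SecretString" not in resp:
            raise ValueError("%s is a binary secret, expected JSON key/value pairs" % self.secret_id)
        self._cached = json.loads(resp["SecretString"])
        self._fetched_at = self.clock()


def connect_with_retry(source, connect):
    """Use cached credentials; on an authentication failure refresh once and retry.

    After a rotation the cached password is stale until the TTL expires, so the
    single refresh turns a hard failure into one extra GetSecretValue call.
    """
    try:
        return connect(source.get())
    except PermissionError:
        source.refresh()
        return connect(source.get())


class FakeSecretsClient:
    """Constructed stand-in for boto3.client("secretsmanager"); counts API calls."""

    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "VersionStages": [VersionStage], "SecretString": self.secret_string}


def demo(clock=time.monotonic):
    """Rotate the secret while the app holds a cached copy; return (results, API calls made)."""
    rds_secret = {"username": "admin", "password": "pw1", "engine": "mysql",
                  "host": "db.example.internal", "port": 3306, "dbname": "lab"}  # RDS secret layout
    client = FakeSecretsClient(json.dumps(rds_secret))
    db_passwords = {"admin": "pw1"}                        # what the database currently accepts

    def connect(creds):
        if db_passwords.get(creds["username"]) != creds["password"]:
            raise PermissionError("Access denied for user %s" % creds["username"])
        return "connected to %s as %s" % (creds["host"], creds["username"])

    source = CredentialSource(client, "LabSecret", clock=clock)
    first = connect_with_retry(source, connect)            # first call: one GetSecretValue
    second = connect_with_retry(source, connect)           # served from cache, no API call
    db_passwords["admin"] = "pw2"                          # rotation: database and secret change
    client.secret_string = json.dumps(dict(rds_secret, password="pw2"))
    third = connect_with_retry(source, connect)            # stale cache -> one refresh -> success
    return [first, second, third], client.calls


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long a revoked password can linger in memory, while the refresh-on-failure path keeps a rotation from turning into an outage; both are needed, because a rotation can happen at any point inside the TTL.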

Use cases of AWS Secrets Manager

  • Purpose-built for storing secrets (as opposed to general configuration).
  • Capability to force rotation of secrets every X days.
  • Automated generation of a new secret value on rotation (via a Lambda rotation function).
  • Integration with Amazon RDS (MySQL, PostgreSQL, Aurora, and other RDS engines), Amazon Redshift, and Amazon DocumentDB, whose credentials can be rotated in place.
  • Ability to encrypt secrets using KMS.
  • Most commonly used for database credentials, but any secret (API keys, OAuth tokens, certificates) can be stored.
This brings us to the end of this blog. Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!


How to Store Secrets with Secrets Manager – Part II


Securing secrets is crucial in modern software development, and AWS Secrets Manager serves as a key solution. As a fully managed service from Amazon Web Services (AWS), it effectively safeguards sensitive information, such as API keys and database passwords.

AWS Secrets Manager enables you to centralize and manage access to sensitive data, reducing the risk of unauthorized access. Additionally, it facilitates regular rotation and auditing of secrets, enhancing overall application security. Moreover, its seamless integration with other AWS services simplifies the implementation of security best practices in your infrastructure.
Task: Creating an RDS Database, Managing Credentials with Secrets Manager, and Auditing with CloudTrail.

We will first create an RDS database, then store its credentials in Secrets Manager, and finally use CloudTrail to audit who retrieved the secret.

a) Sign in to the AWS Management Console and create an RDS MySQL instance.
b) Store a new secret.
c) Verify the secret created.
d) Use CloudTrail to monitor Secrets Manager activity.

Hands-on:

a) Sign in to the AWS Management Console and create an RDS MySQL instance.
Log into the AWS Management Console, type RDS in the search box, then select RDS under Services.
In the RDS console, click on Create database.

In the Create database screen, select the following:
Choose a database creation method: Standard create
Engine type: MySQL
Templates: Free tier
In the Settings and DB instance class tab, fill in the details as follows:
DB instance identifier: SecretManagerLab (any name)
Master username: admin (any username for your database instance)
Master password: dcVRBrxLbhacVU6 (any password for your instance)
DB instance class: db.t2.micro
Note: Keep the username and password at hand until they are stored in Secrets Manager in the next step; do not paste them into code or commit them to a repository.
In the Storage tab, keep everything as default and clear the Enable storage autoscaling checkbox.
In the Connectivity tab, make sure that Public access is set to No, so the database is reachable only from inside the VPC.
Keep everything else as default. After this, click Create database.

It takes some time for your database to be created.

We’ve created an RDS MySQL instance successfully!
b) Store a new secret.

In the search box, type Secrets Manager and select Secrets Manager under Services.
In the AWS Secrets Manager dashboard, click on Store a new secret.
In Secret type, select Credentials for Amazon RDS database and enter the following details:
User name: (username of our database instance, here we used admin)
Password: (password of our DB instance, here we used dcVRBrxLbhacVU6)
Encryption key: (keep it as default, the AWS-managed key aws/secretsmanager)
Select the database instance you created in the previous step (SecretManagerLab) and click Next.
On the next screen, give the secret a name (LabSecret) and keep everything else as default. Click Next, leave automatic rotation disabled for this lab, then review and click Store.

Secret 'LabSecret' has been stored in Secrets Manager.

c) Verify the secret created.

Once the secret is created, click on the secret name (LabSecret).
Now click on the Retrieve secret value button.
We can see the details of our secret value, including the password. This button performs a GetSecretValue API call with your console identity, so it will show up in the CloudTrail audit in the next step.
d) Use CloudTrail to monitor Secrets Manager activity.

Search for CloudTrail in the search box, then select it under Services, and open Event history.
In Lookup attributes, select Event name and enter GetSecretValue.

You can see the user name of every principal that retrieved the secret, the event time, and the source IP address. Your own retrieval from step c) appears here, because the console's Retrieve secret value button calls the same API. Events can take several minutes to appear in Event history. DescribeSecret and ListSecrets do not expose the value, so GetSecretValue is the event to watch.
AWS Secrets Manager is a service provided by Amazon Web Services (AWS) that helps you manage and protect sensitive information such as passwords, API keys, and other credentials. It allows you to securely store, access, and rotate these secrets, reducing the risk of unauthorized access and improving overall security for your applications and services.

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
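The same audit as a script over exported CloudTrail records, an added example that is not taken from the original post. SAMPLE_TRAIL is a constructed set of records in CloudTrail's event format (the account ID, principals, IP addresses and times are made up); in practice you would feed it the JSON files CloudTrail delivers to S3 or the output of aws cloudtrail lookup-events. It lists every GetSecretValue against LabSecret and flags the ones that came from principals outside an allow list or that were denied, which is the question the console search above answers by eye.

```python
"""Audit GetSecretValue calls from CloudTrail records (added example)."""
import json

# Constructed records in CloudTrail's event format; field names follow the real schema.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "userName": "alice"},
     "requestParameters": {"secretId": "LabSecret"}},
    {"eventTime": "2024-03-01T10:05:40Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc123",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/AppRole"}}},
     "requestParameters": {"secretId":
                           "arn:aws:secretsmanager:us-east-1:123456789012:secret:LabSecret-AbCdEf"}},
    {"eventTime": "2024-03-01T10:09:02Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
                      "userName": "bob"},
     "requestParameters": {"secretId": "LabSecret"},
     "errorCode": "AccessDeniedException",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: "
                     "secretsmanager:GetSecretValue"},
    {"eventTime": "2024-03-01T10:12:55Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ContractorRole/laptop",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/ContractorRole"}}},
     "requestParameters": {"secretId": "LabSecret"}},
    {"eventTime": "2024-03-01T10:13:10Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "DescribeSecret", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "userName": "alice"},
     "requestParameters": {"secretId": "LabSecret"}},
]})


def principal_of(record):
    """The IAM user, or the role behind an assumed-role session (not the session ARN)."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def refers_to(secret_id_param, secret_name):
    """secretId may be the friendly name or the full ARN, which carries a random suffix."""
    if secret_id_param == secret_name:
        return True
    return (secret_id_param.startswith("arn:aws:secretsmanager:")
            and (secret_id_param.endswith(":secret:" + secret_name)
                 or ":secret:%s-" % secret_name in secret_id_param))


def audit_secret_access(trail_json, secret_name, allowed_principals):
    """Return (all GetSecretValue accesses to the secret, the subset worth a closer look)."""
    accesses, flagged = [], []
    for r in json.loads(trail_json)["Records"]:
        if r.get("eventSource") != "secretsmanager.amazonaws.com" \
                or r.get("eventName") != "GetSecretValue":
            continue                     # only the call that discloses the value matters here
        if not refers_to(r.get("requestParameters", {}).get("secretId", ""), secret_name):
            continue
        principal = principal_of(r)
        entry = {"time": r["eventTime"], "principal": principal,
                 "source_ip": r.get("sourceIPAddress"),
                 "outcome": r.get("errorCode", "Success"), "reasons": []}
        if principal not in allowed_principals:
            entry["reasons"].append("principal not in allow list")
        if "errorCode" in r:             # a denied read is still a read attempt
            entry["reasons"].append("request failed: " + r["errorCode"])
        accesses.append(entry)
        if entry["reasons"]:
            flagged.append(entry)
    return accesses, flagged


if __name__ == "__main__":
    allowed = {"arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:role/AppRole"}
    for finding in audit_secret_access(SAMPLE_TRAIL, "LabSecret", allowed)[1]:
        print(finding)
```

Matching on the role rather than the session ARN is what makes the allow list stable: every EC2 instance or Lambda invocation that assumes AppRole produces a different assumed-role ARN, but the same sessionIssuer.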

This brings us to the end of this demo. Make sure to tear down everything you created (the RDS instance and the secret) so you are not billed for it.

If you have any questions concerning this article or have an AWS project that requires our assistance, please leave a comment below or email us at sales@accendnetworks.com.

Thank you!


How To Filter Traffic with AWS Web Application Firewall – Part One


AWS Web Application Firewall WAF

What is AWS Web Application Firewall?

AWS Web Application Firewall is a web application firewall that helps you protect your web applications against common web exploits that might affect availability and compromise security.

A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.

How does it work?

Deploying a WAF in front of a web application places a shield between the application and the internet. A traditional WAF is a reverse proxy: clients pass through the WAF before reaching the server, so the server is never exposed directly. AWS WAF works the same way but is built into the services that already front your application (CloudFront, Application Load Balancer, API Gateway, AppSync); each of them inspects the request against your web ACL before forwarding it, so there is no separate proxy to deploy. Note that the protection only holds if clients cannot reach the origin directly, for example by restricting the web servers' security group to the load balancer.


A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic.


AWS WAF controls how resources such as an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer (ALB), an AWS AppSync GraphQL API, or an Amazon Cognito user pool respond to web requests.

AWS WAF components

Web ACLs — A Web Access Control List (web ACL) protects a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define the criteria for inspecting web requests and specify how to handle requests that match. The web ACL's default action (allow or block) applies to any request that no rule has already allowed or blocked. A web ACL is an AWS WAF resource.
Rules — A rule contains a statement that defines the inspection criteria and an action to take when a web request matches the criteria. Allow and Block end the evaluation of that request; Count records the match and lets evaluation continue, which is the safe way to trial a new rule before enforcing it.
Rule groups — You can define rules directly inside a web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use; you can also define your own rule groups.
Priority of rules — If a web ACL has more than one rule, AWS WAF evaluates each request against the rules in order of their Priority value, lowest number first, and stops at the first rule whose action is Allow or Block. The priorities need not be consecutive, but they must all be different. Ordering matters: a broad Allow rule placed before a Block rule lets the matching requests through untouched.

AWS Managed Rule groups

AWS WAF Bot Control — Protection against automated bots; provides additional visibility through CloudWatch and generates labels you can use to control bot traffic to your applications (paid rule group, capacity 50 WCUs).

Free rule groups

Admin protection — Rules that block external access to administrative pages.
Amazon IP reputation list — Rules based on Amazon threat intelligence; useful if you want to block sources associated with bots or other threats.
Anonymous IP list — Filters out viewers that try to hide their identity from your application (for example, requests from VPNs, proxies, Tor exit nodes, and hosting providers).
Core rule set — Generally applicable to web applications; protects against a wide range of vulnerabilities, including those described in OWASP publications.
Known bad inputs — Rules that block request patterns known to be invalid and associated with exploitation.
Linux operating system — Rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, preventing file content exposure and code execution by attackers.

Custom rules can be created to block, allow, or count traffic that

  • Originates from a country
  • Originates from a CIDR range (an IP set)
  • Carries a specific header, URI path, query string, or body content
You also set the web ACL's default action, allow or block, for traffic that matches none of the rules.
IP Set: An IP set provides a collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources.
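A small model of how a web ACL evaluates a request, added here as an illustration of the components above; it is not AWS WAF code. Rules run in priority order, Count matches are recorded without stopping evaluation, Allow and Block terminate, and the default action applies otherwise. The rule names reuse the ones from Part Two of this series; the statements, the request dictionaries and the misordered ACL are constructed for the example.

```python
"""Model of how a web ACL evaluates one request (added example)."""
import ipaddress
import re


def ip_set(*cidrs):
    """IPSetReferenceStatement: match if the source IP is inside any listed range."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["source_ip"]) in n for n in nets)


def geo_match(*countries):
    """GeoMatchStatement: match on the request's country code."""
    return lambda req: req.get("country") in countries


def uri_matches(pattern):
    """RegexMatchStatement on the URI path (the console's "URI path" component)."""
    rx = re.compile(pattern)
    return lambda req: rx.search(req["uri"]) is not None


class Rule:
    def __init__(self, name, priority, statement, action):
        if action not in ("allow", "block", "count"):
            raise ValueError("rule action must be allow, block or count")
        self.name, self.priority, self.statement, self.action = name, priority, statement, action


class WebACL:
    def __init__(self, default_action, rules):
        if default_action not in ("allow", "block"):
            raise ValueError("the default action can only be allow or block")
        priorities = [r.priority for r in rules]
        if len(set(priorities)) != len(priorities):
            raise ValueError("rule priorities must be unique within a web ACL")
        self.default_action = default_action
        self.rules = sorted(rules, key=lambda r: r.priority)    # lowest number first

    def evaluate(self, req):
        """Return (final action, deciding rule or "default", names of Count matches)."""
        counted = []
        for rule in self.rules:
            if not rule.statement(req):
                continue
            if rule.action == "count":
                counted.append(rule.name)      # non-terminating: evaluation continues
                continue
            return rule.action, rule.name, counted      # allow and block terminate
        return self.default_action, "default", counted


def lab_acl():
    """The ACL from Part Two (one IP set Block rule) plus two rules showing geo and Count."""
    return WebACL("allow", [
        Rule("MywebACL-rule", 0, ip_set("203.0.113.10/32"), "block"),
        Rule("geo-block", 10, geo_match("KP"), "block"),
        Rule("admin-probe", 20, uri_matches(r"^/(admin|wp-admin)"), "count"),
    ])


def misordered_acl():
    """Same IP set rule, but a catch-all Allow at priority 0 short-circuits it."""
    return WebACL("allow", [
        Rule("allow-everything", 0, uri_matches(r"^/"), "allow"),
        Rule("MywebACL-rule", 5, ip_set("203.0.113.10/32"), "block"),
    ])


if __name__ == "__main__":
    for req in ({"source_ip": "203.0.113.10", "uri": "/index.html", "country": "US"},
                {"source_ip": "198.51.100.5", "uri": "/admin/login", "country": "US"}):
        print(req["source_ip"], req["uri"], "->", lab_acl().evaluate(req))
```

The misordered ACL is the mistake to watch for when adding an Allow rule (for a health checker or a partner) to an existing web ACL: given priority 0 it is evaluated first, matches, and the Block rules below it never run.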

AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive.

Web ACL $5.00 per month
Rule $1.00 per month
Request $0.60 per 1 million requests (for inspection up to 1500 WCUs)

AWS WAF web ACL capacity units (WCUs)

Every rule has a relative cost. AWS WAF calculates rule capacity when you create or update a rule. AWS WAF calculates capacity differently for each rule type

Rule group WCUs

The WCU requirements for a rule group are determined by the rules that you define inside the rule group. The maximum capacity for a rule group is 5,000 WCUs.

Conclusion

AWS WAF provides a managed solution to protect your web applications against common exploits and vulnerabilities. By leveraging WAF’s advanced rulesets and integration with services like Application Load Balancer, you can effectively filter malicious web traffic while allowing legitimate users access.

Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!


Filtering Traffic with AWS Web Application Firewall Part Two


A Web Application Firewall is a specialized security solution designed to monitor, analyze, and filter HTTP traffic between web applications and the Internet.

In this blog article, we will showcase the practical aspects of a WAF in action.
A prerequisite for this demo is two running EC2 instances (web servers) with Apache installed.

We will start by creating an application load balancer. Log into the management console, https://aws.amazon.com/console/ then in the EC2 Console, Navigate to Target Groups, present in the left panel under Load Balancing. Click on the Create target group then Specify group details.
Under Basic configurations,

Choose a target group: Choose Instances

Target group name : Enter web-server-TG

Keep all the settings as default.

Health check protocol: HTTP

Health check path: Enter /index.html

Scroll down and click the Next button.

Register targets.

For this project I have already created two instances, called webserver A and webserver B, each bootstrapped with a user-data script that makes Apache return a page reading RESPONSE COMING FROM SERVER A or RESPONSE COMING FROM SERVER B.
I will select both instances and click on the Include as pending below button.
The instances appear in the Review targets section with health status Pending. Click on the Create target group button.
Success.
After creating the target group, create the load balancer. In the EC2 console, navigate to Load Balancers in the left-side panel, then click on Create load balancer. We will create an Application Load Balancer.
Under Application Load Balancer, click on the Create button.
Configure the load balancer as below:

For the Basic configuration section,

Name: Enter Web-server-LB

Scheme: Select Internet-facing

IP address type: Choose IPv4
For the Network mapping section:

Use the default VPC.
Mappings: Select all the AZs present.
For the Security groups section, I have created a security group called Load balancer-SG that allows inbound port 80 (HTTP), and I will select it. The web servers' own security group should allow port 80 only from this load balancer security group, so that the WAF cannot be bypassed by sending requests to an instance directly.
For the Listeners and routing section,

The listener is already present with Protocol HTTP and Port 80.

Select the target group web-server-TG for the Default action forwards to option.
Keep the tags as default and click on the Create load balancer.
copy the DNS name of the load balancer and paste it into your browser.
Refresh the browser a few times and you will see the request is serving from both instances (servers). You will see the output as RESPONSE COMING FROM SERVER A & RESPONSE COMING FROM SERVER B.

Creating an IP set

In the search box, type WAF & Shield then select it under services.
On the left side, you will be able to see the IP sets menu. Click on IP sets and click on Create IP sets.
On the next screen, fill out the details under Create IP set.

IP set details:

IP set name: Enter MyIPset

Description: Enter IP set to block my public IP

Region: Select US East (N. Virginia)

IP Version: Select IPv4

IP address: Enter your public IPv4 address followed by /32

Note: AWS WAF accepts addresses only in CIDR notation, so a single host is written as /32 (or /128 for IPv6); without the prefix length the IP set cannot be created. Once you have provided the above details, click on Create IP set.

Creating a Web ACL


Navigate to the AWS WAF dashboard and select Web ACLs. Click on Create web ACL to create a new web ACL.
Configure the ACL as below:

Web ACL details

Name: Enter MywebACL

Description: Enter ACL to block my public IP

Resource type: Select Regional resources (Application Load Balancer and API Gateway)

Region: Select US East (N. Virginia)
To associate an AWS resource, click on Add AWS resources.
In Add AWS resources select Application Load Balancer and select the name of ALB. Click on Add.
Lastly, click on the Next button.

Add rules and rule groups

Under Rules click on Add rule and Add my own rules and rule groups in the drop-down menu.

In Rule type, select IP set and fill in the details as given below:

Rule type: Select IP set

Name: Enter MywebACL-rule

IP set: select the IP set created Above (MyIPset)

IP address to use as the originating address: Source IP address (choose the header option, such as X-Forwarded-For, only when a proxy or CDN sits in front of the ALB; otherwise that header is set by the client and can be forged)

Action: Select Block

Once you provide the above details, click on the Add rule.
Lastly, click on the Next button.

Set rule priority

Leave as default and click on Next.
Configure metrics.

Leave as default and click on Next.

Review and create web ACL

Review all your inputs and click on Create Web ACL

We have successfully created a web ACL for ALB with the help of an IP set created with your public IP.

Testing the working of the WAF.

To test the WAF, navigate to Load Balancers and select the Application load balancer Web-server-LB.

Copy the DNS name and paste it into your browser.

You will get a 403 Forbidden error, showing that the WAF blocked your connection to the ALB. Requests from any other address are still served, because the web ACL's default action is Allow.

Unblocking the IP.

To unblock the IP, navigate to IP sets and click on MyIPset. Select your public IP and then click on Delete
You have successfully removed the IP from WAF.

Again, select load balancer you just created. Copy its DNS name and paste into your browser.

This time around, you will get the response from the web servers, either RESPONSE COMING FROM SERVER A or RESPONSE COMING FROM SERVER B.
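The IP set, web ACL, association and unblock steps above expressed as wafv2 API calls, as an added example that is not part of the original post. The request shapes (Scope, IPSetReferenceStatement, VisibilityConfig, LockToken) are those of the real wafv2 API; FakeWafv2, the account ID and the load balancer ARN are constructed stand-ins so the script runs offline, and in practice waf would be boto3.client("wafv2", region_name="us-east-1"). It also shows why the unblock step has to read the IP set first: an update carries the LockToken from the last read and is rejected if someone else changed the set in between.

```python
"""The Part Two demo as wafv2 API calls, against an offline stand-in (added example)."""
import ipaddress
import uuid


def to_cidr(address):
    """AWS WAF only accepts CIDR notation; a bare host becomes /32 (IPv4) or /128 (IPv6)."""
    return str(ipaddress.ip_network(address, strict=False))


class FakeWafv2:
    """Constructed stand-in for boto3.client("wafv2"); enforces LockToken like the service."""

    def __init__(self):
        self.ip_sets, self.web_acls, self.associations = {}, {}, {}

    def create_ip_set(self, Name, Scope, IPAddressVersion, Addresses, Description=""):
        set_id = str(uuid.uuid4())
        arn = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/%s/%s" % (Name, set_id)
        self.ip_sets[set_id] = {"Name": Name, "ARN": arn, "Addresses": list(Addresses),
                                "LockToken": str(uuid.uuid4())}
        return {"Summary": {"Id": set_id, "Name": Name, "ARN": arn,
                            "LockToken": self.ip_sets[set_id]["LockToken"]}}

    def get_ip_set(self, Name, Scope, Id):
        s = self.ip_sets[Id]
        return {"IPSet": {"Name": s["Name"], "Id": Id, "ARN": s["ARN"],
                          "Addresses": list(s["Addresses"])}, "LockToken": s["LockToken"]}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        s = self.ip_sets[Id]
        if LockToken != s["LockToken"]:                 # optimistic locking, as the real API does
            raise RuntimeError("WAFOptimisticLockException: stale LockToken")
        s["Addresses"], s["LockToken"] = list(Addresses), str(uuid.uuid4())
        return {"NextLockToken": s["LockToken"]}

    def create_web_acl(self, Name, Scope, DefaultAction, Rules, VisibilityConfig, Description=""):
        arn = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/%s/%s" % (Name, uuid.uuid4())
        self.web_acls[arn] = {"DefaultAction": DefaultAction, "Rules": list(Rules)}
        return {"Summary": {"Name": Name, "ARN": arn}}

    def associate_web_acl(self, WebACLArn, ResourceArn):
        self.associations[ResourceArn] = WebACLArn
        return {}


def block_address(waf, alb_arn, address, ip_set_name="MyIPset", acl_name="MywebACL"):
    """Create the IP set, a web ACL with one Block rule referencing it, and attach it to the ALB."""
    cidr = to_cidr(address)
    version = "IPV4" if ipaddress.ip_network(cidr).version == 4 else "IPV6"
    ip_set = waf.create_ip_set(Name=ip_set_name, Scope="REGIONAL", IPAddressVersion=version,
                               Addresses=[cidr], Description="IP set to block my public IP")
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                  "MetricName": acl_name}
    rule_name = "%s-rule" % acl_name
    acl = waf.create_web_acl(
        Name=acl_name, Scope="REGIONAL", Description="ACL to block my public IP",
        DefaultAction={"Allow": {}},                     # everything not matched is allowed
        Rules=[{"Name": rule_name, "Priority": 0,
                "Statement": {"IPSetReferenceStatement": {"ARN": ip_set["Summary"]["ARN"]}},
                "Action": {"Block": {}},
                "VisibilityConfig": dict(visibility, MetricName=rule_name)}],
        VisibilityConfig=visibility)
    waf.associate_web_acl(WebACLArn=acl["Summary"]["ARN"], ResourceArn=alb_arn)
    return ip_set["Summary"]["Id"], acl["Summary"]["ARN"]


def unblock_address(waf, ip_set_id, address, ip_set_name="MyIPset"):
    """Remove one address: read, modify, write back with the LockToken from the read."""
    current = waf.get_ip_set(Name=ip_set_name, Scope="REGIONAL", Id=ip_set_id)
    remaining = [a for a in current["IPSet"]["Addresses"] if a != to_cidr(address)]
    waf.update_ip_set(Name=ip_set_name, Scope="REGIONAL", Id=ip_set_id,
                      Addresses=remaining, LockToken=current["LockToken"])
    return remaining


if __name__ == "__main__":
    client = FakeWafv2()
    alb = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/app/Web-server-LB/0123456789abcdef")
    set_id, acl_arn = block_address(client, alb, "203.0.113.10")
    print("blocked:", client.ip_sets[set_id]["Addresses"], "via", acl_arn)
    print("remaining after unblock:", unblock_address(client, set_id, "203.0.113.10"))
```

In the console the LockToken is handled for you; in scripts, always fetch the set immediately before updating it and never reuse a token from an earlier call.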
Congratulations, you are all done. Thanks for reading and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!


How To Create Serverless Computing with AWS Lambda


In the ever-evolving landscape of cloud computing, AWS Lambda has emerged as a revolutionary service, paving the way for serverless computing. This paradigm shift allows developers to focus on building and deploying applications without the burden of managing servers.

What is Lambda

AWS Lambda is a compute service that lets you run code without provisioning or managing servers.


Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning automatic scaling, and logging. With Lambda, all you need to do is supply your code in one of the language runtimes that Lambda supports.


You organize your code into Lambda functions. The Lambda service runs your function only when needed and scales automatically. You only pay for the compute time that you consume — there is no charge when your code is not running.

Things that can trigger a Lambda function

AWS event sources (DynamoDB streams, S3 events, message queues such as Amazon SQS, and so on)

HTTP endpoints (REST calls through Amazon API Gateway or a Lambda function URL)

Key Features of AWS Lambda:

Event-driven: AWS Lambda is designed to respond to events from various AWS services or custom events e.g. changes to data in an Amazon S3 bucket, updates to a DynamoDB table, etc.
Multiple Programming Languages: Lambda supports multiple programming languages, including Node.js, Python, Java, Go, Ruby, and .NET.
Automatic Scaling: Lambda automatically scales based on the number of incoming requests.
Cost-Efficient: AWS Lambda follows a pay-as-you-go pricing model. You are charged only for the compute time consumed by your code.
Built-in Fault Tolerance: AWS Lambda provides built-in fault tolerance by automatically distributing the execution of functions across multiple availability zones.

Use Cases for AWS Lambda:

Real-time File Processing: AWS Lambda can be used to process files uploaded to an S3 bucket in real-time.
Microservices Architecture: Lambda functions are well-suited for building microservices, allowing developers to break down large applications into smaller, manageable components promoting agility and maintainability.
API Backend: With the help of API Gateway, AWS Lambda can be used to build scalable and cost-effective API backends. This allows developers to focus on building the application’s logic without worrying about managing servers.
Data Transformation and Analysis: Lambda functions can process and analyze data from various sources, providing a serverless solution for tasks like log processing, data transformation, and real-time analytics.

Create a Lambda function with the console

Log into the Management Console, type Lambda in the search box, then select Lambda under Services.
In the Lambda dashboard, on the left side of the navigation pane, select Functions, then click Create function.
In the Create function screen, select Author from scratch, then in the Basic information pane, for Function name enter mytestfunction.

For Runtime, choose Node.js 20.x.

Leave the architecture set to x86_64.
By default, Lambda creates an execution role with permission to write logs to Amazon CloudWatch Logs and nothing else; if the function later needs other AWS resources, add only the specific permissions it requires to that role.
These are the only settings we need to create our function, so scroll down and click Create function.

Lambda creates a function that returns the message Hello from Lambda!

Lambda also creates an execution role for your function. An execution role is an AWS Identity and Access Management (IAM) role that grants a Lambda function permission to access AWS services and resources.

To see the role, scroll down and select the Configuration tab, then Permissions; under Execution role you can see the role name.
When you select it, it takes you to the IAM console, where you can see the attached policy.

Now back in Lambda, under Code, we can see the Hello from Lambda! code.

We will replace this code with our own. Choose the Code tab.

In the console's built-in code editor you should see the function code that Lambda created; replace it with your own handler code.
Select Deploy to update your function’s code. When Lambda has deployed the changes, the console displays a banner letting you know that it’s successfully updated your function.
Invoke the Lambda function using the console.
To invoke our lambda function using the Lambda console, we first create a test event to send to our function. The event is a JSON-formatted document.

To create the test event

In the Code source pane, choose Test; you will be taken to the Configure test event screen.

Select Create new event, then for Event name enter myTestEvent. In the Event JSON panel, paste in the JSON document your function expects as input. Then choose Save.
We will now test our function and use the Lambda console and CloudWatch Logs to view records of the invocation.

To test our function, in the Code source pane, choose Test, then wait for the function to finish running. The response and function logs are displayed in the Execution results tab, which confirms that our Lambda function was invoked successfully.
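A handler to paste into the editor in place of the default code, added here as an example rather than taken from the original post. It is written for the Python 3.12 runtime, while the walkthrough above chose Node.js 20.x, so select a Python runtime if you use it as-is. It handles the S3 object-created events mentioned under Use cases: sample_event() is a constructed test event in the same shape as the console's Event JSON panel, ALLOWED_BUCKETS is an assumed bucket name, and the handler shows two details the default code does not: S3 URL-encodes object keys in event records, and a key is attacker-influenced input that must never be used as a file path.

```python
"""A Lambda handler for S3 object-created events, invokable locally (added example)."""
import json
import logging
from urllib.parse import unquote_plus

logger = logging.getLogger()
logger.setLevel(logging.INFO)

ALLOWED_BUCKETS = {"accend-lab-uploads"}      # assumed name; list only buckets this function owns
MAX_OBJECT_BYTES = 50 * 1024 * 1024           # refuse to process anything larger


def summarize(event):
    """Validate every record and report what the function would do with it."""
    results = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3" \
                or not record.get("eventName", "").startswith("ObjectCreated:"):
            results.append({"status": "ignored", "reason": "not an S3 ObjectCreated event"})
            continue
        s3 = record["s3"]
        bucket = s3["bucket"]["name"]
        key = unquote_plus(s3["object"]["key"])   # S3 URL-encodes keys in event records
        size = s3["object"].get("size", 0)
        if bucket not in ALLOWED_BUCKETS:
            results.append({"status": "skipped", "bucket": bucket, "key": key,
                            "reason": "bucket not allowed"})
        elif size > MAX_OBJECT_BYTES:
            results.append({"status": "skipped", "bucket": bucket, "key": key,
                            "reason": "object too large"})
        elif ".." in key.split("/") or key.startswith("/"):
            # The uploader chooses the key; never let it pick a path under /tmp.
            results.append({"status": "rejected", "bucket": bucket, "key": key,
                            "reason": "unsafe key"})
        else:
            results.append({"status": "processed", "bucket": bucket, "key": key, "size": size})
    return results


def lambda_handler(event, context):
    results = summarize(event)
    logger.info("handled %d record(s)", len(results))
    return {"statusCode": 200, "body": json.dumps(results)}


def sample_event():
    """A constructed test event in the shape S3 sends (what goes in the Event JSON panel)."""
    def rec(bucket, key, size, name="ObjectCreated:Put"):
        return {"eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "us-east-1",
                "eventName": name,
                "s3": {"bucket": {"name": bucket}, "object": {"key": key, "size": size}}}
    return {"Records": [
        rec("accend-lab-uploads", "reports/q1+2024.csv", 2048),
        rec("someone-elses-bucket", "payload.bin", 10),
        rec("accend-lab-uploads", "tmp/../../etc/passwd", 10),
        rec("accend-lab-uploads", "video.mp4", 600 * 1024 * 1024),
        rec("accend-lab-uploads", "old.txt", 5, name="ObjectRemoved:Delete"),
    ]}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(sample_event(), None), indent=2))
```

Running the file locally invokes the handler with the constructed event, which is the same thing the console's Test button does; the execution role for this function still needs only the default CloudWatch Logs permissions, since it reads nothing from S3 beyond what the event already carries.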
This brings us to the end of this blog.

Tear down what you created and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!