Security in the Cloud — A Deep Dive.

  • cadium828
  • Jul 19
  • 9 min read

Security. A word that is a sentence in itself, and one of the most important considerations for a company in current times. There are a multitude of different security features, options, and solutions, so where do we even start?

Well, in this article I want to explain to you the key components for securing your AWS resources in the cloud. Today’s topic has a lot to cover, so let’s jump right in; below are the items we will be covering.

  • Defense-in-Depth

  • Basics of Encryption

  • Key Management Service

  • CloudHSM

  • Identity Providers

  • Federation

  • Directory Services

  • Cognito

  • Certificate Manager

  • Web Application Firewall

  • GuardDuty

  • Shield

  • Macie

  • Inspector


General Security Principles

Defense-in-Depth

Defense-in-depth is the security concept of implementing security controls at multiple points in your architecture. This is done by employing multiple layers of security controls throughout your information systems. Unlike an approach that relies on a single protective measure, it creates several barriers that would need to be overcome to reach sensitive data. There are several key areas in which controls can be implemented to achieve this hardened security:

  • Physical Security — Access Controls and secure facilities.

  • Network Security — IDS/IPS, firewalls, and network segmentation

  • Host Security — OS Hardening and endpoint protection

  • Application security — Secure coding practices and input validation

  • Data Security — Encryption

  • Administration Controls — Policies, procedures, and awareness training

  • Identity and Access Management — Authentication and Authorization

Basics of Encryption

Encryption is the process of encoding your data using various standards so that unauthorized parties cannot read it. Encryption dates all the way back to Ancient Rome, when Julius Caesar used a simple alphabet-shifting method to encrypt his messages in case they fell into the wrong hands. This is known as the Caesar cipher.

There are many encryption methods and types, so for now we will cover the basics:

  • Encryption At-Rest — Data is encrypted before it is stored

  • Encryption In-Transit — Data is encrypted as it traverses a network

  • Asymmetric Encryption — Known as public-key cryptography

  • Symmetric Encryption — The same key is used for both encryption and decryption; plaintext is passed through the encryption process as you send and receive it



Encryption Key Management

Key Management Service

AWS Key Management Service (KMS) keys are either AWS managed or customer managed, and the service is used to create and manage encryption keys. Keys can be symmetric or asymmetric and are protected by hardware security modules (HSMs).

Customer-managed keys are keys that the customers have full control over. They create and manage the keys.

AWS Managed keys are created and managed by AWS. AWS managed keys are used and integrated within various AWS services. You can’t manage, rotate, or change these keys as they are fully managed by AWS. This service creates them and uses them on your behalf.

KMS keys contain key material, which is used to encrypt and decrypt your data. When a key is rotated, only the key material changes, so your code can keep using the same key parameters. By default, KMS creates the key material; however, you can import your own key material into KMS, in which case you are responsible for rotating and managing the key.

KMS can only encrypt up to 4KB of data. For data larger than 4KB, you will need to use the “envelope encryption” pattern.

  • AWS KMS generates a data key using the KMS Key (Often referred to as the Customer Master Key)

  • The data key is used to encrypt your data which may be of any size

  • The data key itself is encrypted by KMS — called the encrypted data key

  • You store the encrypted data key alongside your encrypted data

CloudHSM

AWS CloudHSM (Cloud-based Hardware Security Module) is a dedicated, fully managed, automatically scaling hardware device that you have direct access to and that runs in your VPC. It is a single-tenant service that allows you to generate and use your own encryption keys. It uses FIPS 140-2 Level 3 validated HSMs.

CloudHSM has many use cases:

  • Offloading SSL/TLS processing from your web servers

  • Protecting private keys

  • Storing the master key for an Oracle DB

  • Serving as a custom key store for AWS KMS



Identity Providers, Federations, and Directories

Identity Providers

An identity provider (IdP) in AWS is a service or system that creates, maintains, and manages identity information while also providing authentication services to applications. It acts as the source of truth for user identities and their credentials.

IAM Identity Center

What it is — Acts as a central hub for SSO across multiple AWS accounts and applications.

How it works

  • It can connect to existing identity sources ( Active Directory, External IdPs, or its own directory)

  • Administrators define permission sets that determine access levels

  • Users get a personalized portal showing just the AWS accounts and applications they can access

Example

  • A company has multiple AWS accounts for different departments and environments (dev, testing, prod).

  • Rather than managing IAM users in each account, they use IAM Identity Center.

  • Their employees go to a single portal where they see only the accounts and apps they’re authorized to use.

  • When they click on an account, they’re automatically signed in with the appropriate permissions

Key components

  • Identity Source — Where user IDs come from (AD, IdPs, IAM Identity Center)

  • Permission Sets — Collections of policies defining what actions users can perform.

  • Assignments — Connect users or groups to specific AWS accounts with specific permission sets

Cognito

What it is — Cognito is AWS’s comprehensive identity management service that handles authentication, authorization, and user management for web and mobile applications.

It’s essentially the doorkeeper and membership database for your digital applications. Cognito consists of 2 core components:

1.) User Pools — User Pools are directories that provide sign-up and sign-in options for your application users. They function as a complete IdP solution with robust features. A User Pool stores user profile information and handles:

  • User registration and account creation

  • Sign-in with username/password or social identity providers

  • Built-in custom user profile attributes

  • MFA

  • Account recovery flows

  • Email and Phone Verification

  • Advanced security features like adaptive auth

Users sign in to a user pool and then receive JSON Web Tokens (JWTs):

  • ID token that contains identity information

  • Access tokens for API access

  • Refresh Tokens for obtaining new tokens without re-authentication

2.) Identity Pools — Also called Federated Identities, identity pools provide temporary AWS credentials for accessing AWS services directly from client applications. This allows you to:

  • Securely access AWS resources from client-side code

  • Support multiple identity providers, including Cognito user pools

  • Set fine-grained permissions based on user identity

  • Create guest and unauthenticated roles

Identity pools don’t store user profile information; they translate external identities into AWS credentials through a process called “credential vending”.

How It Works — Auth Flow

User Registration and Authentication

  • A new user registers with your application through Cognito User Pools

  • Cognito sends a verification code by SMS or email and handles the confirmation process

  • Upon sign-in, Cognito validates the credentials and issues JWTs (ID, Access, Refresh)

  • These tokens can be used to access your apps and APIs

AWS Resource Access

  • The app sends the user pool tokens to Cognito Identity Pools.

  • Identity Pools exchange these tokens for temporary AWS credentials

  • These credentials have permissions defined by IAM roles

  • The application uses these credentials to directly access AWS services like S3 or DynamoDB

Token Refresh

  • When tokens expire, the application uses refresh tokens to get new access tokens

  • This happens transparently to the user, maintaining their session

Example: Imagine building an Instagram-like app, where users upload photos to an S3 bucket.

Registration and auth:

  • The user downloads the app and creates an account with an email and password

  • The Cognito user pool handles the verification email and account creation

  • The user logs in and receives auth tokens

Photo upload process:

  • The user takes a photo in the app

  • The app exchanges user pool tokens for temporary S3 credentials via the identity pool

  • The app uploads the photo directly to S3 using these credentials

  • Each user only has access to their own photo folder in S3



Federation

Web Identity Federation

What it is — Web Identity Federation allows users to sign in using well-known external identity providers (IdPs) such as Google, Facebook, Amazon, or any OpenID Connect (OIDC) compatible provider.

How it works

  • User authenticates with a web IdP (Like Google)

  • IdP returns a token to the user’s app or browser

  • The token is exchanged for a temporary AWS credential via AWS Security Token Service (STS)

  • Temporary credentials allow access to permitted AWS resources

Example

  • You have S3 buckets and want to allow users to upload photos to it

  • Instead of creating an individual IAM user for each user, you allow them to sign in with their Google Account

  • When they authenticate with Google, your app exchanges the Google Token with a temporary AWS STS credential that only permits uploads to a specific location in the bucket

SAML Federation

What it is — Security Assertion Markup Language (SAML) 2.0 federation connects enterprise identity systems like Microsoft AD or Okta to AWS.

How it works

  • A user attempts to access the AWS CLI

  • They’re redirected to their organization’s identity system

  • After authenticating, the Identity system generates a SAML assertion (Digitally signed XML document)

  • Assertion is sent to AWS, which validates and provides access

Example

  • Large corporations with thousands of employees use Microsoft AD for identity management.

  • With SAML 2.0 federation, employees can sign in once to their corporate network (Single Sign-on) and then access AWS resources without a separate login.

  • Their corporate identity determines which AWS resources they can access and IT admins manage permissions centrally



Directory Services

A directory service is a centralized database and service that stores, organizes, and provides access to information about network resources, users, groups, and access privileges. It functions as a specialized database optimized for reading, browsing, and searching information that is organized in a hierarchical structure.

Directory Services have several key functions:

  • User Authentication — Verifying the identity of the user

  • User Authorization — Determining what resources an authenticated user can access

  • Centralized Resource Management — Providing a single location to store and manage information about network resources such as users, computers, printers, and servers

  • Policy Administration — Enabling admins to define and enforce security policies

  • Information Storage and Retrieval — Storing attributes about objects in the network and making this information available to applications and users.



Certificate Management

AWS Certificate Manager (ACM) is used to create, store, and renew SSL/TLS certificates. You can request certificates for single domains, multiple domains, and wildcards. ACM integrates with several AWS services, and all public certificates are signed by AWS’s public certificate authority.



Security Features

Web Application Firewall

AWS WAF is a web application firewall that lets you create rules to filter web traffic based on conditions you define. It is also used to protect your systems and resources against common web exploits such as SQL injection and cross-site scripting. WAF comprises several key components:

  • Rules — A statement that defines inspection criteria

  • Rule groups — Used to group rules

  • IP Sets — A collection of IP address ranges that will be used in a rule group

  • Rule Actions — Instructions to WAF for how to proceed when matches are made in a rule. There are 3 outcomes — Count, Allow, and Block.

A rule’s match statement compares the web request against conditions you define, some of which are:

  • Geographical matches

  • IP matches

  • Regex matches

  • Size constraints

  • SQL injection attacks

  • String attacks

  • XSS attacks

GuardDuty

GuardDuty is AWS’s intelligent threat detection service. GuardDuty continuously monitors CloudTrail management events, S3 data events, VPC Flow Logs, and DNS logs. GuardDuty is able to detect:

  • Account compromises

  • Instance compromises

  • Malicious reconnaissance

  • S3 Bucket compromises

Shield

AWS Shield is used to protect your resources and system against DDoS attacks. Shield safeguards web applications running on AWS with always-on detection and helps to minimize downtime and latency. There are two tiers of AWS Shield:

  • Free tier — A standard feature throughout AWS, available at no cost to you. In the free tier, Shield is implemented through CloudFront.

  • Advanced — The advanced tier has several more features and costs $3,000 per month.

Macie

AWS Macie is a fully managed data security and privacy service. Macie will analyze buckets using machine learning to discover if any sensitive information is contained in your buckets.

This is accomplished through pattern recognition gained by machine learning, and it assists in monitoring and protecting S3 buckets.

Macie enables security compliance and preventative security measures such as:

  • Identifying changes to access control lists

  • Identifying a variety of data types (PII, Protected Health Information, Regulatory Documents, API keys, and secret keys)

  • Monitoring S3 posture

  • Generating security findings that can be viewed in AWS Organizations

Inspector

AWS Inspector is a scheduled service provided by Amazon that runs assessments to check for security exposures and vulnerabilities in EC2 and Lambda. AWS Inspector can run network and host assessments.

  • Network assessments are network configuration analyses that check for ports reachable from outside your VPC. If the Inspector agent is installed on your EC2 instances, it will also find the processes reachable through those ports.

  • Host assessments require the Inspector agent and can scan and assess for vulnerable software, host hardening, and security best practices.



Conclusion

In conclusion, there are A LOT of services provided by AWS to ensure your network, resources, and architecture remain secure. What are your security “must haves” for the cloud? As always, I hope this helped, and I’ll catch you in the next one.
