Information Security
AWS/GCP/Azure Security
2020. SolarWinds. Compromised organizations included Microsoft, FireEye, and the US Treasury. Analysis revealed: many victims had AWS accounts with CloudTrail disabled or poorly configured, making forensics nearly impossible. The attackers could operate for weeks without leaving a trace. The same organizations that invested in perimeter security had no visibility into what happened inside their cloud accounts after the breach.
- **Capital One 2019**: IAM misconfiguration + SSRF = 106 million records. The AWS infrastructure itself was not breached - the client's configuration was the vulnerability.
- **Twitch 2021**: S3 bucket without encryption and misconfigured ACL - 125GB of data including source code exposed publicly.
- **S3 bucket research (ongoing)**: thousands of publicly accessible S3 buckets with sensitive data are found every day through automated scanning.
Security Groups and Network Segmentation
SolarWinds 2020: one of the reasons the breach was so extensive was that compromised systems had unrestricted egress - they could make HTTP requests to any external destination. Network segmentation limits blast radius: each component only talks to what it needs. Security Groups in AWS are stateful firewalls per resource.
AWS VPC Flow Logs record metadata for all network traffic (not payload): source/destination IP, port, bytes, and action (ACCEPT/REJECT). Anomaly analysis: unusual outbound destinations, unexpected ports, rejected traffic spikes. Athena queries on Flow Logs can identify lateral movement, data exfiltration, and SSRF attempts across an entire VPC.
An RDS PostgreSQL Security Group should allow inbound traffic from the App Server. What should the source be?
KMS: Managing Encryption Keys
AWS KMS (Key Management Service) is a managed service for creating and managing cryptographic keys. Keys never leave the KMS HSM (Hardware Security Module). Every encryption and decryption operation is logged in CloudTrail. KMS is the standard for at-rest encryption in AWS: S3, RDS, EBS, Secrets Manager.
KMS Key Rotation: enable automatic annual rotation. On rotation, new data is encrypted with the new key material; old key versions are retained for decrypting existing data. If a KMS key is compromised, the correct response is: create a new CMK, re-encrypt all affected S3 objects, then schedule the compromised key for deletion (minimum 7-day waiting period prevents accidental lock-out).
An application stores sensitive data in S3 with SSE-KMS. The KMS key is compromised. What should be done?
WAF: Layer 7 Attack Protection
AWS WAF, Cloudflare WAF, and Azure Front Door WAF block known attack patterns at the HTTP layer: SQL injection signatures, XSS patterns, CVE exploits, and DDoS request patterns. WAF operates at Layer 7 and can inspect request content - unlike security groups which operate at Layer 3/4.
WAF does not replace fixing vulnerabilities in code. Bypass techniques: URL-encoding payloads (SELECT -> %53%45%4C%45%43%54), comment injection (SEL/**/ECT), HTTP parameter pollution, chunked encoding. WAF is a defense-in-depth layer, not a substitute for parameterized queries and input validation.
A WAF blocked a legitimate request from a corporate security scanner. What should be done?
CloudTrail: Audit Logging for Everything
AWS CloudTrail logs every API call in the account: who, what, when, from which IP. This is the foundation of forensics and incident response in AWS. Without CloudTrail, there is no way to determine what an attacker did after gaining access, which resources they accessed, or what data was exfiltrated.
GuardDuty uses CloudTrail, VPC Flow Logs, and DNS Logs with ML models to detect: cryptocurrency mining, backdoor C2 traffic, compromised EC2 instances, unusual API activity from unknown locations, and IAM credential theft. GuardDuty findings integrate with Security Hub, EventBridge, and SNS for automated incident response workflows.
An attacker gains access to an AWS account. Their first action is to disable CloudTrail to cover their tracks. What helps detect this?
Summary
- **Security Groups**: stateful per-resource firewalls. Reference by SG ID (not CIDR) for auto-scaling. Principle: default deny, only allow what is needed.
- **KMS**: keys never leave the HSM. Every operation is logged in CloudTrail. Compromised key: create new CMK, re-encrypt, then schedule deletion (7-day minimum).
- **WAF**: Layer 7 protection against OWASP Top 10 and CVE exploits. Count mode for testing, Block mode for production. Use allowlists for trusted scanners - never disable for false positives.
- **CloudTrail**: enable multi-region, log file validation, and SNS alerts on critical events (StopLogging, DeleteTrail, ConsoleLogin, AssumeRole). Without CloudTrail, forensics is impossible.
Related Topics
Cloud security controls connect to IAM, encryption, and monitoring:
- IAM and Access Management — IAM roles control access to every cloud resource - Security Groups and KMS both depend on IAM policy definitions.
- Data Encryption: At Rest and In Transit — KMS is the primary at-rest encryption tool for all AWS storage services.
- SIEM and Security Monitoring — CloudTrail logs feed into SIEM platforms for correlation, alerting, and long-term threat hunting.
Вопросы для размышления
- A new AWS account is created for a production workload. List the 5 security baseline controls you would enable on day one, in order of priority.
- A developer accidentally makes an S3 bucket public at 9 AM. CloudTrail is enabled. Walk through how you would investigate the incident: what did the attacker access, and when?
- A security team wants to prevent any developer from disabling GuardDuty or CloudTrail in any AWS account in the organization. How would you implement this?