Domain 3

DDoS Mitigation

Reduce Attack Surface Area - Limit the options for attackers e.g. application and database should not be on the same server and you can do this with services such as: SQS and Elastic BeanStalk.
Plan for Scale - E.g. whenever CPU load is more than 70%. automatically add one more Application server to meet the needs and you can do this with services such as: Elastic Load Balancer (ELB) and Auto Scaling Groups (ASG).
Know what is normal and abnormal traffic - E.g. a website getting a huge surge in traffic in the middle of the night at 3 AM is abnormal and you can do this with services such as: CloudWatch and SNS.
Deploy Firewalls for Sophisticated Application attacks - It is recommended to have at least AWS Business Support.
Services for DDoS Mitigation: Shield, CloudFront, Route53, WAF, Elastic Load Balancing, VPC & Security Groups.

Connect to your Linux instance if you lose your private key

Stop the instance.
Detach its root volume/copy its AMI and attach it to another instance.
Modify the authorized_keys file with a new public key.
Move the volume/AMI back to the original instance.
Restart the instance.

Direct Connect

You can connect to all your AWS resources in an AWS Region, transfer your business critical data directly from your data centre, office, or colocation environment into and from AWS, bypassing your Internet service provider and removing network congestion.
It does not encrypt your traffic that is in transit.
- You have to use Direct Connect with Site-to-Site VPN to get an IPsec-encrypted private connection.

EBS Security

An EBS volume is a has been wiped prior to being made available for use.
If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88, you have the ability to do so on EBS.
You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
EBS cannot wipe the data before the customer has released it; it only wipes the data before giving the volume to a new user. So , you will need to use custom tools for this.

EC2 Tenancy

Shared Tenancy (Default) - Multiple customers will share the same pieces of hardware.
Dedicated Hosts - Entire physical host from AWS and you can create as many EC2 instances as that host will allow for no additional charges.
Dedicated Instances - Separated hosts from the rest of the AWS customers but you are not paying for the entire host all at once.

Signed URLs

Signed URLs in the following cases:
- Provide access to an individual file, for example, an installation download for your application
- Users are using a client (for example, a custom HTTP client) that doesn't support cookies.
Signed cookies in the following cases:
- Provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website.
- Don't want to change your current URLs.

Origin Access Identity (OAI)

Ensure that your users access your files using only CloudFront URLs:
1. Create a special CloudFront user called an OAI and associate it with your distribution.
2. Configure your S3 bucket policy so that CloudFront can use the OAI to access the files in your bucket and serve them to your users.

Configure CloudFront distribution to use a SSL/TLS certificate

Key length must be 1024 or 2048 bits and cannot exceed 2048 bits.
Must import the certificate in the US East (N. Virginia) Region.
Must have permission to use and import the SSL/TLS certificate.

VPC Endpoints

Enables private connections between your VPC and supported AWS services
Interface endpoints - An elastic network interface with a private IP address from the IP address range of your subnet. Powered by AWS PrivateLink.
Gateway endpoints - You specify a gateway endpoint as a route table target for traffic destined to S3 and/or DynamoDB.

Network ACL (NACL)

Default NACL = ALLOWS all inbound and outbound traffic.
Custom NACL = DENIES all inbound and outbound traffic until you add rules.
There is a default limit of 20 to both inbound and outbound rules per list.
AWS provides additional rules on request, however the absolute maximum is 40.

URL Whitelisting

Allows AWS resources to download content from specific URLs.

Lambda@Edge

It is a feature of CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency.
You don't have to provision or manage any infrastructure.
You pay only for the compute time you consume - there is no charge when your code is not running.

Simple Email Service (SES)

Modern email servers use port 587 for the secure submission of email for delivery.
EC2 restricts email traffic over port 25 by default.
To avoid timeouts when sending email through the SMTP endpoint from EC2, you can request that these restrictions be removed or use a non-default port.

`iptables`

Users can be blocked from accessing metadata using iptables.

PreviousDomain 2 NextDomain 4

Last updated 4 years ago

Was this helpful?

DDoS Mitigation

Reduce Attack Surface Area - Limit the options for attackers e.g. application and database should not be on the same server and you can do this with services such as: SQS and Elastic BeanStalk.

Plan for Scale - E.g. whenever CPU load is more than 70%. automatically add one more Application server to meet the needs and you can do this with services such as: Elastic Load Balancer (ELB) and Auto Scaling Groups (ASG).

Know what is normal and abnormal traffic - E.g. a website getting a huge surge in traffic in the middle of the night at 3 AM is abnormal and you can do this with services such as: CloudWatch and SNS.

Deploy Firewalls for Sophisticated Application attacks - It is recommended to have at least AWS Business Support.

Services for DDoS Mitigation: Shield, CloudFront, Route53, WAF, Elastic Load Balancing, VPC & Security Groups.

Direct Connect

You can connect to all your AWS resources in an AWS Region, transfer your business critical data directly from your data centre, office, or colocation environment into and from AWS, bypassing your Internet service provider and removing network congestion.

It does not encrypt your traffic that is in transit.

You have to use Direct Connect with Site-to-Site VPN to get an IPsec-encrypted private connection.

EBS Security

An EBS volume is a has been wiped prior to being made available for use.

If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88, you have the ability to do so on EBS.

You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.

EBS cannot wipe the data before the customer has released it; it only wipes the data before giving the volume to a new user. So , you will need to use custom tools for this.

EC2 Tenancy

Shared Tenancy (Default) - Multiple customers will share the same pieces of hardware.

Dedicated Hosts - Entire physical host from AWS and you can create as many EC2 instances as that host will allow for no additional charges.

Dedicated Instances - Separated hosts from the rest of the AWS customers but you are not paying for the entire host all at once.

Signed URLs

Signed URLs in the following cases:

Provide access to an individual file, for example, an installation download for your application
Users are using a client (for example, a custom HTTP client) that doesn't support cookies.

Signed cookies in the following cases:

Provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website.
Don't want to change your current URLs.

VPC Endpoints

Enables private connections between your VPC and supported AWS services

Interface endpoints - An elastic network interface with a private IP address from the IP address range of your subnet. Powered by AWS PrivateLink.

Gateway endpoints - You specify a gateway endpoint as a route table target for traffic destined to S3 and/or DynamoDB.