Download Free AWS Certified Security - Specialty Exam Questions


Domain 2 - Logging & Monitoring

10. Understanding AWS WAF

Hey everyone, and welcome back to the KP Labs course. So in today's lecture we'll be discussing the AWS web application firewall offering. So this is a pretty interesting and straightforward WAF that AWS provides. So let's look into what exactly it is and how exactly it works. So basically, AWS WAF works based on conditions, rules, web ACLs and associations. So this might be a little confusing at the start. So what we'll do is take a very simple use case that will help us understand the entire flow that AWS WAF operates on. So let's take an example. So let's suppose that I live in a place A in Bangalore and want to meet a friend who is living in a place B. So in order to meet the friend, what I have to do is definitely travel. Now, you should remember that Bangalore is a well-known city for traffic. So before I can actually travel, I have certain conditions. The first condition is whether the traffic is low or whether there is a huge amount of traffic. The second condition is whether there are any Ubers or Olas available so that I can hire a cab and get to location B, because it's not necessary that public transport will always help you reach the destination. So these are the two conditions that I have. This is the conditions part, and there can be multiple conditions over here. Now let's go to the rules part. So within the rules part, what I do is combine the conditions: if traffic is less and if Ubers and Olas are available. So the first condition is true and the second condition is also true. That is what the rules define. You can combine multiple conditions in a rule. Now, what happens if these two conditions are met? If they are met, then yes, the rule is matched.
If they are not met, then the rule is not matched. So web ACLs are like: okay, if these conditions are met, then I'll go to meet my friend. If they are not met, then okay, I'll stay at home and I'll go some other day. So this is like allow- or deny-based rules. Now these are the first three parts. The last part is association: who is this associated with? Here it is associated with me. So that is the entire flow, and I hope you understand. You have the condition, you have the rule which contains multiple conditions, you have the web ACL which lets you either allow or block, so either I should go or I should stay back, and you have the association. Is it associated with me? Is it associated with some other person? This is what the association is all about. Great, so let's take each of them on a separate slide and understand them in great detail. So first are the conditions. A condition defines the characteristic that must be analysed within the HTTP-based web request. So there can be multiple conditions. As far as AWS WAF is concerned, there are a total of six conditions which it supports. You have SQL injection, you have cross-site scripting, you have geographic location. Let's assume that geographic location, like if someone is coming from Russia, becomes a condition. So all of these are part of the geographic location. You have conditions based on the length of the request. So there are multiple conditions that are defined. Now, when discussing rules, if you have defined multiple conditions, you can add them to a rule in an AND manner. So again, we can combine multiple conditions into a rule to precisely target a specific HTTP request. There are two types of rules which are available. One is the regular rule, and the second is the rate-based rule. So let's take an example of a regular rule: if a request comes from 172.30.0.50 and if it includes SQL-like code. These are two individual conditions.
So in one rule, there can be multiple conditions and they are treated as AND. So if the request is coming from this IP, and if the request contains SQL-like code, this becomes a rule. So this is a regular rule. Now, there is also a rate-based rule. So, what exactly is a rate-based rule? It is a regular rule with a rate limiting feature. So the same thing: if the request is coming from 172.30.0.50, if it includes SQLi code, and if the requests exceed a thousand requests in ten minutes. That last part is the rate limiting feature in the rate-based rule. Okay, so let's look into the first sample. So what happens if the request is coming from this IP and it includes the SQLi code? Should it be allowed? That is a question that is defined in the web ACL. So the web ACL is pretty straightforward. If the condition is met, what should be done: should you allow, should you block, or should you just count? So there are three types of action. You either allow it, you either block it, or you just count it. These are the three actions which are allowed. Now, the last is association. The question now is what these three entities should be associated with. Should they be associated with the EC2 instance, with the load balancer, or with the CloudFront distribution? So association is a very important concept because, as of now, WAF cannot be associated with EC2 instances. There are only two supported associations: one is the Application Load Balancer and the second is CloudFront. So this is something which you need to remember: you cannot directly attach it to an EC2 instance. Perfect. So that is much of the theory that we have looked into; now let's look into AWS WAF itself and look into each one of these. So I'll go to WAF and Shield, they have a combined page for now, then I'll go to AWS WAF, and if you look at the conditions, there are six conditions that are part of WAF as of 2018.
GeoMatch is something which is quite interesting because, let's assume that you have an e-commerce website based in India, so you don't really need to have requests which are coming from Russia or some other country. So you can actually block all requests from other countries except India. There are many startups which are solely based in India and serve Indian customers. I suggest they implement GeoMatch-based conditions. Anyway, I'll show you. So these are the conditions. Now within the GeoMatch condition, you can have multiple conditions, so let me put in Virginia. So you'll have to select the region, and within this I have a condition which is already created called the Geo condition. So this is the name of the condition. Now within this condition, what I have is a filter for India, so it will look into all the requests which are coming from multiple countries and it has the capability to check whether the request is coming from India or whether it is coming from countries which are not India. So I have one condition, so now I go to the rules. We have already seen that within rules you can attach conditions. So I have attached this specific condition. Within this rule, there can be multiple conditions which can be attached. So I have a condition, a rule, and the last is the web ACL. So, within the web ACL I have associated a rule. So you see, I have associated this rule, and the web ACL will basically check whether it should allow or block a request. So, currently it's allow. So what this web ACL will do is check whether the request is coming from India or not. If it is coming from India, then the action is allow. Now, if it is not coming from India, then you have a default action, whether to allow or to block. So I'll click on block, because I don't really need those requests. Okay. So this is what the ACLs are generally all about.
AWS WAF has a nice little graph which gives you an overview of the blocked requests, the allowed requests, and various other things. So if you go to the geo rule, this is where you can get samples. It can actually tell you from which IP the request has been coming in. We'll be looking into it during the implementation part. But this is where it gives you a great amount of detail. So let's look into whether it really works. So currently I'm based in India, and this specific WAF is connected to my load balancer. So I'll show you this. So I'll add an association. I'll associate it with my Application Load Balancer. So currently, this is associated with the load balancer. We already discussed the association part. There are only two associations. One is the Application Load Balancer, and one is CloudFront. So, currently this is associated with the Application Load Balancer. So I'll quickly go to the ALB to verify whether it is actually connected or not. So I'll go to load balancers, I'll go to the KP Labs ALB, and if you look into the web ACL, I already have a WAF ACL which is associated. Perfect. So now let's look at whether it is actually working or not. So we'll send requests to the ALB, one from India and the second from another location. So ideally, what should happen is that requests coming from India should be allowed and requests coming from some other location should be blocked. So if I press Enter, you see I get a response which is KP Labs internal. So this seems to be working perfectly. Now I have an Opera browser. And within the Opera browser, I have a VPN. So Opera comes with a default VPN, and within the VPN I have Europe as a location. So now if I go to the same URL, let's see whether it actually works or not. And you see, it is showing 403 Forbidden. And this is what the WAF is actually doing. So this is one of the classic examples of the geolocation-based rules of WAF.
We have already seen that it can actually protect against various attacks like SQL injection, cross-site scripting, and various others.
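
The evaluation flow from this lecture (conditions ANDed inside a rule, an action per rule in the web ACL, a default action when nothing matches), as an added Python model that is not part of the course material and not AWS code. The class and rule names, the documentation-range IP addresses, the limit of 3 and the substring-based SQLi check are assumptions made for illustration; the ten-minute window is the lecture's own example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Request:                  # constructed stand-in for one HTTP request
    src_ip: str
    country: str                # country code the WAF resolved for src_ip
    query: str = ""
    ts: float = 0.0             # arrival time in seconds

Condition = Callable[[Request], bool]

def geo_match(*countries: str) -> Condition:
    return lambda r: r.country in countries

def ip_match(*ips: str) -> Condition:
    return lambda r: r.src_ip in ips

def sqli_match() -> Condition:
    # Crude substring check standing in for the SQL injection match condition.
    markers = ("' or ", "union select")
    return lambda r: any(m in r.query.lower() for m in markers)

@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    rate_limit: Optional[int] = None   # None means a regular rule
    window: float = 600.0              # seconds; the lecture's ten-minute example
    hits: dict = field(default_factory=lambda: defaultdict(deque))

    def matches(self, r: Request) -> bool:
        # All conditions in a rule must hold (logical AND).
        if not all(cond(r) for cond in self.conditions):
            return False
        if self.rate_limit is None:
            return True
        # Rate-based rule: also require more than rate_limit matching
        # requests from this source IP inside the sliding window.
        seen = self.hits[r.src_ip]
        seen.append(r.ts)
        while seen[0] <= r.ts - self.window:
            seen.popleft()
        return len(seen) > self.rate_limit

@dataclass
class WebACL:
    default_action: str                # "ALLOW" or "BLOCK"
    rules: List[Tuple[int, Rule, str]] = field(default_factory=list)

    def add(self, priority: int, rule: Rule, action: str) -> "WebACL":
        self.rules.append((priority, rule, action))
        return self

    def evaluate(self, r: Request) -> Tuple[str, Optional[str], List[str]]:
        counted: List[str] = []
        for _, rule, action in sorted(self.rules, key=lambda t: t[0]):
            if not rule.matches(r):
                continue
            if action == "COUNT":      # record the match, keep evaluating
                counted.append(rule.name)
                continue
            return action, rule.name, counted   # ALLOW or BLOCK ends evaluation
        return self.default_action, None, counted

def geo_demo_acl() -> WebACL:
    # The lecture's demo: allow requests from India, block everything else.
    return WebACL("BLOCK").add(1, Rule("india-only", [geo_match("IN")]), "ALLOW")

def layered_acl() -> WebACL:
    bad_ip = ip_match("203.0.113.50")  # documentation address, constructed
    return (WebACL("ALLOW")
            .add(1, Rule("watch-sqli", [sqli_match()]), "COUNT")
            .add(2, Rule("ip-and-sqli", [bad_ip, sqli_match()]), "BLOCK")
            .add(3, Rule("ip-flood", [bad_ip], rate_limit=3), "BLOCK"))

if __name__ == "__main__":
    geo = geo_demo_acl()
    for country in ("IN", "DE"):
        print(country, geo.evaluate(Request("198.51.100.7", country)))
    acl = layered_acl()
    for i, q in enumerate(["id=1", "id=1' OR '1'='1", "id=2", "id=3", "id=4"]):
        print(q, acl.evaluate(Request("203.0.113.50", "IN", q, ts=float(i))))
```

Each result is a tuple of the final action, the rule that decided it (or `None` for the default action), and the names of any COUNT rules that matched on the way.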

11. Implementing AWS WAF with ALB

Hey everyone, and welcome back. So in the earlier lecture, we discussed the high-level overview of what Run Command is all about. So what we'll be doing in today's lecture is we'll be creating an EC2 instance over here, and we'll be configuring this EC2 instance to work with Run Command. So the very first thing that you need to do is create an IAM role. So in this EC2 instance, let me just refresh here, there is no IAM role associated with it. So let's do one thing. Let's go to IAM and let's create a new role. So I'll go to the roles. I'll create a new role. This role will be for EC2, so I'll select EC2 over here. And within this, there is an EC2 role for Simple Systems Manager. So we'll be selecting this one, and I'll click on Next: Permissions. So by default, there is a policy which AWS has already created, so we don't really have to select the policy. I'll just click on Next: Review. I'll give the role name as "Runcommand" and I'll click on Create Role. So once this role is created, I'll attach this role to the EC2 instance. So I'll go to Instance Settings, Attach/Replace IAM Role, and here we'll be selecting the Runcommand role and clicking on Apply. Perfect. Quickly verify whether you can see the IAM role Runcommand, and it is perfect. So once the IAM role is attached, the next thing that you need to do is install the SSM Agent. Now within the documentation itself, you have the command with which you can install the SSM Agent. It is simple to install if you're running a Red Hat-based system. So in my case, I am running Amazon Linux. So I'll use this specific command to execute it. So let me just log in again. Perfect. So let me just quickly install the SSM Agent. I'll be pasting this command into the resources, so in case you need it, you can directly copy and paste that. Perfect. So the Amazon SSM Agent has been installed. So the next thing that you would want to do is just verify whether the Amazon SSM Agent is running or not.
So I'll quickly do a status on the Amazon SSM Agent and you'll see it is running as expected. Perfect. So, once you have the agent installed and the IAM role configured, the next thing you can do is go ahead and select Run Command and click on Run a command. So there are various ways in which you can run a command. In our case, I'll be using AWS-RunShellScript. If you look into the targets, you will see one EC2 instance. So this EC2 instance has the SSM Agent installed, which is the reason why you are seeing this. So once you see and select this instance, go ahead and type the commands that you want to execute. So I'll do ls -l /root and I'll do rpm -qa. So these are the two commands that I want to execute. Now, let's quickly verify the contents of the root directory. There is a file called test within the root directory. So this will allow us to verify the output that you can see from Run Command. So these are the two commands that we'll be executing. I'll just put it as Mand. Within the advanced options, you can store the output of your command in an S3 bucket or you can enable the SNS notification as well. So along with that, you also have a ready-made command which SSM has already generated. So whatever command you have written over here is converted to the SSM-specific command, and you can actually run this command manually as well. However, this is something that we'll not be doing right now. So let's do one thing. Let's go ahead and click on Run. Perfect. So now if we go and view the results, this is a success. The status is Success. And now if you look into View Output, this is the first command, where we did ls on /root. So this was the first command that was executed and the output was test. And this is something that you see within the Run Command output as well. And the second command that we executed was rpm -qa, and these are all the packages that were part of it.
Now, one thing that you will see here is that the output is truncated. So there are certain character limits: 2500 characters of output are shown. So if you want to see the entire output, you need to configure it with the S3 bucket. So since we have not configured it with the S3 bucket, we'll only see the truncated output. But the ideal case is that whenever you run a command, you configure the S3 bucket as well, so that the entire output of the command would be stored in the S3 bucket for you to look into. So this is the high-level overview of what Run Command is all about. I have found that Run Command is very useful in certain cases related to investigation or even certain use cases where your SSH fails. So this is all about Run Command. I hope you found this information useful, and I hope to see you at the next lecture.
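
The same procedure driven through the API instead of the console, as an added Python example that is not part of the course material: it sends the lecture's two commands with the AWS-RunShellScript document, asks for the full output to go to S3, and polls until the invocation finishes. The function name, the key prefix, the instance ID and the bucket name are placeholders; it assumes a boto3 SSM client, an instance with the IAM role and SSM Agent set up as above, and a bucket the instance role can write to.

```python
import time

# Invocation states after which polling can stop.
TERMINAL = {"Success", "Failed", "Cancelled", "TimedOut"}


def run_shell(ssm, instance_id, commands, bucket=None, prefix="run-command",
              poll=2.0, timeout=120.0, sleep=time.sleep):
    """Run shell commands on one instance via Run Command and wait for the result.

    ssm is a boto3 SSM client (or any object exposing the same methods).
    """
    request = {
        "InstanceIds": [instance_id],
        "DocumentName": "AWS-RunShellScript",
        "Parameters": {"commands": list(commands)},
    }
    if bucket:
        # Without a bucket, only a truncated copy of the output is kept.
        request["OutputS3BucketName"] = bucket
        request["OutputS3KeyPrefix"] = prefix
    command_id = ssm.send_command(**request)["Command"]["CommandId"]

    waited = 0.0
    while True:
        try:
            inv = ssm.get_command_invocation(CommandId=command_id,
                                             InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:
            inv = {"Status": "Pending"}    # invocation not registered yet
        if inv["Status"] in TERMINAL:
            break
        if waited >= timeout:
            raise TimeoutError(f"{command_id} still {inv['Status']} after {timeout}s")
        sleep(poll)
        waited += poll

    return {
        "command_id": command_id,
        "status": inv["Status"],
        "exit_code": inv.get("ResponseCode"),
        "stdout": inv.get("StandardOutputContent", ""),   # may be truncated
        "full_stdout_url": inv.get("StandardOutputUrl") or None,
    }


if __name__ == "__main__":
    import boto3    # needs AWS credentials and a default region configured
    result = run_shell(boto3.client("ssm"),
                       "i-0123456789abcdef0",                # placeholder instance ID
                       ["ls -l /root", "rpm -qa"],
                       bucket="example-run-command-output")  # placeholder bucket
    print(result["status"], result["exit_code"], result["full_stdout_url"])
    print(result["stdout"])
```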

12. Understanding EC2 Run Command

Hey everyone and welcome back to the Knowledgeful Review series. In today's lecture we'll be exploring some of the services which are part of the Systems Manager service. In today's lecture we'll be speaking specifically about Run Command. So Run Command, and in fact the entire SSM, is a new feature which has been introduced recently within the AWS environment. So Run Command, as the title itself says, allows us to run a specific set of commands within the instances that you are running. So generally, let's assume that I have a Linux server here and I want to execute a certain command here. So what I would typically do is I would log into the server via SSH and then I would run a specific command. So this is one of the normal ways. Now let's assume that you have hundreds of instances and you want to run one specific command on all the hundred instances. So what is the easiest way to achieve this? So, while configuration management tools like Ansible are ideal, AWS has also enabled us to execute this specific use case using its own service called Run Command. So generally, let me show you that when you click on Run Command, there are various ways in which you can execute a certain use case. So the use case can be for Windows, and the use case can be for Linux as well. So let me show you one of the examples. So you have a specific AWS-RunShellScript document over here, and if you go a bit down, there are certain commands that you can execute over here. So what you can do is you can specify which command you want to run, you can create iptables firewall rules or whatever you want, you specify the instances on which the commands should execute, and you can also specify the timeout-related values as well. So all of those things can be specified, and after you have specified your configuration, AWS Run Command will execute the commands that you have specified in this text box on all the instances that have been selected.
One question you may have is, "How can Run Command execute the command inside the EC2 instances?" So let me just quickly show you. I have my instance logged in, so if I do a quick rpm -qa on amazon, you will see there is an Amazon SSM Agent which is installed. So if you want to work with Run Command, you have to install the SSM Agent on all the EC2 instances where you want to execute the command. So once the agent is installed, you can go ahead and create your own command, and that agent, which is installed on the server, is responsible for executing that specific command. So I have one sample command which I have executed. So this is the command. You see, the document name is AWS-RunShellScript, so if I go into the output, the status of this specific command is Success, and if I go ahead and click on View Output, you see it has given me the output of the command which has been run. So basically, I had run a command which was rpm -qa. Let me just show you. So rpm -qa, this is the command that I executed with Run Command, and this is the output that Run Command gave me. So this is what Run Command is all about. What we'll be doing is wrapping up the lecture right now, and in the upcoming lecture we'll look into how we can execute Run Command. So there are a few steps that we have to take, like the IAM role policy and installation of the SSM Agent, before we can go ahead and do a run command. So this is it for this lecture. I hope you found this information useful, and I hope to see you at the next lecture.

13. Deploying our first RunCommand

Hey everyone, and welcome back to the KP Labs course. So in the earlier lecture we had a high-level overview of what AWS WAF is all about. So in today's lecture we will look into the implementation part and look into how we can actually configure the WAF. Now, one thing that we already discussed in the association part is that AWS WAF currently supports two types of associations. One is the ALB and the second is CloudFront. So before we deploy a WAF, we should have one of these things already deployed. I already have an ALB deployed, but what I'll do is we'll do this exercise again and we'll deploy a brand new ALB so that we are on the same page. So before the ALB can be deployed, you need to have one EC2 instance. So I have this EC2 instance which has a simple NGINX page. So this is a simple page. You can just do a yum -y install nginx and a service nginx start, and these are the only two steps that you need to do. And you should have some kind of page for the simple example. Once you have it, we can go ahead and create a load balancer. The type would be Application Load Balancer. Let me name it KP Labs, so that it is easily recognizable. The IP address type would be IPv4. And I'll put it in the availability zones. Okay, great. So select the two availability zones. I'll go to the security groups. I'll select the security group which is basically allowed, go on to routing, go to the target group, name this as Target, and go to Next. And here, basically, just select the EC2 instance which has the web server running. Go to Next: Review and go ahead and click on Create. Perfect. So you have the KP Labs WAF load balancer over here. It takes some time to configure, so until the state changes from provisioning to available, we can go ahead and deploy our application firewall. Perfect. So I'll go to Services and I'll type AWS WAF. This will take me to the common page of WAF and Shield, and I'll select WAF for the time being.
So if you look into WAF in a simple way, first you create a condition, and second, you create a rule. Third, you create a web ACL, and fourth, you create an association. So we'll follow a similar approach. So first we'll select a condition. I'll select Geo Match now, and you have to filter by the region where it will be implemented. I'll be using the North Virginia region, where my ALB is deployed. So I'll create a condition. I'll name it KP Labs hyphen demo. The region will be North Virginia. Because this is a Geo Match, the location type will be country, and you can then specify the country. I'll select India. Perfect. And I'll click on Add location. So this location has been added. So if you want to maybe allow requests from multiple countries, you can add them here as well. So I'll click on Create. Perfect. So now you have the condition that is created. The next thing you can do is create a rule. So I'll go to rules and I'll create a new rule. I'll name it KP Labs hyphen rules. The rules can be regular or rate-based. I'll select regular for the time being. And now in the other section you have "when a request does match" and which condition. So we'll select "originates from a geographic location" because we are working based on geography. And I'll select the condition that we defined, which is KP Labs hyphen demo. And I'll click on Add condition. The rule is: when a request matches, that is, when the request originates from a geographic location which is defined in the KP Labs hyphen demo condition, and that is India. This is what the rules are all about. So you see, you can actually put multiple rules over here and they work based on conditions. So we'll just use one rule for our demo so that it becomes easier and less confusing. So I'll create the rule. Perfect. So now we have the KP Labs rule. So we have a condition which we have created. We have the rule which we have created. Now the question is the web ACLs.
So we'll go to the web ACLs and I'll click on Create web ACL. Here I'll say KP Labs hyphen web ACL. The region would be North Virginia, and now there is the AWS resource to associate. So this is where the association comes into the picture. So this is where you have to put the ALB name. So I'll put in KP Labs hyphen WAF, which is the ALB. Now before we do that, let's quickly verify. Currently, if you look at the AWS web ACL field, it does not really have anything. Now as soon as you click on Next, this is the page which will be presented to you. So you'll have to basically put in the rules. So what we'll do is we'll click on Next, and within the rules column I'll select the KP Labs rule over here and I'll select Add rule to web ACL. Now this asks me what to do if the request matches this rule. So this rule already states that it will analyse the HTTP request and verify whether it is coming from India or not. So if it is coming from India, what action should be taken? I'll click on allow. So if it is India, it will be allowed. Now the next section is if the request doesn't match any rules. So if the request is not originating from India, then what do you want to do? I'll say that I want to block all the requests that don't match. So before we do that, let's quickly verify whether our ALB is working properly or not. So let me open up the ALB CNAME. Okay, so 503 Service Temporarily Unavailable. Let's quickly verify. So I'll go to the target groups. This is the target group. Oops. I think the targets were not registered. So this is a bit confusing when you come from the classic load balancer background. So you have to click on Add to registered. Then it goes here and you click on Save. Perfect. So let's just wait for a moment. So the status is initial. Perfect. So now the status has been changed to healthy. So if I quickly verify, you see, I have a page which is up and running perfectly. Great. So everything seems to be working perfectly.
I'll go and I'll click on Review and create. And I'll click Confirm. So what it will do is it will associate this specific web application firewall ACL that we have created with the Application Load Balancer named KP Labs hyphen WAF. So if you go to the load balancer, let me just quickly refresh. It is still not associated. So it takes a little amount of time for the association to take place. So let's just wait for a moment. Perfect. So the web ACL is successfully associated. So even here, if I just refresh the page, you see the AWS web ACL there now. Great. So everything should be working as expected. So in order to verify this again, what we'll do is use the Opera browser. In the Opera browser, we'll press Ctrl+Shift+N so that it goes to the private window. Here I'll click on VPN. I'll enable the VPN, and for the location, instead of optimal location, let me select Europe. Perfect. So now whatever request I put in will go from the European location. So now I can open up the DNS name. I'll copy this DNS name and I'll enter it in the Opera browser. So this will be tunnelled through the European VPN, and you see it is showing 403 Forbidden. You can now open it in Chrome, which does not have a VPN. So now you see, it works perfectly. So this is how the geolocation-related WAF is implemented. So again, once you have this ACL, you can actually get a nice little graph based on a five-minute period and you can even get the samples. So this is where you'll get the IP addresses from which the requests are coming. So you can actually look into the great logs that you expect. So this is about configuring AWS WAF. I hope you understand the basic configuration, and I hope to see you in the next lecture.
