Amazon AWS Certified SysOps Administrator Associate – Security and Compliance for SysOps Part 2

  1. [CCP] Penetration testing on AWS

Okay, so now let’s talk about penetration testing on the cloud. So, penetration testing is when you’re trying to attack your own infrastructure to test your security. A customer of AWS is welcome to carry out these security assessments and penetration tests against your own infrastructure without prior approval for eight services.

So these are Amazon EC2 instances, NAT Gateways and Elastic Load Balancers, Amazon RDS, CloudFront, Aurora, API Gateways, Lambda and Lambda@Edge functions, Lightsail resources and Elastic Beanstalk environments. The list can increase over time, but this is not something that you will be tested on at the exam. Just remember that you don’t need an authorization for these eight services, but if you wanted to do other types of activities, they could be prohibited. For example, you cannot do DNS zone walking via Amazon Route 53 hosted zones.

You cannot perform a distributed attack on your systems. You cannot perform a DoS or a DDoS, or a simulated DoS or a simulated DDoS; you cannot just attack your own infrastructure with a denial of service. You cannot do port flooding, you cannot do protocol flooding or request flooding, which are variants of an attack. And for any other event you need to contact the security team at AWS to ensure that they can approve it. If you wanted to read more, you could read more here.

So from an exam perspective, yes, you can do pen testing on your cloud. Remember that some are authorized, but anything that looks like an attack, such as a DDoS attack, DNS zone walking or port flooding, is not authorized, because for AWS it will seem like you’re trying to attack their infrastructure and they wouldn’t like it. So I hope that was helpful and I will see you in the next lecture.

  2. [SAA] Inspector Overview

Now, let’s talk about Amazon Inspector. Amazon Inspector is a way for you to do automated security assessments for your EC2 instances. So remember, this is only for EC2 instances. It’s not for AMIs, it’s not for RDS, it really is just for your EC2 instances. And it helps you analyze the running operating system and check it against known vulnerabilities. You can also analyze against unintended network accessibility.

And to do all these assessments, you need to install the AWS Inspector agent on the operating system of your EC2 instance. Once the assessment is run, you will get a report with a list of vulnerabilities and you can send notifications of that report into SNS. So you have the Inspector agent and then you install it on your EC2 instance. It’s going to connect to the Inspector service, and then the assessment is going to be run and the findings are going to be sent into a notification that will be sent into an SNS topic. Now, what does Inspector evaluate? Well, this is only for EC2 instances, and there will be one type of assessment that is agentless.

That means that it will not require the agent to be installed, which is the Network Reachability assessment. But for anything done within your host, you need to have an agent installed. And so therefore we will be running checks against Common Vulnerabilities and Exposures (CVE). We’ll be having the Center for Internet Security (CIS) Benchmarks and Security Best Practices. So that’s it for Inspector. I hope you liked it. Just remember, it is really to run security assessments from within your EC2 instances. And I will see you in the next lecture.

  3. Inspector Hands On

So let’s practice using Inspector. And for this I’m going to go into the Inspector service, Getting Started. And as you can see here, I have the option to set up weekly checks, or run once, or do an advanced setup, or just cancel. So the assessment types we can do on Inspector are network assessments, where the agent is not going to be required,

okay? And here’s the pricing. Basically, if you do 100 instances weekly, this is going to cost you $61 per month, and a host assessment, where the agent is required: if you assess 100 instances weekly, the cost would be around $120 per month. So this is if you wanted to set up a once or weekly run. But for now, what I’m going to do is just cancel this to get into the dashboard and go and find the Inspector assessment targets. So targets are going to be EC2 instances that can have assessment runs run against them.

And so for this I need to create an assessment target, and then it’s going to be all EC2 instances, and we’re going to include all EC2 instances in this account and region. Okay? And we need to install the agents on these EC2 instances in the assessment targets. And to do so, we need to have the SSM Agent installed and an IAM role that allows us to use Run Command.

So let’s go ahead and set up our first EC2 instance. And this is pretty cool because it shows an integration with SSM. So we will launch an Amazon Linux 2 instance of type t2.micro, and then I’m going to have to choose an IAM role that we did set up before. So the Amazon role for SSM, and this is going to allow the EC2 instance to be registered with SSM and therefore to run a Run Command on it. So we’ll do next at Storage. Security group: we can use whatever security group we had from before. It doesn’t really matter because we’re using SSM anyway. So I’m launching my instance and now we’re good to go.

So what I need to do is to wait for my instance to be registered, otherwise this is not going to work. So I’m going to save this. Okay? And we are also going to have to create an AWS service role for Inspector to do a describe on EC2 instances and EC2 tags to get the assessment targets. So we’ll say okay. Now my command has been running with success, and so soon, once I have the instance registered, I can install the agents with a Run Command.

So let me wait for the EC2 instance to start, and then what I have to do as well is go into Systems Manager and go under Fleet Manager, which is right here, and wait for my EC2 instance to appear within my Fleet Manager. So right now it’s not there yet and I’m going to have to wait a little bit. So my EC2 instance is now registered within SSM. And so that means that what I can do is that I can install the agents with a Run Command. And so this is going to go and do a Run Command, and because my agent is connected to my SSM service, then the Inspector agent is going to be installed on my EC2 instance.

So I can verify this by going into the Run Command menu and looking at the command history. So this did install my Inspector agent on one target and it was one success. So that means that now my EC2 instance is ready to be used with Inspector. And what I can do is that I can do an assessment run. So first we need to specify a template. So we’re going to create an assessment template and I’ll call it Demo template. The target name is going to be All EC2 instances, and then which rules packages do I want to run? So I can run these four rules packages. I told you before the duration of the assessment, so 1 hour is recommended. Do I want to notify into an SNS topic in order to notify for events?

This is fine. And then do I want to run this on a schedule? So no, I don’t need to, I just want to run once. So I’ll do create and run. And now my assessment run has started and you can look at the run in here. It is run right here. And what I need to do now is to wait an hour and get back to you when this is done. Okay, so it’s now been about an hour and the analysis is complete. So there were 100 findings. So I can click on these findings and have a look at all of them. So some of them are of high severity, some of them are medium, some of them are low, and some of them are informational.

Okay, so we can have a look at the high findings, and we can have a look at this one, and it’s saying, hey, this instance is not compliant with the rule 1.6 or 1.3, Ensure SELinux policy is configured, and so on. And so you can have some recommendations in here and view the details here in JSON form if you wanted to. Okay, so this is quite handy if you wanted to have a look at all the possible issues within your account. You can have a look at the assessment here and you can download a report entirely.

So what you can do is that you can click on here, Download reports, and it can be a findings report or a full report, in PDF format or HTML format. And this report is huge, it’s over 800 pages long, so you can have a look at all of it. But this could be quite helpful to have a look at all your findings, maybe produce some documentation regarding some compliance and so on. So have a look at it, but at least the Inspector service really allows you to see what is going on within your EC2 instances and look at all these findings, making sure that you’re not running any critical security issue on your instances. So to be done with this, just take the instance and terminate it, okay? As well, in Inspector, you have nothing else to do. You don’t need to change targets or templates or runs, because nothing is scheduled to happen every week. So that’s it for this lecture. I hope you liked it, and I will see you in the next lecture.
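The lecture views the findings one by one in the console; in practice you would pull them from the API and triage them by severity and by instance. The following is an added example, not part of the lecture: it assumes the record layout of the Inspector Classic DescribeFindings response (findings[].severity, .title, .assetAttributes.agentId) and works on constructed sample findings, so it runs offline.

```python
"""Summarise Inspector Classic findings by severity and gate on them.

Added example, not from the lecture. Record layout follows the Inspector
Classic DescribeFindings response; the findings below are constructed samples.
"""
from collections import Counter

# Inspector Classic severities, least to most severe.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample shaped like `aws inspector describe-findings` output.
SAMPLE_RESPONSE = {
    "findings": [
        {"id": "f-1", "severity": "High",
         "title": "Not compliant with rule 1.6 Ensure SELinux policy is configured",
         "assetAttributes": {"agentId": "i-0aaa111122223333a"}},
        {"id": "f-2", "severity": "Medium",
         "title": "Not compliant with rule 5.2.1 Ensure permissions on sshd_config",
         "assetAttributes": {"agentId": "i-0aaa111122223333a"}},
        {"id": "f-3", "severity": "Low",
         "title": "Not compliant with rule 1.1.1 Ensure cramfs mounting is disabled",
         "assetAttributes": {"agentId": "i-0bbb444455556666b"}},
        {"id": "f-4", "severity": "Informational",
         "title": "No potential security issues found",
         "assetAttributes": {"agentId": "i-0bbb444455556666b"}},
    ]
}

def count_by_severity(response):
    """Return {severity: count} for every finding in the response."""
    return dict(Counter(f["severity"] for f in response["findings"]))

def findings_at_or_above(response, threshold):
    """Findings whose severity is at least `threshold`, most severe first."""
    floor = SEVERITY_RANK[threshold]
    hits = [f for f in response["findings"] if SEVERITY_RANK[f["severity"]] >= floor]
    return sorted(hits, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)

def instances_with_findings(response, threshold="Medium"):
    """Map agentId (the EC2 instance id) to its finding titles at or above threshold."""
    per_instance = {}
    for f in findings_at_or_above(response, threshold):
        per_instance.setdefault(f["assetAttributes"]["agentId"], []).append(f["title"])
    return per_instance

def assessment_passes(response, threshold="High"):
    """Gate for a pipeline: True only if no finding reaches `threshold`."""
    return not findings_at_or_above(response, threshold)

if __name__ == "__main__":
    print(count_by_severity(SAMPLE_RESPONSE))
    print(instances_with_findings(SAMPLE_RESPONSE))
    print("passes:", assessment_passes(SAMPLE_RESPONSE))
```

With real data, feed the `findings` list returned by describe-findings for the assessment run instead of SAMPLE_RESPONSE; the gate then fails the run whenever a High finding is present.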
