
Cloud Security

 Suraj Barkul 01-36-006 MMS-FIN
 Darshil Khandar 01-36-023 MMS-FIN
 Aakash Tiwari 02-26-101 PG-MKT
 Aman Pandey 02-26-104 PG-MKT
 Anand Jolly 04-18-010 PG-IB
What is cloud security

 Cloud security is the protection of data, applications, and infrastructures
involved in cloud computing. Many aspects of security for cloud environments
(whether public, private, or hybrid) are the same as for any on-premises IT
architecture.
 Like any computing environment, cloud security involves maintaining adequate
preventative protections so you:
• Know that the data and systems are safe.
• Can see the current state of security.
• Know immediately if anything unusual happens.
• Can trace and respond to unexpected events.
Cloud Firewall
 Firewalls were initially designed to control the network perimeter and keep
anything malicious from getting through.
 A firewall is a security product that filters out malicious traffic. Traditionally,
firewalls have run in between a trusted internal network and an untrusted
network – e.g., between a private network and the Internet.
 Cloud firewalls block cyber attacks directed at cloud-hosted assets. As the name
implies, a cloud firewall is a firewall that is hosted in the cloud.
 Cloud-based firewalls form a virtual barrier around cloud platforms,
infrastructure, and applications, just as traditional firewalls form a barrier
around an organization's internal network.
 Firewalls block and allow network traffic according to an internal set of rules.
Some firewalls allow administrators to customize these rules.
 Firewall as a Service (FWaaS) runs in the cloud just like PaaS, SaaS and IaaS: a
third-party vendor provides the firewall as a service that they update and maintain
from their end.
DDoS: Distributed Denial of Service
 In computing, a denial-of-service attack (DoS attack) is a cyber-attack in
which the perpetrator seeks to make a machine or network resource unavailable
to its intended users by temporarily or indefinitely disrupting services of a
host connected to the Internet.
 Denial of service is typically accomplished by flooding the targeted machine
or resource with superfluous requests in an attempt to overload systems and
prevent some or all legitimate requests from being fulfilled.
 In a distributed denial-of-service attack (DDoS attack), the incoming traffic
flooding the victim originates from many different sources (IP addresses),
typically machines infected with malware. This effectively makes it impossible
to stop the attack simply by blocking a single source, and it becomes difficult
to distinguish genuine traffic from attack traffic.
 DDoS attacks generally target high-profile web servers such as those of banks
or credit card payment systems.
 One of the most common attacks is the SYN flood.
What is an IPS?
 An Intrusion Prevention System (IPS) is a network security/threat prevention
technology that examines network traffic flows to detect and prevent vulnerability
exploits.
 Vulnerability exploits usually come in the form of malicious inputs to a target application
or service that attackers use to interrupt and gain control of an application or machine.
 Following a successful exploit, the attacker can disable the target application (resulting
in a denial-of-service state) or can potentially gain all the rights and permissions
available to the compromised application.
 The IPS often sits directly behind the firewall and provides a complementary layer of
analysis that negatively selects for dangerous content. Unlike its predecessor IDS, IPS is
placed inline (in the direct communication path between source and destination),
actively analysing and taking automated actions on all traffic flows that enter the
network. Specifically, these actions include:
 Sending an alarm to the administrator (as would be seen in an IDS)
 Dropping the malicious packets
 Blocking traffic from the source address
 Resetting the connection
Detection by IPS
 Signature-based detection is based on a dictionary of uniquely
identifiable patterns (or signatures) in the code of each exploit. As an
exploit is discovered, its signature is recorded and stored in a continuously
growing dictionary of signatures. Signature detection for IPS breaks down
into two types:
 1. Exploit-facing signatures identify individual exploits by triggering on the
unique patterns of a particular exploit attempt. The IPS can identify specific
exploits by finding a match with an exploit-facing signature in the traffic stream.
 2. Vulnerability-facing signatures are broader signatures that target the
underlying vulnerability in the system that is being targeted. These signatures
allow networks to be protected from variants of an exploit that may not have
been directly observed in the wild, but also raise the risk of false positives.
 Statistical anomaly detection takes samples of network traffic at
random and compares them to a pre-calculated baseline performance
level. When the sample of network traffic activity is outside the parameters
of baseline performance, the IPS takes action to handle the situation.
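An added Python example (not from the slides) that models the two detection methods described above on constructed request lines and request rates: an exploit-facing literal signature, a broader vulnerability-facing pattern that also catches URL-encoded variants the literal would miss, and a statistical baseline with a 3-sigma threshold, mapped to the actions listed on the IPS slide. The signatures, request lines and baseline numbers are all constructed.

```python
import re
import statistics

# Exploit-facing signature (constructed): the literal payload of one specific exploit attempt.
EXPLOIT_SIGNATURES = {"traversal-etc-passwd": "/../../../../etc/passwd"}

# Vulnerability-facing signature (constructed): the underlying weakness, repeated parent-directory
# traversal, plain or URL-encoded, so variants never seen in the wild still match (more false positives).
VULN_SIGNATURES = {"path-traversal-generic": re.compile(r"(?:\.\./|\.\.%2[fF]){2,}")}


def signature_match(request_line: str) -> list[str]:
    """Return the names of every signature that fires on one HTTP request line."""
    hits = [name for name, literal in EXPLOIT_SIGNATURES.items() if literal in request_line]
    hits += [name for name, rx in VULN_SIGNATURES.items() if rx.search(request_line)]
    return hits


class AnomalyDetector:
    """Statistical anomaly detection: baseline mean/stdev of per-second request counts
    observed during normal operation; a sample beyond k standard deviations is anomalous."""

    def __init__(self, baseline: list[int], k: float = 3.0):
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.pstdev(baseline) or 1.0  # avoid division by zero on a flat baseline
        self.k = k

    def is_anomalous(self, sample: int) -> bool:
        return abs(sample - self.mean) / self.stdev > self.k


def ips_decision(request_line: str, rate: int, detector: AnomalyDetector) -> dict:
    """Inline IPS: every flow is checked; the action names follow the IPS slide."""
    sigs = signature_match(request_line)
    if sigs:                                  # known exploit or vulnerability pattern
        return {"alert": True, "action": "drop", "reason": sigs}
    if detector.is_anomalous(rate):           # traffic volume outside the baseline
        return {"alert": True, "action": "reset", "reason": ["rate-anomaly"]}
    return {"alert": False, "action": "forward", "reason": []}


# Constructed baseline: requests per second during a quiet period (mean 41, stdev about 2.1).
BASELINE = [40, 42, 38, 45, 41, 39, 43, 40]
DETECTOR = AnomalyDetector(BASELINE)

if __name__ == "__main__":
    for line, rate in [("GET /index.html HTTP/1.1", 44), ("GET /index.html HTTP/1.1", 60),
                       ("GET /files?name=..%2f..%2f..%2fconfig HTTP/1.1", 40)]:
        print(rate, line, "->", ips_decision(line, rate, DETECTOR))
```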
IDS (Intrusion Detection System)
 An Intrusion Detection System (IDS) is a system that monitors network traffic for
suspicious activity and issues alerts when such activity is discovered.
 It is a software application that scans a network or a system for harmful activity or policy
violations. Any malicious venture or violation is normally reported either to an
administrator or collected centrally using a security information and event management
(SIEM) system.
 A SIEM system integrates outputs from multiple sources and uses alarm filtering
techniques to differentiate malicious activity from false alarms.
 Some types of IDS are:
 Network IDS
 Host IDS
 Protocol-based IDS
 Both an IDS and a firewall are network security controls, but they differ: a firewall looks
outward for intrusions in order to stop them from happening. Firewalls restrict access between
networks to prevent intrusion, and they do not signal an attack that originates inside the
network. An IDS describes a suspected intrusion once it has happened and then signals an
alarm.
Web Application Firewall
 A regular web application firewall (WAF) provides security by operating
through an application or service, blocking service calls, inputs and outputs
that do not meet the firewall's policy, i.e. a set of rules applied to an HTTP
conversation.
 The rules for blocking an attack can be customized depending on the role the
WAF needs to play in protecting a website. WAFs are considered an evolving
information security technology, more powerful than a standard network
firewall or a regular intrusion detection system.

 Cloud-based WAFs, thus, utilize all advantages of WAFs and share that
threat detection information among all tenants of the service, which
improves results and speeds up detection rates. The whole community learns
from an attack to any website sharing a single cloud-based WAF service.
AWS Security
Security Group
 All inbound traffic is blocked by default
 All outbound traffic is allowed by default
 You can have multiple security groups attached to an EC2 instance
 Security groups are stateful: if you allow traffic in, the return traffic is
automatically allowed back out again
 You cannot block specific IP addresses using security groups; use a Network
Access Control List (NACL) instead
 You can only specify allow rules, not deny rules
 A security group is applied at the instance level, whereas a NACL is applied to subnets
NACL
 Your VPC automatically comes with a default NACL, which by default allows all
inbound and outbound traffic
 A NACL operates at the subnet level
 Each subnet in your VPC must be associated with a NACL; if you do not associate
one explicitly, the subnet is associated with the default NACL
 You can associate a NACL with multiple subnets, but a subnet can be associated
with only one NACL at a time
 A NACL contains a numbered list of rules that is evaluated in order, lowest
number first
 A NACL has separate inbound and outbound rules, and each rule either allows or
denies traffic (based on IP address)
 NACLs are stateless (return traffic is not automatically allowed; it must match
a rule of its own)
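The behaviour on the Security Group and NACL slides above, modelled as an added Python example (not from the slides or from AWS): a NACL is an ordered, stateless allow/deny list with an implicit final deny, while a security group is allow-only and stateful. The rule numbers, CIDRs and ports are constructed, and the sample security group has its default outbound rule removed so that statefulness is visible.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class NaclRule(NamedTuple):
    number: int            # rules are evaluated lowest number first; first match wins
    cidr: str
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny": NACLs support both

def nacl_evaluate(rules: list, peer_ip: str, port: int) -> str:
    """Stateless check of one packet against a NACL rule list. Inbound and outbound
    lists are evaluated independently and nothing is remembered between packets;
    if no numbered rule matches, the implicit final rule (*) denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if ip_address(peer_ip) in ip_network(rule.cidr) and rule.port in (None, port):
            return rule.action
    return "deny"

class SecurityGroup:
    """Stateful, allow-only rules: there is no 'deny' action to express here."""
    def __init__(self, inbound_allow, outbound_allow):
        self.inbound_allow = inbound_allow      # (cidr, local port) pairs
        self.outbound_allow = outbound_allow    # (cidr, destination port) pairs
        self.tracked = set()                    # (peer_ip, local_port) of accepted inbound flows

    @staticmethod
    def _matches(rules, ip, port):
        return any(ip_address(ip) in ip_network(c) and p == port for c, p in rules)

    def inbound(self, peer_ip, local_port):
        if self._matches(self.inbound_allow, peer_ip, local_port):
            self.tracked.add((peer_ip, local_port))   # remember the flow so its replies pass
            return "allow"
        return "deny"

    def outbound(self, peer_ip, peer_port, local_port):
        if (peer_ip, local_port) in self.tracked:    # reply to an allowed inbound flow
            return "allow"
        return "allow" if self._matches(self.outbound_allow, peer_ip, peer_port) else "deny"

# Constructed rule sets. The NACL denies one abusive /24 ahead of a broad HTTPS allow,
# which a security group cannot express; it has no outbound rule for client ephemeral ports.
INBOUND_NACL = [NaclRule(100, "203.0.113.0/24", None, "deny"), NaclRule(200, "0.0.0.0/0", 443, "allow")]
OUTBOUND_NACL = [NaclRule(100, "0.0.0.0/0", 443, "allow")]
WEB_SG = SecurityGroup(inbound_allow=[("0.0.0.0/0", 443)], outbound_allow=[])  # default outbound rule removed
```

Running `nacl_evaluate(OUTBOUND_NACL, "198.51.100.5", 50000)` shows why stateless NACLs need an explicit outbound rule for the ephemeral port range, while `WEB_SG.outbound(...)` passes the same reply because the inbound flow was tracked.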
Identity & access management
Identity management for your apps: Amazon Cognito
Simple, secure service to share AWS resources: AWS Resource Access Manager
Rotate, manage and retrieve secrets: AWS Secrets Manager
Cloud single sign-on (SSO) service: AWS Single Sign-On

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps
quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity
providers.
AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS
resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways,
subnets, and AWS License Manager configurations.
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT
resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys,
and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets
Manager APIs, eliminating the need to hardcode sensitive information in plain text.
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and
business applications and provide users with single sign-on access to all their assigned accounts and
applications from one place.
Detective controls
Unified security and compliance center: AWS Security Hub
Managed threat detection service: Amazon GuardDuty
Analyze application security: Amazon Inspector
Discover, classify and protect your data: Amazon Macie
AWS Security Hub gives you a comprehensive view of your high-priority security alerts and
compliance status across AWS accounts. There is a range of powerful security tools at your
disposal, from firewalls and endpoint protection.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity
and unauthorized behavior to protect your AWS accounts and workloads.
Amazon Inspector is an automated security assessment service that helps improve the security
and compliance of applications deployed on AWS. Amazon Inspector automatically assesses
applications for exposure, vulnerabilities, and deviations from best practices. After performing an
assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of
severity. These findings can be reviewed directly or as part of detailed assessment reports which are
available via the Amazon Inspector console or API.
Amazon Macie is a security service that uses machine learning to automatically discover, classify,
and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally
identifiable information (PII) or intellectual property, and provides you with dashboards and alerts
that give visibility into how this data is being accessed or moved.
Infrastructure protection
DDoS protection: AWS Shield
Filter malicious web traffic: AWS Web Application Firewall (WAF)
Central management of firewall rules: AWS Firewall Manager
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards
applications running on AWS. AWS Shield provides always-on detection and automatic inline
mitigations that minimize application downtime and latency, so there is no need to engage AWS
Support to benefit from DDoS protection.
AWS WAF is a web application firewall that helps protect your web applications or APIs against
common web exploits that may affect availability, compromise security, or consume excessive
resources. AWS WAF gives you control over how traffic reaches your applications by enabling you
to create security rules that block common attack patterns, such as SQL injection or cross-site
scripting, and rules that filter out specific traffic patterns you define.
AWS Firewall Manager is a security management service which allows you to centrally configure
and manage firewall rules across your accounts and applications in AWS Organizations. As new
applications are created, Firewall Manager makes it easy to bring new applications and resources
into compliance by enforcing a common set of security rules. You have a single service to
build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner
across your entire infrastructure.
Data Protection
Key storage and management: AWS Key Management Service (KMS)
Hardware-based key storage for regulatory compliance: AWS CloudHSM
Provision, manage, and deploy public and private SSL/TLS certificates: AWS Certificate Manager
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic
keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a
secure and resilient service that uses hardware security modules that have been validated under FIPS
140-2, or are in the process of being validated, to protect your keys.
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate
and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own
encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to
integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography
Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and
private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services
and your internal connected resources. SSL/TLS certificates are used to secure network
communications and establish the identity of websites over the Internet as well as resources on private
networks. AWS Certificate Manager removes the time-consuming manual process of purchasing,
uploading, and renewing SSL/TLS certificates.
Compliance
No-cost, self-service portal for on-demand access to AWS compliance reports: AWS Artifact
AWS Artifact is your go-to, central resource for compliance-related information that matters
to you. It provides on-demand access to AWS’ security and compliance reports and select
online agreements. Reports available in AWS Artifact include our Service Organization Control
(SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies
across geographies and compliance verticals that validate the implementation and operating
effectiveness of AWS security controls. Agreements available in AWS Artifact include the
Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
Benefits of AWS Cloud Security
 Scale securely with superior visibility and control
 Automate and reduce risk with deeply integrated services
 Built with the highest standards for privacy and data security
 Largest ecosystem of security partners and solutions
 Inherit the most comprehensive security and compliance controls

Thank You!
