AWS Cloud Security: Proactive Way | Kumar . | Skillshare

AWS Cloud Security: Proactive Way

Kumar ., Cloud Architect | Alexa Developer

Lessons in This Class

39 Lessons (4h 50m)
  • 1. Is this course for me? (4:06)
  • 2. Welcome to 'AWS Cloud Security: Proactive Way' (4:52)
  • 3. 1 1 AWS Config: What Is It? (1:07)
  • 4. 1 2 AWS Config: How It Works? (1:42)
  • 5. 1 3 AWS Config: Introduction to Config Rules (2:11)
  • 6. 1 4 AWS Config: How to configure Config Rules (4:33)
  • 7. 1 5 AWS Config: Identify Non Compliant Rules & Resources (2:42)
  • 8. 1 6 AWS Config: Introduction to Advanced Querying (1:18)
  • 9. 1 7 AWS Config: Advanced Querying In Action (3:16)
  • 10. 1 8 AWS Config: Introduction to Multi Account Aggregators (2:13)
  • 11. 1 9 AWS Config: Aggregators In Action (4:06)
  • 12. 2 1 Introduction to Auto Remediation (2:39)
  • 13. 2 2 Automatically Enforce S3 Bucket Versioning (7:23)
  • 14. 2 3 Automatically Enforce S3 Bucket Encryption (6:50)
  • 15. 2 4 Automatically Enforce No Public IPs for EC2 Instances Policy (5:26)
  • 16. 2 5 Automatically Enforce AMI ID Compliance for all EC2 Instances (6:40)
  • 17. 2 6 Automatically Enforce compliance to AMI ID by Tags for all EC2 Instances (7:00)
  • 18. 2 7 AWS Config: Tribal Knowledge Common Rules & Best Practices (7:11)
  • 19. 2 8 AWS Config: Introduction to Custom Rules (2:47)
  • 20. 2 9 Monitor & Flag Unused IAM Roles using Config Custom Rules (12:25)
  • 21. 2 10 Monitor & Flag Users With Excessive Privileges (10:07)
  • 22. 3 1 Automatically Remediate AWS CloudTrail Disabling: Monitor, Alert, ReEnable (8:04)
  • 23. 3 2 Monitor & Automatically Revoke Unintended IAM Access (11:17)
  • 24. 3 3 Automatically Remove Unused Security Groups (6:37)
  • 25. 3 4 Proactively monitor & fix bad or overly permissive S3 Object ACLs (16:59)
  • 26. 3 5 Proactively monitor and fix bad or overly permissive S3 Bucket Policies (11:11)
  • 27. 3 6 Proactively monitor and respond to failed SSH logins to EC2 Instances (14:45)
  • 28. 3 7 Automatically rotate EC2 SSH keys for ALL your instances reliably (6:07)
  • 29. 3 8 Proactively Block S3 Public Access At Scale (5:31)
  • 30. 3 9 Attribute Based Access Control: Proactively Restrict S3 Access based on UserTags (15:41)
  • 31. 3 10 Attribute Based Access Control: Proactively Restrict Access To EC2 Based On Tags (15:37)
  • 32. 4 1 Learn how to create fine grained permissions like a PRO (7:46)
  • 33. 4 2 Use AWS Secrets Manager to secure database credentials and retrieve from lambda (11:59)
  • 34. 4 3 Use an outbound VPC proxy for domain whitelisting and content filtering (14:45)
  • 35. 4 4 Use AWS IAM Access Analyzer to Identify Unintended Resource Access (7:43)
  • 36. 4 5 Automatically respond to DDoS Attacks with Web Application Firewall(WAF) (9:06)
  • 37. 4 6 Detect EC2 Instance Credential Abuse (5:08)
  • 38. 4 7 Automatically respond to EC2 Instance Credential Abuse Part 01 of 02 (10:00)
  • 39. 4 7 Automatically respond to EC2 Instance Credential Abuse Part 02 of 02 (11:16)

53 Students

About This Class

Numerous security measures are provided by AWS; however, awareness of the relevant security features and their appropriate configuration is key to taking full advantage of these measures. There are many useful and powerful features that a customer can use to protect themselves against security incidents.

In this course, you will learn how these features can be combined to deliver cloud security. All the examples shown here come from real-world customer use cases and are being used in production. The automation templates and scripts provided here are adapted so that an entry-level user can get familiar with these services.

At the end of this course, you will be able to answer the following questions:

  • How to simplify compliance auditing, security analysis, change management, and operational troubleshooting

  • How to assess, audit, and automate the remediation of non-compliant resource configurations, and write custom compliance rules to meet organisational needs

  • How to automatically respond to security incidents

  • How to effectively respond to and mitigate the potential impact of security incidents

  • Advanced techniques to prepare for and respond to security events

  • Why do I need cloud security?

  • What are the different security services offered by AWS?

  • How do I use the AWS security services to comply with a framework (for example NIST)?

  • How can I use AWS services to automate my security?

  • How can I use this in my everyday job?

Meet Your Teacher

Kumar ., Cloud Architect | Alexa Developer


Transcripts

1. Is this course for me?: Hello everyone. Welcome. Why another lecture on security? This time I'll come up with a complete automated series on security. What are we going to see here? We are going to try and build a secure cloud, and I'm going to assist you in the journey when you're trying to build a cloud. I want you to understand what are the most important assets in your cloud resources, how to protect them, and when something goes wrong, how to detect those incidents. Once you detect them, you want to respond automatically to those incidents, and you sometimes want to recover from those incidents also. This is what we're going to see. When you have these conflicting requirements, you have the choice of moving fast or staying secure. This was the scenario earlier: when you don't have automation, you need to manually respond to incidents, then you need to respond to recovery incidents and all those things. Is there a way forward? Is there some way you can move fast and also stay secure? That is what we're going to see now. But sometimes, whenever I say automation, the next question that comes is: do we need to know coding, do we need to know programming? My answer is a big no. Then how the hell are we going to do that? AWS CloudFormation is going to come to the rescue now. Then the question comes: I don't know CloudFormation, then how do we go ahead and do automation? You don't have to worry about anything at all. We've got you covered here. The reason for that is everything in this course is completely prepackaged, ready-to-deploy CloudFormation templates. We have tested with multiple people, we have tested in multiple accounts, we have tested in multiple regions, and all these CloudFormation templates work in different scenarios, so you should be able to take them and run them in your accounts as they are, or if you want to go ahead and customize them for your environment, that is also possible.

Since all these CloudFormation templates are open source, you can go ahead and modify them, come back and make a pull request so that other people can also benefit from the improvements that you have made. So what are you going to learn here? These are some of the topics: you are going to learn how to respond to instance breaches, and whenever an instance is compromised, how you can recover from that scenario. Also, how you are going to automatically enforce compliance across multiple accounts. Sometimes enterprises have more than one account and multiple regions. How do you enforce automation across all those regions? That is also something you're going to see here. You are also going to learn how to find out which buckets are having weak policies, or if somebody's modifying them, how to automatically respond to that scenario and roll back those weak policies. You're also going to find out, if somebody is going to start an EC2 instance with an unapproved image or an insecure image, how to automatically stop that instance and keep that user from doing the same thing again and again. So you are going to learn how to do that automatically. Another thing that you will also learn is how to identify roles that are not used in your account, so that people don't start using old roles and create some issues. You will also learn how to find users with excessive privileges. Sometimes very old policies have stale privileges which give more access than what they need. You will learn how to find those users and also how to revoke access for those users. Also, these are not the only things; there are many more things. I'm just going to list them here so that you can go ahead and get a clear idea of all the things that you will learn. All of these items that you see here are backed by a CloudFormation template. You don't have to try and configure them by hand, click on each and every console window and miss something and have some errors. Everything is a CloudFormation template that you see here, and these are not the only things. So no longer are you just going to listen and learn. Let us move forward: you are going to listen, do, and learn. See you in my next lecture. Thank you.

2. Welcome to 'AWS Cloud Security: Proactive Way': Hello, folks. Thank you for making security your priority and choosing my course to know more about it. I wholeheartedly welcome you to my course. Now that you have decided to do this course, let us go ahead and see what you're going to learn and how the course is structured, so that you can learn more about AWS cloud security. So the course is structured into four main modules. Let us say the first chapter here: it will teach you about detective controls. So when you're talking about detective controls in AWS, AWS Config is the most important service, which allows you to apply compliance rules and then evaluate those rules and find out what the non-compliances are and how to remediate them. So that is what we're going to see in chapter one, and this qualifies as the detective controls of the NIST framework. So that is chapter one. So once you do that, you go ahead and start doing chapter two, and in chapter two we are going to see how to react to an event or a security incident, or a non-compliance in your account that you want to remediate. So that is what we're going to see in chapter two, and some of them might be to automate your security non-compliances by writing your own compliance rules which might not be available by default from Amazon. So you use services like Lambda, CloudWatch Events and CloudTrail to automate your security, and you also combine those services to monitor excessive privileges. So this is not the only list that you will see; there are many more there. But basically, in chapter two, you are going to react to incidents or events that already happened in your account.
So that is what we're going to learn in chapter two. When we come to chapter three, we are going to do it proactively. So far, we're reacting to events. We're going to take it one step forward and see how you can proactively enhance security in your AWS cloud. One of the things that you learn here is attribute-based access control. Say, for example, persons having a tag as from the HR department will not have access to production resources. Likewise, project A would not have access to project B. So we will see how to apply these kinds of attributes across an entire enterprise to different services like S3 or EC2. So that is what you learn here, and another proactive control that you can see is how to remediate bad policies. Let us say a junior resource or bad actors are trying to change the access policies in your account. How do you proactively monitor for that and remediate it immediately, and not allow the policy to take effect? Likewise, there might be some unused resources which nobody is monitoring, and you don't want to leave unused resources, so you want to actively clean them up whenever a certain threshold or age is met. So these are not the only things; there are many more proactive controls that are talked about. Just to give you a sample, I'll put them under chapter three here. Finally, we're going to take this one step forward. Let us say there is an incident that has happened in your account. So we're going to proactively write some automation that will take effect whenever there is a security incident in your account. For example, let's say there's an EC2 instance that has been compromised; then what actions do you need to take? That is what you're going to see here. Let's say there's a service that has been abused by a bad actor or a malicious user within the environment. Then how do you identify the service abuse and restrict access for that user? Likewise, if there is a DDoS attack that is happening, then how do you automatically respond to the DDoS attack in a proactive way? That is, you don't have to do anything. You can go ahead and sleep on the weekend, but the automation that we put in place is going to defend the resources against those DDoS attacks. So these are the different things. This is how the chapters are structured. In addition to the four chapters, I also introduce chapter five. These are self-paced assignments. There are some security-related questions that you can go ahead and use to trigger your thinking on how to defend your resources in the cloud. I will be giving you the answers also, so you can go ahead and check them out when you complete your assignments. Finally, for completeness in the course, I have put together a lot of resources so that you can follow the course along with me, and some of them are open source, so you can go ahead and contribute to them, or you can just download them to your account and then try them out. In addition to that, there are some white papers also, so you can go ahead and read those white papers and enhance your knowledge in the cloud. So we have seen all those different chapters. Just to give you a summary, these are some of the services that we will be using in this course. This is not an exhaustive list, but these are most of the core services. There are many other services; when you do the course, you will come to know them as well. I'll see you in the next lecture.

3. 1 1 AWS Config: What Is It?: Welcome back. Let's talk about AWS Config, which is an inventory and configuration management service offered by Amazon. With AWS Config, you can find out a near-real-time inventory of all the resources that are running in your account. If you have an enterprise and multiple accounts are there,
you can aggregate all your configuration details into one dashboard, and then you can find out how many resources are running in your account. And it is not just point-in-time data. You can go ahead and see what the configuration was previously on particular resources, so you can navigate and find out what changes have happened on a particular resource, and what the relationship is between different resources. In addition to that, it also allows you to find out whether you are compliant with some security standards like PCI, HIPAA and so on, and also use AWS Config to find out whether you are using best practices or not. Another advantage of using AWS Config is that you can go ahead and auto-remediate certain controls by using the dashboard or writing some custom rules and custom Lambda functions, which can go ahead and auto-remediate any non-compliances that you find in your account.

4. 1 2 AWS Config: How It Works?: Let us see how this all works. Let's say you have an account with a lot of resources. It can be compute, it can be databases, it can be S3 buckets, or it can be some configuration items that you have custom defined. So when you go ahead and enable AWS Config, what happens is it creates a point-in-time snapshot of all this configuration and it keeps maintaining a record of all this data in your account, and this data is normalized. So everything is version controlled here, so that you can apply some rules on this data. Now, there are some rules that are provided by Amazon itself, and custom rules are also possible, which you can go ahead and write in your favourite language; Amazon gives you some broad constructs on how you can write these rules. And if you go to GitHub, there are a lot of open-source rules that many people have written, and it is very easy to incorporate those rules into your account also. So now that we have some rules and we have some data, what you can do with it is you can trigger some notifications when something is not compliant. You can use the Amazon APIs and some SDKs to auto-remediate some of the non-compliances that you find, or you can go for a historical snapshot of all the data. For example, for compliance reasons you want to prove that this instance has been compliant over a period of X amount of time. You can just go ahead and look at all the historical data. So how does this look? Here's a snapshot of an EC2 instance resource that is being monitored by AWS Config. If I move over here, you can see here that there is a configuration timeline and a compliance timeline, and you have quite a lot of metadata here, and at the bottom you can see whether the resource is compliant or not.

5. 1 3 AWS Config: Introduction to Config Rules: Here we are in the AWS console for the Virginia region. As you can see, as of now I have not enabled AWS Config on this account. So let us enable it in our account and boot up some EC2 instances and see how they're monitored. Let's make some changes also and see whether those changes are picked up. Click on Get started. And it is going to ask me where I want to record all the data that is being monitored by AWS Config, so we can go ahead and choose a new bucket or choose an existing bucket. In this case, I'm going to choose a new bucket here, and another option is: do you want to do it for global resources like IAM? Yes, let's go ahead and choose that as well. And I'm just going to say this is called a Config bucket. Then, do we want to create a new role or use an existing role? I'm going to leave it as a service-linked role so that AWS will know what permissions are required. So if you go ahead and choose this option, an SNS topic, what is going to happen is,
whenever there are changes or somebody is trying to disable it or anything, you can get a notification. Click on Next. Now it is asking me, do you want to configure any of the rules? As I said, there are 78 managed rules, different rules provided by Amazon. For example, if I just go ahead and choose encryption here, you will find many rules which relate to encryption. For example, do you want to see whether RDS encryption is enabled, whether EBS is encrypted or not, whether your CloudTrail log is encrypted or not. Likewise, you have different rules targeting different resources. So for now I'm just going to skip it, because we'll come back and see how to configure the rules. I'm just going to click on Confirm, keeping everything as default. So now you can see AWS Config has been activated in my account, and there's a new console; let's just go ahead and get you to the new console. So as of now, there are no rules and not many resources in my account, except for a few S3 buckets and some volumes and keys. So what I'm going to do now is I'm just going to go ahead and launch a couple of resources, especially an EC2 instance and a couple of volumes.

6. 1 4 AWS Config: How to configure Config Rules: So what I'm going to do now is I'm just going to go ahead and launch a couple of resources, especially an EC2 instance and a couple of volumes. I have already booted a couple of instances, and one instance is having a bad security group. For example, I have opened it deliberately to the world; you can see here port 22 is open for the entire world. Likewise, the RDP port is also open for the entire world. And for another instance, I have deliberately created a couple of non-compliances. Here you can see there are three volumes attached. If I go to my volumes section, you can see here out of the four volumes, three of them are attached to one instance. And of those, one volume is encrypted, whereas the other server is also running an unencrypted volume. So what we're going to do now is we're going to the AWS Config console and configure rules to check whether my volumes are encrypted, whether my security groups are open to the entire world; let us do some rules for IAM also. So click on Add rule. And here you have both the options. One is an Amazon-provided managed rule, or if you want to go ahead and use a custom rule that you have configured for your environment, you can choose that also. So in this case, we're going to use a managed rule. If you scroll down, you'll find encrypted-volumes. It checks whether the volumes that are in the attached state are encrypted. We're going to choose this rule for us, and we want to do it for all the resources that are in our account which are EBS volumes; we don't want to do that for all the changes that are happening in our account, so leave it as Resources. And if you want to do it only for particular volumes, you can go ahead and put the volume ID in here also, but I would not recommend that; you want the rules to be evaluated for all the volumes in your account. Maybe you want to do that in some of your environments, but I would highly recommend you to go ahead and put it on all the account. The other way is to go ahead and tag your volumes so that you can choose the tagging option, saying volumes with this tag should be checked for encryption, for example when they belong to production. Then you go ahead and evaluate only those resources. Before clicking on Next, it's asking you what is the KMS ID that you are encrypting with. If you go to my EBS volumes, you can see here there's a KMS ID or an ARN, and if I select it here, you can pick up your ARN also from here. So I'm just going to give as much information as possible for my rule to evaluate properly. Go ahead and click on Next and click on Add rule.
Now we have enabled one rule and it is going to take some time for the rule to collect all the information, apply the rule and give us the result. You can see here the last invocation is not available. While it is going to do its activities, we're going to add another rule, again for EBS. If you scroll down, we want to know whether all the volumes are attached or not. So I'm just going to evaluate this rule also: Next, Add rule. So one more rule I want to add now is related to security groups; you can see here there's a restricted-ssh rule. You can also do this rule, or to see whether any unrestricted common ports are open. This time we want to see whether port 22 or 3389 is open to the entire world. So I'm going to select this. Do you want to use it for a particular security group ID or all security groups? Once again I'm opting for Resources and I'm leaving it open; that makes it so all the resources in my account will be evaluated for this rule. So go ahead and click on Next and click on Add rule. So, the final rule that I want to add. Meanwhile, you can see here already my encrypted-volume check has come back, and all the volumes are in use, so let's just go ahead and add one more rule. For IAM, I'm going to select access keys, to see whether all the access keys in my account are recent. So I'm just going to choose the max age as 90. So any key which is older than 90 days would be flagged as non-compliant. And how frequently do I want to check this? I'm just going to say every one hour so that we get quick results. And one last rule that I want to show you, this is very, very useful and easy to implement and fix, is whether you have any groups without any users. So this is the one that checks whether an IAM group has at least one IAM user. Just go ahead and click on Next and Done. So now we have done five rules.

7. 1 5 AWS Config: Identify Non Compliant Rules & Resources: Now we have done five rules and you can see here already the results started coming in. For example, if I go to my encrypted-volumes rule and scroll down, it will show me the list of resources in scope. You can see here four volumes there, and only one is compliant and the other three volumes are not compliant, because we're evaluating whether our volumes are encrypted with this key, and only one of the volumes is encrypted. Likewise, if I go back to my rules and check restricted-ssh and its resources in scope, you can find that one of the groups is compliant and the other group is not compliant. And then you can just go ahead and manage the resource also. So if you go ahead and click on the resource timeline, what is going to happen is this is going to give me a history of when this resource was created and when the resource was updated. You can see here there was a change on 13 December. And if I click on the change here, it will show the relationships that this EC2 instance has had. And if I go ahead and see, there have been changes for the ports: these rules were there earlier, and those rules have been removed now. So that is how you can go ahead and see the resource timeline. Likewise, what I'm going to do is, if I go back to resources and pick an EC2 instance, I'm just going to say Look up, and let us pick one of the instances and see what the resource timeline and the configuration timeline look like. You can see here that instance was booted and there were a couple of changes. Let us go ahead and see what the change was. See, I made a name change here: I had a key for Name, and then I added a tag called Bad Security Group. Let us go ahead and see; I made some other changes to the other EC2 instance. Let me see if we can find that. So this is the other instance.
Let us go to the configuration timeline, and you can see here there are plenty of changes that have happened, at least five changes that have happened there. You can see here there's a network interface change. Likewise, there's a public IP address change: it has changed from this IP address to this IP address, and the launch time has also changed, because basically what I did was I just stopped this instance and started this instance. All these changes have been picked up, and you can go ahead and find out; you can go ahead and navigate, seeing what the resource was earlier and what the resource is now. That is how you configure rules in your account and create a dashboard for your account, see how many resources are compliant and how many resources are non-compliant, and then you can take some remedial actions. In the next lecture, we will see how to configure a remedial action for these non-compliances.

8. 1 6 AWS Config: Introduction to Advanced Querying: Welcome back. Let us talk about another feature of AWS Config, called advanced queries. What this feature allows us to do is you can dynamically query the resources that you're monitoring in your account. Let us say you have multiple EC2 instances in your account and you want to find out which of those instances are compliant and which of those instances are not compliant. You can use advanced queries for doing that. Think of doing this at scale also: if you have multiple accounts and multiple resources, you can just run an SQL query, get the result and push it to some kind of dashboard or some kind of notification system so you can take some actions. So if you don't know how to build your own query, you don't have to worry about it. Amazon has covered you there. They have given a list of sample queries; some of them are shown on your screen here. For example, the top one talks about listing all the EC2 instances currently running in any account, or if you want to list out EC2 instances that are running a particular AMI, you can use that query also. So this is how the advanced query editor looks; they have slightly changed the look and feel in the new interface. Let us go ahead and try and run a couple of queries in our account and see how this feels and how easy it is.

9. 1 7 AWS Config: Advanced Querying In Action: So I am in the new dashboard. If you're in the old portal also, you should be seeing something like Advanced queries on the left-hand side. Another way to navigate through this new screen is Advanced queries here, and it takes you to a place where you can run your query or build your queries. For example, the query editor is where you go ahead and type it in. The sample queries are given here. See, for example, if you want to know the instance types for all the instances, just go ahead and click on Copy to editor and it brings the query directly here. You can make some modifications, or if you don't want to make any modifications, just go ahead and run it. I have at least four or five instances running in my account, so you can see here that four are running t2.micro. But what I want to do is I want to take a particular one, for example this one, because I want to do something like: I want to see how many of those instances are running an approved AMI. If I go to EC2 instances, I have something like an AMI called, let us say, approved AMI. If I go to my AMI section, you see here there's an AMI; let's say there's a corporate approved AMI, and I want to see how many of my instances are running this particular AMI. So I just go ahead and take this AMI ID, go back to my query editor, I'm just going to change this AMI value here, I'm just going to paste it, click on Run, and out of the four instances you can see here two of them are running that AMI.
So that also means that another two instances that are running in my account are not running this year. I can take some remedial actions. Likewise, we can also go ahead and equity across all the resources on DSI. You can sort them safe for them. How many asleep but gets that there. How many I am rules are there. How many of them are compliant, non compliant And you can figure out easily by having this very, for example, you can see here I have about six volumes. There are three security groups on, uh we have rendering by non complaints. Remember that and also be how doing this in one particular account. So that's one important way that I would like you to show. Here is you can just go ahead on run another table really bad. You can start by a complaint on on complaint status. For example, you can see here that are about 10 resources in my account, which are compliant on. There are about 12 resources which are non compliant in my account. So this is how you use the at once gritty feature Onda. Remember the Afghans were the feature also has an A p A. Behind it. So what this means is you can run some automation like Lambda Function, which can run this advance query. Take the Roussel's on, then push it into your dashboard. Say, for example, you are building a dashboard for your psych ops team or your security architect. You can go ahead and say yesterday there were 12 non complaints is in your account to later attend on. Complaints is, and when you click on it, you can go ahead and drill down by saying these are the 10 different noncompliant resources are highly encouraged to go ahead and write in your account. If you have any problems, put them in the comments. I will try and help them with you to get them started. See you in the next lecture. 10. 1 8 AWS Config: Introduction to Multi Account Aggregators: Welcome back. Let's talk about another advanced feature off AWS conflict, which is called us aggregators. 
In my opinion, this is one of the most important features of AWS Config. The reason for that is, if you have a single account and you're trying to configure compliance rules in your account and trying to take some remedial actions, your job is relatively easy. But in most enterprises or bigger companies there is more than one account, and when you want to configure compliance rules across multiple accounts it becomes really, really difficult. Let us imagine a company which has a master account, and under the master account let us say they have three organizational units: one is for dev, another one is for test, and one for prod. You might have some different setups; an organization will have multiple organizational units, and they might have different names, and each of those organizational units will have multiple accounts. Maybe they have one account, maybe three accounts or more than three, and so on. Each of those accounts will have different types of resources under them. For example, in dev and test you will be running one type of instance type, and in production you'll be running more instances, and they might be bigger in size. Likewise, in dev and test you might have more S3 buckets because people are trying different things, different services, but when you go to production the number of services might be completely different or a lesser number. So when you want to apply rules to each of those organizational units, you want to do it at a single centralized point, so that the rules are consistent across all the places and you don't apply a different set of rules for different accounts; you want to centralize and minimize your security workload as much as possible. So this is where you would typically need to apply your Config rules.
For example, you need to do it at the organization level, at the very top, and all your rules should propagate to all the different accounts and give you the aggregation of which resources in production are compliant, which resources in test are compliant, which resources in dev are non-compliant, and you should be able to see all this in a single dashboard. This is where AWS Config aggregators come in and really help you.

11. 1 9 AWS Config: Aggregators In Action:

Let us go to our dashboard and see how we can do this. I'm going back to the old AWS Config navigation console, because there are some changes in the new console and the aggregated view is not available as of now, so you need to use the old console to look at this one. On the old one you can see here there's an aggregated view: rules and resources. If you just go ahead and click on rules, it will just say you don't have any aggregators, so configure an aggregator. Go ahead and click on the aggregators. Basically, we need to make a choice here when you click on add aggregator: whether you want to add individual accounts. Say, for example, you don't have an organizational unit; your organization has three or four AWS accounts. What you can do is you can just go ahead and add them one by one. So I'm just going to enable aggregation here, and it is going to ask me for a name. I'm just going to say 'SecOps aggregator'. If I choose this option, it will ask me to give my account IDs, that is, what the source accounts are. I'm just going to create a dummy one here, but when you're doing it in the real world you will be actually giving a real-world account number. If you have more than one account, what you can do is you can just go ahead and create a comma-separated file, upload this file here, and all your accounts will be sent that request.
It is not like you just give an account ID and automatically it starts pulling information from those accounts. What is basically going to happen is there will be a request in the other account IDs from this one, saying that this Config wants access to Config rules and compliance data back into this master account; do you want to approve it? Once the child account approves the request from the parent, then you start seeing the data or the compliance information here. Until then, the request would be in a pending state. The other way of doing it is doing it via my organization. For example, if we were trying to do it for an organization with multiple OUs, you should do this from your master account. Right now this is a child account, and if I go ahead and click on 'my organization' it is going to give me an error. Let us see that as well. So I'm just going to say create a new role, because I don't want to spend my time figuring out the proper permissions, and AWS Config will create the role for me. And I want to choose 'include all future regions', so that if tomorrow there's a new region I don't have to worry about configuring these rules separately for that. If I go ahead and click on save, it's going to give me an error. You can see here: you must be signed into the master account to aggregate for your organization. So if you have an OU, and if you have configured that, go ahead and try it. Since this is a child account, what I'm going to do is simulate how it looks when I'm adding an individual account. Just go ahead and click on save. So I have set that one account, and it will say that the request is pending for confirming this configuration. Since I have given a dummy account, I cannot go ahead and check it out. If you have multiple accounts, you can do that. Let me just go in here.
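The two-sided handshake described above (the aggregator account requests, each source account authorizes, and the request stays pending until it does), as an added example that is not the course's code. The request_aggregation, request_org_aggregation, authorize and is_pending helpers use the real boto3 Config client calls (put_configuration_aggregator, put_aggregation_authorization, describe_pending_aggregation_requests), so they work against a real client. The FakeConfigAccount class and the 12-digit account IDs are constructed stand-ins that model only the pending/authorized state so the example runs offline; the organization variant's error is modelled with a PermissionError, whereas the real service raises its own exception type.

```python
"""Aggregator handshake across accounts: the aggregator account requests, each
source account authorizes, and until it does the request is pending."""


def request_aggregation(agg_client, name, source_account_ids, all_regions=True):
    """Aggregator account side: name the source accounts to pull Config data from."""
    return agg_client.put_configuration_aggregator(
        ConfigurationAggregatorName=name,
        AccountAggregationSources=[{"AccountIds": list(source_account_ids),
                                    "AllAwsRegions": all_regions}],
    )


def request_org_aggregation(agg_client, name, role_arn, all_regions=True):
    """Organization variant; only accepted from the organization's management account."""
    return agg_client.put_configuration_aggregator(
        ConfigurationAggregatorName=name,
        OrganizationAggregationSource={"RoleArn": role_arn, "AllAwsRegions": all_regions},
    )


def authorize(source_client, aggregator_account_id, aggregator_region):
    """Source account side: let that aggregator account+region read its Config data."""
    return source_client.put_aggregation_authorization(
        AuthorizedAccountId=aggregator_account_id, AuthorizedAwsRegion=aggregator_region)


def is_pending(source_client, aggregator_account_id, aggregator_region):
    """True while the source account has not yet authorized this aggregator."""
    reqs = source_client.describe_pending_aggregation_requests()["PendingAggregationRequests"]
    return any(r["RequesterAccountId"] == aggregator_account_id
               and r["RequesterAwsRegion"] == aggregator_region for r in reqs)


class FakeConfigAccount:
    """Constructed in-memory stand-in for one account's Config service (one region).
    All accounts share `directory`, so a request in one shows up as pending in another."""

    def __init__(self, directory, account_id, region, is_management_account=False):
        self.directory, self.account_id, self.region = directory, account_id, region
        self.is_management_account = is_management_account
        self.authorizations, self.pending = set(), set()  # (account, region) pairs
        directory[account_id] = self

    def put_aggregation_authorization(self, AuthorizedAccountId, AuthorizedAwsRegion):
        key = (AuthorizedAccountId, AuthorizedAwsRegion)
        self.authorizations.add(key)
        self.pending.discard(key)  # an earlier request is no longer pending
        return {"AggregationAuthorization": {"AuthorizedAccountId": AuthorizedAccountId,
                                             "AuthorizedAwsRegion": AuthorizedAwsRegion}}

    def describe_pending_aggregation_requests(self):
        return {"PendingAggregationRequests": [
            {"RequesterAccountId": a, "RequesterAwsRegion": r} for a, r in sorted(self.pending)]}

    def put_configuration_aggregator(self, ConfigurationAggregatorName,
                                     AccountAggregationSources=None,
                                     OrganizationAggregationSource=None):
        if OrganizationAggregationSource and not self.is_management_account:
            raise PermissionError("You must be signed in to the management account "
                                  "to aggregate for your organization")
        me = (self.account_id, self.region)
        for source in AccountAggregationSources or []:
            for acct in source["AccountIds"]:
                peer = self.directory[acct]
                if me not in peer.authorizations:
                    peer.pending.add(me)
        return {"ConfigurationAggregator": {"ConfigurationAggregatorName": ConfigurationAggregatorName}}


def demo():
    """Walk the handshake the lesson describes and return what each step observed."""
    directory = {}
    secops = FakeConfigAccount(directory, "111111111111", "us-east-1")
    dev = FakeConfigAccount(directory, "222222222222", "us-east-1")
    prod = FakeConfigAccount(directory, "333333333333", "us-east-1")
    request_aggregation(secops, "secops-aggregator", ["222222222222", "333333333333"])
    out = {"dev_pending_before": is_pending(dev, "111111111111", "us-east-1")}
    authorize(dev, "111111111111", "us-east-1")
    out["dev_pending_after"] = is_pending(dev, "111111111111", "us-east-1")
    out["prod_pending_after"] = is_pending(prod, "111111111111", "us-east-1")
    try:  # child account trying the organization option, as in the lecture
        request_org_aggregation(secops, "org-aggregator",
                                "arn:aws:iam::111111111111:role/ConfigAggregatorRole")
        out["org_error"] = None
    except PermissionError as exc:
        out["org_error"] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

The authorization is keyed on the aggregator's account and region together, so an aggregator re-created in another region needs a fresh authorization in every source account; is_pending is the check to run in each child account when the aggregated view stays empty.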
Once the request has been approved in the other account, you'll have a similar look and feel. As we go ahead and see on this one, you will see the number of resources, then the compliance rules, and then the resource compliance status and the panels. You have a very similar dashboard, but it has been aggregated from multiple accounts. So what this means is you don't have to spend time creating these rules multiple times. You just bring all the information into one place and go into it, and if you want to filter them or narrow down, saying, for example, what are my resources in North Virginia, and find out what the compliance status is, you can just go and look at a very granular view of your resources; that is also possible. So this is one important feature. Go ahead and check it out. If you have any problems, put them in the comments; I'll help you with them. Thanks for watching.

12. 2 1 Introduction to Auto Remediation:

Welcome back. Let's talk about remediation of the non-compliance in your resources. So far we have been talking about configuring different rules. It might be an AMI that is not being used by your EC2 instance, or an EBS volume that is not being encrypted, or an S3 bucket that does not have versioning. How do you go about remediating all these non-compliances? You can go ahead and do it the conventional way of setting it up to be compliant, that is, the manual way of going in and fixing each and every one of them, or you can go ahead and automate your remediation completely using auto remediation via SSM documents or some Lambda functions, which can go ahead and take your non-compliance and fix it. Sometimes it might be necessary to do them manually also. But today I'm going to show you how you can use AWS Config and some automation to do the remediation at cloud scale. So how does this actually work? When we're talking about remediation, let us take a simple rule: S3 bucket versioning is not enabled. You can see here on the right-hand side you have a remediate button. This is on the old console; the new console also has something similar. But let us go ahead and see how this happens in the real world. So when you click on 'remediate', you get a couple of options. One is what action you want to take. Amazon has certain SSM automation documents which can go ahead and do some of the remedial actions. In this case, you have one ready-made, and we're talking about bucket versioning, so we need to pass the parameter of the bucket name as the resource ID here. Once you pass in the resource ID, then you need to add other important information: that is, the role that it needs to assume so that it can go ahead and perform the remedial actions. And remember, for each of those remedial actions you need different permissions. For example, in this case, when you're trying to remediate S3 versioning, then you need the s3:PutBucketVersioning permission as well as the s3:GetBucketVersioning permission. Likewise, if you're talking about stopping an instance, then you need ec2:StartInstances, ec2:StopInstances and ec2:DescribeInstances. So it becomes quite cumbersome if you want to do it manually each and every time you create a rule. Let us say that you have created the rule and given in the information; then once you click on save, what happens is you have an action executed in the background. Amazon is going to go ahead and scan all the resources and trigger the remedial actions, and after it is completed you'll get an 'action executed successfully' status, and the compliance status also gets changed after that.

13. 2 2 Automatically Enforce S3 Bucket Versioning:

What is happening in the background; that is what we're going to see now. Let us say there is an AWS Config rule that you're creating, and we go to the AWS Config service.
Then we go ahead and configure the rule. In the background there is going to be a periodic trigger that goes ahead and checks the servers or other resources, one after the other in time. Once the resource has been identified, it goes ahead and evaluates the compliance of the resource. So in this case we're talking about bucket versioning. Let us say we have a bucket here without versioning enabled, so it will be in a non-compliant status, and if you have auto remediation enabled, what it is going to do is enable the versioning. Once the versioning is enabled, it will go back and update the compliance status back into AWS Config and notify, saying that this resource is compliant now. Let us go ahead and see how we can do this in our dashboard or portal. I'm going to try and show you on the GUI itself to see how difficult it is, that there are too many buttons and places where you need to do that each and every time, and then I will show you how you can go ahead and do that in your account using CloudFormation templates. Let's go ahead and configure some auto remediation in our console here, on the AWS Config console, and let us say go ahead and add a rule. For example, we're talking about versioning. I'm going to find the rule that talks about versioning. Then this is the default setup; we don't have to change anything here, assuming that you want to set up this rule, and if you scroll down you will find auto remediation actions. So I'm going to click here and then search 'versioning' again and click on versioning. It is going to ask me which is the source of the parameter that I want to pass. I'm going to say bucket name, and obviously this is not the default value; in this case I also need the automation assume role. So this is a rather cumbersome activity of identifying the rules, identifying the permissions and configuring each and every rule manually; it becomes quite tricky. So this is what I want to avoid completely.
So I have written a CloudFormation template which takes the configuration of the rule as well as the remedial action and the role that is necessary for the remedial action; everything is packaged into a nice template, and we're going to deploy this template into my account. Before doing that, I want to show you something. This is my S3 service, and if I go to a bucket like 'April sister 00' and go to properties, you can see here versioning is disabled. So there are some buckets where versioning is not enabled, and there are some other buckets; for example, if I go to the Config bucket and go to properties, you can see here versioning is enabled. Let us go ahead and deploy this template into my account and see what happens. I'm going to use the CLI to deploy the template. You can do the same thing: you can download it and upload it into the GUI also. I'm lazy, so I just retained the command, and I'm just going to paste it here. So there's the template name, and I want to give a stack name so that I can easily remember it, and I'm taking the template, and then I want to give the capability to create IAM also, so we need to add this parameter as well. So once all the parameters are successful, it is going to go ahead and create the resources first. For example, it is going to create an AWS Config rule, then it will also create the role, and then tie up the remediation functions with that rule also. Just give it a minute, and then let us go ahead and check the console also, whether these actions are happening while the stack is getting deployed. I'm using Visual Studio Code as my default editor for deploying this and all those things, and I also have an AWS plugin, as you can see here. If you go ahead and pull up the plugin, it will go ahead and list all the CloudFormation templates and Lambda functions.
So as our stack is getting deployed, you see here the new stack showing up here, and you can see here this CloudFormation doesn't have any Lambda functions, so nothing is showing up there. But we have a new stack that has been deployed. Let us go back to our account, and I'm just going to go to CloudFormation. Now you can see here that there is a new stack whose creation has been completed. And if I go to my resources, you can see here that there is a role that has been created, and also a Config rule has been created. And this is the name of the rule. So I'm just going to copy this; it should be the same as the one that we were trying to create earlier. The rule should be here. Already it has completed the first round of evaluation, and it has found some non-compliances. If you remember, I was showing this earlier, and the resource was non-compliant here, and there is a remedial action that must also be taken. So let me just go ahead and refresh my screen, and go here to show you the actual status. In the properties we should see some remedial action taking place, and we should have versioning enabled. There you go. You see here the status of the bucket has moved from suspended versioning to an active versioning status. So if I take this object particularly and go to my compliance timeline, you should be able to see that it was non-compliant earlier, because I tried this template earlier to make sure whether it was working fine or not; then I put it back into a non-compliant status, and again the remedial action has taken place, so that it moved from non-compliant to compliant status. I'm just going to give it a minute so that the new configuration kicks in, and you will find a change which looks like this: from non-compliant to compliant state. Just go back to the rules; almost all the buckets have got versioning enabled. And you must remember that AWS Config is not a real-time service.
So once an evaluation has been completed and the remedial action kicks in, the new configuration has to be evaluated, and then it comes into the Config database and reflects here. If you go ahead and see the timeline that we saw earlier, the compliance timeline, you will find the time difference in which this happened. Go here and click on changes. You see that there are different changes that have happened: from non-compliant it became compliant status, and then I changed it to non-compliant status; from non-compliant it moved into compliant status again, and all these changes have happened in a very short period of time. In my experience, usually there is about 3 to 5 minutes of delay from the moment you make some changes to the actual results reflecting in AWS Config itself. So go ahead and try this auto remediation in your account. In the next lecture, we will see how to put in another rule with auto remediation in your account. Thanks for watching.

14. 2 3 Automatically Enforce S3 Bucket Encryption:

We're going to try and do another auto remediation today, particularly the one which is concerning encryption of S3 buckets. If you know about S3, it allows you three different encryptions: AES-256, KMS, or your own keys. So let us go ahead and see how we can enforce encryption by default in all of the S3 buckets, if it is not being enabled by the user of the bucket itself. So the automation looks something like this. You go ahead and configure the rule, and once you configure the rule, as we know, there is going to be a periodic trigger, and that trigger is going to evaluate your S3 buckets. In this case, it is going to check whether the objects in the bucket, or the bucket itself, have been encrypted. So let's assume that this bucket is not encrypted.
Then the auto remediation action is going to kick in, and it is going to enable encryption of the bucket itself. Once that remediation is done, it is going to send the feedback information saying the bucket is now compliant, which was earlier non-compliant. So this is the auto remediation action. Once again we have a CloudFormation template ready, which packs in all the information: putting in the rule, putting in the auto remediation, the necessary role configuration and permissions so that it can add encryption information on the buckets; all that is packed into the CloudFormation template, and we can go ahead and deploy it. So earlier we saw the bucket versioning as a template deployment. Now we're going to see the encryption as a template deployment. Here is the auto remediation CloudFormation template, and this time I'm going to show it through the GUI. So once you're in the CloudFormation service, just go ahead and click on create resources, and I'm going to upload a template. So if you haven't done it, go ahead and ensure that you are choosing the correct template that you have here. We have that one; click on next, and I'm going to call this 'auto remediation'. This is going to be the rule name. I'm just going to click on next, and we're going to give some permissions to CloudFormation so that it can go ahead and create the necessary IAM roles as well. So let us wait for a couple of minutes so that all the necessary resources get created. Meanwhile, if you want to know what is happening, you just go ahead and click on events; you'll see all the things that are happening. So you go back to the stack and events; you can see it is still in progress. So the Config rule has been put in place, we have an IAM role, and we have the IAM policy getting created. I'm just going to refresh my screen again, and you can see everything is 'create complete'.
If I go to my stack and events, you have 'complete'. Let us go back to our AWS Config console, and I'm just going to refresh my page to see if we have a new rule in place. So while the rule is kicking into place, I'm just going to take this bucket, 'example bucket', and if I go to properties, hopefully you'll catch it when the rule kicks in. So you can see here there is no encryption right now: there is no AES or KMS or any encryption. So I'm just going to leave it as it is. Let us come back here. This is the new rule that we have created: 'S3 bucket server side encryption enabled'. You also have a remediation action. Right now you can see here that there were non-compliant resources. Let me just scroll down; you can see the three buckets which have encryption enabled, and there are a few more buckets which don't have encryption enabled, and you can already see that there is a remedial action that has been triggered. If you have been following the series, you know that AWS Config is not real time, so it's going to take some time for the feedback loop to kick in and the latest configuration to reflect here. Meanwhile, that shouldn't stop us from going ahead and actually checking the resource itself. I'm just going to go ahead and refresh this page. So hopefully this option should be enabled by now. You see, there is AES-256 encryption, that is the minimum level of encryption that a bucket can have, and that is enabled. Likewise, we can go ahead and check some other bucket as well. In this case, I'm just going to say let us pick up this Config rule bucket. And this is the Config rule bucket, and if I go to properties you can see here that it is AES-256. That is as simple as it is to configure a rule and also ensure compliance is put in place, so we can go ahead and test it also. Like, for example, if I go ahead and change it back to none now and click on save.
We know that this bucket is non-compliant, but the rule has to be evaluated, so we'll just wait for some time. This is the Config rule bucket where we have disabled encryption once again. So Config kicks in in a few minutes, and then it will go ahead and take the remedial action. So basically, if anybody is trying to circumvent the rules, Config ensures that the configuration changes are captured, and it is going to enforce the compliance rules on top of it. So that is how you overcome manual errors or human errors that might have happened, or oversight that might have happened from your developers or junior resources in your account. So I'm just going to give it a few minutes so that it can kick in again, and check it out. So, within a few minutes of our attempt to disable encryption in our Config rule bucket, you can see here this has been disabled, and I'm just going to go ahead and refresh my screen again. You can see here the rule has automatically enabled that. Although it doesn't show on the console here (the console still says the rule is non-compliant and the action is being triggered), the bucket itself has encryption enabled. So this is how relentlessly AWS Config is going to enforce your compliance standards on your account. Go ahead and try this. If you have any problems, put them in the comments; I'll help you with them. In the next lecture, let us see how to protect our EC2 servers from vulnerabilities or some non-compliance that might happen to you, using the similar CloudFormation that we saw. Thanks for watching.

15. 2 4 Automatically Enforce No Public IPs for EC2 Instances Policy:

Welcome back. Let's talk about another compliance activity that we can do with AWS Config. This time we're talking about EC2, and let us imagine an account or an organization which states that all its instances should be behind a NAT instance, or that no EC2 instances should have a public IP address.
Basically, they don't want anybody from the Internet to directly connect to the EC2 instance. There should be a load balancer, or a NAT instance, or some kind of gateway in front of those instances, and they don't want to have public IP addresses attached to our servers. So how do we go ahead and satisfy this requirement? This is what we're going to see now. So let us imagine we have an AWS Config rule that we can put in, which is going to trigger a periodic evaluation of the rules, and it is going to look at all the EC2 instances that are currently running in your account. It might be in one region, many regions or many different accounts; it will go and find out a list of all the EC2 instances that are running, and it will make a list of all instances that have an Elastic IP or public IP address attached to them. So if that is going to be the case, then what this rule is going to do is automatically turn off that instance and send back the feedback that the compliance status has been changed from non-compliant to compliant, back to AWS Config. So we are going to do this compliance activity right now in our account. We have two rules already: one is for securing your S3 buckets using default encryption, and we also looked at doing some versioning. Now we're going to go ahead and secure our EC2 instances. I have spun up some dummy instances; you can see here there are about three instances running in my account right now, and two of them, for example this one, have a public IP address. As you can see here, the second one also has a public IP address, but the third one doesn't have any public IP address, just a private IP address, and all of them are running in our account. Let us go ahead and use our CloudFormation template, which is going to ensure that no EC2 instances in your account have a public IP address. So let us go to CloudFormation.
Go ahead and add the stack. So once again, we will enable CloudFormation to create some IAM roles so that it can go ahead and do the remediation, and it is going to take a couple of minutes for all the necessary resources to go ahead and get created. Let me just refresh my screen here to see what resources are getting created. We have the AWS Config rule already created; let us go and check whether that is the case. If you see a rule something like 'ec2 no public IP', that is 'EC2 instance with no public IP', you can see here there is an automatic remediation action saying 'AWS-StopEC2Instance'. So let's go ahead and see some of the resources that have been identified. There are four resources, as we know, though we have five actually speaking, so the rule must still be kicking in. So it has identified two of them as compliant and two of them as non-compliant. And this EC2 instance, you can see that this EC2 instance uses a public IP, so the auto remedial action has not kicked in yet. In a short while, once the CloudFormation template completes, the remediation should also kick into place. Let's go back to the stack; creation has been completed. Let us give it a moment; still the action has not kicked in, so let us wait for a moment. Meanwhile, we can also go ahead and check our resources; if remediation kicks in, we should see a couple more servers turning off. You can see here one of them with the public IP has been turned off; another one is still running. I'm just going to wait for a moment, so that you can see here we caught it while the action is being taken: it is in the stopping state, and in a short while it will also go into the stopped state. So the remedial action has started kicking in, and it is going ahead and finding that there are a couple of instances that are non-compliant and enforcing on them. Even if somebody goes ahead and attaches a public IP address or launches a new instance with a public IP address, this rule will enforce that those instances are turned off again and again. So that's how you ensure that no instances have public IPs. If you think that this action is extreme, that you don't want to stop those instances but you want to do a quarantine or some other activities, we'll see that in the next lecture. Until then, go ahead and try this. In the next lecture, we will see how we can enforce good security practices like, say, for example, your EC2 instances should be running a particular version of an AMI.

16. 2 5 Automatically Enforce AMI ID Compliance for all EC2 Instances:

Welcome back. Let us talk about the next stage of security for EC2 instances in your account. If you're running a huge fleet of EC2 instances, managing them with a secure, hardened AMI is quite a tough task, and there is a possibility that one or two instances might be running an unsecured version of a community AMI, or an AMI which is not being patched, or your security team has not validated that AMI and given approval for that AMI. So how do you go ahead and find out those vulnerable instances by AMI ID, and find out what is the remedial action that you need to do? We can do that with AWS Config once again, and we have a CloudFormation template also for that. So let's go ahead and see what is happening in the background in AWS Config. You can go ahead and create a rule which is going to evaluate all your EC2 instances that are running in your account, and you can configure it to search for a particular AMI ID. In this case, let's say we're going to search for Amazon Linux or Red Hat Enterprise Linux, or anything that you want to monitor, against the EC2 instances running. Then you can go ahead and set up an auto remediation action; say, if this AMI ID is not approved by my SecOps team, go ahead and stop those instances and send the compliance status to AWS Config.
Let us go ahead and deploy this in our account. We have a template ready for this, which will put in the Config rule, and while we're deploying it, it is going to ask us for the AMI ID that you want to monitor as an input parameter. So let's go back to our EC2 console, and you can see here there are a few instances that I just refreshed; all of them should be running now. You can see here that a couple of them are running an approved AMI ID and three of them are running a community AMI. For some reason I'm not able to expand this page, but you can see here the last two are running the same AMI ID and the other three are running a different AMI ID. So we need an AMI ID for our purposes. If I go to my AMIs, you can see here there is a particular AMI ID that has been approved by my SecOps team. So I'm just going to copy this, and if I go back to my instances and filter, you should be able to see two instances only. So when my automation finishes, there should be two instances running and the other instances should be turned off. So let us go ahead and deploy this automation and see what happens. So once again, we're going to upload this template. By default it has a value for the AMI ID; I'm just going to remove it and then update it with the one that I'm interested in, and I'm going to say that any instance which is running this AMI should be left on, and all other instances should be powered off. Just approve the IAM permissions and click create stack. My Config rule is in place, so let's go back to my Config console and refresh the page, so we can go ahead and see the resources. You can see here it has already picked up the five instances. Let me go back to my rules, and this is the one rule that is getting deployed right now, and you can see here the evaluation is not completed yet and there are no results. Let us go inside this rule.
There should be five instances in scope. It has already found out that two of those instances are in compliant status. You can see here you can also have multiple AMI IDs; you can have them comma-separated as well. So let's say your company has one AMI for the dev account, another AMI for the prod account, or another AMI for, application-wise, for example, your web servers, which can have a different AMI compared to an application or your database servers. So in those cases you will have multiple AMI IDs, and you can go ahead and add multiple in this column for validation. I'm just going to refresh this page to see if the evaluations and the remedial actions have kicked in. And remember, Config is not a real-time service, so it just takes some time to kick in. So if you're going to deploy the CloudFormation, simply do not expect the results to come in as soon as the CloudFormation gets completed. You can see here it has picked up those five instances and understood that the three instances are in non-compliant status. In a short while it is going to trigger the remedial action, and you could see some change here; they should get powered off, they should be stopped in a short while. I'm just going to go back and see the resources here to see if the remediation has taken place, and you can see here already the three community AMI instances running on this page have been stopped. So my remedial action has also kicked into place, and it's going to take a few minutes for the compliance status to feed back into the Config dashboard. I'm just going to wait for a couple of minutes. Now you can see here the remedial action has kicked in, and the action has also been updated. I'm just going to refresh the screen again to see if the compliance status also gets updated, because in a short while, after some time, once the evaluation is completed, the status starts updating.
it will say the compliance status has been moved from non-compliant to compliant. And remember, we're going to evaluate the rule only for running instances. You can also go ahead and write and test this rule. For example, if you go ahead and update this AMI ID, say to a different approved AMI, all the other instances will get turned off. I'll leave that as an exercise for you guys to go ahead and try out. In the next episode, we'll see how to secure your EC2 instances in a much better way than going ahead and hardcoding your AMI IDs.

17. 2 6 Automatically Enforce compliance to AMI ID by Tags for all EC2 Instances

Welcome back. This continues our discussion on securing the EC2 instances that are running in your organization. In the previous demonstration, we saw how to secure them based on AMI IDs. But if you have been doing a lot of AWS work, you'll realize that there are plenty of AMI IDs that are getting created. For example, Microsoft releases patches every 15 days, so you will have new AMIs appearing every 15 days, and it becomes cumbersome to keep on updating your rules or checking for instances that are running a particular AMI ID. So there should be a better mechanism of doing this. The way that I would recommend is to have a set of AMIs with certain tags. For example, one common tag that I prefer using is something like SecOpsApproved, or something like "approved AMI" equal to true, a Boolean value. So we are going to monitor instances which are running on a particular approved AMI, and that AMI should have a particular tag. This is where tag-based control becomes really important: you should not allow other team members to update or edit your AMI tags. Once you have that control in place, then you can go ahead and say any EC2 instance that is not running an approved AMI
(by AMI tag) will be turned off. So we're going to continue with our AWS Config rule on this. The Config rule is going to look at all the EC2 instances that are running in your account, look at the AMIs that those EC2 instances are running on, and check the tags on those. In this case, it is going to look for a tag called SecOpsApproved; if the value of that tag is true, then the EC2 instance will be left running. If the EC2 instance is running some other AMI, or if the tag is not there, then it is going to stop those instances and update Config back in the cloud. So let's go ahead and do that. We have a CloudFormation template where we can put in the rule as well as the tag key and value. You can see here it takes a parameter, and the default value has been set; we can also go ahead and change it before we do the deployment of the CloudFormation template. Let's go and see what instances are running currently. We have about five instances running in my account, and you can see that three of them are running a different AMI and two of them are running a particular AMI. So even if some developer went ahead and added a tag manually on the instance saying SecOpsApproved true, that is not going to help, because the AMI itself should have the tag. In this case I have this particular AMI, the one with 8afd in its ID that I have highlighted, and I have a tag for that AMI which says SecOpsApproved true. This is what we're going to use in our CloudFormation template. Let us go ahead and deploy this one now. Here is the tag value, that is a key and value; if you want, you can have multiple ones, comma separated. In this case, I'm just going to go with this one key and value pair. Give it a stack name and approve it, and let the CloudFormation run.
So we have a stack completion here already. Let's go to the page with all the rules; I will explain some of the other rules in the next lecture. Meanwhile, let's go ahead and check whether our approved-AMI-by-tag rule has kicked into place. You can see here the evaluation is still not complete, so we have a "not set" status here. Let's just refresh the page; hopefully we should see some evaluation results for that as well. Let me just quickly check whether the stack has been completed. We have CREATE_COMPLETE. Coming back here, you can see that for the approved AMI by tag rule the remediation actions have already been taken. Let's go ahead and see what the resources in scope are, and as usual, you can see the instances which are in scope. If I go here, apart from the instances whose names start with 069 and 08e, two instances have already been powered off. You can see here 069 and 08e are left as they are because they're running an approved AMI which has the tag, and even though this developer or engineer went ahead and tagged his instance, that one is not going to be left alone, because you need to have the tag on the AMI itself. So that is how this is going to work. The image building activity will be owned by the SecOps team, and they will approve or disapprove any AMI that is going to be used in your account. This way the control is always maintained by the SecOps team, and the engineers or developers in your team can choose which AMI they need to run. They will know that if they're not running the approved AMIs, the instances are going to be turned off by this automation. So we still have one more running; let me just go ahead and refresh the page to see if that is also stopped. There we go: we have all three unapproved, untagged AMI instances powered off. So that is how you go ahead and secure the EC2 instances in your account based on tags as well. This will scale to as many AMIs as you're creating.
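The evaluation logic of the approved-AMI-by-tag rule described above, as an added example that is not the course's own code or its CloudFormation template: pure functions over constructed EC2-shaped records (the shapes describe_instances()/describe_images() return), so it runs offline. The tag key/value, function names and sample IDs are assumptions.

```python
"""Added example, not the course's or its CloudFormation template's own code:
the evaluation logic of the "approved AMI by tag" rule as pure functions over
constructed EC2-shaped records, so it runs offline. A real Lambda would obtain
the same shapes from describe_instances()/describe_images(); the function and
sample names are assumptions."""

from typing import Dict, Iterable, List

# Tag convention from the lecture: the AMI itself must carry SecOpsApproved=true.
REQUIRED_TAG_KEY = "SecOpsApproved"
REQUIRED_TAG_VALUE = "true"


def tags_to_dict(tags: Iterable[dict]) -> Dict[str, str]:
    """Turn the EC2 [{"Key": ..., "Value": ...}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in (tags or [])}


def ami_is_approved(image: dict, key: str = REQUIRED_TAG_KEY,
                    value: str = REQUIRED_TAG_VALUE) -> bool:
    """An AMI is approved only when the tag is on the image itself."""
    return tags_to_dict(image.get("Tags")).get(key, "").lower() == value.lower()


def evaluate_instances(instances: List[dict], images: Dict[str, dict],
                       key: str = REQUIRED_TAG_KEY,
                       value: str = REQUIRED_TAG_VALUE) -> List[dict]:
    """Return AWS Config evaluation records (the shape put_evaluations() takes),
    one per *running* instance; stopped instances are out of scope.
    Tags on the instance are deliberately ignored: a developer adding
    SecOpsApproved=true to the instance does not make it compliant."""
    evaluations = []
    for inst in instances:
        if inst["State"]["Name"] != "running":
            continue
        image = images.get(inst["ImageId"])  # None if the AMI is unknown/deregistered
        if image is not None and ami_is_approved(image, key, value):
            compliance = "COMPLIANT"
            note = f"AMI {inst['ImageId']} carries {key}={value}"
        else:
            compliance = "NON_COMPLIANT"
            note = f"AMI {inst['ImageId']} is not tagged {key}={value}"
        evaluations.append({
            "ComplianceResourceType": "AWS::EC2::Instance",
            "ComplianceResourceId": inst["InstanceId"],
            "ComplianceType": compliance,
            "Annotation": note,
        })
    return evaluations


def instances_to_stop(evaluations: List[dict]) -> List[str]:
    """IDs the remediation step would stop (the lecture stops, not terminates)."""
    return [e["ComplianceResourceId"] for e in evaluations
            if e["ComplianceType"] == "NON_COMPLIANT"]


# Constructed sample data; these are not real AMIs or instances.
SAMPLE_IMAGES = {
    "ami-0aaaa0001": {"ImageId": "ami-0aaaa0001",
                      "Tags": [{"Key": "SecOpsApproved", "Value": "true"}]},
    "ami-0bbbb0002": {"ImageId": "ami-0bbbb0002", "Tags": []},
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-069aaa01", "ImageId": "ami-0aaaa0001",
     "State": {"Name": "running"}, "Tags": []},
    {"InstanceId": "i-08eaaa02", "ImageId": "ami-0aaaa0001",
     "State": {"Name": "running"}, "Tags": []},
    # Developer tagged the instance, but the AMI lacks the tag: still non-compliant.
    {"InstanceId": "i-0dead0003", "ImageId": "ami-0bbbb0002",
     "State": {"Name": "running"},
     "Tags": [{"Key": "SecOpsApproved", "Value": "true"}]},
    # AMI no longer returned by describe_images: treated as unapproved.
    {"InstanceId": "i-0cafe0004", "ImageId": "ami-0ffff0009",
     "State": {"Name": "running"}, "Tags": []},
    # Stopped instance: the rule only evaluates running instances.
    {"InstanceId": "i-0beef0005", "ImageId": "ami-0bbbb0002",
     "State": {"Name": "stopped"}, "Tags": []},
]

if __name__ == "__main__":
    evals = evaluate_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES)
    for e in evals:
        print(e["ComplianceResourceId"], e["ComplianceType"], "-", e["Annotation"])
    print("would stop:", instances_to_stop(evals))
```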
You don't have to worry about updating AMI IDs or checking which AMI the vendor is currently launching. As long as the tags are matching, your instances are going to be safe and secure; if the tags are not matching, they'll be turned off, or stopped, as usual. This is an automation you can take to the next level. For example, instead of stopping the instance, you can send a notification to the developer. If you have a tag saying "warning" on the EC2 instance, then you can go ahead and notify them. Or if a particular user is constantly creating multiple instances with an unapproved AMI, you can go ahead and have a DynamoDB table with a counter to say that this user has triggered this many violations, and then you can go ahead and remove the privileges for that user also. So the automation is completely up to you; you can go ahead and choose what level of security controls you want in your account. That's it from me on this lecture. See you in the next one.

18. 2 7 AWS Config: Tribal Knowledge Common Rules & Best Practices

Welcome back. In the past few lectures we have seen multiple rules for securing resources like your EC2 services. There are a few other rules also in your AWS Config console. The last time I checked, it was around 70 plus rules, and Amazon is adding a lot of rules every now and then. So which ones should you go ahead and use? In this lecture, I'm going to show you some of the most common rules that I have come across as being very helpful, and this should be the bare minimum that you should have configured in your account, so that you can have good confidence to say that yes, I have done the bare minimum checks to secure my account. Of course, you should go ahead and do other things as well, but these are the minimum ones that you should definitely consider.
I am in my AWS console and I have pre-enabled a few of them so we can go ahead and check. One of the most important ones, in my opinion, is the IAM password policy. This enforces that the rules you set are applicable whenever a user in your account is trying to reset a password or a new password is set: for example, rules like a maximum age, password reuse (how many previous passwords cannot be reused), the minimum length, whether they must use symbols or not, uppercase and lowercase. So go ahead and use this password policy so that your users are using really good passwords. Of course, there is also multi-factor authentication; you should use MFA for your accounts also. Another important rule that I would highly recommend you go ahead and check out is IAM groups has users. You don't want empty groups in your account; you should have some users in your groups. For example, just for this demo purpose, I created a couple of groups here. You can see there is a dummy group with no users, so it is showing non-compliant, and the other group has some users. If you just go ahead and click on the timeline, it shows my resource timeline and you can see the relationship; you can see one user is there. I have created one more back there also, and now it is showing up. So that is another rule that I would highly recommend for you to go ahead and configure. Another important rule is restricted SSH. It goes ahead and checks whether your security groups are having open access, for example a security group which has port 22 open for the entire world. That is what this rule is going to check. This is going to be a tricky one to auto-remediate; for example, sometimes you want to have a particular IP address open, or you want to open it only to your corporate IP
addresses. So you can write a Lambda function which can look into the security group rules and remove the particular rule which opens it to the entire world, or you can just go ahead and say these are the approved IP addresses. One extreme action that we'll see later is going ahead and isolating the instance or terminating the user itself if they keep on creating violations in your account. So go ahead and use these security rules as well. The other rule that I want to talk about is whether your access keys are rotated or not. For example, I have set a maximum age of 90 days. If you have IAM users and they're using access keys for development purposes or some other reasons, you want to make sure that they're constantly rotating their IAM access keys. In this case, I'm setting it at 90; maybe your company policy might want you to consider a lower number. For example, every 35 days you want your developers to create their access keys; it is quite configurable. The tricky thing here is that you cannot do an auto-remediation, because you don't know what the developer is using the access keys for. If you go ahead and rotate them, their automations or their workloads might get disrupted. So you probably want to do an auto-remediation by triggering a notification to the developer saying, hey, your access key is aged, so we're going to disable it, go ahead and create a new one, or if you're not going to do it within another two days here... So that is the kind of automation that I would recommend for this kind of compliance issue. You can also go ahead and check whether your S3 buckets are having public access blocked; in a little bit we'll go ahead and see how we can enable this rule. It makes sure that none of your S3 buckets are public, whether a bucket with public access is created in your account or there is an object that has public access or shared access.
So that is one more rule that I highly recommend you guys configure in your account. This is quite a friendly interface; you can just go ahead and choose, or search for something like "EIP". This is another rule: if you are cost conscious on your account, you can go ahead and see whether your Elastic IPs are associated with any EC2 instances or not. If that is not the case, it is going to trigger a notification or even release the Elastic IP as well. This is a cost saving measure that you can do. EBS volume encryption, that is another interesting one. So you have these EBS volumes; I think I have this rule enabled in my account. Here it is, and you can see here that none of the EBS volumes that I am currently running with the five instances that we were experimenting with a few minutes back is using an approved KMS key ID. I'm checking whether the EBS volumes are being encrypted with this KMS key ID or not; if that is not the case, it is going to mark them as non-compliant. If you want to enforce encryption in your account and make sure that none of these volumes is unencrypted, you go ahead and set this up. Likewise, you can also go ahead and check whether any volumes are not attached to your instances. So these are at least the basic common rules that I've seen in most sophisticated accounts to start with. Once you get familiarity with how to configure these rules and how to auto-remediate them for different types of resources, then you can go ahead and do the next step. For example, there are some default rules here that might not satisfy your most important requirements. In the next lecture, we'll go ahead and see how to configure some custom rules. Amazon has created
the Rule Development Kit for us, which will help us to create our own custom rules, find out which resources are compliant with those custom rules or not, and then take some remediation action. Until then, thanks for watching. Happy learning.

19. 2 8 AWS Config: Introduction to Custom Rules

Welcome back. Continuing the series on AWS Config, let us talk about custom rules. In the previous lecture, we saw that there are a lot of managed rules, and we went ahead and configured a few of them for securing our S3 buckets and EC2 instances. But there are scenarios where the built-in rules are not enough. For example, for some reason you're running a database in your account on an EC2 instance and you want to make sure it is running on optimized EBS volumes. So there are two things you need to check: whether they are running a database, and then whether they're running on optimized EBS volumes. This kind of complex rule cannot be modeled in the managed rules that Amazon provides; you need to go ahead and write your own custom rules and then implement them. So in this case, how do you go ahead and write your custom rules to satisfy your requirement? Here is another requirement: say you want to identify all the roles in your account which have excessive privileges, which have stale permissions, or roles that have not been used for a very long time. These are all things that are not covered under the managed rules as of now. Maybe they might cover it in the future, but until then you need some control mechanism so that people don't use the old roles and do some mischief. Amazon has got you covered. They understand that not every scenario can be captured in the managed rules, and they have gone ahead and added a feature to allow custom rules to be configured in your account. Also, they have written a decent blog article on how you can go ahead and develop your own custom rules for Config.
Basically, what you're going to do is write your Lambda function, which is going to have your business logic for evaluating each resource and what the compliance state for that resource is going to be. They have also written some boilerplate templates, for example how to interface with AWS Config, how a compliant status has to be reported and how a non-compliant status has to be reported. So you leave the heavy lifting of how the management of the rule has to work to them, and then you only focus on the functional side of what the rule is exactly going to do. That is in the blog article, which is quite verbose, but on how the package itself has to be installed and configured they have not given detailed information. So what I've done is I have taken a simple scenario. As I explained earlier, we're going to find out the roles in the account which have not been used for the last 30 days. So let's go ahead and take this scenario and see how we can model it in AWS Config using custom rules in the next lecture. Until then, happy watching.

20. 2 9 Monitor & Flag Unused IAM Roles using Config Custom Rules

Welcome back. Let us go ahead and configure the custom rule which will help us identify unused IAM roles in our account. When I say unused, I'm going to limit it to saying that if the role has not been used for the last 30 days, I want to mark that role as non-compliant and I want to get notified whenever such an event happens. So what we're going to do is configure a custom rule, in this case specifically one which is going to trigger a Lambda function. This Lambda function is going to fetch all the roles that are in my AWS IAM account and evaluate whether each role has been used in the last 30 days or not. Amazon has an API for the last accessed date, or last used date. We will use that API data to find out if the role has not been used.
We will update it as non-compliant and push the data back into AWS Config so that your SecOps team or your developer teams can go ahead and take action. The actions can be something like notifying the owners of the roles to check whether the roles are still required; you might want to quarantine them first and then go ahead and delete them later. So let's go ahead and see how we can do this in our account. Before we go ahead and start writing the code or doing the CloudFormation that is required for this, let us quickly go ahead and see what steps are required. Here is a GitHub article that is going to run us through all the steps. You're basically going to run a couple of commands which are going to get the prerequisites up and running, and then we can go ahead and deploy. Before we do that, let's go to our console and see: right now there's only one managed rule in my account, which is for checking whether the access keys are rotated or not, and there are no other rules. You can see here there's no CloudFormation template or any Lambda function which is related to rules here. So what we're basically going to do is use what Amazon calls the Rule Development Kit, RDK. We're going to install it. It is a Python based library, so you should have Python in the operating system that you're going to run it from, whether it is Windows or Linux; make sure you have Python preinstalled. So let's get started. I'm going to clone the repository so that the Lambda function also comes into our local repository. Just copy this command, which will go ahead and clone this repository locally, and once we clone it, let us get into the directory itself. This directory is called serverless IAM rules, and under it we will find a README file, images and the Lambda source.
If you go ahead and go to the Lambda source, you will find a file which is called monitor unused IAM roles. This has the business logic for finding how long a role has gone unused and then sending the information back to AWS Config. But this alone is not enough, because we need some constructs for informing AWS Config that this is the Lambda function that needs to run, and the Lambda function has to be configured to run at specific intervals. For that, we need some Python libraries; that is what is going to be installed at this step. So before doing that, let us go ahead and create our development environment. I'm going to create a small directory for this, and we're going to call our rule "monitor IAM roles". Make sure this rule name and the Python function that we just downloaded have the same names; if you're going to change it, make sure both of them are the same. So let's just copy this and set these global variables here. Let's just go back one directory. We want a Python virtual environment; if you don't have python venv, that is the environment where our development is going to happen. You can run this: if you don't have it, it is going to install it for you, and if you have it, it just gives the result saying that the requirement has already been satisfied. So we're going to jump into the directory that has been created now. All the necessary binaries are going to get installed here, and you'll see there is a new directory created; that is what we're going to use. So we cd into the directory and then activate it. Now we are in this virtual environment; whatever we install here is not going to affect the operating system. It is a typical Python construct. Now we're going to install the Rule Development Kit, RDK. Let's go ahead and do that.
To make sure that you have installed the correct one, even on Windows you can just type rdk and it is going to give you this prompt: whether you want to configure the profile, whether you want to enter the access key and secret key or not. If you go back to the GitHub article, there is one fundamental prerequisite I have mentioned: you need to have the minimum permissions that are listed here. For example, you need to have permissions to put IAM roles, trigger CloudFormation, configure Config rules and all those sorts of things. So the AWS CLI that you are going to run this automation from should have those privileges. Once you've made sure that you have those privileges, let us go ahead and do rdk init. What this basically tells RDK is that you are going to use this profile on this account, these are the privileges you have, and whether those privileges are good enough for configuring the rule or not; it will be informed to RDK locally here. You can see here that if you don't have a bucket, it will automatically go ahead and create a bucket for you, and also the account ID which will be affected, that will be used. So we're almost set here. Finally, I'm going to create a rule locally with rdk create. We set this variable name earlier here and the same variable name is going to be used, and I have written the Lambda function for Python 3.7, so I put in that value here. If you're going to use the latest version, like Python 3.8 or whatever, just go ahead and make sure you're updating the Lambda code for that version appropriately. And remember, we are talking about IAM roles, so I've just changed this one to role here when I'm running this command, because we're going to check for IAM roles. So our basic rule is going to be on AWS IAM Role resources. My local rule has been created. The next step is that I need to copy the code into this directory.
Now, since I'm using a UI, I can just drag and drop; that would work. But if you're using a CLI, you can use the copy command as well. I'm just going to copy it from my CLI. So basically I just copied it here, and we need to copy it... my bad, we basically need to copy it here. I'll just remove this one because it moved into that directory. So if we go here, we should have the entire code that is necessary. So the copy command has worked successfully. You can see here, this is the entire code. If you remember I kept on saying that 30 days was the maximum unused period: you can see here on line number 34 I have mentioned that the max unused days is going to be 30. If you want the rule to check for a shorter time, say for example 10 or 15 days, this is the place that you go ahead and modify. So now we have configured our rule, and we have configured the Lambda function that is going to check for our rule. All you have to do is go ahead and deploy. The very simple step to deploy is rdk deploy with the rule name. What this is going to do is create a CloudFormation template with all this information, send it to your account and deploy it. We are inside the directory; let me just go back and deploy it. You need to do this from the parent directory, from this level. Once you do that, it packs up all the necessary information; if you look, it would have created the zip file which is sent as the Lambda code. Once this deployment is completed, let us go to our CloudFormation stack and check it out there. If I refresh now, there should be a stack, monitor unused IAM roles, which is in create in progress. If I go to resources, you can see here there is a Lambda role that is getting created, and the Lambda function is also create complete.
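The evaluation the unused-IAM-role Lambda performs, as an added example rather than the repository's own code: pure functions over constructed role records shaped like the IAM get_role() output (RoleLastUsed.LastUsedDate is absent when IAM has no record of usage), producing the evaluation records a Config rule reports back. The 30-day constant mirrors the lecture; the CreateDate fallback for never-used roles, the fixed "now" and the names are assumptions.

```python
"""Added example, not the code from the repository used in the lecture: the
30-day "unused IAM role" evaluation as pure functions over constructed role
records shaped like IAM get_role()/list_roles() output. RoleLastUsed is only
populated by get_role, and LastUsedDate is absent when the role was never used.
The max-unused-days constant, the CreateDate fallback for never-used roles and
the names are assumptions."""

from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_UNUSED_DAYS = 30  # the value the lecture sets on line 34 of its Lambda


def last_activity(role: dict) -> Optional[datetime]:
    """Date the role was last used, or None if IAM has no record of usage."""
    return role.get("RoleLastUsed", {}).get("LastUsedDate")


def evaluate_role(role: dict, now: datetime,
                  max_unused_days: int = MAX_UNUSED_DAYS) -> dict:
    """Build one AWS Config evaluation record for a role."""
    cutoff = now - timedelta(days=max_unused_days)
    used = last_activity(role)
    if used is not None:
        compliant = used >= cutoff
        note = f"last used {(now - used).days} days ago"
    else:
        # Assumption: a never-used role is judged on its age, so a brand-new
        # role (the lecture's 7-day-old dummy role) is not flagged yet.
        created = role["CreateDate"]
        compliant = created >= cutoff
        note = f"no record of usage; created {(now - created).days} days ago"
    return {
        "ComplianceResourceType": "AWS::IAM::Role",
        "ComplianceResourceId": role["RoleName"],
        "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
        "Annotation": note,
        "OrderingTimestamp": now,
    }


def evaluate_roles(roles: List[dict], now: datetime,
                   max_unused_days: int = MAX_UNUSED_DAYS) -> List[dict]:
    return [evaluate_role(r, now, max_unused_days) for r in roles]


def non_compliant_role_names(evaluations: List[dict]) -> List[str]:
    return sorted(e["ComplianceResourceId"] for e in evaluations
                  if e["ComplianceType"] == "NON_COMPLIANT")


# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)


def _days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample roles; these are not real accounts or roles.
SAMPLE_ROLES = [
    {"RoleName": "app-role", "CreateDate": _days_ago(400),
     "RoleLastUsed": {"LastUsedDate": _days_ago(2), "Region": "us-east-1"}},
    {"RoleName": "stale-role-27d", "CreateDate": _days_ago(400),
     "RoleLastUsed": {"LastUsedDate": _days_ago(27), "Region": "us-east-1"}},
    {"RoleName": "stale-role-45d", "CreateDate": _days_ago(400),
     "RoleLastUsed": {"LastUsedDate": _days_ago(45), "Region": "us-east-1"}},
    # Service role created during account setup and never assumed.
    {"RoleName": "never-used-service-role", "CreateDate": _days_ago(365),
     "RoleLastUsed": {}},
    # Dummy role created a week ago: still inside the 30-day window.
    {"RoleName": "dummy-role-7d", "CreateDate": _days_ago(7),
     "RoleLastUsed": {}},
]

if __name__ == "__main__":
    for e in evaluate_roles(SAMPLE_ROLES, NOW):
        print(f"{e['ComplianceResourceId']:25} {e['ComplianceType']:14} {e['Annotation']}")
    print("non-compliant at 10 days:",
          non_compliant_role_names(evaluate_roles(SAMPLE_ROLES, NOW, 10)))
```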
If I go here and refresh my screen, there should be a role here, and the same Lambda function that we saw some time back would be configured here. So this is all done here. I'm just going to quickly check that this is complete. Let's go ahead and check in our AWS Config console; we should have a new rule here. I'll probably need to refresh it again. So we have a new rule, and the compliance status is not evaluated yet; probably the evaluation is still going on, so we'll have to give it a few moments. What I have done is I have created some roles in my account at different ages so that we will have some non-compliance. You can see here it has already checked quite a few roles, and some of those roles are 27 days, 21 days old. Let us go to the next page. You can see here there is a role which is not being used at all; that is why it says no record of usage. And there is another role, probably another service role, that has not been used for almost a year. If I go to page three, you can see quite a lot of service roles that I created for setting up this account and organization, which have just never been used or have not been used for a very, very long time. And I created some dummy roles to trigger it too. What we can do is just change the time period to a smaller number so that some of the custom roles that I created will also be triggered as non-compliant. I don't see that here; you can see it just says unused role; I created it about seven days back and it is still showing as compliant because we're checking for 30 days. So in any case, we have shown how to write the custom rule and how to deploy it into your account, all with a few simple steps, by creating a rule with RDK and a Lambda and deploying it using CloudFormation. Because this is CloudFormation, you can go ahead and deploy it in multiple
accounts, in different regions or in your master account, then go ahead and fetch the information from different accounts or regions using the aggregators that we have seen earlier. I would highly recommend that you go ahead and fork the repository, make some improvements and make a pull request; if you have some improvements, they are appreciated. Do try this out, and if there are any issues, go ahead and put them in the comments; I will try and help you with them. In the next lecture, we will go ahead and see how to configure a custom rule to check for excessive privileges in your policies and permissions for IAM users.

21. 2 10 Monitor & Flag Users With Excessive Privileges

In this lecture, we're going to see how we can use AWS Config custom rules to find all IAM users who have excessive privileges attached to them. When I say privileges, it might be some star privileges for actions; for example, if you're taking S3, they can do any action, whether it is put bucket or make objects or delete objects or delete buckets. It could be any action; that is an action equal to star. Or it could be a resource equal to star; for example, if you take a service like S3, they can do any activity on that service's resources, that is, on the S3 service itself. So we want to identify the users who might have more privileges attached to them by means of an inline policy attached to them, or it could be a managed policy that is attached to them. That is what we need to identify here. We're going to use a custom rule, and we're going to configure AWS Config with a periodic trigger. This is going to trigger a Lambda function, which is going to have the necessary business logic for finding what the excessive privileges are going to be: whether it is star privileges at the action level, star privileges at the resource level, or star privileges everywhere as well.
So this Lambda function is going to get that information from the AWS IAM user API, then it evaluates everything and puts the information back into Config. Let us go ahead to our GitHub article to see how we can do this in our own accounts. This repository has the Lambda function with the business logic for evaluating compliance and non-compliance. We're going to clone the repository locally, and once again we're going to use the Rule Development Kit provided by Amazon to create this rule and deploy it using CloudFormation. So let's just get started by cloning this repository locally. I'm just going to copy this. Before we go ahead and run it, I just want to quickly show you that this rule has not been configured in my account. You can see here there are two rules in my account, which we did in the previous lecture for monitor unused IAM roles; if you have not done that, go ahead and check it out and come back here. Likewise, in CloudFormation as of now there are no stacks which have the "user" keyword, and likewise in Lambda there are no such functions right now. So let us get started by cloning this locally, and once the cloning is done I'm just going to get into this directory and then set some global variables: what is going to be my development environment directory and what is going to be my rule name. Once again, this rule name has to be the same as the Lambda function that you have created earlier so that it makes it easier for you to just copy and paste it. Once we are done, I'll let you know when exactly that's going to happen. For now, let us set these global variables. And if you don't have Python on your laptop or in the environment that you're running, make sure that you've installed Python before going ahead and doing the next step, because we need a virtual environment to run the Rule Development Kit, because RDK itself is written in Python.
So you need Python. If you don't have virtualenv, just go ahead and install it. If it is already installed, it's just going to come back and say the requirement has been satisfied. Then we need to get into this virtualenv environment, which is the directory that we created earlier. Once we go into the directory we'll activate it; of course, we need to go into the directory first. Now we have activated it; you can see here the prompt is prefixed with the directory name. Then we can go ahead and install the Rule Development Kit. Once you install the Rule Development Kit, you need to have the AWS CLI with the necessary permissions to create a rule and push CloudFormation templates and IAM roles. If you want to make sure your installation has gone through successfully, just type rdk; it will give you the prompt with this information, and then you're confident that you have got your CLI and RDK correctly. Then you can go ahead and initialize your local environment. What this is going to do is create a Config bucket so that it can push the code and configure some rules. So what we have basically done is run through all the steps up to here. Finally, we're going to create a local rule, and here you see we're using the custom rule name. So if you change something, automatically this will also get updated here. Since we're using variables, I'm just going to copy and paste this one. Now we have an additional directory that has been created here. If you go back here, you see another directory under that which will have the rule name, and this is the Python file which is going to have our evaluation logic, but we want to replace this one with the one that we have from here. So if you are using a UI you can just go ahead and copy and paste this one, or if you are using a CLI, just go ahead and use whichever way is comfortable for you.
So I'm just going to change the name so that it picks it up automatically. So we're all done here. That was the next step: if you see here, copy the Config rule code here. We have done step number two, and all you're left with is going ahead and deploying the rule itself. So all I need to do is rdk deploy with the rule name, and wait for the CloudFormation stack to be deployed. If I go to CloudFormation stacks, we should see a new one. Yeah, 'monitor users with excessive privileges'. If we go in here, under the resources you can see that the Lambda function has already been created and the Lambda role has also been created. So let us go and check it out, and here we have that one. I want to scroll ahead to the one I want to highlight here. The main function is this one: whether statements include a full star Allow or not. If you want to make any changes to how the rule evaluates compliance and non-compliance, this is where you will want to make your changes. Here you can see I'm checking whether the action is in an Allow statement, or if there is a resource and that resource has a star, or a star in the policy itself. To make it easier for us to test whether this rule is working or not, I have given some sample policies also. If you go to sample events here, I created a bad policy event. So what I'm going to do is just take this bad policy, copy it into memory, and we will wait for the stack to get completed. So the stack is complete. In AWS Config, let me go ahead and refresh the page. We should have one more rule appearing here. If everything is compliant, what we're going to do is go ahead and check one user, or multiple users, with that role and excessive privileges. So here we have 'monitor users with excessive privileges'. Let's go ahead and check what is in scope: these are all the users that are in my account, and this is the one I was testing earlier.
You can see here that there is an inline bad policy. This is the same bad policy that I had attached to that user earlier. So let me just show you in IAM also: in users, look for the non-compliant user, and you can see here I have written two policies. One is a very bad policy. For example, for this resource I have given Action as star, and in this case I have mentioned all resources. And then I have mentioned that for S3 Get and List I/O for all the buckets, this user can go ahead and get the items and also list items in those buckets. So this has the bad policies: you don't want people to have star permissions, and you can go ahead and test it out. So that is one rule. You can find out the same information from here: if I click on the user here, then you see here there's the inline policy, 'bad policy'. You can find out what the policy information is and why the rule is saying it is not compliant also. If you go to the resource timeline, it will show you if somebody has changed it recently; you can go and find out. For example, this user did not have any policy privileges earlier, and then this bad policy was attached at a certain point in time, and the rule has evaluated it, saying the user is not compliant. So as the next steps, what you can do is take this information, notify the user, saying 'you are having this bad policy; what is your justification for having that bad policy?', and ask them to revoke those privileges. Or you can attach a quarantine policy, saying that this user has excessive privileges which they shouldn't have, and then you can automatically quarantine them so that they don't do any mischievous activity or any unauthorized activity in your account. So this is how you configure custom rules in your account. If you have any trouble, go ahead and put them in the comments, I'll help you out, or ask me in the community.
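As an added example (not the code from the course repository), here is the evaluation logic a custom Config rule of this kind needs: a check for Allow statements with wildcard actions, an evaluation entry in the shape that PutEvaluations expects, and a periodic-rule handler that walks the users. The rule applied (Action "*" anywhere, or "service:*" on Resource "*"), the user names and the policy documents are assumptions constructed for the example.

```python
"""Added example, not the course repository's code: the evaluation logic of a
custom AWS Config rule that flags IAM users whose inline policies contain an
Allow statement with wildcard actions. User names and policy documents below
are constructed sample data."""
import json
from datetime import datetime, timezone


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_excessive_statements(policy_document):
    """Return the Allow statements that are overly permissive.

    Rule applied here (an assumption of this example): Action "*" on any
    resource, or a whole-service wildcard such as "s3:*" on Resource "*".
    Deny statements are never flagged.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        full_admin = "*" in actions
        service_wide = "*" in resources and any(a.endswith(":*") for a in actions)
        if full_admin or service_wide:
            flagged.append(stmt)
    return flagged


def evaluate_user(user_name, policies):
    """Build the evaluation entry AWS Config expects for one IAM user.

    `policies` maps policy name -> policy document (dict or JSON string)."""
    problems = []
    for name, document in policies.items():
        for stmt in find_excessive_statements(document):
            problems.append(f"{name}: Allow {json.dumps(stmt.get('Action'))} "
                            f"on {json.dumps(stmt.get('Resource'))}")
    compliant = not problems
    return {
        "ComplianceResourceType": "AWS::IAM::User",
        "ComplianceResourceId": user_name,
        "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
        # Config rejects annotations longer than 256 characters
        "Annotation": ("No wildcard Allow statements" if compliant else "; ".join(problems))[:256],
        "OrderingTimestamp": datetime.now(timezone.utc),
    }


def lambda_handler(event, context):
    """Periodic rule entry point: evaluate every user's inline policies and
    report back with PutEvaluations. Attached managed policies are left out
    here; add get_policy_version calls to cover them."""
    import boto3  # imported here so the logic above runs offline in tests
    iam = boto3.client("iam")
    evaluations = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            inline = {
                pol: iam.get_user_policy(UserName=name, PolicyName=pol)["PolicyDocument"]
                for pol in iam.list_user_policies(UserName=name)["PolicyNames"]
            }
            evaluations.append(evaluate_user(name, inline))
    boto3.client("config").put_evaluations(
        Evaluations=evaluations, ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations)}


# Constructed samples mirroring the lecture's "bad policy".
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

The second statement of BAD_POLICY (specific S3 actions on Resource "*") is not flagged by this rule; tighten `find_excessive_statements` if your standard also forbids that.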
I would highly recommend you to go ahead and fork this repository and make some changes. If you make some improvements, for integrating it with SNS or adding some quarantine privileges, I would really love to see all those improvements coming in here. Until then, thanks for watching. Happy learning.

22. 3 1 Automatically Remediate AWS CloudTrail Disabling: Monitor, Alert, ReEnable

Welcome back. Let us talk about automating your cloud security, especially CloudTrail. CloudTrail gives you visibility into what is happening in your account. It tracks all the API calls that are made in your account, whether it is an IAM user, or a group, or an assumed role, or a federated identity: every call that is made in your account is logged into your CloudTrail. So if there is malicious activity, or someday someone wants to cover their tracks, the first thing that they need to do is go ahead and disable CloudTrail. As a security operations engineer or security architect, your primary and foremost concern is how to stop somebody from disabling it, and if it is disabled, how to get a notification of the activity and auto-enable it, or re-enable it, as soon as possible. So this is what we're going to see now. The first thing is, you need to have a trail in your account, so go ahead and configure it. If not, watch one of my videos that I have done before on how to enable CloudTrail in your account. So this is what we call detection: whenever somebody is going ahead and disabling CloudTrail, we need to log that activity so that we understand it. Once we understand that somebody is trying to disable it, there will be an event, even if they try to delete it. We're going to catch that CloudWatch event and then send the notification. So once we have got an alert, we're going to send that alert to two different activities. One is:
we're going to use an SNS topic so that we can notify the SecOps team, so that they can start an investigation. We're also going to use the same event to trigger a Lambda function, and what this Lambda function is going to do is re-enable your logging; that is, it will automatically enable your CloudTrail, so that even if there is a malicious actor trying to disable it, it will just keep re-enabling it and not allow them to disable it permanently. All this automation of configuring the Lambda function, the SNS topic, the CloudWatch Events rule for the triggers and the necessary roles and permissions has been wrapped into a nice CloudFormation template, and I have documented all the things in my GitHub article. I'll put the link in the description; you can go ahead and check it out. The template that is going to drive this is also in this GitHub article, and we're going to use that to launch this automation. There are a couple of prerequisites for getting this up and running. One is having GuardDuty enabled in your account. If you have not done it, go ahead and do that, because this is really important: it not just gives you information on external threats, it also monitors your account and gives you a lot of information about it. So just go ahead and click on Enable GuardDuty. Remember that there is a cost associated with GuardDuty, so if you are just using it for learning purposes, go ahead and disable it after you enable it; you can do that any time. Likewise, another important security requirement is having Security Hub. You can see here there's a 30-day free trial. Go ahead and enable it if you want to see how it works, because if you are going to look at enterprise security, Security Hub allows you to centralize all the notifications from different providers. As you can see here at the bottom, you have notifications from GuardDuty, Inspector, Macie and IAM Access Analyzer. It is not just this account.
You can configure it to get notifications from different accounts, and also different regions, in one centralized place. So that makes it into a single pane of glass for you to look into all the security notifications that are happening in your account. So I'm just going to enable it in my account now. The final thing is going ahead and launching the template itself. If you go back to the GitHub article, you can see that the template is there. Here is where you need to provide the SecOps email address, so I'm going to provide my email address; go ahead and put in an address that you have access to. While my CloudFormation template is getting deployed, with all the automation and all the resources getting created, I'm taking you to my CloudTrail dashboard. As of now, in Virginia, which is the primary region, I don't have any trails at all; I just deleted it. Let us give our new trail a name; it should operate for all regions. If you want to restrict the amount of events, or reduce the cost that is happening in your account, just go ahead and choose write-only events. I don't want to log KMS events, since those are going to be the most. I'm just going to quickly run through all the steps. That's it; let us go ahead and create the trail. My trail is created now. If I just go ahead and click on here, you see that logging is enabled, and my CloudFormation template is completed. Go to Resources: you can see there will be a Lambda function, and there will be two event rules, one for CloudWatch Events and one for Security Hub. Let us go one by one. What happens is, when I try to disable my CloudTrail, I will get a notification through my CloudWatch Events, and then it triggers the Lambda function. The other way, which is a nearly real-time track, is via GuardDuty: GuardDuty finds out that the CloudTrail has been disabled, and then it will send a notification to Security Hub, and Security Hub
also triggers a notification to Lambda to re-enable it. That is why you see two triggers in your account. This is the code of the function; go ahead and check it out, but we're not going to do anything with it. I'm just going to subscribe to my notification here; I'm just going to click on Subscribe so that we get an email when we're trying to disable it. What I'm going to do now is just go ahead and disable it. It's asking for my confirmation; I'm going to say yes, I want to disable it. Once I do that, if I go back to my mailbox, I should be getting a new email. I have timed it: it takes about a minute for the event to happen, then for the notification to be sent, for the Lambda to get triggered, and for SNS to send the email. In my account, you get an alert from CloudWatch saying that the trail has been disabled. If you can see here, this is my user that has disabled the trail, which is called the security automation trail. You can see here this is the trail that has been disabled, and we found it here. I'm going to go to my first display; I'm just going to open another page, and you will see that it has been automatically enabled. So that is how the automation kicks in and automatically goes ahead and sends a notification and also enables the CloudTrail. If we go over to GuardDuty, and if you go to our findings, we need to filter by finding type. You can see here, when I just refresh it, for finding type you find that the 'CloudTrail disabled' alert has come in, and all the material relating to the alert, when it was done and all the information, is there; it gives you the count also. Let us check what is happening in Security Hub. You can see here there is already one finding, an unusual or suspicious activity. We can click on this and find out the same alert, or you can go ahead and click on Findings, and then the active alert is already listed for you.
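As an added example (not the template or Lambda from the course's GitHub article), the following shows the two pieces a practitioner would want to see for this automation: the EventBridge pattern that matches the CloudTrail API calls which disable a trail, and a Lambda that restarts logging and publishes the details to the SecOps SNS topic. The pattern, the topic ARN, the trail name, the sample event and the recording stand-in client are assumptions constructed here.

```python
"""Added example, not the course's template or Lambda: catch StopLogging /
DeleteTrail on a trail, re-enable logging and notify SecOps. The event pattern,
topic ARN, trail name and the sample event are assumptions constructed here."""
import json
import os

# EventBridge rule pattern for the CloudTrail API calls that disable a trail.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail"],
    },
}


def parse_trail_event(event):
    """Pull the action, the trail and the actor out of an event delivered by EventBridge."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    return {
        "event_name": detail["eventName"],
        "trail": detail.get("requestParameters", {}).get("name"),
        "actor": identity.get("arn") or identity.get("type"),
        "source_ip": detail.get("sourceIPAddress"),
    }


def remediate(event, cloudtrail, sns, topic_arn):
    """Restart logging on a stopped trail and publish an alert. A deleted trail
    cannot be restarted, so that case is only reported. Returns the action taken."""
    info = parse_trail_event(event)
    if info["event_name"] == "StopLogging" and info["trail"]:
        cloudtrail.start_logging(Name=info["trail"])
        action = f"re-enabled logging on trail {info['trail']}"
    elif info["event_name"] == "DeleteTrail":
        action = f"trail {info['trail']} was deleted; recreate it from your template"
    else:
        action = "no action"
    sns.publish(TopicArn=topic_arn,
                Subject="CloudTrail tampering detected",
                Message=json.dumps({**info, "action": action}, indent=2))
    return action


def lambda_handler(event, context):
    import boto3  # real clients only inside the Lambda; tests pass stand-ins
    return remediate(event, boto3.client("cloudtrail"), boto3.client("sns"),
                     os.environ["SECOPS_TOPIC_ARN"])


class RecordingClient:
    """Offline stand-in for the boto3 clients: records every call it receives."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
        return method


# Constructed event, shaped like what EventBridge delivers for StopLogging.
SAMPLE_STOP_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/bad-user"},
        "requestParameters": {"name": "security-automation-trail"},
    },
}
```

The Lambda role needs `cloudtrail:StartLogging` on the trail and `sns:Publish` on the topic; everything else it does is reading the event it was given.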
If you want to do another filter, what you can do is go ahead and click on Filter; there's a Type field here, and then under 'equals' I'm just going to put this string here. I put the same string in the description also, so you can go ahead and try it. This is the exact finding that Security Hub will notify you with when you have a trail disabled. So this is how the entire automation works. Go ahead and try it in your account, automate your SecOps activities and reduce the workload, so that you can focus on other high-value activity.

23. 3 2 Monitor & Automatically Revoke Unintended IAM Access

Welcome to another episode of security automation. Today we're going to talk about remediating unintended IAM access. If you have been running an AWS account for quite some time, you might be provisioning users through some automation, or you might go to the console and provision the users. In those cases, how do you control who is having access to create another user? For example, you might have a developer who wants to onboard another team member as soon as possible, and goes ahead and creates some users on his own or her own. So how do you keep control of those activities? How do you know whether this user is authorized to create other users or not? So if you have CloudTrail enabled in your account, you'll have access to all the API events that are happening in your account, and specifically you can look at IAM events in your account. You can feed those IAM events to a CloudWatch rule, or, in AWS, Amazon EventBridge, and when you send those events you can filter them, saying I want to look at only IAM events, I don't want to look at all the events. So EventBridge can send this event to a Lambda function, and the Lambda function can look at that message, saying: OK, Bob created a user, and Bob is part of an unauthorized group.
So let me go ahead and audit that action: if Bob is not part of the authorized group called 'admins', then I will revoke his privileges, so that Bob cannot create any more users in your account. This is the automation that we're going to do, so that anybody who is not supposed to have IAM access will have that access revoked if they try to utilize those privileges. To help us through setting up this automation in your account, I'll return to the GitHub article, which walks us through all the required services and the setup that is required to achieve this automation. What we're going to do is set up the different services in the reverse direction. First, we're going to set up a deny policy, which will get attached to anybody who is not supposed to have those privileges. We will need a Lambda function to attach those deny policies, or evaluate those actions from the IAM events, so this Lambda function is also getting created. And remember, this Lambda function is going to take an action only when the user is not part of a group. By default, this Lambda function is going to look for a group called 'admins' in your account, and if the user is part of this admin group, then the Lambda function should not take any action. You can go ahead and customize this group name in the Lambda function using the environment variable also. To trigger this Lambda function, we also need an EventBridge rule; that will also be created for you by the CloudFormation template, and this EventBridge rule will be triggered only when an IAM event happens. We will look into it when the EventBridge rule itself is created. This EventBridge rule is going to get the message from CloudTrail, so CloudTrail is also required in your account, and that will also be created, along with the S3 buckets and the roles that are required for your CloudTrail and your Lambda functions. You have a couple of options for deploying this template in your account; you can deploy it through CDK.
That is, you can just clone the repository using the git clone command, then install the dependencies and go ahead and deploy. If you know CDK, I highly recommend going ahead and doing that, because it's so easy and simple to do. If you don't know CDK, not a problem; as I keep saying, there is a CloudFormation template which is given out in this directory. If you just scroll up, you have a cdk.out directory, and inside that you have the CloudFormation template also, here for you to download and use with the GUI or the CLI, whichever way you're comfortable with. For testing the solution, we're going to use a user called 'bad user', so you can see here there is a group called 'admins'. If you don't have it, go ahead and create it, or use an existing admin group also. So I'm taking you to my account here, and in my IAM console I have a 'bad user' who has IAM full access privileges, which the developers have. We're going to use that as a demo user, and right now he is not part of any group at all, as you can see here. But I have another group called 'admins', and there is one user there. So whenever bad user is going to go ahead and do some IAM activities, we want to stop them from doing any more activities; that is what we want to achieve right now. So let's go ahead and deploy the CloudFormation stack. Let us acknowledge that CloudFormation is going to create some IAM roles in our account and click on Create Stack. Let us get to the resources and see what actions are getting triggered. You can see here it is going ahead and creating an IAM role for our Lambda function to run, and also it is creating a deny IAM policy. Let me refresh my screen here. So the deny IAM policy is created; let me open that. This is the policy that is going to be attached to any user who is not authorized to have IAM privileges: any action relating to IAM will be denied for that user.
So this policy has been created, and we also have a CloudTrail bucket where all the events from CloudTrail are going to be stored, and we will also have a CloudTrail created. There you go, you have a CloudTrail. I'm waiting for the Lambda function; here is the Lambda function. Let us check it out. The Lambda is getting loaded here; you have all the necessary code. I would highly recommend you to go ahead and check it out; if you have any improvements, you can make the Lambda code improved also. So this is the admin group name; you can go ahead and customize it if you don't have a group which is called 'admins', or if you have 'admins', leave it as it is. So we have all of it set up, and the event trigger, which is from EventBridge, or the CloudWatch rule, has still not been provisioned. Let us go ahead and refresh. That has been done, so I'm looking for the event rule here. Here it is. So here you have the EventBridge pattern rule where I spoke about getting all the calls from CloudTrail: we're taking the API trail from CloudTrail, and we're filtering only for IAM-relevant events, and also we're saying only when an identity creation or IAM activity is done by an IAM user do I want to trigger my Lambda function. For example, if you have an automation that creates users through CloudFormation, or CodeDeploy, or CodeBuild, then you will be using a service role, so in those cases this automation is not going to get triggered. Only when another user, for example a developer, or somebody in the AWS console or CLI, is going to create a user, then this automation is going to trigger. So you can go ahead and customize it, or you can completely remove it, for any IAM-related events to be triggered. So we got our EventBridge rule also. I'm just going to refresh my screen to see if the trigger shows up here. Yeah, you see here the CloudWatch Events trigger also shows up, so we're almost set.
So what I'm going to do now is log into another browser session using the bad user's credentials. And remember, this user has only permissions for IAM full access; they don't have any other permissions, so if you just try and navigate to any other service, basically they should get access denied. So what I'm going to do now is head over to the IAM service, and let us go ahead and create a new user. And remember, when you set up an automation like this, CloudTrail takes about three or four minutes to start sending the first events, so you would want to give the CloudTrail enough time so that the automation starts kicking in. Also, whenever you attach a policy, the policy action is going to take a couple of minutes, because every time a policy is requested it is going to be cached, and it will be refreshed when the next request comes in. So it's almost real time, but there is going to be a slight delay there. So I'm just going to call this 'test dummy user'; we want programmatic access, and I don't want to give any privileges to this dummy user, so I'm just going to go ahead and click on Create. So we got our new user, 'test dummy user', created. What I'm going to do now is just wait for my monitoring to kick in and identify that there is an event that has happened, and then check whether the privileges of bad user have been revoked or not. So we can see here that there is an event that has happened, and it has been successfully completed. What I'm going to do is check in the CloudWatch Logs to see what is the event that has happened and what action has been taken. You can see here, this is the event requested; if you want, you can go ahead and look at the entire event request also. You can see here there is a user called 'test dummy user' that has been created, and here it checks whether bad user is admin or not.
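As an added example (not the Lambda from the course's repository), the following implements the decision just described: an EventBridge pattern that only matches IAM API calls made by IAM users (so service roles used by CloudFormation or CodeBuild pipelines do not trigger it), and a handler that looks up the caller's groups and attaches the deny policy when the caller is not in the admin group. The group name, the deny policy ARN, the set of write-call prefixes, the stand-in IAM client and the sample events are assumptions constructed for the example.

```python
"""Added example, not the course's Lambda: revoke IAM privileges from an IAM
user who makes IAM write calls without being in the admin group. The group
name, deny policy ARN, sample events and the stand-in client are assumptions."""
import os

# EventBridge pattern: IAM API calls recorded by CloudTrail and made by IAM users
# (service roles used by CloudFormation/CodeBuild pipelines do not match).
EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"],
               "userIdentity": {"type": ["IAMUser"]}},
}

# Read-only calls (Get*/List*) are ignored; these prefixes are the write calls.
WRITE_PREFIXES = ("Create", "Attach", "Put", "Add", "Update", "Delete", "Detach", "Remove")


def is_write_call(event_name):
    return event_name.startswith(WRITE_PREFIXES)


def should_revoke(user, event_name, admin_group, iam):
    """True when `user` made an IAM write call and is not in `admin_group`."""
    if not is_write_call(event_name):
        return False
    groups = {g["GroupName"] for g in iam.list_groups_for_user(UserName=user)["Groups"]}
    return admin_group not in groups


def revoke(event, iam, admin_group, deny_policy_arn):
    """Attach the deny policy to an unauthorised actor; returns what was decided."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    if identity.get("type") != "IAMUser":
        return {"user": None, "revoked": False, "reason": "not an IAM user (role or service)"}
    user = identity["userName"]
    if not should_revoke(user, detail["eventName"], admin_group, iam):
        return {"user": user, "revoked": False, "reason": "authorised or read-only call"}
    iam.attach_user_policy(UserName=user, PolicyArn=deny_policy_arn)
    return {"user": user, "revoked": True, "reason": f"{detail['eventName']} by non-admin"}


def lambda_handler(event, context):
    import boto3  # real client only inside the Lambda; tests pass a stand-in
    return revoke(event, boto3.client("iam"),
                  os.environ.get("ADMIN_GROUP", "admins"), os.environ["DENY_POLICY_ARN"])


class FakeIam:
    """Offline stand-in for the IAM client: fixed group memberships, records attachments."""
    def __init__(self, memberships):
        self.memberships = memberships
        self.attached = []

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.memberships.get(UserName, [])]}

    def attach_user_policy(self, UserName, PolicyArn):
        self.attached.append((UserName, PolicyArn))


def sample_event(user, event_name):
    """Constructed CloudTrail-via-EventBridge event for an IAM call by `user`."""
    return {"detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "arn": f"arn:aws:iam::123456789012:user/{user}"},
    }}
```

An explicit Deny in the attached policy wins over the user's IAMFullAccess allow, which is why the next CreateUser attempt fails even though the original permissions are still attached.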
If it is not admin, it says 'IAM privileges revoked: true'. So I'm going to go ahead and refresh my screen for bad user. You see here there's only one policy; if I refresh my screen, there must be one more policy attached for this user. Here you go. So if I go back to this bad user console, now we have another policy that has been added, that is, the deny policy. So I'm just going to create this 'test dummy 2' user again, with console access, and click on Next, Next and Next. We should get an error on the screen now. There you go; you can see here 'test dummy 2' with an explicit deny policy. So my automation has kicked in, and no longer can this bad user go ahead and create other users for his demands, or for any nefarious purposes. So that is how you create automation in your account and remove unintended IAM access in your account. In my opinion, as a next step here: we're remediating it by adding a deny policy, but I call it an extreme remediation. You can go ahead and do a couple of other actions also. For example, you can notify your SecOps team and find out what other actions this user has taken; for example, bad user might have done some data exfiltration, or some activities like modifying other groups, all those kinds of things. So you can go ahead and find out all those events using AWS Config and try to reverse those actions, or see if those actions are approved or not. So you can do a lot of other actions based on the event that has been triggered by IAM. So I would highly recommend going ahead and forking the repository and making a pull request if you make some improvements, so we can all learn from each other. I'll see you in the next episode of security automation. Until then, thanks for watching.

24. 3 3 Automatically Remove Unused Security Groups

Welcome back. Let's talk about another security issue that must be affecting most of us.
If you have been running EC2 instances for quite some time, you might know that you will have created some security groups for them, or it might be for your Lambda functions or any other resources that require a security group. Over a period of time, if you're running them in multiple VPCs, or in multiple regions, or it might even be multiple accounts, it becomes very difficult to keep track of all the security groups that are being used in your account, especially when you are decommissioning applications, or when you're changing the security group rules to adapt to new requirements, and some of the old security groups are still retained. Over a period of time this list of security groups becomes so long that it is very difficult to manage them, and then you need to sit and spend some time to find out what is attached to an instance and what is not attached to an instance, what belongs to which VPC; all those things have to be done. When I was faced with a similar situation, I decided to automate the entire removal of security groups completely. I wrote the Lambda function which can do this for me. I've documented all the necessary steps for deploying this Lambda function in your account, using a CloudFormation template, and all the information is in the GitHub article here. This Lambda function that we're talking about is going to do a couple of things. One, it is going to make a list of all the security groups in the region it is deployed in. Then it is going to find out the security groups that are attached to an instance, so that we don't remove any security group, or try to remove any security group, which is attached to an instance. So we remove those from the list, and also remove any security group that we don't want to delete but still want to keep in our account; for example, you might have created them for some reason,
and it is not attached to another resource, but you still need them. So you can have an exclusion list also. Once we've done that, we are left with the remaining security groups that need to be deleted, and they will be deleted by the Lambda function. It'll send you an output which will have the list of all the security groups that have been deleted. I have also added a CloudWatch Events rule to this Lambda function, so that you can configure it to run automatically every seven days. You can go ahead and customize the duration, or you can customize the timeout of the Lambda function itself; for example, I have provisioned it for 10 seconds. If you have a bigger account with a lot of VPCs and a lot of security groups, go ahead and expand it to suit your requirements. Under the CloudFormation templates, under this cdk.out, there is the CloudFormation template. You can go ahead and deploy it using the GUI or the CLI, however you feel comfortable. I'm using CDK, so I'm just going to deploy it using CDK. Another helper function that I have written here is just for testing purposes: I wanted to create some dummy security groups. If you go to test data, you will have a file called create security group, and inside this you can just go ahead and update your VPC ID and run it. This will create three dummy security groups, and you can run it multiple times. I already have about 12 security groups in my account; this is what they look like. I want to retain the first three and delete all the ones which are prefixed with 'security' and a number. So this is all that I want to remove in my account, basically. So let's see how we can do this. As I said, everything is going to be done with CloudFormation: the deployment of the Lambda, the required IAM permissions for the Lambda function, and the CloudWatch trigger, everything. So as of now, we don't have any of those resources.
So let's see how we can deploy that. When you're deploying with CDK, it is going to ask your permission whether you want to do this, because we're going to create an IAM role, and that IAM role might have extensive permissions, or permissions which are not desirable. So it's asking you deliberately: do you want to make these changes in your account? When you confirm it, then it goes ahead and creates a CloudFormation change set and pushes that into your CloudFormation service. So in a short while, if you go back here, go to our CloudFormation service and refresh, you'll be able to see that it has already started building the resources. I can see that our first IAM role has been created, and it will slowly go ahead and create my Lambda function also, and it will also create my CloudWatch trigger as well. While this is getting created, let us go ahead and run the dummy script, so that another three dummy security groups will be added. Earlier there were 12 of them; now we should have 15 of them. So let us go ahead and see whether we can find all of them. Yeah, you can see there are 15 out there. So let's go ahead and check out the Lambda function now. The Lambda function is there; you can see it's already provisioned. Let's just go down in the Lambda function; our trigger is still pending, it will probably get loaded in a short while, so let's wait for some time. So you see the code here, and this is where I am excluding my security groups: for example, a security group whose ID starts with '0f1'. If I go back here, I should have a security group whose ID starts with '0f1', and then these are the three that we're excluding, so I've just put in that information here. Now let me just refresh it to see if our CloudWatch trigger has also been added. Yep, you can see here, there it is, and it is scheduled for running every seven days.
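As an added example (not the Lambda from the course's repository), here is one way to implement the collect, filter, exclude and delete steps described above. It treats a group as "in use" when any network interface references it, which covers EC2 instances as well as Lambda, RDS and load balancers, skips the VPC default group that AWS will not let you delete, and reports a DependencyViolation on one group without aborting the run. The exclusion list variable, the stand-in EC2 client and the sample groups and ENIs are assumptions constructed for the example.

```python
"""Added example, not the course's Lambda: delete security groups that no
network interface references, except the VPC default group and an exclusion
list. The stand-in EC2 client and group data are constructed for offline use."""
import os


def attached_group_ids(ec2):
    """Groups referenced by any ENI. EC2, Lambda, RDS, ELB and others all attach
    through ENIs, so this is broader than 'attached to an instance'."""
    ids = set()
    for page in ec2.get_paginator("describe_network_interfaces").paginate():
        for eni in page["NetworkInterfaces"]:
            ids.update(g["GroupId"] for g in eni.get("Groups", []))
    return ids


def unused_groups(ec2, exclude):
    """Unattached groups that are neither the default group nor excluded by id or name."""
    attached = attached_group_ids(ec2)
    candidates = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        for sg in page["SecurityGroups"]:
            if sg["GroupName"] == "default":          # AWS will not let you delete it
                continue
            if sg["GroupId"] in attached:
                continue
            if sg["GroupId"] in exclude or sg["GroupName"] in exclude:
                continue
            candidates.append(sg["GroupId"])
    return candidates


def delete_unused(ec2, exclude, dry_run=False):
    """Delete the candidates one by one; a group still referenced by another
    group's rules raises DependencyViolation and is reported, not fatal."""
    deleted, failed = [], {}
    for group_id in unused_groups(ec2, exclude):
        try:
            if not dry_run:
                ec2.delete_security_group(GroupId=group_id)
            deleted.append(group_id)
        except Exception as exc:
            failed[group_id] = str(exc)
    return {"deleted": deleted, "failed": failed}


def lambda_handler(event, context):
    import boto3  # real client only inside the Lambda; tests pass a stand-in
    exclude = {s for s in os.environ.get("EXCLUDE_SGS", "").split(",") if s}
    return delete_unused(boto3.client("ec2"), exclude)


class _Pages:
    def __init__(self, page):
        self.page = page

    def paginate(self, **kwargs):
        return [self.page]


class FakeEc2:
    """Offline stand-in for the EC2 client with one page of groups and ENIs."""
    def __init__(self, groups, enis):
        self.groups, self.enis, self.deleted = groups, enis, []

    def get_paginator(self, name):
        if name == "describe_security_groups":
            return _Pages({"SecurityGroups": self.groups})
        return _Pages({"NetworkInterfaces": self.enis})

    def delete_security_group(self, GroupId):
        if GroupId == "sg-dep":   # simulate a rule in another group referencing it
            raise RuntimeError("DependencyViolation")
        self.deleted.append(GroupId)


# Constructed sample account state.
SAMPLE_GROUPS = [
    {"GroupId": "sg-default", "GroupName": "default"},
    {"GroupId": "sg-web", "GroupName": "web"},
    {"GroupId": "sg-keep", "GroupName": "bastion-reserved"},
    {"GroupId": "sg-old1", "GroupName": "security-1"},
    {"GroupId": "sg-dep", "GroupName": "security-2"},
    {"GroupId": "sg-old2", "GroupName": "security-3"},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-web"}]}]
```

Run it with `dry_run=True` first on a real account and review the list before scheduling the weekly deletion; the Lambda role needs `ec2:DescribeSecurityGroups`, `ec2:DescribeNetworkInterfaces` and `ec2:DeleteSecurityGroup`.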
So the quickest way to test it is to go ahead and configure an environment variable, or you can just create a dummy test event here. So we're just going to collect all the security groups, find out which are attached and which are not attached, then exclude some of them and delete the other ones. So if I scroll down here, you can see that out of 15, 12 of them were not attached, and all of them are deleted; these are all the IDs. So if I go back here and refresh my screen (you can see here 15 out there, but 12 of them deleted), let us refresh and see if that is the case. So you see, the ones that we excluded are retained, and the rest of the old security groups are gone. So you can run this in multiple VPCs, multiple accounts or multiple regions. Go ahead and try it.

25. 3 4 Proactively monitor & fix bad or overly permissive S3 Object ACLs

Welcome back. Today we're going to talk about security automation, especially securing your S3 buckets against weak bucket policies. In the recent news we have seen a lot of activity happening where a bucket has not been secured with appropriate permissions and customer data has been exposed to the general public, which should not be the case. Is it possible to look at policies whenever they're getting updated and remediate them if they're a weak policy, or if they're not satisfying your corporate requirements? Is it even possible? That is what we're going to see as an automation. So we have an S3 bucket, and let us say there is a developer who is accidentally or inadvertently, or without being authorized, making changes to your bucket policies.
What we can do is, if we have CloudTrail configured in your account, you have access to all the API activity that is happening in your account, including the S3 API calls, so we can filter out events specifically, in this case a PutBucketPolicy event, and send it to Amazon EventBridge. EventBridge can filter out only the specific events and trigger a Lambda function, but in this case we're going to go one step further and configure a Step Function. What the Step Function can do is look at the policy and see what is the current policy and what is the new policy. It will evaluate the new policy against your predefined security requirements; say, for example, if there is a star permission for everybody, it will deny the policy and roll back to the previous policy, and if the new policy is restrictive or more secure than the previous policy, then it will approve the new policy. So this is something that we can do using all these different services: CloudTrail, EventBridge, Step Functions and AWS Config also. We're using Config because Config is going to keep on checking your bucket for your current policy and the new policy, and we will use the Lambda function to come back with whether we want to go back to the old policy or just keep the new policy itself. So I have written a GitHub article which can take us through all the requirements that we were just speaking about here. If you just scroll down here, you can see the environment setup in this GitHub article. There is a CloudFormation template which is going to provision these resources. It is going to create a sample bucket for us, so that we can go ahead and modify it and play around with it, instead of disturbing your existing buckets. It is also going to create a CloudTrail, a regional CloudTrail, so that the cost is also less. If you are already using a CloudTrail, you can go ahead and configure the same CloudTrail for your events.
And finally a step function, which uses a few Lambda functions to do the work in the background. The Lambda function is going to check whether your policy is compliant or non-compliant, and it is going to leverage AWS Config. So one of the prerequisites, as mentioned here, is having AWS Config already enabled and recording the configuration of your resources, especially S3, because that is the resource we are talking about here. And finally we want EventBridge (CloudWatch Events) rules so that it can listen to CloudTrail events; specifically we are talking about PutBucketPolicy events. The interesting thing about EventBridge is that you can narrow it down: for example, if you don't want to do this automation for all the buckets and want to listen for only particular buckets, that is also possible. You can write some filter clauses and EventBridge will only trigger your Lambda function or step function when an event comes from a certain bucket. In this case, though, we are going to listen for all PutBucketPolicy events. And finally IAM roles: we need IAM roles for the step function. Deployment: once again, I am a big fan of CDK, I keep repeating that. If you are familiar with it, go ahead and clone this repository, install the requirements and deploy it using the cdk deploy command. But once again we also have a standard CloudFormation template, which you can download and upload through the console or the CLI. When it comes to testing, we have just created a demo bucket. We're going to go to the demo bucket; in the Outputs section of your CloudFormation stack you'll have a link to the bucket and also the bucket name. I have also included a sample weak policy and an example restrictive policy.
So before we go ahead and test things, we need to make sure we have AWS Config enabled and recording in the account. Then we also need to make sure that our new bucket appears in the recorded configuration items. Before I go through the remaining things, I just want to deploy the CloudFormation template; then we can come back and see how we test the solution itself. So let us go to CloudFormation. Let me upload the stack. Now my stack is uploaded and we just go over and click Next. Let us give CloudFormation permission to create IAM roles and create the stack. Let us go to the Resources section. This stack is going to take some time to deploy because we're talking about a CloudTrail trail, an EventBridge rule, a step function and another bucket. So let us wait for some time until all the activities have taken place. We already have some resources that have been created. We can see an IAM role for the state machine, and an S3 bucket for our CloudTrail logs; this one is going to be our sample bucket, and this one is going to be our CloudTrail bucket. You can see here the data event trail ID, then the policy for the EventBridge rule and the rule itself, and the Lambda function being created. Let me just refresh my screen. Let us check whether the Lambda function is completed. We have our Lambda function created, and my step function is created. Let us go to the EventBridge rule and check it out. Here you can see we're listening to all CloudTrail events, specifically from the service s3.amazonaws.com, and we're looking for an event name which is PutBucketPolicy. So if, as I spoke about earlier, you want to listen for a particular bucket only, you can just add one more filter saying the resource type or bucket name is 'abc-bucket'.
Then this rule only triggers on events for that particular bucket. That is how you can filter down, or narrow down, the number of events that you're processing through your filter. I think the stack is completed. Let us go to the Outputs section. As I spoke about earlier, this is your link for CloudTrail. So here we go to CloudTrail, and in the Trails section you can see there is a new trail that has been created. If you scroll down, it is configured for a particular bucket; you can see one of the buckets has been added and it is logging data events (write events) for this bucket. So whenever you are adding a bucket policy, it is going to produce a PutBucketPolicy event for this bucket, and that will be captured by our EventBridge rule and sent to our Lambda function. So that is our CloudTrail trail, and this is our monitored bucket right now. If I go to Permissions and then Bucket policy, there is no bucket policy right now. Let us also go and check AWS Config to see if Config has started recording this bucket. Our bucket name is something like this; I'm just going to copy this bucket name. Under Resources here, the bucket name is still not being recognized as one of the new resources. In my experiments, I found out that it takes about 3 to 5 minutes after a resource has been created for Config to start recording the configuration of that resource. It's not real time; it's close to real time. So if you go down to 'Testing the solution', I have also mentioned that there is usually a delay of 3 to 5 minutes. So while Config is trying to recognize the new resource, let us go ahead and check our state machine. I'm calling it the policy evaluator state machine. Let us open it. This is the evaluation sequence here.
So whenever there is an event, what the step function is going to do is check whether the new policy is permissive: it is going to evaluate it against your corporate security policies and decide whether it is too permissive or not. So it is going to get a value for whether this policy is acceptable or not. If it is acceptable, it is going to say the policy is compliant and end the evaluation of this logic. If it is not acceptable, what it is going to do is get the previous bucket policy from AWS Config, and then check whether the previous bucket policy is also permissive, because it might be possible that your previous bucket policy was also permissive. Sometimes you have a very bad policy in your account and then you go ahead and apply another bad policy. You don't want the step function to keep triggering itself into an infinite loop of restoring an old bad policy and retriggering the loop again. So it is going to check whether the previous policy is also bad. If the previous policy is also bad, it is going to say the remediation has failed. If the previous policy is good, it is going to restore that policy and then check whether the remediation has been successful or not. So if it successfully remediated, it is going to say the policy is compliant now; otherwise it is going to say non-compliant, depending upon the scenario of the previous policy. That is how the step function has been designed. And if I go back here, I have given screenshots for both scenarios. In this case I'm successfully remediating, so it will have 'restore last policy', then it will evaluate compliance, and then it will say compliant. And just in case your previous policy is not compliant, that is, the previous policy was also bad, it is going to do this one: it is going to check whether the previous policy is permissive, and if it is not acceptable, then it is going to say the remediation has failed.
This way we don't trigger an infinite loop of constantly putting back previous policies. So before we go ahead and test our step function, if you're wondering how we get the previous policies: as I said earlier, I have given two sample policies here. This is a restrictive policy, a very secure policy. If you apply that, we should see the step function trigger and say the policy is compliant and complete. And if you apply this (weak) one, it should try to restore the previous policy. Before doing that, what I want to do is refresh the screen and see if Config has picked up my bucket. Sometimes I like the new console; let me just go to the new console. Here we go; we have a couple of new buckets: one is my CloudTrail bucket and this is the auto-remediation bucket that was created. If I check it, you can see that as of now there is no bucket policy; it is empty. Let me just close this out. There is no bucket policy. So let us go ahead and add a policy. I would like to start with the restrictive policy first. I'm just going to copy this and go to my bucket here (let me close the EventBridge and Lambda function tabs so we have a clear screen to work with), and I'm just going to paste it here. Remember, this is already pre-configured with this bucket name, so you don't have to change anything; you just go ahead and save it. It clearly states that it is a restrictive policy: what we have done here is, for the root of this account, we are giving PutObject permission on this particular bucket. So that is what we have done here, and this action of saving the bucket policy should have triggered my step function. If I go back to my step function and check my executions, you can see there's one execution already. Let us go ahead and see what has happened. It says it succeeded.
If you just go ahead and click on it, you can see the flow diagram here and what basically has happened. Let me just click on this one. It got the event from CloudTrail, and it says there is an event name, which is PutBucketPolicy, and the restrictive policy that we added has also been included as the event data. It processes it and says yes, this policy is acceptable; there will be a status message somewhere here, this is 'previous policy status', and it is compliant. Then you can see 'is compliant' is true and 'policy acceptable', and the output also says yes, policy status is true. Then it goes on to say it is compliant and it closes. So what I'm going to do now is wait for a few minutes so that Config can pick up the new restrictive policy we have applied. Once Config detects the new policy, we will go ahead and put a weak policy onto the S3 bucket and see whether the restoration goes back to the restrictive policy we have here. Config is now recognizing the restrictive policy. So what we will do now is change this policy. For example, I can go ahead and change the principal to star ('*'), which basically means everybody in the world can put objects into the bucket. Or you can go ahead and use this sample policy too, which uses the same star principal but also has this text. So instead of modifying, I'm just going to copy this into my bucket. Now I'm just going to close this out. Automatically, the console recognizes that this policy is enabling public permissions: everybody in the world can get objects here. This should have triggered my step function one more time. You can see here the step function has been triggered.
Let me open this one first. Here it went ahead and restored my previous policy. I'm going to open this one, which says 'get previous bucket policy'. In the output section you will find it has gone ahead and fetched the restrictive policy from my Config data. So we have this previous policy. Let me just refresh the screen in a different tab, so we can see the policy has been changed. You can see here this is the one that has come back from Config. And, as I was saying earlier, this restore is itself going to trigger another PutBucketPolicy event. So that is what is going to happen here: if you come here, the event is identified, it evaluates the restrictive policy, says the policy is compliant and says everything is good here. So there are a couple of actions that you can take. One is you can trigger an SNS notification after this to see which user is triggering this weak policy, or you can quarantine the user so that the user is not performing any more activities on your S3 bucket and exposing confidential data. And then you can also add some other logic so that you can avoid infinite loops. For example, there might be some buckets in your account which have very weak policies, and you might have some public-facing buckets too, for some reason. For example, if you have a public website and you want your users to access the assets in your public website, those buckets will have public permissions. So in those cases you want to add some exceptions to this rule. So you can try out this automation, and if you have improved the code, go ahead and send me a pull request so that we all can learn from each other. Until then, thanks for watching, happy learning.

26. 3 5 Proactively monitor and fix bad or overly permissive S3 Bucket Policies:
Welcome back to another episode of security automation.
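Before moving on, here is an added worked example of the decision logic in the bucket-policy automation from the previous lesson (3 4): the "is the policy acceptable" check, the rule that refuses to restore a previous policy that is itself bad (the infinite-loop guard), and an EventBridge-style pattern narrowed to one bucket as the lesson suggests. This is not the course's or the repository's code; it runs offline with no AWS calls. The bucket name, account ID, policy documents, the CloudTrail event layout (in particular `requestParameters.bucketPolicy`) and the pattern-matching helper are all assumptions constructed for the example.

```python
"""Added example (not the course's code): policy-evaluator decision logic
from lesson 3 4 in plain Python. No AWS calls; all samples are constructed."""
import json

BUCKET = "monitored-demo-bucket"  # assumption: stands in for the stack's output bucket name

# Constructed "restrictive" policy: only this account's root may PutObject.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Constructed "weak" policy: Principal "*" lets the whole world read objects.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _wildcard_principal(principal) -> bool:
    """True when a Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def is_permissive(policy: dict) -> bool:
    """The 'is policy acceptable' check. Any Allow statement open to everyone
    with no Condition narrowing it is too permissive. A "*" principal that
    carries a Condition (e.g. aws:SourceVpce) is deliberately NOT flagged here;
    a production check would inspect the condition keys as well."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if _wildcard_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            return True
    return False


def decide(new_policy: dict, previous_policy) -> dict:
    """Mirror the state machine's branches. previous_policy is what AWS Config
    recorded; None means Config has not captured the bucket yet."""
    if not is_permissive(new_policy):
        return {"compliant": True, "action": "keep_new_policy"}
    # Never restore a previous policy that is itself bad: that is what would
    # otherwise put the automation into an endless PutBucketPolicy loop.
    if previous_policy is None or is_permissive(previous_policy):
        return {"compliant": False, "action": "remediation_failed"}
    return {"compliant": True, "action": "restore_previous_policy"}


# Assumed EventBridge pattern: the lesson's rule, narrowed to a single bucket.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPolicy"],
        "requestParameters": {"bucketName": [BUCKET]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge-style matching (assumption, not the service's code):
    every pattern key must exist in the event; a list means 'any of these
    exact values'; a dict recurses."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches(wanted, event[key]):
                return False
        elif event[key] not in wanted:
            return False
    return True


def sample_event(bucket: str, policy: dict) -> dict:
    """Constructed CloudTrail-via-EventBridge event for a PutBucketPolicy call."""
    return {
        "source": "aws.s3",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketPolicy",
            "requestParameters": {"bucketName": bucket, "bucketPolicy": policy},
        },
    }


def handle(event: dict, previous_policy) -> dict:
    """What the Lambda behind the state machine would do once the rule fires."""
    if not matches(EVENT_PATTERN, event):
        return {"compliant": None, "action": "ignored"}
    new_policy = event["detail"]["requestParameters"]["bucketPolicy"]
    return decide(new_policy, previous_policy)


if __name__ == "__main__":
    print(json.dumps(handle(sample_event(BUCKET, WEAK_POLICY), RESTRICTIVE_POLICY)))
```

Running the file applies the weak policy on top of a recorded restrictive one and prints `restore_previous_policy`; applying the weak policy when Config has nothing recorded, or has recorded another weak policy, yields `remediation_failed` instead, which is the branch that keeps the automation out of the loop described above.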
This time we're going to dive deeper into securing your S3 objects. Earlier we saw how you can mitigate bad bucket policies. Now we're going to go one step deeper and find out how you can secure your S3 objects from bad ACLs. For example, let's say you have a very confidential bucket where multiple people are adding objects, but you don't want the object permissions to be changed from private to public. For example, somebody says, 'I want to share this data with another team', and goes ahead and changes the object ACL, accidentally making it public. You want to remediate that immediately because of compliance requirements. So you want to actively monitor any such change that happens in your account and remediate it as soon as it occurs. That is what we're going to see now. Let us think of a bucket which holds super-confidential data of your account, and developers changing an object ACL, or adding a new object and, instead of making it private, making it public. What I would recommend is to go ahead and configure CloudTrail in your account so that you get access to all the S3 API calls, at the bucket level or at the object level. Once you have access to that level of data, you can filter for particular events; in this case I would say look for the PutObjectAcl or PutObject events. Based on those events you can filter for a particular bucket, or for all the buckets in your account, and then send them to Amazon EventBridge, and EventBridge can trigger a step function. In this case I'm saying step function because you can take multiple actions based on the event that is happening. If you have only one Lambda function, then orchestrating within the Lambda function becomes difficult.
So if you have a step function, what you can do is immediately notify your SecOps team, and at the same time look at the event, say whether this object ACL is private or public, and go ahead and remediate the object from public to private as soon as possible. And if I'm not able to do that, once again I will inform my SecOps team, saying there is some problem with remediating this object and I want somebody to look into it. So I have written a GitHub article which creates all the resources we need to achieve this automation, and this GitHub article also includes the CloudFormation template which can do that for us. This CloudFormation template is going to create a few resources: one S3 bucket, which is the bucket we're going to play around with by changing the object ACLs. Then we need a CloudTrail trail, which is going to be regional so that we don't spend too much on cost while learning. We are also going to create a step function, which will have an SNS topic linked to it, and a Lambda function to remediate the object ACLs. Finally an EventBridge rule, which is going to listen for CloudTrail events and filter for the bucket name we are going to create, and also some IAM roles for the step function and Lambda functions to run. Deployment: once again I have written the entire automation using CDK. So if you're a big fan of CDK, go ahead and clone this repository, install the dependencies and then just use cdk deploy. That should create the CloudFormation template in your account and deploy all the necessary resources. If you're not familiar with CDK, go ahead and use the CloudFormation template that is in the cdk.out directory. If you go up here, you'll find a cdk.out directory; under that you will also find the CloudFormation template.
So once we have those resources deployed, what we'll do is upload an object, change the object ACL and see how the step function executes. So let's go ahead and start by deploying that template. Let us give permission for IAM role creation. Since there are going to be quite a lot of resources created by this CloudFormation stack, the console is going to take some time to work out the dependencies and which resources need to be created first; once it understands all the dependencies, it is going to start building those resources. As soon as it starts building them, let us go ahead and check one by one what is getting created and what is still pending. We can see here that a few resources are already identified, so let's just go to the Resources section. There are two important things I would like to show. One is the SNS topic, where you can go ahead and subscribe your email address. In addition to the default, I've given a dummy email address. You can see here that an SNS topic has been created; let us just go ahead and quickly open it. Here we have one topic, the 'inform SecOps' topic, and I have created a dummy email address for the subscription. You can go ahead and add any subscriptions you want. So if you want to do an email subscription, you can go ahead and give your own company's email address and create a subscription. You'll get an email, and then you need to confirm that SNS subscription; whenever there is a failure in remediation you'll get an email on that topic. So that is the SNS topic side. Let me see if the step function has also completed in the resources here. I'm just going to find the step function. Let us walk through the definition here.
So what is going to happen is, whenever an object is uploaded to the bucket we just created, it is going to evaluate whether the object is public or private. If the object is private, it is going to say the object ACL is compliant. If it is not private, it is going to make it private and then check again whether the remediation has been successful or not. It is going to retrieve the values and see whether it is private; then, if it is private, it is going to say everything is compliant and flow through here. If the automation is for some reason not able to remediate the object and make it private, it is going to notify my SecOps team and then mark the event as a failure, and then you can come and investigate. That is what I have shown here under 'Testing the solution'. This is what a good flow looks like: whenever an object is private, you get 'object compliant' and then it ends. Whenever it is not private, it is going to go ahead and remediate the object, and if remediation is successful it is going to mark it as compliant. And if for some reason, say for example, your Lambda is not able to execute, or is not able to reach the S3 service, or is not able to change the object to a private state, then it is going to notify the SecOps team, say the remediation failed, and you get this state. So let us go on and quickly check our EventBridge rule, which is also very fine-grained so that we're monitoring only this bucket. So this must be my EventBridge rule. You can see here, under Amazon EventBridge, Events and Rules; you can navigate through the console as well to get to EventBridge, and then if you go to the Rules section you can come here and see. This one was from the previous demo I was playing around with; this is the rule that has been created by my CloudFormation template. We're listening to the CloudTrail service, and we're looking for events from S3.
We're looking only for activity or events happening on this bucket, and only for these two events. Whenever somebody uploads an object or changes an object ACL, this event pattern will be matched and my step function will be triggered; that is what the target here says. So if my CloudFormation is completed now, let us go to Stacks and check the status. Okay, CREATE_COMPLETE. If I go to my Outputs section, you will find the monitored S3 bucket URL. Let us go there. What we're going to do now is upload an object. As I said, whenever there is a PutObject, my step function also gets triggered. So let us go ahead and check what happened in my step function and whether there is an execution there. You can see there is an execution here, and I know the object is private, so it's marked as compliant. You can see here everything is good. So let us go ahead and make this object public. I open the object and go to its properties; you need to do it at the object level, not at the bucket level. If you go to Properties and then Permissions, as of now, for 'Everyone' there are no permissions here. So I'm just going to go here and make this object public, so everyone in the world can list this object and read this object. This is going to trigger the automation once again: my step function will be triggered and the object ACL will be remediated. So I'm going to go back to my step function here; you can see there are already two executions. Let us open this one. I'll tell you why the other one has also happened. My step function found out that there is an object ACL event and the object ACL was public. You can see here the input: the event is PutObjectAcl, not PutObject. If you go and see the previous execution, it will be PutObject; this time we have just PutObjectAcl.
Then there are permissions for everybody, such as READ, and WRITE_ACP and READ_ACP are also there. So it went ahead and remediated that object. If I go ahead and refresh this page, we should see these three permissions disappear; you can see here the object permissions have disappeared. We can try it one more time, but before we do, the reason for the additional execution here is that whenever this automation goes ahead and puts the new permissions, making the object private, the automation is triggered again; that execution is going to see that the object is private, say everything is fine, and not change anything. So that is how you remediate weak ACLs in your account. I would highly recommend you go ahead and try it out in your account. This is in a community repo; you can go ahead and fork the repo and add some features to it. For example, a couple of features I was thinking of adding: when there are multiple objects in your account, you can batch those requests, put them into an SQS queue and then run through them in a Lambda function instead of executing them synchronously. You can quarantine the user or role which is triggering multiple weak ACLs in your bucket. So there are a couple of other things you can try out on top of it. And if you're successfully able to do that, send me a pull request; I would be happy to have this automation improved and taken to the next level. Until then, thanks for watching, happy learning.

27. 3 6 Proactively monitor and respond to failed SSH logins to EC2 Instances:
Welcome to another episode of security automation. This time we're going to talk about securing your EC2 instances against intrusion attempts. If you have EC2 machines, you need to give your developers OS-level access.
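Before going on to the SSH lesson, here is an added worked example of the object-ACL check, remediate and verify flow from lesson 3 5 above, including the failure branch (the PutObjectAcl is accepted but the object stays public) and the second, no-op execution that the remediating PutObjectAcl itself triggers. It is not the course's or the repository's code and runs offline: the S3 and SNS calls are replaced by an in-memory stand-in, the ACL documents follow the shape of S3's GetObjectAcl response, and the owner ID, bucket and key are constructed.

```python
"""Added example (not the course's code): the object-ACL state machine from
lesson 3 5 as plain Python. No AWS calls; samples are constructed."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

OWNER = {"ID": "0123456789abcdef" * 4, "DisplayName": "bucket-owner"}  # constructed

# Constructed: roughly what GetObjectAcl returns after "Make public" in the
# console: the owner keeps FULL_CONTROL and AllUsers gets READ.
PUBLIC_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


def public_grants(acl: dict) -> list:
    """Grants to AllUsers/AuthenticatedUsers, whatever the permission:
    READ leaks the object, WRITE_ACP lets anyone re-open it later."""
    return [g for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def is_compliant(acl: dict) -> bool:
    return not public_grants(acl)


def private_acl(acl: dict) -> dict:
    """The ACL the remediation writes: equivalent to the canned ACL 'private',
    i.e. only the owner keeps FULL_CONTROL."""
    owner = acl["Owner"]
    return {"Owner": owner,
            "Grants": [{"Grantee": {"Type": "CanonicalUser", **owner},
                        "Permission": "FULL_CONTROL"}]}


def remediate_object(bucket, key, get_acl, put_acl, notify) -> dict:
    """One state-machine execution. get_acl/put_acl/notify are assumed
    callables standing in for s3.get_object_acl, s3.put_object_acl and
    sns.publish."""
    acl = get_acl(bucket, key)
    if is_compliant(acl):
        return {"status": "OBJECT_ACL_COMPLIANT", "remediated": False}
    put_acl(bucket, key, private_acl(acl))
    # Verify rather than trust the write: re-read the ACL and check again.
    if is_compliant(get_acl(bucket, key)):
        return {"status": "OBJECT_ACL_COMPLIANT", "remediated": True}
    notify(f"Remediation failed for s3://{bucket}/{key}; manual review needed")
    return {"status": "REMEDIATION_FAILED", "remediated": False}


class FakeS3:
    """In-memory stand-in for S3 so the flow runs offline. 'stuck' simulates a
    PutObjectAcl that is accepted but has no effect, to exercise the failure
    branch that pages SecOps."""
    def __init__(self, acl, stuck=False):
        self.acl, self.stuck, self.puts = acl, stuck, 0

    def get_acl(self, bucket, key):
        return self.acl

    def put_acl(self, bucket, key, acl):
        self.puts += 1
        if not self.stuck:
            self.acl = acl


def run_demo(stuck=False):
    """Two consecutive executions, as seen in the console: the remediating
    PutObjectAcl fires the rule again, and that run must be a no-op."""
    notices = []
    s3 = FakeS3(PUBLIC_ACL, stuck=stuck)
    first = remediate_object("confidential-bucket", "report.csv",
                             s3.get_acl, s3.put_acl, notices.append)
    second = remediate_object("confidential-bucket", "report.csv",
                              s3.get_acl, s3.put_acl, notices.append)
    return first, second, notices, s3.puts


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(stuck=True))
```

With a working S3 the first execution remediates and the second finds the object already private; with the stuck stand-in both executions fail the verify step and each sends one notification, which is the behaviour you want to see before wiring the real SNS topic.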
Sometimes, if it is a Linux machine, you will provide them with SSH-based access so that they can troubleshoot their application, or fine-tune it with access to OS-level parameters. In those cases it becomes imperative that you monitor those SSH attempts, and that you keep a tab on the failed SSH attempts. For example, if there is an intruder within your network, they will try to access your servers with different usernames so that they can gain control of the operating system and carry out unauthorized activities, or they might try different SSH keys that could give them access to the operating system. If they're outside your network, the SSH logs will show frequent disconnections. So you can take all three of these pieces of information, process them through your automation, through a Lambda function or any other automation you have, and defend against those kinds of attempts. That is what we're going to see now. Let us say you have an EC2 instance running any application you can imagine; it might be a web server application or a database server. What you can do is add a CloudWatch agent. Amazon has a unified CloudWatch agent that can be used on both your Windows machines and your Linux machines with the same configuration. In this case we're going to configure the CloudWatch agent to monitor the SSH logs generated by the operating system. So whenever there is a malicious host or user trying to attack your instance over the SSH protocol, there will be some logs generated, and we can ask this CloudWatch agent to send all that information to CloudWatch Logs, where you can create some custom metrics. Based on these custom metrics you can trigger an alert to a Lambda function, or you can create an SNS notification or an alarm.
So in this case, what I'm demonstrating is that you can have a Lambda function which triggers a step function, and what the step function is going to do is look at that instance and, if there is an abnormal number of SSH attacks happening, isolate the instance so that no further attacks can happen on it. It is also going to send a notification to my SecOps team saying something wrong is going on with this instance and somebody needs to investigate. So this is an extreme remediation action, isolating the instance, which can take down your application as well. But since this is a step function and a demo, you can go ahead and customize it as much as you need. You can go and look at the rules that apply to connections coming into the EC2 instance, see if the requests are coming from one particular IP address and add a deny rule for it; or you can take the remedial action only for bad keys, or rotate the SSH keys. So depending upon your security requirements, you can do different kinds of remedial actions. In this case I am going to show you how to isolate the instance as soon as a failure triggers. So we have a GitHub article which is going to help us tie together all the different services that need to be put together to achieve this automation. Let us see all the different pieces that are going to get deployed. We're going to create a demo instance so that we can play around with it by making SSH attempts against it. This demo instance is going to have a CloudWatch agent pre-installed, and that CloudWatch agent is going to monitor your SSH logs. We're going to use Amazon Linux here, and I have pre-baked the configuration so that your CloudWatch logs are sent with your instance ID as the log stream name.
We are also going to create a log group, which is going to be different from whatever log groups you might already have in your account. We are also going to create a Lambda function which is going to look at every matching metric filter. For example, if there is an SSH failure, this Lambda function is going to get triggered, and this Lambda function is going to trigger the step function. As I said, this is an extreme remediation action, because for even a single failure we are going to isolate or quarantine the instance with a security group, and no other access will be allowed once that security group is in place. We're also going to create some CloudWatch alarms: for example, when the number of invalid users goes beyond a certain threshold, say 20 invalid user attempts within the last three or four minutes, we're going to raise an alarm. Likewise, if there are too many invalid SSH keys, that is, too many SSH keys being tried against your server, you're going to get another alarm. And likewise, if there are too many SSH disconnects, you're going to get one more alarm. Finally, the roles for your step function, Lambda functions and your EC2 instance are also getting created here. So, as usual, we have a CDK-based deployment; if you want to go ahead, I would highly recommend you try that. If not, you have the CloudFormation template and we can deploy it. Once we deploy the template, let us come back and see how we can test the solution. So let me go ahead and launch the template. You can see here this is the AMI ID of my Amazon Linux 2. If you want to change the template to use a different AMI, that is also possible; I leave that to you as an additional exercise. Just go ahead and give the permissions to create IAM roles.
So once again, there are too many resources here that needs to be created for this template. So or formation is going to look at all the dependencies and it is going to Mapple, which is a source to be getting created first. And then it is going to do about that list here. So what? The list off resources that is going to get created on June, where we're also going to create and custom VPC for this demonstration so that this is not going to disrupt any BBC or any application that is going to run in your account so you can run this automation in any account that you have without any problems. So we will have a few things created. So meanwhile, let me just go ahead and open my easy to service. We still have the 82 instance. Profile is getting created. So if the step functions created, we can go ahead on and check it out. Here is a step function. Let s go ahead and check it out. What accent it is going to take? They go to the definition section on here. This is my flew off my logic. It is going toe beat regard by and lambda function on that I am. The function is going to be triggered by an ssh failure. So once a step function flows begins, it is going to see whether I want to call it in the instance or not. If it is successfully core and time, it is going to notify in my psych ops team Onda. If that is all these actions are successful, it is going to say that, uh, assistant editor response actions have succeeded. If it is not successful, it is going to go into the failed use case. So this is I think we have on a successful image here, Onda for failures. If you're enter off this use cases, if we just not able to notify the SEC ops team or if it's not able to quarantine you will go into the failed use case here. So we should also have an SNS topic. I would highly recommend you to go ahead. Onda subscribe to that s in this topic. It is a pre baked within a dummy email address. You can see here That is an in force eclipse. I would go ahead, Onda, subscribe to any militancy. 
want. Likewise, we should have a few CloudWatch alarms as well. We have four alarms here, and you can see here there is an alarm for too many invalid users and too many invalid SSH keys, and also too many SSH disconnects. So since our state machine is going to be triggered by a Lambda function, I created one more alarm saying, if my state machine is not able to be triggered by my Lambda, then I want an alarm for that. So basically, if it is failing five times in the last five minutes, then I want to be alerted. Likewise, if I am having five SSH failures in the last three minutes, then I would want to be notified. So these are all different alarm configurations. You can go ahead and customize them any time you want. So let's go ahead and see if our instance has come up online. So we have an instance which is running, and we also have a public IP address. So let me go ahead and check whether our stack is also completed. Our stack is completed. So if you go to your output section, I have summarized everything here. This is our monitored instance, the same instance that you see here. This is the alarm configuration, and you also have some practical information available to you. So this is a sample command if you want to trigger some invalid key errors. This is the command that you will run. And if you want to trigger some invalid user errors, this is the command that you will run from your shell or command prompt, wherever you want. So before going ahead and demonstrating the quarantine action, I want to bring your attention here. You can see there is a security group right now, and inbound, it is currently allowing only the VPC IP address range. So I want you to edit this one, and then you can go ahead and choose My IP address, and then we can save. So now this is a demonstration.
So in the real world, you would have your corporate IP address or your VPC's IP address, or you might have a bastion host on those IP addresses. So you might want to change it appropriately. Since this is the demo, I'm restricting it to my IP address. So let me just go ahead and trigger a failure. Let me go back to my instances. So the security group will be changed from now. We have only an inbound rule for port 22 from this IP address. So once we trigger a failure, the security group will be changed so that no other connections are allowed from here. So what I'm going to do now is I'm going to connect to this server through SSH and trigger some failures and see if my security group quarantining action is completed or not. So you can see here the server is not created with any key pair. So whatever attempt that I'm going to make is going to trigger a failure, and that will be captured by my CloudWatch agent that is running in the instance and then sent to CloudWatch. Before going to trigger that, I can go ahead and show you that one as well. You will have CloudWatch log groups, and this is the log group that is getting created. And if you go to metric filters, you can see here already there is a log group with the instance name created, and then we can also go and check it out. Some SSH logs must already be there. Yeah, those are not failures that I know of, so you don't have to worry about them. But if you go to my metric filters, you can see the invalid SSH key, invalid SSH user and too many disconnects. All those metric filters have been created. So let me just go ahead and try and trigger a failure. This is going to create a key failure with this attempt that I'm going to do now. I'm just going to say, let us use this one, and I'm just going to add some random number as the key. So we have triggered two failures.
One was the key failure, and the second time the key as well as an invalid user. So what I'm going to do now is I'm just going to run some of these commands, so that our alarms will also get triggered. So I'm just going to run this multiple times. So let me go to my Step Functions now. Since this is an automation that has too many moving pieces, for example, CloudWatch has to pick up the failure, and then it will send it to my metric filter, and that metric filter will trigger my Lambda, and that Lambda will trigger my state machine, so it is going to take a few minutes. Let me go ahead and check my executions. You can see here there is one already successfully completed, and you can see the quarantining action has also been completed. Let us go back to my EC2 instance. I can see here this is the security group here, but I don't want to change this page. Let me duplicate this page. We should be able to see a new security group. You can see here there is an enforcer quarantine security group, and there are no inbound and outbound rules. Basically, what we have done is we have quarantined that EC2 instance, and there are no more actions that can happen, no more attacks that can happen on this EC2 instance. We have isolated this instance successfully now. So this is how this automation works. If you have SSH-based attempts, automatically you can trigger some downstream action. I keep saying this is an extreme remediation measure of isolating that instance immediately. What you can do is you can go ahead and look at which user or which role is having multiple failures, or which IP address is having multiple failures, and take some remedial actions based on those. Adding that yourself is the next step, and I will leave that as an assignment for you guys. Go and try it out. And this is a public repository, so go ahead and make some improvements.
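The detection stage described above (sshd log lines picked up by CloudWatch, turned into three metric filters, and an alarm that fires on a burst of failures) can be modelled offline. The following is an added example and is not code from the course or its repository: it classifies constructed sshd log lines into the three metrics the lecture creates, applies the "five SSH failures in the last three minutes" alarm rule, and lists the source addresses behind the failures, which is the per-IP view the lecture suggests as the next step before quarantining a whole instance. The metric names InvalidUser, InvalidKey and Disconnect, the 2019 year supplied for the syslog timestamps, and the sample lines themselves are my assumptions, not the course's.

```python
"""Added example, not code from the course or its repository: a model of the
detection stage the lecture describes (sshd log lines -> three metric filters ->
an alarm on N failures in a window), run over constructed log lines so the
thresholds can be tested offline.

Assumptions (mine, not the course's): log lines are in the syslog form sshd
writes on Amazon Linux; the metric names InvalidUser, InvalidKey and Disconnect
stand in for the course's filter names; the 5-in-3-minutes threshold is the one
the lecture quotes for SSH failures.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Regexes modelled on sshd's own messages; each corresponds to one of the
# three CloudWatch metric filters the lecture creates.
PATTERNS = {
    "InvalidUser": re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    "InvalidKey": re.compile(
        r"Failed publickey for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    "Disconnect": re.compile(
        r"Connection closed by (?:(?:invalid|authenticating) user \S+ )?"
        r"(?P<ip>[\d.]+) port \d+ \[preauth\]"),
}

# Constructed sample (not a real capture): one probe for a non-existent user,
# repeated key failures for ec2-user from the same address, then a valid login.
SAMPLE_LOG = """\
Nov 19 10:00:01 ip-10-0-1-24 sshd[2101]: Invalid user admin from 203.0.113.7 port 50211
Nov 19 10:00:01 ip-10-0-1-24 sshd[2101]: Failed publickey for invalid user admin from 203.0.113.7 port 50211 ssh2: RSA SHA256:AAAA
Nov 19 10:00:02 ip-10-0-1-24 sshd[2101]: Connection closed by invalid user admin 203.0.113.7 port 50211 [preauth]
Nov 19 10:00:40 ip-10-0-1-24 sshd[2105]: Failed publickey for ec2-user from 203.0.113.7 port 50230 ssh2: RSA SHA256:BBBB
Nov 19 10:01:10 ip-10-0-1-24 sshd[2109]: Failed publickey for ec2-user from 203.0.113.7 port 50241 ssh2: RSA SHA256:CCCC
Nov 19 10:01:45 ip-10-0-1-24 sshd[2112]: Failed publickey for ec2-user from 203.0.113.7 port 50255 ssh2: RSA SHA256:DDDD
Nov 19 10:02:20 ip-10-0-1-24 sshd[2115]: Failed publickey for ec2-user from 203.0.113.7 port 50260 ssh2: RSA SHA256:EEEE
Nov 19 10:02:30 ip-10-0-1-24 sshd[2118]: Accepted publickey for ec2-user from 198.51.100.9 port 41000 ssh2: RSA SHA256:FFFF
"""


def classify(line, year=2019):
    """Map one log line to a metric event, or None if no filter matches.

    Syslog timestamps carry no year, so one is supplied for window arithmetic."""
    for metric, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            return {"time": stamp, "metric": metric,
                    "ip": match.group("ip"), "user": match.groupdict().get("user")}
    return None


def parse_events(log_text):
    """Run every line through the filters; unmatched lines are dropped."""
    return [event for event in map(classify, log_text.splitlines()) if event]


def metric_counts(events):
    """Totals per metric, i.e. what the three metric filters would emit."""
    return Counter(event["metric"] for event in events)


def alarm_fired(events, metric, threshold=5, window_minutes=3):
    """True if `threshold` events of `metric` fall inside any window of
    `window_minutes`, the shape of "five SSH failures in the last three minutes"."""
    window = timedelta(minutes=window_minutes)
    times = sorted(e["time"] for e in events if e["metric"] == metric)
    for start in range(len(times) - threshold + 1):
        if times[start + threshold - 1] - times[start] <= window:
            return True
    return False


def top_source_ips(events):
    """Which source addresses account for the failures: the per-IP view the
    lecture suggests looking at before isolating the whole instance."""
    return Counter(event["ip"] for event in events).most_common()


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(metric_counts(evts))
    print("InvalidKey alarm:", alarm_fired(evts, "InvalidKey"))
    print("InvalidUser alarm:", alarm_fired(evts, "InvalidUser"))
    print(top_source_ips(evts))
```

On the constructed sample the InvalidKey alarm fires (five key failures inside 2 minutes 19 seconds) while the single invalid-user probe does not reach its threshold, and all seven failure events come from one address, which is the kind of evidence a narrower response than a full quarantine would act on.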
Send me a pull request so we all can learn from each other. If there is something missing, I'm happy to add that as well. And if you are worried about creating all those resources, I also included the steps of how to clean up all those resources. Since we're doing everything through CloudFormation, you can just go ahead and delete the stack, and that should most probably delete all the other resources also. Until then, thanks for watching. Happy learning.

28. 3 7 Automatically rotate EC2 SSH keys for ALL your instances reliably:

Hello, folks, welcome back. If you have been running EC2 machines for quite some time, you would have faced another common problem when running a large fleet of EC2 machines over a period of time. The issue is, you will have created the machines with an EC2 key when the machine was booted, and those keys are stuck with those machines, and you wouldn't have an easy mechanism or a quick way of rotating those EC2 keys. One of the best practices in security is you need to rotate your keys as often as possible. When it comes to EC2 SSH keys, it becomes very sticky because sometimes you need to log into the server to rotate them, or you have a lot of servers in different regions and different accounts. It becomes very difficult or cumbersome to write your own automation to do that. Today, I'm going to show you a mechanism for how you can leverage AWS SSM to rotate your keys in a very easy way, which will scale to any number of instances. For example, you can have 10 instances or 20 instances, or if you want to try it out with a certain number of instances, then you can even use the tags that are attached to your instances to change the keys for those servers. So let's go ahead and see how we can do this. For this purpose, I have set up a simple machine here. As you can see, that is the server with all its keys. I just want to show the server with one key, which has been with me for a very long time.
Now, this is the key I want to replace. I want to add another key so that I can log into the server and remove the old key, or keep it for some time and then slowly I can replace them at a different point in time. So how do I do that? So as we're going to do it through SSM, it comes with its own set of prerequisites. One is that the SSM agent should already be installed on your server and it should be running. Since you have the old key, even if you don't have the agent, you can go ahead and install it and get it running. If you don't know how to do it, if you go to the GitHub article, you will be able to find it, because we have been using SSM quite often. Now that is the first prerequisite. The next one is having an IAM role. This IAM role will enable the Systems Manager service to run some commands on your EC2 instance. So again, this IAM role is also there in the document where you will be installing the SSM agent. I'll just put that link also below in the comments or somewhere here on the screen so you can go ahead and do that. So how are we going to do that? If you go to AWS Systems Manager under Managed Instances, this instance should pop up for you because the agent is running and it is constantly communicating with the service. So we need a new set of keys so that we can connect to the server. So we're going to generate our keys. We're going to use RSA keys, and we don't want a passphrase now, so I'm just going to give an empty passphrase, and we're going to quietly generate them. I'm going to give the file name with this month so that we can identify it later. I'm just going to call it november-19-keys. So if I go ahead and do something like this, I should be able to find two things: one is the private key, and the other one is the public key. So basically, we're going to copy this public key and insert it into our server, and then we can log in with this November 19 key that we just created.
So let us go ahead and copy this public key, and I'm just going to copy only up to the user@host comment. I don't want the user@host part, so I'm just going to copy that. Just going to clear the screen here so we can come back and connect to the server. Let us go back here and let us run a command. Since we're running an AWS instance that is a Linux-based instance, I'm just going to choose the platform type as Linux, and on the second page, you will find Run Shell Script here. We're going to use a simple command to insert the authorized keys here. I'm pasting the public key, and I'm going to send the output to the home directory of ec2-user under the .ssh directory, where we'll have the authorized_keys. That's it. We're done here. Just scroll down and select the instance. This is where the most interesting piece happens. If you want to select instances based on tags, you can do that, or if you want to do it manually, you can go ahead and choose which instances you want to change. Or, if you created resource groups, then select that group. For example, you might have created this group for a tier or an app, here your batch processing servers, so you can go ahead and choose those instances and rotate your keys. So let's click on the instance that we have running. You can have rate control also, if you want to do it 10 at a time, 20 at a time, or if there is a failure, you want to stop immediately. You can do rate control also, and you have mechanisms to redirect the output to an S3 bucket or CloudWatch Logs so that you can monitor what is happening, and if there is an error or you want to investigate when you last changed a key and all those things, it's possible. Just click on Run and it should run almost instantaneously because we're just running one simple command here. So it's done here. I'm just going to copy the server's public IP address. So let's just go ahead and connect to the server. There you go. We just rotated our keys.
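The edit that the Run Command above makes to authorized_keys (append the new public key with `>>`), together with the clean-up of the old key that comes afterwards, is modelled in the following added example. It is not code from the course or its repository; it is mine. It assumes the remote user is ec2-user as in the lecture, that keys are single-line OpenSSH public keys, and that the two sample keys are constructed placeholders with valid base64 but no real key material; the file path and the printf form of the remote command are my choice. The point of the model is that the command can be checked before it is sent to a fleet: a malformed key is rejected up front, re-running it is a no-op, and the append-versus-overwrite difference is explicit.

```python
"""Added example, not the course's or repository's code: the authorized_keys
edit the lecture performs through SSM Run Command, modelled in Python so the
append vs overwrite behaviour and the later clean-up of the old key can be
checked before the command goes out to many instances.

Assumptions (mine): the remote user is ec2-user as in the lecture; keys are
single-line OpenSSH public keys without an options prefix; OLD_KEY and NEW_KEY
are constructed placeholders with valid base64 but no real key material; the
path and the printf form of the remote command are my choice, not the course's.
"""
import base64
import binascii
import shlex

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed placeholders (not real keys): the key baked in at boot and the
# "november-19-keys" pair generated in the lecture.
OLD_KEY = ("ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 40).decode()
           + " baked-in-at-boot")
NEW_KEY = ("ssh-ed25519 " + base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x03" * 36).decode()
           + " november-19-keys")


def parse_key(line):
    """Split an authorized_keys line into (type, material, comment).

    Rejects anything that is not a recognisable public key, so a typo in the
    Run Command payload cannot leave a junk line in every instance's file."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        raise ValueError(f"not an OpenSSH public key line: {line!r}")
    try:
        base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key material is not valid base64") from exc
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def key_identity(line):
    """Type plus material; the trailing comment is not part of the key."""
    key_type, material, _comment = parse_key(line)
    return key_type, material


def rotate(existing, new_key, remove_old=None, overwrite=False):
    """Return the new authorized_keys content.

    overwrite=False is the lecture's `>>` (append; the old key keeps working);
    overwrite=True is the single `>` it warns about (only the new key remains).
    remove_old drops one specific key by identity, the clean-up step the lecture
    leaves as an exercise. Re-running with the same new key changes nothing.
    Comment lines (starting with #) are kept as they are."""
    new_id = key_identity(new_key)
    lines = [] if overwrite else [l for l in existing.splitlines() if l.strip()]
    if remove_old is not None:
        old_id = key_identity(remove_old)
        lines = [l for l in lines if l.startswith("#") or key_identity(l) != old_id]
    if all(l.startswith("#") or key_identity(l) != new_id for l in lines):
        lines.append(new_key.strip())
    return "\n".join(lines) + "\n"


def build_run_command(new_key, user="ec2-user", append=True):
    """The shell line to send via Run Command's AWS-RunShellScript document.

    shlex.quote keeps the key as one literal argument; `>>` appends, `>` replaces."""
    parse_key(new_key)  # fail here, not on a thousand instances
    redirect = ">>" if append else ">"
    path = f"/home/{user}/.ssh/authorized_keys"
    return f"printf '%s\\n' {shlex.quote(new_key.strip())} {redirect} {path}"


if __name__ == "__main__":
    step1 = rotate(OLD_KEY + "\n", NEW_KEY)             # both keys valid: test the login
    step2 = rotate(step1, NEW_KEY, remove_old=OLD_KEY)  # then retire the old key
    print(step1, step2, build_run_command(NEW_KEY), sep="\n")
```

The two-step order matters: append first and confirm a login with the new key works, and only then run a second command that removes the old key; a single overwrite does both at once and leaves no way back in if the new key was pasted wrongly.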
And we were able to connect to this server. So if you remember the location where I inserted the keys, you should be able to find two keys here. The first one was the key that was already there when the machine booted, and we just inserted one more key and were able to log in. So in future, if you want to actually do the proper job of rotating your keys, after testing out that everything is working fine, you can elaborate your commands so that you can remove the old authorized keys also, so that you just have only one file or one key there. If you remember, we were doing a double redirect symbol. That means that it appends to the file. If you just do a simple single one, it just overwrites the file. Basically, you will be having only the one new authorized key. That's a basic Linux command, and I will leave that as an exercise. You can try it out and let me know how it goes. Thanks for watching. Happy learning.

29. 3 8 Proactively Block S3 Public Access At Scale:

Welcome to another lecture on securing your S3 service. If you have been running many S3 buckets, you will have multiple tools to secure your buckets. For example, you have bucket policies. You also have IAM policies where you can define access to certain buckets or deny access to certain buckets. Or nowadays you can even have attribute based access control for your buckets. In addition to that, you also have KMS encryption. In the long list of protections that you have for defending against leakages in your S3 bucket, Amazon has introduced another new tool called S3 Block Public Access. They have also written a nice blog post on the way you can use this feature, or when you can use this feature and what benefit it offers. My opinion is it is much easier to go ahead and try it in your account rather than just go ahead and read it, because it just takes a few minutes to try this feature in your account. So let us dive into our account itself directly.
So here I am in my S3 service, and on the left hand side, you have this Block Public Access. When you click on it, it gives you four or five options. Basically, what it means is, if you enable this option, all public access to your account is going to be denied, even any bucket that might be legitimately public. For example, if you're running a website and you want to distribute some CSS or HTML pages or banner images, all those requests will be blocked, right? So if you want to have a hyper-secure environment, this is it. Is this account-wide or bucket-wide or region-wide? This is account-wide, so if you enable this, every access is going to get blocked. So do this carefully. But if you're going to do this option, for example, buckets which are public already are not going to be blocked, but any new buckets or any new objects that are going to be made public will be denied access, so you will not be able to add anything public to your account if you choose this option. When you choose this option, we can actually test it out before I go on to the next one. What I've done is, let me just refresh the screen, I have not enabled Block Public Access. You can see here it is off in my account. I have a bucket I just now created, but I have also made it public, and also a simple file called blue welcome. So if I go ahead and click on this URL, it opens the page. So let me just duplicate this. Just go back here. So right now you can see here this is public access, so anybody can access this URL. So if I go ahead and enable this here and click on Save settings, it asks to confirm this. So the moment you confirm it, any request for this URL is going to be immediately blocked. There is a problem with Chrome caching. If you want to refresh your cache, just click on Command or Control, depending upon which operating system you use,
and then request a fresh page. And then you can see here that access is denied. So let us go ahead and do this option now. So if I do this option, what is going to happen is any existing object's request will be allowed. So if I go ahead and save these changes, confirm it, and then I'm just going to copy the same URL, put it into another browser window, and then press Enter. See here, I'm getting the request again. So basically what this means is any existing object which is public, any buckets which are public, will be left as they are. They will not be blocked. So the third option is an interesting one. If you're going to go ahead and choose this one, you will be modifying the old buckets also. So now, if there is a bucket which is not public already, or you're trying to make an existing object public, then that access would also be denied. Likewise, if you have access points and those access points are trying to make your bucket public, that will also be denied if you use the third option. Likewise, if you have cross-account access and those policies are going to make your bucket public, then that access will also be denied in your account. So this is not the only defense mechanism that you have against making your objects public. If you go into your bucket itself and go to Permissions, let's go back to the bucket here and go to Permissions, and you have an option which says Block public access. You can do this at the bucket level also. You can just go ahead and say block all public access to my bucket, and then if I just go ahead and confirm this, remember the global setting, we have not done anything there. Let me just go back to the global setting here, and then just say save changes. So that basically means that everything is off here on the global settings. You can see that this is the global settings for my account. It is off, whereas on the bucket level I have blocked public access.
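The two levels just shown (account-level switches all off, one bucket locked at bucket level) combine in a simple way: an account-level flag applies to every bucket, so the effective setting is the stricter of the two. The following is an added example, mine and not the course's code, that audits constructed PublicAccessBlock configurations in the shape GetPublicAccessBlock returns, reports which of the four protections a bucket still lacks, and answers the two questions the demonstration above turns on: can something new be made public, and does something already public stay readable. The flag names are the real PublicAccessBlock keys; the account and bucket data are constructed samples, not read from any account, and the meaning attached to each flag follows the AWS documentation.

```python
"""Added example, not the course's code: evaluate S3 Block Public Access the way
the lecture walks through it, account level combined with bucket level, and
report which protections a bucket still lacks.

Assumptions (mine): the four flag names are the real PublicAccessBlock keys;
ACCOUNT_CONFIG and BUCKET_CONFIGS are constructed samples in the shape
GetPublicAccessBlock returns, not read from any real account; the meaning
attached to each flag follows the AWS documentation.
"""
SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

MEANING = {
    "BlockPublicAcls": "new public ACLs on buckets or objects are rejected",
    "IgnorePublicAcls": "public ACLs already present are ignored",
    "BlockPublicPolicy": "new bucket policies granting public access are rejected",
    "RestrictPublicBuckets": "a bucket with a public policy serves only this "
                             "account's principals and AWS services",
}

# Constructed sample: the lecture's end state (account-level switches off, one
# bucket locked at bucket level) plus two other buckets for contrast.
ACCOUNT_CONFIG = {k: False for k in SETTINGS}
BUCKET_CONFIGS = {
    "secure-private-bucket": {k: True for k in SETTINGS},
    "public-website-assets": {k: False for k in SETTINGS},
    "half-locked-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}


def effective_settings(account, bucket):
    """An account-level flag applies to every bucket, so the effective value is
    the OR of the two levels; a bucket can add restriction, never remove it."""
    return {k: bool(account.get(k) or bucket.get(k)) for k in SETTINGS}


def missing_protections(account, bucket):
    return [k for k, on in effective_settings(account, bucket).items() if not on]


def audit(account, buckets):
    """Bucket name -> flags still off after both levels are combined."""
    return {name: missing_protections(account, cfg) for name, cfg in buckets.items()}


def can_make_public(effective, via):
    """Would a new grant of public access succeed? `via` is "acl" or "policy"."""
    if via == "acl":
        return not effective["BlockPublicAcls"]
    if via == "policy":
        return not effective["BlockPublicPolicy"]
    raise ValueError(via)


def anonymous_get_allowed(effective, made_public_via):
    """Does an object that is already public still serve anonymous GETs?

    This is the difference the lecture demonstrates: blocking *new* public ACLs
    leaves an existing public object readable; ignoring public ACLs does not."""
    if made_public_via == "acl":
        return not effective["IgnorePublicAcls"]
    if made_public_via == "policy":
        return not effective["RestrictPublicBuckets"]
    raise ValueError(made_public_via)


def report(account, buckets):
    """One line per finding, suitable for a ticket or a scheduled check's output."""
    lines = []
    for name, missing in audit(account, buckets).items():
        if not missing:
            lines.append(f"{name}: fully blocked")
        for flag in missing:
            lines.append(f"{name}: {flag} is off, so it is not enforced that {MEANING[flag]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ACCOUNT_CONFIG, BUCKET_CONFIGS)))
```

Turning on all four flags at the account level makes every bucket's findings empty, which is the "do this carefully" case from the lecture: it also blocks buckets that serve a website on purpose, so the audit is most useful for spotting buckets that are open by accident before the account-wide switch is thrown.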
So I'm just going to try and refresh this URL again, and I should be getting a page denied. I'm just going to do a controlled refresh also here, and I should still have access denied, although this object is public, because we just now saw that this object has been made public, and we are denied access. So that is how you can deny public access to your S3 buckets at a global level or a bucket level or even at an object level by using these options. Go ahead and try this. If you have any problems, post them in the comments. I would be happy to help you with them. Thanks for watching.

30. 3 9 Attribute Based Access Control: Proactively Restrict S3 Access based on UserTags:

Welcome back. Now we're going to talk about securing access management controls. You might have heard of role based access management, where access to resources will be dependent upon the role that you will be performing for that organization. A typical example would look like this: if you're a database administrator, you will be given access to all the RDS instances, DynamoDB, Memcached, DBs that are running in your account. Or, if you're a network administrator, you would have something like VPCs, NAT gateways, Direct Connect under your management control. But the problem with this kind of approach is, if you are looking forward to, say, a project called Red, and you have to give access to databases, then you will have access to all the databases that are running in that organization or in that region. There is no way to control your access to only Project Red's databases and not other databases. So how do we go ahead and do the fine-grained, granular access control so that you see only the resources that are managed by your projects? So that is what we're going to see now.
We're going to see a mechanism where your access can be based on the attributes, in this case being a part of a certain project team, or having a certain tag in your IAM identity or the IAM role that you can use, which will give you access to certain resources. Let us see how we can implement this. Let us think of a team who added a lot of members out there, and this team is working on two different projects. The first project is Project Red, and then there is another group of people who are working on Project Blue. So we want to assign some IAM permissions. These IAM permissions should give them privileges to resources based on the project they are working on. For example, the members who are part of Project Red should have access to S3 buckets or S3 objects which are tagged with Project Red keys. Likewise, members who are in Project Blue will have access to only objects in the same bucket with a tag key as Project Blue. So this is what we're going to see. So basically, a team member will also have a team name attribute called team unicorn, and would also have a project name attribute called Project Red. Likewise, on the right hand side, you'll have an object which will also have the same tag keys and tag values. So when these are matching, access is granted. When these are not matching, access is denied for that user. Likewise, you cannot upload an object which is not matching your project. For example, in this case, if Red Rosy is trying to upload an object which might belong to Project Blue, then the upload request will be denied. Likewise, if Red Rosy is trying to access something in Project Blue's permit, then the access will be denied. So we can say the same thing for Blue Bob also. Blue Bob will also have a team name as well as a project name, the tags will also be assigned, and the request will also be allowed or denied based on the attributes that are allocated to them.
So let us go to our console and see how we can do this. The necessary resources to set up this kind of access management are in this GitHub article, and once again, we have our friendly CloudFormation templates, which can do most of the hard work for us of configuring the IAM roles and groups and the necessary privileges also. So before we go ahead and deploy the CloudFormation itself, let me just walk through what is going to happen. We're going to create a new S3 bucket, to which we're going to upload some test objects to see whether this attribute based access control is working, because we need some tag keys and their values. We're also going to create a new group called team unicorn. This team unicorn will have assume privileges for certain roles. For example, it might be a Project Red role or a Project Blue role, depending upon who you are in the team unicorn. We're going to create a couple of users: one user called Red Rosy, who is part of Project Red, and we're going to create one more user called Blue Bob, who is going to be part of Project Blue, and all these users will also be tagged with the project name as well as the team name. So only when these attributes are matching will they be allowed to assume this IAM role. Let us go ahead and deploy this. Once again, we have a CDK-based template. So if you are interested in deploying through CDK, go ahead and do that. If not, you can just download the CloudFormation template from the CDK output and upload it. So that is what I'm going to do now. So now my template is uploaded. That is going to be my stack name. It is ABAC IAM privileges, and the important information, like what is going to be my login URL, what is going to be the team name, and what is going to be the password, everything is pushed to the output section of the CloudFormation.
So once the stack is completely deployed, you can go to the output section and see all the relevant information there. Let me go ahead and refresh my screen. So already some resources must have gotten created. We have some roles that have been created, and some passwords are being generated here. You can see here there is a Red Rosy password that has been generated. Also, the policies are getting created. You can see the team unicorn default policy. Let us go one by one once the stack has completed its deployment. Now my stack is complete. Let us go to the output section and see what has been created. We can see here there is a Red Rosy assume role URL. You can do the similar thing for Blue Bob; the Blue Bob assume role URL is also given, and this is the login URL for my account. When you run this template in your account, you'll have a different login URL. Likewise, this is going to be my bucket name, to which we're going to upload some objects. So just for testing purposes, what I'm going to do is I'm going to upload something as an administrator so that when we log in as Red Rosy and Blue Bob, people have some files to play around with. When you want to upload, you can go ahead and use the same files that are shown here in the sample section. You have something like blue welcome and red welcome. I'm going to upload the same files into my S3 bucket now. So when I'm going to upload the red welcome file, what I'm going to do is I'm going to add some tags. These are the most important pieces of information. I'm going to add the tag that I called team name, whose value is going to be team unicorn. This information will also be found in the GitHub article if you want to be sure. Project name is going to be Project Red because we're uploading a red file. So this is going to be Project Red. I'm going to click Upload now. Since I'm doing it as an admin, the upload function will work. The restrictions have not taken effect.
But when you log in as the Blue user or the Red user, then you will have the validations of attribute matching happen. So you're going to add team name, and this is going to be Project Blue. So now we have our two files. That is done. Let's go to our group now. Let us go to IAM. If I go and refresh my screen, I should be having two more users, that is Blue Bob and Red Rosy, and if I open Red Rosy here under the Tags section, I will have similar tags. Red Rosy is part of team unicorn, and she is working on Project Red, and she's also a member of the Team Unicorn group, and there's a policy attached. We will check the policy in a short while. Likewise, let me quickly go and check out Blue Bob. Blue Bob's project name is Project Blue, and he's also part of the same team, Team Unicorn. So if I go to my groups now, I will have something called team unicorn, and we have all the three users: unicorn admin, Red Rosy and Blue Bob. When I go to my permissions section, you see here, absolutely, there are no permissions except one inline policy, which allows permissions to assume some role. So basically it is going to check whether the resource's team name is also matching with the identity tag that you have. Only then will the person be allowed to assume a role in your account. So what role they're going to be allowed to assume is dependent on the project they are in. For example, the role names have the structure team unicorn project name. So whether it is blue or red, as long as the project name matches, they would be able to assume that particular role. Likewise, if you are an admin, you will be able to assume the admin role. That is what we are checking here: whether the team admin tag equals yes. For example, if I go back to my users and go to unicorn admin, unicorn admin will have a team admin tag set to yes. So let us go to our roles. I'm going to search for Red Role.
This is the team unicorn Project Red role, and under the Tags section, you'll have your project name as Project Red and the team name as team unicorn, along with other tags also. So what permissions are given here? So this is the Red role, so here you will have ListBucket and HeadBucket, because this is going to allow us to see objects in the console, not retrieve them or anything. So if you're going to do some validations through the console, we need those permissions. But when you're trying to get some objects or put some objects, this is what we have here. When you're trying to get some objects, these validation checks are going to come into play. So now it is going to check for my team name, whether the team name is matching and the project name is matching. Then it will allow me to get some objects. Likewise, when I'm trying to put some objects also, it is going to check whether those tags are matching or not. So now we understood how our group was set up, how our users are set up, and what role they can assume. So let us open the access for Red Rosy in another browser, because I want to keep this admin account, so I don't want to log out here. So let us use this URL in another browser. So we're going to log in as Red Rosy, and the password for Red Rosy will also be given here. So this is the password. So by default, this user does not have any privileges at all. If you go ahead and say, for example, I'm going to choose EC2 here, this user will not be having any other access. This user has access only when they're part of the group and only when they assume that role. They see this console, but if I go and click on Running Instances, it is going to give me an error. The same thing will happen for any other service that I can choose. So let us go ahead and assume this role. So the easiest way to assume a role is to just copy this URL.
Or you can go ahead and click on this, which is just going to ask you for the same information that we will get. So once your cookies are set, you can just go ahead and put in this URL, so automatically the account ID will be taken, and then the role name that you want to assume will also be given, and the display name. So just click on Switch Role. Automatically, it will switch role here. See here it says now you are part of team unicorn Project Red role. So let us go to our S3 now. Since we're using the console, you will be able to list all the buckets, but you will not be able to see the contents of any other bucket, because, as you can see here, there's an access error. For example, if I go ahead and click on this bucket, it is going to give me an error. So only the bucket which has been created as part of this project, only that bucket is accessible for this user. So we also have the bucket name here, the secure private bucket. So this is the bucket name. Just going to copy this. So we have the bucket name here. I'm going to open this bucket. So you see here we uploaded two files: the project blue welcome and the project red welcome here. So I have logged in as Project Red Rosy, so I should be able to access this project. But meanwhile, I'm just going to go ahead and check it out and see what happens if I go ahead and click on Open. I should technically be getting an error. But if I go ahead and do the same thing with the red welcome, I should be able to open it if my access to objects is working. So that is how you create attribute based access control. So let us go ahead and try and upload some objects now to the same bucket. So now I'm going to upload a file called cdk.out, but I don't want to give any tags. Let me see what happens. I'm Red Rosy now, and I'm trying to upload without any tags, and I get an error here.
Let me just go ahead and try and do the same thing again. I'm just going to upload. Now, look, this time, instead of no tags, what I'm going to do is I'm just going to try and see if I can upload with the tag name of any other project, or let us just leave out one tag. I'm just going to say team unicorn, and I'm going to leave out the project name tag and see whether it works or not. You see here there is one more error. So basically, unless all the tags are matching, all the necessary tags are matching, you will not be allowed to upload any object. So this time I'm just going to add both the tags. If I put blue here, it will not allow me. So I'm just going to go ahead and say Red, click on Save, click on Next, click on Upload. So see here I have successfully uploaded an object here, cdk.out, and there is success there. So I can repeat the same exercise with Blue Bob also, and Blue Bob will also have similar provisions. He will be able to see all these objects. For example, he will be able to see the red welcome file, but Blue Bob would not be able to access the file because his attributes are not matching. So that is how you give attribute based access control at cloud scale. You don't have to worry about who actually has access to which resource and then how to tie it down. As long as the tags are matching, and as long as you have written policies so that nobody can change your tags or modify them or add them themselves, then your attribute based access control should grow. When new teams are coming in, new projects are getting created, new resources are getting created, you don't have to worry. Your permissions will automatically scale to cover those new resources also. Go ahead and try this. I have deliberately left out the unicorn admin role permissions incomplete as an exercise. Go ahead and try that. Or, if you are able to take it to the next level, make a pull request to the repository so that we all can learn from each other.
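The matching rule demonstrated above (read only objects whose tags equal the caller's tags; upload only when the tags sent with the request equal them) can be written down as an IAM policy and evaluated offline. The following is an added example and not code from the course or its repository: POLICY is my own rendering of what the lecture describes, using the real IAM condition keys s3:ExistingObjectTag/<key> and s3:RequestObjectTag/<key> and the ${aws:PrincipalTag/<key>} policy variable, and the small evaluator under it reproduces the console outcomes of the demo: a matching read, a non-matching read, and uploads with no tags, one tag, the wrong project and the right project. The tag keys team-name and project-name, the bucket name secure-private-bucket and the two sample objects are my assumptions (the course's real keys and names may differ), and only the StringEquals operator is modelled.

```python
"""Added example, not the course's or repository's code: a minimal evaluator for
the tag-matching policy the lecture describes, so the allow/deny outcomes of the
console demo can be reproduced offline.

Assumptions (mine): tag keys are team-name and project-name and the bucket is
secure-private-bucket (the course's real names may differ); POLICY is written
by me in the shape the lecture describes, using the real condition keys
s3:ExistingObjectTag/<key>, s3:RequestObjectTag/<key> and the variable
${aws:PrincipalTag/<key>}; only StringEquals is modelled."""
import re
from fnmatch import fnmatch

BUCKET = "arn:aws:s3:::secure-private-bucket"
TAG_CONDITION = lambda prefix: {  # noqa: E731  (same two keys for read and write)
    f"{prefix}/team-name": "${aws:PrincipalTag/team-name}",
    f"{prefix}/project-name": "${aws:PrincipalTag/project-name}",
}

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Console browsing only: list buckets and keys, never read contents.
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        # Read an object only if the tags already on it equal the caller's tags.
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
         "Condition": {"StringEquals": TAG_CONDITION("s3:ExistingObjectTag")}},
        # Upload only if the tags sent with the request equal the caller's tags.
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringEquals": TAG_CONDITION("s3:RequestObjectTag")}},
    ],
}

# Constructed identities and objects mirroring the lecture's demo.
RED_ROSY = {"team-name": "team-unicorn", "project-name": "project-red"}
BLUE_BOB = {"team-name": "team-unicorn", "project-name": "project-blue"}
OBJECT_TAGS = {
    "red-welcome.html": {"team-name": "team-unicorn", "project-name": "project-red"},
    "blue-welcome.html": {"team-name": "team-unicorn", "project-name": "project-blue"},
}

VARIABLE = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")
SOURCES = (("s3:ExistingObjectTag/", "object_tags"),
           ("s3:RequestObjectTag/", "request_tags"),
           ("aws:PrincipalTag/", "principal_tags"))


def _context_value(key, ctx):
    """Resolve a condition key from the request; None means absent, and an
    absent key makes StringEquals fail, as it does in IAM."""
    for prefix, source in SOURCES:
        if key.startswith(prefix):
            return ctx[source].get(key[len(prefix):])
    return None


def _expected_value(value, ctx):
    """Substitute ${aws:PrincipalTag/x}; a principal without that tag leaves
    the variable unresolved, which also fails the condition."""
    match = VARIABLE.match(value)
    return ctx["principal_tags"].get(match.group(1)) if match else value


def _statement_matches(stmt, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(fnmatch(ctx["action"], a) for a in actions):
        return False
    if not any(fnmatch(ctx["resource"], r) for r in resources):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # keep the model honest
        for key, expected in pairs.items():
            actual, wanted = _context_value(key, ctx), _expected_value(expected, ctx)
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def is_allowed(policy, principal_tags, action, resource, object_tags=None, request_tags=None):
    """IAM's basic rule: implicit deny; an explicit Deny wins; otherwise any Allow."""
    ctx = {"action": action, "resource": resource, "principal_tags": principal_tags,
           "object_tags": object_tags or {}, "request_tags": request_tags or {}}
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_read(principal_tags, key):
    return is_allowed(POLICY, principal_tags, "s3:GetObject", f"{BUCKET}/{key}",
                      object_tags=OBJECT_TAGS[key])


def can_upload(principal_tags, key, request_tags):
    return is_allowed(POLICY, principal_tags, "s3:PutObject", f"{BUCKET}/{key}",
                      request_tags=request_tags)
```

Because the conditions compare against ${aws:PrincipalTag/...}, the policy never names a project: a new project works by tagging its users and objects consistently, which is the scaling property the lecture points to, and it is also why the ability to change tags (iam:TagUser, s3:PutObjectTagging) has to be locked down as tightly as the data itself.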
Thanks for watching. Happy learning.

31. 3 10 Attribute Based Access Control: Proactively Restrict Access To EC2 Based On Tags:

Welcome to another episode of Security Reimagined for the Cloud. This time I want to take you on a journey of securing the EC2 service. Let us say you have multiple applications running in the cloud and different teams supporting each of those applications. You want to provision fine-grained access control so that no team can look into the resources of another team, or accidentally manage them or turn them off.

Let us say you have a team of unicorns and you put them on two different projects that you expect to be successful. The first project team is called Project Red, and all the users in that project have a tag whose key is project name and whose value is Project Red. Then there is another team, called Project Blue. What you want is to assign permissions that scale automatically to all the EC2 resources in your account, while each team only has access to its own project's resources. In this case, the Project Red team only has access to EC2 instances carrying the same tag, and likewise Project Blue only has access to the resources with its tag. To picture it, let us say we have a user called Red Rosy. Red Rosy has a tag with the key team name and the value Team Unicorn, and another tag with the key project name and the value Project Red. We match these principal attributes against the EC2 instance's tag keys and values, and if both match, Red Rosy is allowed to manage that instance, whether that is stopping the instance, starting it, or creating a new one.

Likewise, if Blue Bob has the same team name tag, Team Unicorn, and a project name tag with the value Project Blue, then Blue Bob will be able to manage the instances whose tags match his. Let us see how we get this fine-grained control, and also check whether Blue Bob can access any of Project Red's resources and whether Project Red can access Project Blue's resources.

We have a GitHub article that walks through all the necessary resources: the IAM roles and policies and the condition keys; everything that is required is documented there, so you can spend time reading about it. For deployment we have a couple of options. Before we deploy, let us see what we are going to deploy. We create an IAM group called Team Unicorn. Within that group we create a user called Red Rosy, who is part of Project Red. We also create two demo web servers, one named Project Red and another named Project Blue. And we create a couple of IAM roles so that every member of Team Unicorn can assume the role that matches their project name. All of this is rolled into a CloudFormation template; you can look at the template and modify values if you need to. You can deploy it through the CDK by downloading the code, installing the dependencies and deploying, or you can deploy the CloudFormation template available in this directory.

Let us deploy this code and see whether attribute-based access control works. I have uploaded the template and I am naming the stack "attribute based access control for EC2". This is the AMI I am going to use for the web servers; if you want to use a different AMI you can try it, but that is not the main intention of this code, so I leave it as it is. Give the privileges so that IAM roles can be created. The resources have started getting created, so let us go to the Resources tab and see what is being created. We have a role for a Lambda function. The reason is that CloudFormation did not natively support tagging IAM users (at the time of this recording), so if you want your IAM users tagged automatically, you need a Lambda function to tag them. That is why this template comes with a Lambda function that tags users as and when they are created. We also get a new VPC in which the web servers are launched, so this template does not disrupt any of your existing resources; you can deploy it in your account without problems.

Once the group is created, let us look at the group and see which users are in it, and we have a user. Let us check out the user, assuming the stack is still in progress. The tagging is not complete yet, so let me refresh once again. The user Red Rosy has been created successfully, so we should have some tags now. Here we go: a team name tag with the value Team Unicorn, and a project name tag with the value Project Red. Red Rosy is also part of the Team Unicorn group and she inherits her privileges from being a member of that group. There are no individual permissions attached to this user.
As you can see here, the permissions are inherited from the group. That is one of the important security principles I would recommend: never attach permissions to a user directly. The user should inherit permissions from a group, or from a role that the user can assume. In this case the user is part of the group called Team Unicorn. Under Users in that group you find Red Rosy, and under Permissions we have this policy. Let us look at it. What this condition key says is: if the resource tag called team name (on any EC2 resource, or any other resource, including IAM resources) matches the principal tag, that is, the calling user's team name, then you can access it. Likewise the project name on the resource has to match the principal's project name; in this case the principal tags are Red Rosy's project name and team name. The action here is assume role (sts:AssumeRole). So if both tags match, Red Rosy is allowed to assume the Team Unicorn Project Red role, and no other role. When the project name matches, you get the red role, not any of the others.

Let us check that role. The Project Red role is here, and under the Tags section you find a team name of Team Unicorn and a project name of Project Red. When we go into its permissions, it is quite an extensive policy; I highly recommend that you paste it into a text editor and read through it. Let me navigate a few of the statements.

The reason the policy is split into several statements is that different resources require different levels of permissions, and while some actions support tags, so that you can look at the attributes and validate them, others do not. For example, describing or listing EC2 instances does not support tag matching, so there are no condition keys on that statement. The statement about creating volumes and running instances does use tag matching; those two actions are tied together so that the tag check applies to both. So the EC2 instance must carry a team name and a project name, the user making the request must also carry a team name and a project name, and if both match, both actions are approved; if they do not match, the actions are denied. Likewise we also check for mandatory tag keys: whenever a user tries to create an instance, the user has to provide these two tag keys, and without them the user is not allowed to create an EC2 instance. And the user is only allowed to create tags whose values match their own project name and team name; Red Rosy cannot create an instance with the Project Blue tag, for example.

So now we have looked at the policies and permissions that give us this fine-grained access control. Let us see whether our EC2 instances have been launched. The stack is complete. If we go to the Outputs section, we have the Project Blue instance IP address and the Project Red instance IP address, so the stack has finished.
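The tag-matching rules just described are easiest to understand by evaluating them against concrete principals and resources. The following is an added example written for this page, not the course's policy or code: a small evaluator for the handful of IAM condition operators the lecture relies on (`StringEquals` with `${aws:PrincipalTag/...}` substitution, and `ForAllValues:StringEquals` over `aws:TagKeys`), run against a policy modelled on the description above. The tag keys `team-name` and `project-name`, the user and instance tags, and the instance ARN are all constructed for the example; the same matching logic is what the S3 object-tag conditions in the previous lesson rely on.

```python
"""Tag-matching (ABAC) policy evaluator, added example (not the course's code)."""
import fnmatch

# Policy modelled on the lecture's description: reads need no tags, start/stop
# require matching resource tags, and RunInstances requires the request tags to
# match the caller and to contain only the two mandated keys.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/team-name": "${aws:PrincipalTag/team-name}",
             "aws:ResourceTag/project-name": "${aws:PrincipalTag/project-name}"}}},
        {"Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {
             "StringEquals": {
                 "aws:RequestTag/team-name": "${aws:PrincipalTag/team-name}",
                 "aws:RequestTag/project-name": "${aws:PrincipalTag/project-name}"},
             "ForAllValues:StringEquals": {
                 "aws:TagKeys": ["team-name", "project-name"]}}},
    ],
}

# Constructed principals, resources and ARN (tag keys as named in the lecture).
RED_ROSY = {"team-name": "team-unicorn", "project-name": "project-red"}
RED_INSTANCE = {"team-name": "team-unicorn", "project-name": "project-red"}
BLUE_INSTANCE = {"team-name": "team-unicorn", "project-name": "project-blue"}
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc12345"


def build_context(principal_tags, resource_tags=None, request_tags=None):
    """Flatten tags into the condition-key namespace that IAM evaluates."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()})
    if request_tags is not None:  # tags carried on a create-style API call
        ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
        ctx["aws:TagKeys"] = list(request_tags)
    return ctx


def _expand(value, ctx):
    """Resolve ${aws:PrincipalTag/x}; an unset variable can never match."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            expected = [_expand(e, ctx) for e in expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                # Single-valued key: a missing key or unlisted value fails the clause.
                if actual is None or actual not in expected:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Set-valued key: every supplied value must be listed; empty set passes.
                if any(v not in expected for v in (actual or [])):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _glob_match(patterns, value, fold_case):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:  # action names are case-insensitive, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource, ctx):
    """One identity policy: explicit Deny wins, else any matching Allow, else Deny."""
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _glob_match(statement["Action"], action, fold_case=True):
            continue
        if not _glob_match(statement["Resource"], resource, fold_case=False):
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    """Replays the lecture's console experiments as Red Rosy. A real RunInstances
    call is also evaluated against volume, ENI, subnet, security-group and image
    ARNs; only the instance ARN is modelled here."""
    def stop(instance_tags):
        return evaluate(ABAC_POLICY, "ec2:StopInstances", INSTANCE_ARN,
                        build_context(RED_ROSY, resource_tags=instance_tags))

    def run(request_tags):
        return evaluate(ABAC_POLICY, "ec2:RunInstances", INSTANCE_ARN,
                        build_context(RED_ROSY, request_tags=request_tags))

    return {
        "describe_blue": evaluate(ABAC_POLICY, "ec2:DescribeInstances", "*",
                                  build_context(RED_ROSY, resource_tags=BLUE_INSTANCE)),
        "stop_red": stop(RED_INSTANCE),
        "stop_blue": stop(BLUE_INSTANCE),
        "run_no_tags": run({}),
        "run_blue_tags": run(BLUE_INSTANCE),
        "run_red_tags": run(RED_INSTANCE),
        "run_extra_key": run({**RED_INSTANCE, "env": "prod"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15s} {decision}")
```

Running the script reproduces the lecture's outcomes: describing any instance is allowed, stopping the red instance is allowed and the blue one denied, and a launch is denied when tags are missing, when the project tag is another team's, or when an extra tag key is smuggled in. The last case is why the policy uses `ForAllValues:StringEquals` on `aws:TagKeys` alongside the `aws:RequestTag` checks rather than either alone.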
Then let us log in to the console as Red Rosy and see what she can and cannot access. This is the password for her account. Remember, this user only has privileges for the EC2 service; if you navigate to any other service you will most probably get an error. I am going to the EC2 service. This user should be able to list both instances that are running right now, but as I have not switched to the role yet, this user has no privileges at all. Although she is part of the Team Unicorn group, you have to assume the role before you can fetch or access any data. The easiest thing is to click on Switch Role here, or you also have the URL; since we are already logged in we can paste the URL and it fills in the same values you would otherwise type. Click on Switch Role. Now I can go to the EC2 console and see the two running instances. I was in Ohio; let me go back to Virginia, where the instances were created. Here you have two instances, Project Red and Project Blue. Remember that Red Rosy is part of the Project Red team. What I am going to do is try to administer the Project Blue server. Although I can fetch its metadata, for example I can see its tags, if I try to stop this server I should get an error because my tags do not match, so I cannot do anything to that server at all. But I can stop this server, because it matches my tags. Let us try it. You can see the action is immediately approved and the stop is happening.

This is how I restrict access to my servers. For example, let me select the blue server and try to edit its tags. Let me change the project name and see whether I can take ownership of it. You can see I cannot change the tag, so I can do nothing to this server. On the red one I can edit the tags, but if I change the project name from red to blue, that is also not accepted. I put it back to red, click on Save, and it accepts the request. So your tags are matched on each and every request you make.

Let us try to launch an instance now, through the console, one last time. I do not have access to list all the IAM roles; that is fine. I also will not be able to list all the security groups. But the thing I want to check is adding tags. This is the place where you add tags, and I am deliberately leaving it empty and launching the instance. Since I have not given any tag, it says I am not allowed. I also do not have access to create security groups, so I can only launch into existing security groups; let me go back and choose an existing one and launch. It gives me an error. The error message from AWS is not very elaborate, but basically it means I do not have the necessary tags, because the launch request was not validated.

So I go back to the review screen and edit the tags. I add a team name tag, Team Unicorn, and another tag; let me be playful and set the project name to Project Blue. I understand this is not my project, but I still want to try to launch, and it gives me an error once again. But if I change Project Blue to Project Red and click on Launch Instance, I get a new server coming up. You see, there is a new server launched; go to View Instances and there is one more instance coming up.

That is how you provide fine-grained access control for your EC2 services. If you find any improvements or think you can do it better, fork the repository and send your code, so that we can learn from each other. In my opinion, there are a few things that could improve this code. One is adding a break-glass policy, so that you have an admin role with more privileges that is not restricted by the tag permissions. You can also extend these permissions to EBS volumes, security groups, AMIs and the rest, so that you have fine-grained access control over all the services that support tag-based condition keys today. Go ahead and try this. If you have any problems, put them in the comments and I will try to help. Until then, thanks for watching.

32. 4 1 Learn how to create fine grained permissions like a PRO:

Welcome to another lecture on security. This time we are going to talk about creating policies. Quite often, whenever I say policies, people are afraid of them or do not want to write them, because it becomes too complex, there are too many options, and it is very difficult to write a fine-grained policy.
Today I am going to introduce a couple of tools provided by AWS that make writing fine-grained policies really easy. You can become a policy ninja when you practise with these two tools. Let us take a simple scenario and see how we achieve it with them. Let me take you to my console. Here I have the S3 service open and there are many buckets in my account. Imagine a scenario where I want to give access to one particular bucket in my account to one particular user only. The bucket we are going to use in this example is this process 010 bucket. I also already have some bucket-level policies: for example, when somebody tries to put an object, they have to give ownership to my bucket owner, which is this account. So there is already one restriction on the bucket side, and I am also going to add restrictions on the access side, that is, on who is going to access it. That is what I want to achieve. For this scenario I have a user, Blue Bob, and Blue Bob does not have any privileges at this moment; you can see the permissions are empty and the groups are empty. So as of now this user has no privileges.

What I am about to show you, you may already know about. There is something called the AWS Policy Generator. This website lets us create fairly fine-grained policies for multiple AWS resources; if you scroll down and choose, you have SQS policies, S3 policies, VPC, IAM and SNS. There are a few more services that are not covered here, so this tool is helpful for certain things but not quite up to the mark. So there is another place where you can build really fine-grained policies.

This is one of them, and the next one, which I was really excited to show, is the Policy Simulator. Whenever you write a policy and assign it to a user, group or role, you can come here as an administrator, or as the person creating the policy, and simulate that same policy as that user, and see what access is provided and what access is denied. All of that can be done through this console. Both tools are available publicly; if you are logged in, your session comes into the picture, and if you are not logged in, it will just throw an error.

So let us first create a policy for our Bob user so that he can access that single bucket. This is where the really interesting piece comes in. Once you click on Create Policy you get the usual page. Most of the time I recommend choosing the JSON tab if the policy is already written; if it is not, the visual editor is a nice place where I also build my policies. In this case we are doing it for S3, so I select S3 here; similarly you can choose any other service supported by IAM policies today, for example EC2, KMS, or anything else you can imagine. So select S3. For this user I want to give all access to that particular bucket, so I select all S3 actions. The restriction comes in when we talk about resources. I want to restrict this user to one particular bucket, so I click on Add ARN, and it just asks for my bucket name; that is all I need to provide. I copy the bucket name from here and fill in the value, and the ARN is filled in automatically.

If you have the ARN of the bucket, you can also paste it in directly; that is not a problem either. Click on Add, then Review Policy. I am going to call this the one-bucket policy. Once the policy is created, let us attach it to our user. It shows up here, so we can review and add permissions. Now our user Bob has access to one bucket only. I could log in as him in another console and test it in real time, but that is quite cumbersome; if you have too many users, it is not possible to log in as each user and test each and every scenario. This is where the Policy Simulator comes into the picture. I am going to refresh my screen so that the policies kick in. You can select users, groups or roles; in this case I want the user Blue Bob, so I select that user, and automatically all the policies associated with the user are listed. I click on this one and it gives me the list of permissions associated with this policy. How do we test it? You choose a service you want to test, in our case S3. The UI is slightly funny: if you cannot see your service, resize your screen or get a bigger monitor; I always find it tricky to find the service I want, but it is here, so select S3. Next I want to select some actions, let us say whether this user can GetObject, GetObjectAcl or ListBucket. If I just click on Run Simulation, it gives me a denial. The reason is that this user is not able to get objects from all buckets; he can get them only from one bucket, so we need to tell the Policy Simulator which bucket we want to simulate this user against.

When you open this, there is an option here. Remove this one and let us fill in the ARN of the bucket; there is a greyed-out field that gives a nice hint of what needs to be filled in. Let us copy our bucket ARN and fill it in for this one; likewise for GetObject we need to fill this one in, and the third as well. Remember that bucket policies sometimes take a few seconds to come into effect. Let me close this one, as it is not required. We do not have to include the resource policy; as I said, the bucket also has a policy of its own, so the question is whether you want to apply that or not, and I remove it. Did I fill in all three? Yes, all three are here. Remove this one and click on Run Simulation, and you can see that all the denied values have changed to allowed. If I change even one of them, say I set the resource for GetObject back to a star, you will see that particular one is denied. This is how you play around with the Policy Simulator to find out what a user can and cannot do, write a really fine-grained policy, fine-tune it, and once you are comfortable that the policy achieves what you intended, deploy it to a real production user. In this case I took Bob as an example user; you can set up some dummy users to test your IAM policies against. Go ahead and try this. If you have any problems, put them in the comments and I will help. Until then, thanks for watching. Happy learning.

33. 4 2 Use AWS Secrets Manager to secure database credentials and retrieve from lambda:

Welcome to another episode on security. This time we are going to talk about securing the databases that might be running in your AWS cloud.
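Clicking through the simulator works for one user, but the point just made, that the simulator only answers correctly when each action is paired with the right resource ARN, is easy to get wrong and worth scripting so it can be re-run whenever a policy changes. The following is an added example written for this page, not the course's code: it maps each S3 action to the ARN it must be simulated against (object-level actions against `bucket/*`, bucket-level actions against the bucket ARN), calls `SimulatePrincipalPolicy` once per resource, and compares the decisions with what the one-bucket policy is meant to allow. The user ARN, bucket names, and the `SAMPLE_RESULTS` list are constructed for the example; `run_simulation` is the only part that needs AWS credentials.

```python
"""Scripted IAM policy-simulator checks, added example (not the course's code)."""

# Hypothetical stand-ins for the lecture's Blue Bob user and his one bucket.
USER_ARN = "arn:aws:iam::123456789012:user/blue-bob"
ALLOWED_BUCKET = "process-010"
OTHER_BUCKET = "some-other-bucket"

# Object-level actions are evaluated against object ARNs (bucket/*), bucket-level
# actions against the bucket ARN. Simulating s3:GetObject against "*" or the bare
# bucket ARN yields a deny that says nothing about the real policy.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"}


def resource_for(action, bucket):
    if action in OBJECT_ACTIONS:
        return f"arn:aws:s3:::{bucket}/*"
    if action in BUCKET_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    raise ValueError(f"no resource mapping for {action}")


def simulation_plan(actions, buckets):
    """Group actions by the ARN they must be simulated against, because one
    SimulatePrincipalPolicy call applies its ResourceArns to every action."""
    plan = {}
    for bucket in buckets:
        for action in actions:
            plan.setdefault(resource_for(action, bucket), []).append(action)
    return plan


def run_simulation(user_arn, plan):
    """Call the real simulator once per resource ARN (needs AWS credentials)."""
    import boto3  # lazy import keeps the offline helpers importable
    iam = boto3.client("iam")
    results = []
    for resource_arn, actions in plan.items():
        page = iam.simulate_principal_policy(
            PolicySourceArn=user_arn, ActionNames=actions, ResourceArns=[resource_arn])
        results.extend(page["EvaluationResults"])
    return results


def summarize(evaluation_results):
    """Map (action, resource) to 'allowed' | 'implicitDeny' | 'explicitDeny'."""
    return {(r["EvalActionName"], r["EvalResourceName"]): r["EvalDecision"]
            for r in evaluation_results}


def expectations(actions, allowed_bucket, other_bucket):
    """Bob may touch only his bucket; the same actions on any other bucket must be denied."""
    exp = {}
    for action in actions:
        exp[(action, resource_for(action, allowed_bucket))] = "allowed"
        exp[(action, resource_for(action, other_bucket))] = "implicitDeny"
    return exp


def check(summary, expected):
    """Return (action, resource, expected, actual) for every disagreement."""
    return [(a, r, e, summary.get((a, r), "missing"))
            for (a, r), e in expected.items() if summary.get((a, r)) != e]


ACTIONS = ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"]

# Constructed sample of what EvaluationResults looks like for a correct one-bucket
# policy; a real run replaces this with run_simulation(USER_ARN, plan).
SAMPLE_RESULTS = [
    {"EvalActionName": a, "EvalResourceName": resource_for(a, b),
     "EvalDecision": "allowed" if b == ALLOWED_BUCKET else "implicitDeny"}
    for b in (ALLOWED_BUCKET, OTHER_BUCKET) for a in ACTIONS
]


def demo(results=SAMPLE_RESULTS):
    """An empty list means the policy behaves exactly as intended."""
    return check(summarize(results), expectations(ACTIONS, ALLOWED_BUCKET, OTHER_BUCKET))


if __name__ == "__main__":
    print(simulation_plan(ACTIONS, [ALLOWED_BUCKET, OTHER_BUCKET]))
    print("mismatches:", demo())
```

Checking a second, unrelated bucket alongside the allowed one is the part the console walkthrough skips: a policy that accidentally allows `s3:GetObject` on `*` would still pass every check against the intended bucket, and only the negative expectation catches it.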
If you run RDS databases, you know that you need a username and password to connect to them, and storing that username and password in applications has always been a painful thing to do. If your application code gets committed to GitHub or some other repository, you end up with hard-coded credentials, and it becomes very difficult to change them over time. What if you could move those credentials to another place, so that your application uses them when it needs them, and you can change the credentials without changing your application code? This is where AWS Secrets Manager comes into the picture. You can securely store your credentials, you can audit who is accessing them, and you can rotate them using a Lambda function.

Let us see how to use this in a real-world scenario. We are going to simulate an RDS MySQL instance, and we simulate the application as a Lambda function that accesses that database. That access needs a username and password. We store them in Secrets Manager, and whenever the Lambda function needs to access the database, it contacts Secrets Manager and asks for the database credentials. That access is validated by an IAM policy. And remember, the secrets are encrypted with AWS KMS keys, so the Lambda function, or any application that needs the secret, also needs permission to decrypt the encrypted secret in Secrets Manager. So there are two layers of control: just because you have access to Secrets Manager does not mean you can read the secrets; you also need access to the KMS key used to encrypt them.

In this case the Lambda function also has an API Gateway in front of it. When we deploy the solution we get all four pieces you see here: an API Gateway, through which our users contact the Lambda function; the Lambda function, which gets the secret, connects to the database, gets the results and publishes them back to the caller; and the database. We also configure one more Lambda function in Secrets Manager that rotates the secret every 30 days and publishes the new secret to the database as well, so your database credentials are rotated automatically too. All this functionality is packed into a CloudFormation template in this repository; you can deploy the template and try it out yourself. Since it requires an RDS database, we will spend some time waiting for the resources to come online, so let us get started. I have uploaded my template. Here is my database name; you can change it. This is my database username; since this is a demo I will leave it as it is, but you can change it if you want to. Give the permissions for CloudFormation to create the necessary resources. As I said, since we are bringing up an RDS instance, in my experience it takes about 10 to 15 minutes for an RDS instance to come fully online. Meanwhile we can look at the secret, the Lambda functions, the API Gateway and everything else that is deployed as part of the stack. Some of the resources have already come up: you can see my RDS instance, and a secret has been created.

Let us check the secret first. We do not have a link for it here, so let us search for Secrets Manager. We have the secret; let us check it out. You can see it is part of the stack we just deployed. We will also have rotation enabled in a short while, once the stack completely finishes everything it is supposed to do; as of now there is a default encryption for this secret and the secret is encrypted. Let us check in CloudFormation whether the other resources are complete and whether the rotation configuration has been triggered: not yet, that is still pending. Meanwhile let us go to the Lambda service; we should have at least two or three Lambda functions here. This Lambda function manages the number of connections. The reason is that when you use Secrets Manager, the number of requests you can make, the transactions per second, is throttled. It is not a very low number, but you still want to keep count of how many connections are happening at any point in time, so that your database connections are not throttled and your application does not lose out. So there is one Lambda function that keeps track of how many connections there are to your database, and this one is the rotation Lambda, which rotates your secret at the configured period, in this case 30 days. If you want a different rotation period, you can customise that; I leave it to you. There must be one more Lambda function, for the application code itself.
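The application side of this design, a Lambda function that asks Secrets Manager for the credential on every request, runs straight into the throttling concern just mentioned, and it also has to survive the 30-day rotation that changes the password underneath a running container. The following is an added example written for this page, not the course's Lambda code: it caches the parsed secret in the execution environment for a bounded time, and on a MySQL "access denied" error it discards the cache and re-reads the secret once, which is what a rotation looks like from the client's side. The secret ARN, the `demo_users` table, the sample secret JSON and the availability of `pymysql` are all assumptions; the key names in the sample follow the format the RDS MySQL rotation function maintains (`username`, `password`, `engine`, `host`, `port`, `dbname`).

```python
"""Lambda-side retrieval of a Secrets Manager DB credential, added example."""
import json
import os
import time

# Hypothetical ARN; in the course's stack the value would come from the template.
SECRET_ID = os.environ.get(
    "DB_SECRET_ARN",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:rds-demo-AbCdEf")
CACHE_TTL_SECONDS = 300  # re-read the secret at most every five minutes per container
REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")
_cache = {"config": None, "expires": 0.0}

# Constructed sample of the secret JSON the RDS MySQL rotation Lambda maintains.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "admin", "password": "s3cr3t-example", "engine": "mysql",
    "host": "demo-db.example.internal", "port": 3306, "dbname": "demo"})


def parse_db_secret(secret_string):
    """Validate the JSON shape and translate it into connection parameters."""
    data = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return {"host": data["host"], "port": int(data["port"]),
            "user": data["username"], "password": data["password"],
            "database": data["dbname"]}


def invalidate_cache():
    _cache["config"] = None
    _cache["expires"] = 0.0


def get_db_config(fetch_secret_string, now=time.time):
    """Return connection parameters, fetching only when the cache has expired.
    `fetch_secret_string` is injected so the logic runs without AWS;
    in Lambda pass `fetch_from_secrets_manager`."""
    if _cache["config"] is None or now() >= _cache["expires"]:
        _cache["config"] = parse_db_secret(fetch_secret_string())
        _cache["expires"] = now() + CACHE_TTL_SECONDS
    return _cache["config"]


def fetch_from_secrets_manager():
    import boto3  # lazy import keeps the helpers importable offline
    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=SECRET_ID)["SecretString"]


def query_rows(cfg, sql):
    import pymysql  # assumed to be packaged with the function or in a layer
    conn = pymysql.connect(host=cfg["host"], port=cfg["port"], user=cfg["user"],
                           password=cfg["password"], database=cfg["database"],
                           connect_timeout=5)
    try:
        with conn.cursor() as cur:
            cur.execute(sql)
            return cur.fetchall()
    finally:
        conn.close()


def lambda_handler(event, context):
    sql = "SELECT id, name FROM demo_users LIMIT 3"  # hypothetical table
    try:
        rows = query_rows(get_db_config(fetch_from_secrets_manager), sql)
    except Exception as exc:
        # MySQL error 1045 is "access denied": the cached password is most likely
        # stale because rotation just ran, so drop the cache and retry once.
        if exc.args[:1] == (1045,):
            invalidate_cache()
            rows = query_rows(get_db_config(fetch_from_secrets_manager), sql)
        else:
            raise
    return {"statusCode": 200, "body": json.dumps(rows, default=str)}


def demo():
    """Exercise the cache offline; returns how many times the secret was fetched
    across two calls one minute apart (1: the second call is served from cache)."""
    invalidate_cache()
    fetches = []

    def fake_fetch():
        fetches.append(1)
        return SAMPLE_SECRET_STRING

    clock = [1000.0]
    get_db_config(fake_fetch, now=lambda: clock[0])
    clock[0] += 60
    get_db_config(fake_fetch, now=lambda: clock[0])
    return len(fetches)


if __name__ == "__main__":
    print("fetches for two calls:", demo())
```

The cache is per execution environment, so a warm container keeps using the old password for up to `CACHE_TTL_SECONDS` after rotation; the retry on error 1045 is what closes that window without forcing a Secrets Manager call on every invocation.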
I'm just waiting for that tow. Get deployed that that scene this is stupid. The stacker still running so you can see it. This is the date of this instance rotation Instance that this creation is still in progress and remember, once again we are deploying this in a separate VPC so that your existing resources are existing. Account is no longer or no way disrupted. We also creating an actor gateway for the Lambda Function to communicate back to the secrets manager and also your ideas data basis also in the secure where So I would highly recommend you to go ahead and look at one all the resources this template is deploying it for you. Andi, if you're wondering the lad, uh, connections for the data business also store that is this morning the animal devi table. It's also created for you. While the total number of connections at any point in time is stored by the Lambda functions, every time you make in connection to the database, the dynamodb table will be fetched and see whether the maxim connections have been reached . If the maxim connection is not reached, the new connection is allowed. If the maximum connection is reached that the questions dropped. Little also opened the ideas service. We must have one database running here. This is the rotation instance and you can see here all the necessary configurations backed into the temperate. So you don't If even if you have never launched in ideas, database or you don't know what consolation to use hope to set up on success manager, this would be the best point toe start experimenting with it on. This is the interesting thing. This database is not public, but still, we will be able to create from an A p a gateway. So they pick it was going to trigger the Lambda function on Lambda on the back end is going to talk to the State of Grace and fit some information on true it back to us. So our database is up and running, so let us hope that ah stack is completed. 
Still, that is a couple of Lambda functions because there's one more lambda function which is going to insert some dummy records into our database itself so we can play around on the console. So we have the A p a. You Earl on the database at my name at the school here and said, You don't just complete. So when I put this you are into my processed now and making request. What is going to happen? The Bagram is as the soil here. The request is going to go through the a. P. A gateway. That is a You are that we saw our style put off the cloud formation that is going to trigger Lambda Lambda is going to get secrets, connect to the database. Come back here. So it is straight out. That should be something like a three request to coming in. So you can see here as selector three items from RDS Staples. So what I'm going to do is I'm just going to refresh my screen. There must be one more lambda function for testing purposes. So this is the Lambda function. And if I go to the logs off the function, we will be ableto see what records were fetched on what secrets was used to to fetch knows , records. That information there will be there in the lodge just going to make it for medical. You can see that this is a request being made to the database. Onda. Uh, here it looks at the air. And for that secret on these are the treat of course that were returned by the database that record oneness, John record to is Jane and then Bob. And then it is closing the connection here. So this is what I was speaking about. You have this a secret. Also, if you want to see it in a better way, you concede here? Uh huh. it's any with the same thing. If you want before matter to call, you can put it into adjacent editor. Just a Jason Value there. So this is the password that was used to dynamically to connect to the database and check out details if we go back here to the sick. Our secrets Manager, this is the database. This is our secrets manager at this. 
Let's go ahead and check the value of the secret itself. You see, I just refreshed my page, and rotation configuration is also enabled here; it is set for 30 days. Let us go ahead and retrieve the secret value. You can see it is the same thing: if I just copy this password and compare it with my CloudFormation stack here, you can see the same value here, and the same value appears in the CloudWatch logs. So that is how you access secrets in your Secrets Manager. You can put your database credentials, or even your operating system credentials or any application credentials, in Secrets Manager and enable rotation automatically. So now every 30 days I don't have to worry about rotating my database password, because this Lambda function that is attached here to the secret is automatically going to change the password and also update it in my database. So there is not going to be any disruption to my application, or the application timing out because my database password has expired, or somebody forgetting to change my password and me having a security problem. I would highly recommend you to start using Secrets Manager for storing your passwords. There is another way: you can use the AWS Parameter Store with encryption keys, but that does not support automatic rotation or pre-built Lambda functions for rotation; you need to write your own custom code and write some other auditing functionality as well. So I would highly recommend you to start using Secrets Manager for those purposes. Try it out; if you find any improvements, put them in the comments or send me a pull request. Until then, thanks for watching.
34. 4 3 Use an outbound VPC proxy for domain whitelisting and content filtering
Another lecture on security. This time we are going to look at how to secure the outbound traffic from your VPCs. Whenever I mention securing outgoing traffic, the most common notion is: let us put up a NAT instance or a NAT gateway so that our servers are not shown to the public.
We can hide those IP addresses. But the problem with this approach is that your servers are not being stopped from communicating with a botnet or some malicious host, and they might still be downloading some malware and corrupting your environment. You have no way of filtering the content that your servers can reach, either at the URL level or at the IP address level, and you still need to provide these proxy services for securing your servers. It might be for a legitimate reason, like downloading patches from Microsoft or Red Hat or some other vendor that you might want to download from. So how do you go ahead and provide the legitimate access, but at the same time protect your servers from reaching out to bad networks? That is the problem we have, and I'm going to show you a solution which allows you to have the best of both worlds, where you can achieve content filtering, domain whitelisting and proxying services. So we have a GitHub repository which is going to help us in achieving the solution. Before we go ahead and start deploying the solution itself, let me walk you through what is going to happen. Let us say that we have a VPC which is highly available, spread over two availability zones, as you can see here. So the typical design will be that you will have a public subnet and you will also have a private subnet. In the public subnet, what we're going to do now is deploy a proxy instance, and we're going to use the open source Squid proxy, and that is going to act as our proxy, plus domain filtering, plus whitelisting the URLs as well. So it is going to provide all those three services.
We're also going to put it into an auto scaling group so that it can scale up and down depending upon the traffic that you have. In front of the proxy instance we're going to add a network load balancer so that all our private instances, or the secure instances in the private subnet, can talk to the proxy. This way your proxy instance IP address is also not exposed to the clients, and you can also have load balancer nodes in each of the availability zones so that they can find out which proxy is available and then redirect the traffic to the appropriate proxy. So this is the overview of the proxy solution itself. Since we're going to do this as a demo now, I don't want to use your existing VPC. I also created a sample VPC template in the repository; the example VPC will deliver the exact VPC requirements for us and will also deliver a private instance from which we can do some testing. Since this instance is going to be private, we will not be able to SSH to it to see the URL filtering or the content filtering working. So to solve that problem, I have also delivered a bastion host in the public subnet, from which you should be able to connect to the client instance as well. So basically we will have two templates. One template will deliver the network stack, and the second template will deliver the proxy instance and network load balancer stack. Before we go ahead and deploy, let me walk you through my account. You see here there's only one VPC; we are not going to use it, we're going to create a new VPC. And since we need to connect to those instances, I have created an SSH key pair; I'm going to call my key pair 'proxy'. If you don't have one, just go ahead and create one. Right now I don't have any templates in my account; the stacks are not deployed. So let's get started by deploying them. First is the network stack. So this is going to be my network stack.
This is the same thing that you find in the GitHub repository. It is going to deploy a VPC, a bastion host and a private instance, and once it is completed we should have some outputs of the public IP address and the private IP address of those instances. So I'm just going to call this 'network stack'. You can name this as production or change any of these values; this is not used anywhere. But this is where the important piece is: this is the key name that we are going to use to connect to those instances, and this is the AMI ID of those instances. So click on next, keep going, create stack. Since three important resources are going to get created, I think it takes about 3 to 5 minutes for the stack to come up: that is the VPC plus two web instances. So meanwhile, let me just go to my EC2 instances page. Let me go to my VPC section. We should see a new VPC here; you see here, that's a new VPC. So I'm going to add this window here and let us go to our security groups and see what security groups have been created. You can see here these are the security groups that were created. The web security group we're going to treat as the bastion security group now, and I have opened it to the Internet also so that I can SSH to it right now, since this is going to be a demo. This is the private security group where our instances are going to reside and from where we're going to do the testing, and I have allowed port 22 access only from my web security group. You can see here it's the same value as my web security group. So this is going to be the bastion; once we connect to the bastion, then we will be able to SSH to our private instance as well. So our security groups are done, and all the route tables and the subnets and the necessary things are all done here, so we don't have to check anything there.
Let's just go to our instances and see if our instances are ready. We have two instances up and running. Let us go and check our CloudFormation template, whether the stack is complete. We have it complete, and under the output section we have our bastion public IP address and the private instance IP address as well. So our first step is done. Let us go ahead and launch our proxy stack. This is going to be my Squid proxy, which is going to deliver the content proxy services. So these are the three URLs that we're going to whitelist. Whenever a request is coming from the private instance to any of these three domain names, it is going to be approved automatically. You can go ahead and add any number that you want. If you're familiar with the Squid proxy you can connect to the instance and go ahead and troubleshoot them. So how do you connect to that? It also has an SSH key for that instance: if you go ahead and add your key name, and if that is present in your account, you will be able to SSH to the proxy instance and change the Squid proxy. This is going to be the port that we're going to communicate with, and this is the instance size; if you want a bigger instance, go ahead and modify that. So this is where the interesting piece comes. Remember why we deployed a new VPC? We're going to use this new VPC we just deployed, and I'm going to choose the public subnets first. Here I'm calling my public subnets 'web subnets', so I'm just going to choose those two. So that is done. Once that is done, I'm just going to do the private subnets: select those private subnets. That is also done. And what is the CIDR? I want my entire VPC to communicate with this Squid proxy, so I'm just going to give my entire VPC CIDR. You can see the IP addresses here, so I'm just going to type in the same thing and go next.
So, acknowledge the permissions to create the necessary roles and privileges. This stack is going to take some time, because there is going to be a network load balancer, a Squid proxy instance and some user data that needs to be configured on top of the Squid proxy. So this stack takes approximately six minutes, in my experience, to get completely delivered. And once it is delivered, in the output section we will have the proxy URL of the network load balancer, so we can use that information to send traffic to our Squid proxy. Meanwhile, what I want to do is SSH to my private instance and keep it ready. So let us go back to our stacks; in the network stack we have the outputs information. I'm going to connect to this instance; this is going to act as my bastion. From there, we're going to connect to this one. So let's connect to this one first. You remember I have the proxy key, and then I'm going to connect to this instance that we just set up. Probably my key locally has bad permissions, so I'm just going to change my key permissions. Let me try it again. This time I should be able to get connected. Yep, we got connected. So what I'm going to do now is highly not recommended: I'm going to copy my proxy key to this server. Usually you will have some other mechanism to connect, where you would have pre-configured your bastion host with your keys. But since this is going to be a demo, I'm just going to expose my proxy key, which once again is a bad practice; do not do that. I'm just going to get the proxy key. So this is my proxy key. Technically, you should never expose your secret key at any time. So I'm going to copy the key here. Of course you can do SCP or anything like that, but I find this pretty quick for the demo that we're doing here. So I'm just going to change the permissions so that SSH would not complain that the key is too open.
So we have the key. Let us go and connect to our private instance. You can see here we got connected to the private instance, and if I do something like curl debian.org it should hang there. Basically, this server does not have any access to the Internet or the outside world right now, because the proxy instance is still not configured, and it just hangs there. The same happens if I do any of the other domains, if I do something like curl google.com. But remember, I'm not whitelisting google.com; even after setting up the proxy, going to Google will not work. But it will not hang like this; it would rather throw us an error message saying access is denied. So I'm just going to stop this here and go back to our stack and see if my proxy instance is completed. Still, it's running. Let's go ahead and check what resources are getting created. We have our load balancer set up, and the auto scaling group is still a work in progress. Meanwhile, if I go back to my EC2 instances, let us remove these filters so that we will see the outbound proxy server also getting created. You can see here the proxy is running. So in a short while we should have the stack complete. Yeah, we got our stack complete. If I go to my output section, this is the most important command here. If I run this on my private instance and then curl the external world, it should start working. So let's copy this command, go back to the private instance and set it up. So I'm going to do the curl debian.org now, once again. And remember, guys, when you're trying to set up an HTTP proxy you need to be doing it as the root user, not as a normal user. So let me just switch to the root user here, and I'm going to run the export command again. Let me just do it again.
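The lecture goes on to look at the Squid logs in CloudWatch and suggests building alarms on them. As an added example for this proxy lecture (not the course's or the repository's code), the following Python script does the same review offline: it parses lines in Squid's native access.log format, tallies what each client was allowed or denied to reach, and raises two kinds of finding a defender cares about, a destination that got through although it is not in the intended allowlist (configuration drift on the proxy) and a destination one client keeps getting denied for (a misconfigured package source, or software trying to call out). The log lines, client addresses and the two-entry `ALLOWLIST` are constructed.

```python
"""Squid access.log review, added example (not the course's or the repository's code).

Works on constructed log lines in Squid's native access.log format. ALLOWLIST
stands in for the domains the lecture's CloudFormation parameter whitelists;
like squid's dstdomain matching, it also covers subdomains.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWLIST = {"debian.org", "aws.amazon.com"}   # constructed allowlist

# Constructed lines: time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """
1580000000.101    245 10.0.2.15 TCP_MISS/301 512 GET http://debian.org/ - HIER_DIRECT/192.0.2.10 text/html
1580000000.352    189 10.0.2.15 TCP_TUNNEL/200 4096 CONNECT aws.amazon.com:443 - HIER_DIRECT/192.0.2.20 -
1580000000.603      0 10.0.2.15 TCP_DENIED/403 3960 GET http://google.com/ - HIER_NONE/- text/html
1580000001.004      0 10.0.3.22 TCP_DENIED/403 3960 CONNECT telemetry.example.net:443 - HIER_NONE/- text/html
1580000031.011      0 10.0.3.22 TCP_DENIED/403 3960 CONNECT telemetry.example.net:443 - HIER_NONE/- text/html
1580000061.017      0 10.0.3.22 TCP_DENIED/403 3960 CONNECT telemetry.example.net:443 - HIER_NONE/- text/html
1580000075.500    312 10.0.3.22 TCP_MISS/200 20480 GET http://mirror.example.org/pool/x.deb - HIER_DIRECT/192.0.2.30 application/octet-stream
""".strip().splitlines()


def destination_host(method: str, url: str) -> str:
    """CONNECT entries log 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()


def parse_line(line: str) -> Optional[dict]:
    fields = line.split()
    if len(fields) < 7:
        return None                     # not a native-format access line
    ts, _elapsed, client, action_status, _size, method, url = fields[:7]
    action, _, status = action_status.partition("/")
    return {"ts": float(ts), "client": client, "action": action,
            "status": int(status), "method": method,
            "host": destination_host(method, url)}


def in_allowlist(host: str, allowlist=ALLOWLIST) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowlist)


def summarize(lines: List[str], allowlist=ALLOWLIST, deny_threshold: int = 3
              ) -> Tuple[Dict[str, dict], List[tuple]]:
    """Per-client allowed/denied destination counts plus findings:
    an allowed destination missing from the intended allowlist (proxy drift),
    and a destination denied at least deny_threshold times for one client."""
    per_client: Dict[str, dict] = defaultdict(
        lambda: {"allowed": Counter(), "denied": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = "denied" if rec["action"].startswith("TCP_DENIED") else "allowed"
        per_client[rec["client"]][bucket][rec["host"]] += 1

    findings = []
    for client, counts in per_client.items():
        drift = sorted(h for h in counts["allowed"] if not in_allowlist(h, allowlist))
        if drift:
            findings.append((client, "allowed destination not in allowlist", drift))
        noisy = sorted(h for h, n in counts["denied"].items() if n >= deny_threshold)
        if noisy:
            findings.append((client, "repeatedly denied destination", noisy))
    return dict(per_client), findings


if __name__ == "__main__":
    _, found = summarize(SAMPLE_LOG)
    for client, reason, hosts in found:
        print(f"{client}: {reason}: {', '.join(hosts)}")
```

Run against a CloudWatch export of the proxy's access.log, the drift finding is the one to alarm on first: it means the running squid.conf allows more than the template parameter says it should.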
So now we have set the export. Let us go ahead and look at debian.org. You can see here the website is requested; earlier it was hanging, but now we get a response saying that the website has been moved. Likewise, if I go ahead and curl aws.amazon.com, you can see here you get a response. Likewise, let me just go ahead and try Google here; it should give me an access denied page. Now you can see here that access is denied, whereas earlier, without the proxy, that traffic was not flowing anywhere. Now we have put the proxy in place, so the request is being forwarded and we get a response from the proxy itself. You can see here in the CloudWatch log group you have the logs from the Squid proxy coming in, and this is the information from the proxy instance itself. You can go ahead and check what websites we have requested. You can see here there is a localhost request, there is a debian.org request and an aws.amazon.com request that we sent to the Squid proxy. All that information is available here, so you can go ahead and configure some alarms or fine-grained metrics; all that is possible. Go ahead and try it out. You can see there's one CPU alarm that has been set up: if the CPU is too low for a very long time, it's going to give you an alarm so that you can set up a smaller instance as well; that's also possible. So this is how your content proxy actually works. It forwards the request and gets you back the response, and if the domain or the URL is not supported, then it gives you an access denied page. Go ahead and customize the access denied page in your Squid proxy configuration. So go ahead and try it out. If you have any problems, put them in the comments; I'll be happy to help you with them. Thanks for watching.
35. 4 4 Use AWS IAM Access Analyzer to Identify Unintended Resource Access
Welcome back to another episode on security.
This time we're going to talk about a new feature that is called IAM Access Analyzer. Once you go to your IAM dashboard and enable this feature, it is going to ask you to create an analyzer, and as part of this you're going to get a comprehensive list of findings in your account: the different resources and the resource policies in your account which might give a user or a resource overly broad permissions. For example, if it is an S3 resource, it will highlight whether the S3 resource is public, or whether there is cross-account access to that resource. In addition to those findings, you also have the ability to monitor those accesses and remediate them. In summary, the benefits provided by Access Analyzer are: you can constantly scan your account for the policies that might be there, and it keeps updating itself, so once you enable it, any resource policy that gets modified also gets incorporated into its system. So you get the new findings so that you can remediate them. On the back end of this, Amazon uses something called the Zelkova engine; that is what they call automated reasoning. There's a nice blog article as well; I'll go ahead and put the link so you can check it out. So this Zelkova engine is automated mathematical logic. It goes ahead and finds out what the policy permissions are, and what all the permissions are that the resource policy allows that user or that resource to do. So how does this work? Once you enable it, whether at the account level or at an organization unit level, it is going to identify all the resources to which a policy can be attached. For example, today you can attach a policy to an IAM role, an S3 bucket, a Lambda function, a KMS key or even an SQS queue; for example, even for an SNS topic.
you can attach a resource policy as well. So it is going to identify all those resource policies, and it is going to start analyzing your resource policies and find out who has access to what in your account, and it is going to create a summary of that in your account. So let's go to our account and see what it can do. This is the blog article that they have written about IAM Access Analyzer, and it talks about all the different things that it can do. Let us go ahead and get our hands dirty and do it ourselves. Once we go into our IAM console, the new feature is available on the left-hand side; you go to Access Analyzer, and then let us go ahead and create a new analyzer. I'm just going to call it 'some analyzer' and create the analyzer. So what this is going to do is gather all the policies in my account, run the mathematical logic on my policies, and provide a list of all of its findings here. You can see here the scanning of your resources is complete. So in a short while I should have the report available as well. Let me just refresh the page; we should have the findings here. You can see here there are already a couple of findings for my bucket. As part of another demo, what I did was I created a bucket and I also made the bucket deliberately public, so that finding has already come up here. You can see the S3 finding. Let me just go ahead and open it, and let me also open the S3 service, because the IAM Access Analyzer service is tied very closely to another feature that is here, which is called Access Analyzer for S3. If you have not enabled IAM Access Analyzer and come and click on this, it will say go ahead and enable Access Analyzer on your IAM page. Once you do that, you can come back here and see your findings here as well. So you can see how quickly it lists a couple of my buckets. One is public.
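The findings the lecture walks through here are of two kinds: a bucket made public through its ACL or policy, and a principal in another account that can reach a resource. As an added example (not the course's code, and not how Access Analyzer is implemented, which uses the Zelkova automated-reasoning engine the lecture mentions), this Python script reproduces the shape of those findings for S3 by inspecting the principals in a bucket policy and the grantees in a bucket ACL, mapping ACL permissions to the S3 API calls they grant. Bucket names, account IDs, the organization ID and the canonical user ID are constructed; a `Condition` on a wildcard principal is only reported as present, where the real engine would prove whether it restricts access.

```python
"""Toy classifier for S3 resource access, added example (not the course's or AWS's code).

Reproduces the shape of Access Analyzer's S3 findings (public vs cross-account,
and which API calls) from a bucket policy and a bucket ACL. All names below are constructed.
"""
from typing import List, Optional

OWN_ACCOUNT = "111111111111"        # constructed: the account being analyzed
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GROUPS = {ALL_USERS: "public", AUTH_USERS: "any AWS account"}
ACL_PERMISSION_ACTIONS = {          # bucket-level ACL permission -> S3 API it grants
    "READ": ["s3:ListBucket"], "WRITE": ["s3:PutObject", "s3:DeleteObject"],
    "READ_ACP": ["s3:GetBucketAcl"], "WRITE_ACP": ["s3:PutBucketAcl"], "FULL_CONTROL": ["s3:*"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_entries(principal) -> List[str]:
    """Flatten Principal; '*' and {'AWS': '*'} both mean anyone. Service principals are skipped."""
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def _account_of(entry: str) -> Optional[str]:
    if entry.isdigit() and len(entry) == 12:
        return entry
    parts = entry.split(":")            # arn:partition:service:region:account:resource
    return parts[4] if entry.startswith("arn:") and len(parts) > 5 else None


def classify_statement(stmt: dict, own_account: str = OWN_ACCOUNT) -> Optional[dict]:
    if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
        return None
    entries = _principal_entries(stmt["Principal"])
    actions = _as_list(stmt.get("Action", []))
    if "*" in entries:
        # A Condition such as aws:PrincipalOrgID may narrow '*'; the real engine
        # proves whether it does, this toy only reports that one is present.
        kind = "public (conditional)" if stmt.get("Condition") else "public"
        return {"access": kind, "principals": ["*"], "actions": actions}
    external = sorted({a for a in map(_account_of, entries) if a and a != own_account})
    if external:
        return {"access": "cross-account", "principals": external, "actions": actions}
    return None


def classify_acl_grant(grant: dict) -> Optional[dict]:
    grantee = grant.get("Grantee", {})
    who = PUBLIC_ACL_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
    if who is None:
        return None
    return {"access": who, "principals": [grantee["URI"]],
            "actions": ACL_PERMISSION_ACTIONS[grant["Permission"]]}


def analyze_bucket(name: str, policy: Optional[dict] = None, acl: Optional[dict] = None,
                   own_account: str = OWN_ACCOUNT) -> List[dict]:
    findings = []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if (f := classify_statement(stmt, own_account)):
            findings.append({"resource": name, "via": "bucket policy", **f})
    for grant in (acl or {}).get("Grants", []):
        if (f := classify_acl_grant(grant)):
            findings.append({"resource": name, "via": "bucket ACL", **f})
    return findings


SAMPLE_BUCKETS = {   # constructed configurations resembling the lecture's demo buckets
    "demo-public-bucket": {"acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"}]}},
    "demo-acl-only-bucket": {"acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"}]}},
    "demo-shared-bucket": {"policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-shared-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::" + OWN_ACCOUNT + ":role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::demo-shared-bucket/*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::demo-shared-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::demo-shared-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
}


def run_demo(own_account: str = OWN_ACCOUNT) -> List[dict]:
    findings: List[dict] = []
    for name, cfg in SAMPLE_BUCKETS.items():
        findings += analyze_bucket(name, cfg.get("policy"), cfg.get("acl"), own_account)
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['resource']}: {f['access']} via {f['via']}: {', '.join(f['actions'])}")
```

The second constructed bucket is the case the lecture shows later: nobody can list or read objects, but the `READ_ACP` grant to AllUsers still lets anyone call `GetBucketAcl`, and a finding is raised for that alone.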
The demo bucket that I created some time back: it is showing the access control list, saying it could be public here. So let us go and check out this bucket itself. If I go to my bucket, you can see here the permissions are public, and in the access control list I have given public list-objects and read permissions as well. So automatically, at the account level, it is going to find out all the buckets that are public and what access I have made public, and gives you a list of everything here. If you know that your bucket is supposed to be public, then you can just archive it, or if you don't want to look into that bucket every time you come here, then you can just mark it as OK. So let's go back to our account and see what other findings are there. By the way, if you have remediated a bucket, for example if it was not intended to be public and you changed its access so that it is no longer public, you can go ahead and rescan, and the findings will also be updated. So let me go back to my findings. Here you have an organization role, and this organization role can assume an identity in my account. Basically, this account is in an organization, so I enabled an organization role so that some global rules can be applied. So this is the entity, the other entity, that can assume a role in my account. So it goes ahead and finds that kind of information as well. Quite often, if you are working with an enterprise, there will be more than one account, and they will be requiring cross-account access for provisioning resources; for example, it might be a KMS key they want to access. Then you'll have some cross-account STS assume-role or KMS key access. All those kinds of things would be there, and those kinds of findings will also be here. So that is what this finding is all about, and if you want to go ahead and remediate, you can generally go ahead and
remediate them from here. So if you have remediated them, all those findings are going to come up and show here as resolved. As of now, I have not done anything to remediate them, so all the findings are shown here as they are. So, if you have any other permissions which are excessive in nature: for example, this bucket is much more restricted, but I just made a particular ACL. Let me open the other bucket as well. In this case the bucket itself is not public, but what I have done is make the read-bucket-permissions grant public. So this is a very small ACL: you cannot list the objects or get the objects, but you can read what permissions are configured on the bucket. That is what is allowed here. But even that kind of granular permission is identified and listed out here; you can see here it says GetBucketAcl. So those are all the permissions, and since it is global, it is identified and listed here. So go ahead and use this. If you are using it in a production account, I'm sure there will be much more interesting findings in your account. Since this is a demo account I use for doing all these demonstrations, I don't have many findings. But if you go ahead and do it in a production account, you will find some quite interesting things, and I'm sure you will have interesting conversations with the developers who own those roles or buckets. Try it out, put in the comments what you find in your own account, and we'll all learn from each other. Thanks for watching.
36. 4 5 Automatically respond to DDoS Attacks with Web Application Firewall (WAF)
Welcome to another lecture on security. This time we're going to talk about securing your APIs. If you've been running applications on the cloud, it is possible some of the applications have APIs, and those APIs might be exposed to the Internet behind an API Gateway if it is in AWS.
So how do you secure those APIs? For example, if you have an API available on the Internet, it is possible that some malicious host will be sending requests which they have no interest in fulfilling, and sometimes there will be a flood of requests, and that flood of requests will make sure your service is not able to satisfy the legitimate customers that might be waiting for your service to respond. So when your service is satisfying these nefarious requests, your cost is going to continuously increase, because the Lambda function is going to constantly scale to meet the increasing demand, whereas you're not getting any business value. How do you defend against those DDoS attacks that are happening against your API? This is where the Web Application Firewall comes into the picture. When you configure the Web Application Firewall in front of your API, you can do something like this: you can create a rule which will enable you to look at the requests that are coming in, and if a request has certain patterns, for example if you detect an SQL injection or cross-site scripting or request forgery, or if the traffic is coming from a particular IP address without any acknowledgement packets or further information packets, then you can drop those kinds of requests. So the Web Application Firewall allows you to configure a lot of rules; some of them are called managed rules and are provided by Amazon itself, and some of them are provided by third parties. If those do not satisfy your requirements, you can go ahead and write your own rule as well; that is also possible. So once you create a rule, something like a rate limit rule, say for example if 2000 requests are coming from one particular IP address within five minutes, then block that IP address for some time. Then you can make sure that your service is available for your legitimate users, your cost is also controlled, and you have high availability for your service.
So how do you go about doing this in your account? It takes 5 to 10 minutes maximum to set it up in your account. Let us go and do this in our own console. I don't have a public facing API, but Amazon has this sample Pet Store API available. We're going to use that Pet Store API for doing this Web Application Firewall testing. So just go ahead and click on build, and you can see here it recommends you to go ahead and try it out. Click on OK, just scroll down to the bottom, and we want to make it public facing, so I'm just going to say regional and click on import. So my sample API is getting imported, and I'm just going to deploy it straight away. I don't want to test it; I'm just going to deploy my API and call my stage 'test'. You can go ahead and name it, say for example, 'prod'. I'm going to call this the prod stage, and the description is up to you; you can go ahead and fill it in. So now my API is deployed. So all I can do is copy this, put it into my browser and add /pets, and I should be getting some response. So my API is deployed and it is available on the Internet. Anybody can make a DDoS request or a flood of requests; if I just go ahead and request pets 1, 2, 3, you just get them. So now I need to protect it. I need a Web Application Firewall sitting in front of my API Gateway. So let's go ahead and configure it in WAF. Let's click on create web ACL. I'm going to call this 'flood prevention', because we're going to try and prevent the DDoS attack coming from a single IP address to our API. This is our API, deployed in the region, yes. I'm just going to leave it as it is. And what resources are we trying to protect? I'm going to choose our Pet Store API: I'm going to click on add, just select this one, and then click on next.
So this is where the rules come in; the managed rules that I spoke about are here. These are all the different managed rules that are available, and you also have some capacity: if you configure these rules, there are 1500 capacity units available. Each rule consumes some capacity, and then you can choose which rules you want to apply and which rules you don't. If you don't like any of the default rules, you can go ahead and configure your own rules here. And as I spoke about earlier, we're going to build our own rule, and I'm going to call it 'flood prevention rule'. The type of the rule is going to be a rate-based rule. How many requests do I want to look at? Because my API is new, there are not going to be too many requests on it, so I'm just going to say something like 200 requests. What it means is this: if somebody is making 200 requests to my API within a five-minute period, as it mentions here, that IP address will be blocked for some amount of time. So what is the action when the rule is matched? This is where the blocking happens. Click on add rule. So we have set our rule; just go ahead and submit our rules. So our rules are almost set. Let's go ahead and click on create web ACL. If everything is configured, our rule will be taken into effect. There is a nice bug here in the UI: when you click on create web ACL, it doesn't take you to the previous page. So let me go here and click on this and make sure we have configured it correctly. Go to associated AWS resources; apparently it has not taken the Pet Store, so I'm just going to add it again. It finally took a couple of minutes for the Pet Store API to appear here, so now our rule has been set. Okay, we are all set here. So now we're going to simulate a DDoS attack on our API.
For doing the DDoS attack, what I'm going to do is use an EC2 Linux machine, and inside that Linux machine I'm going to use a software called ApacheBench. This is typically used for load testing your applications. So we're going to configure ApacheBench on our Linux machine and make a flood of requests. Let's go ahead and get connected to the machine and install it. These are the commands to install ApacheBench, and this is where I put in the API Gateway URL. Let me just put our API URL here so that we can use it later. So I'm going to take this URL and put it here, and remember we need to add /pets; that is where the requests are satisfied. So let us get connected to our server now. Let me go ahead and install ApacheBench. If it is already installed, it's just going to say the requirement is satisfied. So let me just set this global variable now, that is the API URL, and then I'm going to make a request. If we get a successful response to this request, that means that we were able to access the API from this server. So you see here, we're getting the same response. So let us start our DDoS attack. This is the command. What this command is going to do is make 3000 requests to our API, with 20 concurrent requests. So I'm just going to run it a couple of times. And remember, the Web Application Firewall is going to check over a five-minute aggregate period, and since our API is sending so little data, ApacheBench completes the requests in a couple of milliseconds. You can see here the total request time: it takes about 18 milliseconds per request, and in total it did about 77 requests per second. So I'm just going to run it a couple of times so that the WAF will pick it up when we run this a few times within a few minutes.
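While the rule's five-minute window fills up, it is worth seeing what the rate-based rule is actually computing. As an added example (not the course's code and not AWS's implementation), the following Python model counts requests per source IP over a trailing five-minute window and blocks an IP while its count is above the limit, then allows it again once the window has drained. The traffic is constructed to resemble this demo: one ordinary client at a request every 30 seconds and one ApacheBench-style flood of 3000 requests in about 40 seconds, evaluated against the limit of 200 the lecture configures. One simplification is labelled in the code: AWS WAF evaluates the counts periodically rather than on every request, so real enforcement lags this model slightly.

```python
"""Offline model of a WAF rate-based rule, added example (not the course's or AWS's code).

Counts requests per source IP over a trailing five-minute window and blocks an
IP while its count is above the limit. AWS WAF evaluates the counts
periodically rather than per request, so real enforcement lags this model a
little. The traffic is constructed; the addresses are from documentation ranges.
"""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 300


class RateBasedRule:
    def __init__(self, limit: int, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def evaluate(self, ip: str, ts: float) -> str:
        """Record one request from ip at time ts (seconds) and return ALLOW or BLOCK."""
        hits = self._hits[ip]
        hits.append(ts)
        while hits and ts - hits[0] >= self.window:   # drop requests that left the window
            hits.popleft()
        return "BLOCK" if len(hits) > self.limit else "ALLOW"


def constructed_traffic() -> List[Tuple[float, str]]:
    """(timestamp, source ip) pairs: one ordinary client and one ab-style flood."""
    events = [(30.0 * i, "203.0.113.5") for i in range(20)]               # one request every 30 s
    events += [(100.0 + i * (40.0 / 3000), "198.51.100.7") for i in range(3000)]  # ~75 req/s
    return sorted(events)


def replay(events: List[Tuple[float, str]], limit: int = 200) -> Counter:
    """Count (ip, decision) pairs: how many requests each client had allowed and blocked."""
    rule = RateBasedRule(limit)
    decisions: Counter = Counter()
    for ts, ip in events:
        decisions[(ip, rule.evaluate(ip, ts))] += 1
    return decisions


def unblocks_after_window(limit: int = 200) -> bool:
    """The flood source is allowed again once five minutes pass without its traffic."""
    rule = RateBasedRule(limit)
    for ts, ip in constructed_traffic():
        rule.evaluate(ip, ts)
    return rule.evaluate("198.51.100.7", 140.0 + WINDOW_SECONDS) == "ALLOW"


if __name__ == "__main__":
    for (ip, decision), n in sorted(replay(constructed_traffic()).items()):
        print(f"{ip:15} {decision:5} {n}")
```

Replaying your own API Gateway access logs through `replay` with a candidate limit, before switching the rule's action from Count to Block, tells you how many legitimate clients the limit would have caught.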
Our WAF should deny our requests. It has effectively been close to a couple of minutes; let me just go ahead and do a curl request. You can see here the message is forbidden, as you can see in the response. Let me just try again. You can do the same thing from the browser as well: if I had done this from my local laptop and opened it in the browser, you would also get the message forbidden. So that is how a rate-based Web Application Firewall works. I would highly recommend you to go ahead and try this in your account. If you have any problems, let me know; I can try and help you with them. Thanks for watching. Happy learning.
37. 4 6 Detect EC2 Instance Credential Abuse
Hello, folks. Welcome back. Today we're going to talk about another security related topic, especially the one concerning attaching a role to an EC2 instance. Think of a web server or an application server which requires access to some other resources, like an S3 bucket. The most common way is to attach a role to the EC2 instance so that it can go ahead and communicate with S3 or some other resources. Sometimes what happens is people create more than the necessary privileges for that role and attach it to the EC2 instance, and this creates problems in the security world. For example, if this is a web server and there is a zero-day attack, anybody outside your network or outside your account can compromise the web server, use the EC2 instance metadata, that is the role that is attached, generate some temporary credentials and gain access to other resources in your account. For example, in this use case the web server is there and it is compromised; then the hackers can get temporary credentials and gain access to your S3 bucket. If you think this is something that doesn't happen to your account, or something that happens very rarely, or that this is a complex attack to execute so it will not happen, then think again.
Because recently what happened was Capital One found out the hard way. They had an instance which was compromised, and the role that was attached to that instance was used to create temporary credentials, and the hacker was able to exfiltrate the data. As you can see here, about 100 million people's data was breached; plenty of analysis has happened, and they have also given some official documentation of the methodology of how exactly this happened. You can see here that you can use the command that is shown: the curl command against the iam/security-credentials metadata path, followed by the role name. I'm not going to show you the actual attack itself or how to compromise a web server; you can go ahead and read about it, it's all documented very well. What I'm going to show you is how, if you have an EC2 instance with a role with excessive privileges, it can lead to unnecessary consequences. I have a demo instance here which is running a web server, and there is a role attached. You can see here the role gives S3 full access for EC2. Instead of giving access to one bucket, or one particular bucket, I have deliberately given access to the entire S3 service. That means I can access all the buckets that exist in the account, and I can read, write or delete other buckets also. It has been given more privileges than what is necessary for this role. Let's assume that the hacker has already compromised this instance and is able to execute the curl command against the EC2 instance metadata. So here I am, with access to the server. I'm going to execute the curl command. At this moment I don't know what role is attached to the server, so this is the standard first step.
So if you execute this command, it lists the role that is attached to the server. All I have to do as the next step is append the role name to the path, and now it throws out the necessary information for me. You can see here there's an access key, and there is also a secret key along with the session token. So all I need to do is have another terminal, and I need to export these values, or configure my AWS CLI with these three values, that is, access key, secret key and token, and I will be able to get access to the S3 buckets. Although I'm not out of the environment, I'm going to use this terminal for the setup. As of now, this terminal does not have S3 access; you see here it gives me an error. So I'm just going to go ahead and configure my access key, secret key and token. Let me copy the access key now, and I'm just going to put it all here so that we can run it all together. There's an extra quote; let us remove that. Next comes the secret key, and for the token you need to be careful, because there are newline characters; we need to have it all on a single line. So I'm just going to paste it here and then fix it. Now we are all set with our commands. I'm going to copy all three commands and run them in my terminal. Once this is set, I should be able to list the buckets in my account. If I do the same command as earlier, where you saw that I did not have access to any buckets, now I should be able to get access to the bucket that is used by the web server. You see here how easy it is: once you compromise the server you don't need other credentials, you just leverage the role that is attached to the server and get access to the buckets or any other resources. The point to note here is: do not create roles with more than the necessary privileges.
Or, at the very least, tie the role down: if it's an application, scope it to the application-specific bucket, or to a particular region, or even a particular account. If you have any questions on how to do this in your account, go ahead and put them below in the comments; I will try and help you with them. Thanks for watching. Happy learning.

38. 4 7 Automatically respond to EC2 Instance Credential Abuse Part 01 of 02

This time we're going to talk about how to quarantine an already compromised EC2 instance. When you're running an EC2 instance as a web server, sometimes you want to give it access to the S3 assets that you have; that might be CSS or some JPEGs or some images that you want to distribute on the website. Then you will have an instance role for the EC2 instance; it is quite often the practice to attach an instance role so that it can access other resources also. What happens is you give more permissions than what is actually required, and people forget to tie down the instance role so that it accesses only a very specific set of resources. Recently what happened was one prominent bank in the US got compromised because their web server was running with an EC2 instance role which had more privileges than it needed, and through the instance role the hackers were able to exfiltrate some data. So this is the scenario that we're trying to defend against. Let's go ahead and see how we can do that. Let us think of an EC2 instance that has already been compromised by a malicious host, and they're going to trigger a credential request using the instance role. This is known as credential exfiltration in the security world. Whenever a hacker or somebody unauthorized makes a credential request with the EC2 instance role, your API endpoint, or your CloudTrail, is going to detect that.
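To make the least-privilege point above concrete, here is an added example (not code from the course) with a small Python model of IAM policy evaluation that compares the demo's "all of S3" role with a bucket-scoped one; the bucket names and probes are constructed, and the evaluator is a deliberately simplified model of IAM, not the real engine.

```python
"""Mini IAM policy evaluator (a simplified model, not the real IAM engine) used to
compare the over-broad S3 role from the lesson with a bucket-scoped one."""
from fnmatch import fnmatchcase


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; Action/Resource may be a string or a list.
    Action names are case-insensitive in IAM, resource ARNs are not."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatchcase(value, p) for p in pats)


def is_allowed(policy, action, resource):
    """Default deny; any matching Allow grants; any matching explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# The demo role's shape: full S3 access on every bucket in the account.
OVERBROAD_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Least-privilege alternative: read only the application's own bucket
# (the bucket name is a constructed placeholder).
APP_BUCKET = "arn:aws:s3:::app-assets-CONSTRUCTED"
SCOPED_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": APP_BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": APP_BUCKET + "/*"}]}

# What stolen instance credentials would be used for (constructed probes):
# the one call the web server legitimately needs, then two against another bucket.
PROBES = [
    ("s3:GetObject", APP_BUCKET + "/logo.png"),
    ("s3:ListBucket", "arn:aws:s3:::finance-reports-CONSTRUCTED"),
    ("s3:DeleteObject", "arn:aws:s3:::finance-reports-CONSTRUCTED/q3.csv"),
]


def blast_radius(policy, probes=PROBES):
    """Map each probe to whether the policy lets the credentials perform it."""
    return {f"{action} {resource}": is_allowed(policy, action, resource)
            for action, resource in probes}
```

Run blast_radius on both policies: the over-broad role answers True for all three probes, while the scoped role only permits the GetObject the application actually needs.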
Using this information, what you can do is send it to GuardDuty. GuardDuty is basically an intrusion detection and intrusion prevention system provided by Amazon. All this information can be fed, or rather is already fed, into GuardDuty, and once you enable it, GuardDuty can detect this kind of incident whenever credential exfiltration happens, and it can push that finding into Amazon EventBridge. Whenever you have this particular kind of finding, which is called credential exfiltration, you can take some remedial actions. For example, you can push it to a SecOps topic, and then the SecOps topic can send an email notification to your security team so that they can start investigating that incident. Meanwhile, instead of waiting for your SecOps team to come and investigate, you can also trigger some functions, or a Step Function, and quarantine the EC2 instance immediately, and also quarantine the role that is attached to the EC2 instance. Because if you are running it in an Auto Scaling group, or there are multiple instances having that role, you want to quarantine that role as well, and not just the EC2 instance that triggered the finding. So this is what we want to do now. Let's go ahead and see how we can do this in our account. We have a GitHub article which is going to walk us through the steps that are required to achieve this automation. This automation also includes CloudFormation templates; there are two templates. The first template is going to deploy the automation solution, and to trigger the scenario of a compromised instance we're going to launch a web server which is going to have an instance role attached to it; we're going to use the web server as the demo server to simulate a credential exfiltration. So let's go ahead and see how we can deploy this in our account.
What I'm going to do now is first clone this repository locally. Once we clone it, we have some environment variables that we need to change so that we can deploy this in our account. This is the URL to clone the repository; I'm just going to copy it. Let me clone it locally and then get into the repository. When I do an ls, you'll find a folder called helper scripts. I'm going to get into helper scripts, and inside this you'll find a deploy.sh file. If you have Visual Studio Code, you can go ahead and add your folder so that you can do visual editing; or if you don't have VS Code and you're doing only CLI, you can also edit the deploy.sh file manually here. The two important fields that I would recommend you go and check are these. We are running a CloudFormation template, and if you're familiar with CloudFormation, the template has to be uploaded to someplace so that it can be deployed. So we need an S3 bucket where this deployment can happen, and this is a SAM template, so SAM will transform the template before it goes ahead and deploys in CloudFormation itself. So we need the bucket name. Make sure you go ahead and change this bucket name to something that is in your account and that you have ownership over. Then, if you want to change the service name or the template name, go ahead and change that, or you don't have to change any of those things. But another field that I would like you to change is this one, which is the SecOps email address. If you have your own team's email address or something like this, you can just go ahead and edit it, say, for example, like this. Then let us go ahead and save this. I'm going to get out of this repository and just go ahead and run deploy. When you're cloning the repository, usually this file will not have execute permission.
So I just want to add execute permissions to it, like so. Now, all these commands that I'm running here are available in the repository, so you can see this is what we have done. I'm going to deploy this template right now. As I said, this is a SAM template; the SAM template is going to get packaged locally and then sent to the S3 bucket that we mentioned, and from there it is going to deploy my CloudFormation template. Let's go to our AWS account and see if there's a new template getting deployed. We can see here there's a template which is called incident response. Here we can go ahead and see all the resources that are getting created, and remember, as a prerequisite we need to have GuardDuty enabled in your account. So here I have mentioned it: GuardDuty should be enabled in this region. Let me just go ahead and check whether GuardDuty is enabled; if not, I will go ahead and enable it. Under Settings, you can see here: if GuardDuty is not running, you will not have these options. It shows that GuardDuty is already running, so it gives me an option to suspend or disable it. That means GuardDuty is already running in my account. You can see there are quite a lot of findings here, because I was doing some experimentation with CloudTrail, and it gives me a finding saying CloudTrail logging has been disabled by this user. So for now let us ignore these findings. Let's go ahead and see what resources are getting created. You can see here there's a Lambda function which is going to quarantine my role; that is getting created. There is a Step Function; let me walk you through the Step Function that is created here. Just go to the definition section. There are three actions. Usually, if you have been following me, a Step Function goes through a sequence of steps A, B, C.
But this time we're going to defend against an intrusion that has happened in your account, so we want to do it as soon as possible. As part of the defensive mechanism, what we're doing is three actions. One is we're going to quarantine the EC2 instance and take a snapshot of the EC2 instance, so that the hacker does not get a chance to destroy the evidence that is in the instance itself. So we are going to take a snapshot, and then another action is we're going to attach a security group to that instance so that no other traffic happens, whether that is data exfiltration or a further connection from this server to another source; nothing else happens. We will attach a security group which will not allow any communications until the SecOps team comes and investigates. Finally, we're going to quarantine the role. What we mean when we talk about quarantining the role is that we're going to add a deny policy to that role, so that the role cannot make any more requests to any other AWS APIs. That is what this Step Function is going to do. Once all of them are successful, we'll get the result; otherwise, if any one of them fails, the Step Function is going to report that the execution has failed. So that is what my Step Function is going to do. We also should have an EventBridge rule. I'm just going to try and find it here. Yes, here it is; let me open it. You see here, it is going to listen to the GuardDuty service, and particularly it is going to listen for this particular finding: whenever there is a finding of instance credential exfiltration, it is going to trigger, and that finding is going to be sent to my Step Function, and the Step Function gets executed whenever there is a matching event. So there are two downstream actions: one is, as I said, the Step Function, and there is also going to be an SNS topic.
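An added example, not the repository's Lambda or Step Function code: the three response actions (snapshot, quarantine security group, explicit-deny on the role) written in Python with boto3, with the orchestration taking the clients as parameters so it can be exercised offline with stand-in clients. The GuardDuty finding field paths, the finding type prefix, the QUARANTINE_SG_ID environment variable and the sample event are assumptions.

```python
"""Quarantine flow for a GuardDuty instance-credential-exfiltration finding."""
import json
import os

# Finding type family the EventBridge rule listens for (prefix match, since newer
# GuardDuty versions append suffixes such as ".OutsideAWS"); assumed name.
FINDING_PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"

# Explicit Deny wins over every Allow on the role, so the leaked session tokens
# stop working for all instances sharing the role, not just the one in the finding.
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}

SAMPLE_FINDING = {  # constructed sample event, not a captured GuardDuty payload
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-CONSTRUCTED-0001", "type": FINDING_PREFIX + ".OutsideAWS",
               "resource": {"accessKeyDetails": {"userName": "demo-web-server-role"},
                            "instanceDetails": {"instanceId": "i-0constructed123"}}}}


def is_exfiltration_finding(event):
    """Same filter as the EventBridge rule, re-checked inside the handler."""
    return (event.get("source") == "aws.guardduty"
            and event.get("detail-type") == "GuardDuty Finding"
            and event.get("detail", {}).get("type", "").startswith(FINDING_PREFIX))


def parse_finding(event):
    """Instance id and role name from the finding (assumed field paths)."""
    res = event["detail"]["resource"]
    instance_id = res.get("instanceDetails", {}).get("instanceId")
    role_name = res.get("accessKeyDetails", {}).get("userName")
    if not role_name:  # fall back to the instance profile name at the end of its ARN
        arn = res.get("instanceDetails", {}).get("iamInstanceProfile", {}).get("arn", "")
        role_name = arn.rsplit("/", 1)[-1] or None
    return instance_id, role_name


def snapshot_volumes(ec2, instance_id, finding_id):
    """Evidence first: snapshot every attached EBS volume before anything else."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    snaps = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping.get("Ebs", {}).get("VolumeId")
        if vol:
            snap = ec2.create_snapshot(
                VolumeId=vol, Description=f"forensics {instance_id} {finding_id}")
            snaps.append(snap["SnapshotId"])
    return snaps


def quarantine_instance(ec2, instance_id, sg_id):
    """Replace all security groups with the no-inbound/no-outbound quarantine group."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


def quarantine_role(iam, role_name):
    """Inline explicit-deny policy; applies to the next API call made with the creds."""
    iam.put_role_policy(RoleName=role_name, PolicyName="QuarantineDenyAll",
                        PolicyDocument=json.dumps(DENY_ALL))
    return role_name


def respond(event, ec2, iam, sg_id):
    """Run the three actions; the returned dict is what the SNS notification carries."""
    if not is_exfiltration_finding(event):
        return None
    instance_id, role_name = parse_finding(event)
    result = {"instance": instance_id, "role": role_name, "snapshots": []}
    if instance_id:
        result["snapshots"] = snapshot_volumes(ec2, instance_id, event["detail"]["id"])
        result["security_group"] = quarantine_instance(ec2, instance_id, sg_id)
    if role_name:
        quarantine_role(iam, role_name)
    return result


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module loads without it."""
    import boto3
    return respond(event, boto3.client("ec2"), boto3.client("iam"),
                   sg_id=os.environ["QUARANTINE_SG_ID"])  # assumed env var name
```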
Remember, we gave an email address earlier; that email address will be getting an email whenever there is a finding. You can go ahead and change it, or if you want to add more email addresses, you can go to the SNS service, where you should be able to subscribe to that topic. Let's go over here. This is the GuardDuty SNS topic, and you see here there's a pending subscription for the SecOps email address. You can go ahead and add additional subscriptions also if you want. So most of the pieces are there now. What is pending is that we need an instance to attack or simulate. We don't want to use a live instance.

39. 4 7 Automatically respond to EC2 Instance Credential Abuse Part 02 of 02

For that also, I have got you covered. We have another template for testing the solution; that is another template, called compromised instance, that is going to get created in your account. We're going to create a fresh EC2 instance with some roles which can be used for simulating this deployment. I'm just going to copy this and run this command also, so that we have one more template. I probably did not copy it correctly, so let me go ahead; I just made an error while pasting it. So we are getting one more instance, or template, that is getting deployed. Let us go back to CloudFormation and see: the first one has already reached create complete. Fantastic. Let us go ahead and see our compromised instance. As I said, this is going to create a fresh VPC, an EC2 instance and an IAM role. This is going to be the IAM role; we will come back and check this IAM role in a moment. Right now, this role has an EC2 SSM policy and also an S3 read-only policy, so basically you can run some commands like aws s3 ls and get some objects from certain buckets only. Since we are doing a demo, I have not given too many permissions to this role. In real life,
you might have more permissions on that role, which can simulate a compromised scenario. So let us wait for our EC2 instance to spin up. Once it is spun up, you should have an IP address in the Outputs section. We have an instance profile role getting created. Remember one more thing: while this is running, let us quickly go into a little bit of verifying the security breach. GuardDuty, once again, is going to take some time to identify the kind of event and report it back as a finding, and then the event itself. What I'm trying to say is that it's not going to be real time. If you try to exfiltrate the data and then immediately go and look at the GuardDuty console, you're not going to see the finding immediately. It is going to take at least five minutes, going by what my experimentation has shown. Sometimes it takes as much as 20 minutes for the first finding; sometimes it takes five minutes for the first finding, and then it is going to take some time to trigger and show it on the console itself. So if you're not seeing it immediately, just give it some time; it does happen. But once it happens, it's going to keep adding to the count of the findings. Say it finds the same finding happening two or three times; for example, if the same IAM role is on multiple instances and the hacker is compromising the same instance three or four times, you'll have multiple findings for the same activity. Let us go ahead and check our EC2 instance: it's created, and the deployment is still in create in progress. I'm going to wait for the instance to come up online; it's still in pending state. You can see here the security group is currently a compromised-instance security group. Let's go and check the inbound rules: as of now it is open to the world.
Once our automation kicks in, once there is a finding, we should find the security group changed into a quarantine security group, and this role that we have right now will also be attached with a deny policy. Those are the two things that we're expecting to happen. So we have the instance up and running. Let me just go ahead and check if the stack is completed. Fantastic. So we can go ahead and simulate the next actions. We need to connect to the instance, and if you see here, I have not created a key pair, so connecting to this instance is going to be interesting, because if you have been following me, you know that you can connect to an Amazon Linux instance using Session Manager if you have the SSM permissions given here. So we'll hit Connect, and then you have EC2 Instance Connect or Session Manager. I'm going to use Session Manager here, and it is going to give you a shell. Let me just jump into a bash shell, and then let us go ahead and run the remaining steps. If you're interested in knowing what is happening in the background, you can just go ahead and check out the user data field also: the commands that we have run in the console, the same things will be in the log file also. But anyway, I'm just going to run them again. So we need the role name. We're going to run this command here and find out what the role is. So we have the role name; this is the role name that is used on this instance, and you can find the same role name here in the console also, under the EC2 compromised instance. So we found out the role name. It is assumed that we are the hackers now; we'll just try to find out what is attached to this instance and what privileges are there. What we're going to do now is, for the role name, we're going to create a session. I'm setting a session with that role name.
If you basically echo the session right now, which is shown here, it will give you an output which looks like secret key, access key and token. That's what I'm going to simulate now. I'm going to echo the session, and you can see here there is an access key, there is a secret key, and there is also a token. Let us copy these credentials and go to a notepad so that we can go ahead and edit them there. I'm just going to copy this whole thing and go to my editor here. What we're going to do now, if you go back to our tutorial, is take these values, that is, access key, secret key and token, and we're going to simulate an aws s3 ls command and try to see whether we can trigger a GuardDuty finding. So I'm going to take this one here; this is my access key, just for this one. This is my secret key, and this will be my token. So now we have our access key, secret key and token. Let me set my local variables first. I'm going to copy-paste my access key and secret key, and now I'm going to copy-paste my token also. Now I want to verify that my values are set correctly, so I'm going to verify my identity. We can do that by using this command, and if we have done it correctly, we should be getting the role name back. Here you see the role name. So as a hacker, now I have a working STS identity, so I can do something like aws s3 ls. Remember, this role has privileges to get a list of bucket objects also, so I can go ahead and read objects inside the bucket. I can run something like aws s3 ls, and then I'm just going to go ahead and list the objects in this bucket; it's showing all the objects. So this action is basically: now I am a hacker who has access to an S3 bucket that is in my account, because the credentials on the EC2 instance are compromised.
This action of triggering a request will trigger a GuardDuty finding, that GuardDuty finding will trigger my EventBridge rule, and that EventBridge rule will also trigger the Step Function. So let us wait for a few minutes so that the GuardDuty finding can happen, and then the remediation; then we'll go ahead and check whether those remediation actions that we're expecting to happen actually happen. Since this is going to be an automation, I'm just going to unset this identity later. If you are doing it in your primary terminal, you can just go ahead and unset those variables so that they do not get in the way of your work. Let me go to my GuardDuty and refresh my screen to check if there is a credential exfiltration finding. You see, here there are only Stealth IAM user findings so far, all of them from a few hours ago; none of them is talking about credential exfiltration. We should be seeing one soon. There we go, guys; we finally have the finding that we have been waiting for, and it took about 23 minutes for the finding to happen. Let us go ahead and check whether our Step Function has triggered, and then we can go ahead and continue from there. I'm going to go ahead and check the execution here; so far, the execution has not happened. Let us wait for a few more minutes, because this is going to go into our EventBridge and EventBridge will trigger the Step Function. I'm just going to wait for some time for the Step Function to trigger. We can see here there's an execution that is running, and I'm going to check what the progress of this execution is. There's a snapshot that has been triggered; I'm just going to go ahead and check whether my snapshot has been triggered. You can see here that there's a quarantine instance snapshot that has been triggered.
Likewise, my instance will also have a security group attached, and you can see here there's a security group attached which has no inbound and no outbound rules. Likewise, if my execution is complete, we should also have this role with the deny policy attached to it. Let's go ahead and check the deny policy. You can see the deny policy here; let us go ahead and check it, and you can see here all the deny permissions. Let us go back to the Step Function and see if the execution state has ended up complete. The snapshot is going to take some time; as you know, it takes a few minutes for the snapshot to complete, and once the snapshot is complete, you will also have a green state there. So that is how you go ahead and quarantine an instance which has already been compromised through this particular mechanism of credential exfiltration. If you have a better way of doing a response for this kind of scenario, go ahead and put it in the comments or send a pull request with your improved code; we can all learn from each other. Until then, thanks for watching. Happy learning.