Register for Holidaze, win $20,000+ in prizes!


Infrastructure Protection: AWS Security in Q4 2023 – Part 3

We hope the last 2 blogs around AWS security series offered valuable insights into the latest releases of AWS Security features/services, particularly in the IAM domain and detective controls . Continuing the series, Part-3 around Infrastructure Protection in AWS that were released in the last quarter.

Infrastructure protection is a great challenge for organizations when assets are mostly digital. However, AWS is a way forward in optimizing its features and help every organization and its teams to utilize its services most effectively, extending its support for every new leading technology. On the other hand, it becomes easy for these enterprises to safeguard against potential threats and increase their chances of survival with enhanced security protocols. Here’s an overview of how AWS infrastructure protection can help you in every way possible.

Security Recommendations for Infrastructure Protection – Provided by Amazon CloudFront

You can now better protect your CloudFront distributions with AWS WAF security recommendations in the CloudFront console. CloudFront conveniently displays additional security rules for your distributions based on elements of your CloudFront configuration. Meanwhile including path patterns or your origin type. Simply select the rules you’d like to enable and CloudFront automatically adds those rules to your AWS WAF configuration, which is a part of infrastructure protection.

CloudFront has launched one-click security protections to handle creating and configuring AWS WAF for you with out-of-the-box protections. Further, you will see additional recommendations based on your CloudFront configuration.

For example, if you have configured a cache behavior with a WordPress path pattern, you can enable protections that block malicious request patterns associated with the exploitation of vulnerabilities specific to WordPress, PHP, and SQL databases.

In addition to help protect against HTTP floods, we’ve added a guided workflow to rate limit requests when they are coming at too fast a rate. The workflow starts in monitor mode to capture metrics, tells you if your rate was exceeded. Subsequently including how often and by how much, and allows you to adjust the rate or enable blocking without leaving the CloudFront console.

CloudFront security recommendations are now available in the Web Application Firewall (WAF) section of the CloudFront console. These can be used to configure new or existing CloudFront distributions thereby optimizing infrastructure protection. Standard pricing for AWS WAF applies. You can estimate the price of AWS WAF security protections using the built-in pricing calculator when making your selection in the CloudFront console.

Infrastructure Protection Wing Supports JA3 Fingerprint Match

AWS WAF now supports JA3 match, enabling customers to inspect incoming requests’ JA3 fingerprints. Customers can use the JA3 match to implement custom logic to block malicious clients or allow requests from expected clients only.

Customers could already use WAF match conditions to inspect the contents of request headers and compare its origin against the provided criteria. As customers strive to enhance their security measures, they have asked for SSL/TLS inspection capabilities, so they can detect specific fingerprints within encrypted traffic.

Now, WAF customers can use JA3 match to analyze unique TLS handshake characteristics. Moreover, JA3 match allows you to inspect SSL/TLS fingerprints in the form of 32-character hash fingerprint of the TLS Client Hello packet of an incoming request.

The fingerprint encapsulates information about how the client communicates and can be used by customers to detect clients that share the same pattern. For instance, you can create a rule that inspects the JA3 fingerprint. It triggers a rule action if it matches a known malicious fingerprint associated with previous attacks.

AWS Firewall Manager supports referencing of Security Groups within Infrastructure Protection

AWS Firewall Manager supports referencing of security groups. This is as part of its security group common policies. With this feature, customers can update the inbound or outbound rules for the Firewall Manager primary security groups. Thus, these are to reference security groups in the peered VPC. This allows traffic to flow to and from instances that are associated with the referenced security group in the peered VPC.

AWS Firewall Manager is a security management service. It enables customers to centrally configure and manage firewall rules across their accounts and resources. Using AWS Firewall Manager, customers can manage AWS WAF rules, AWS Shield Advanced protections, AWS Network Firewall, R53 Resolver DNS Firewall and VPC security groups across their entire AWS Organizations.

AWS Network Load Balancer (NLB) availability and performance capabilities to enhance your Infrastructure Protection

AWS Network Load Balancer (NLB) supports Availability Zone DNS affinity, disable connection termination for unhealthy targets, and UDP connection termination by default.

Availability Zonal DNS affinity: This capability resolves DNS such that clients resolving the NLB DNS receive the load balancer IP addresses in the same Availability Zone (AZ) they are in. In addition, It enables customers to build zonally independent application stacks and improve application performance by reducing latency. You still can build your application across multiple AZs for redundancy.

Disable connection termination for unhealthy targets: NLB terminates established connections to targets that fail health checks by default. With this feature, you can choose to maintain or terminate active connections to targets that fail health checks. By disabling the default NLB behavior, you can prevent client reconnect storms in the event of an outage.

UDP connection termination by default: NLB now terminates UDP connections at the end of the deregistration timeout by default for newly created UDP target groups from today. Prior to this change, UDP connections remained open resulting in the overhead of having to maintain large connection pools for your application. With this new feature, you can gracefully terminate long lived UDP connections improving the performance of your application.

AWS Systems Manager Patch Manager supports additional MacOS and Linux versions

Patch Manager, a capability of AWS Systems Manager, supports instances running Red Hat Enterprise Linux (RHEL) 8.8, MacOS Monterey, and MacOS Ventura. Patch Manager enables you to automatically patch instances with both security-related and other types of updates across your infrastructure protection for a variety of common operating systems. Further including Windows Server, Amazon Linux, and Red Hat Enterprise Linux (RHEL).

Amazon EKS allows modification of cluster subnets and security groups to Customize your Infrastructure Protection

Customers can update the subnets and security groups associated with their existing Amazon Elastic Kubernetes Service (EKS) clusters. This additional cluster management flexibility makes it simpler for cluster administrators to stay in sync with changes made to Amazon Virtual Private Cloud (VPC) resources.

However, EKS clusters run on Amazon VPC networks, providing a performant and secure environment for running Kubernetes applications. As part of this model, cluster administrators must specify VPC subnets and security groups during cluster creation. Subsequently these are used to enable secure communication between the EKS managed Kubernetes control plane and customer applications.

When changes are made to underlying VPC resources, existing EKS clusters can now be updated to stay in sync without the need to create new clusters.

AWS Network Firewall supports egress TLS inspection in Two Regions

AWS Network Firewall supports egress Transport Layer Security (TLS) inspection. In other words, enabling customers to strengthen their security posture on AWS by improving visibility into encrypted outbound VPC traffic. You can use AWS Network Firewall to decrypt, inspect, and re-encrypt outbound TLS traffic destined for the internet, another VPC, or another subnet.

AWS Network Firewall is a managed firewall service in infrastructure protection. The firewall makes it easy to deploy essential network protections for all your Amazon VPCs. With this feature, customers of all sizes and industries can inspect outbound traffic. That is to say – for malicious content, detect policy violations, or scan for sensitive data leaving their network.

TLS traffic decryption also helps customers meet regulatory and business compliance requirements by providing visibility and auditing capabilities for encrypted traffic. For example, financial institutions can monitor outbound encrypted traffic to prevent unauthorized transmission of sensitive data. This includes credit card numbers or bank account information, reducing the risk of data breaches and regulatory penalties.

Egress TLS inspection is available in AWS Israel (Tel Aviv) Region and Europe (Ireland) Region. Ingress TLS inspection is supported in all AWS Regions where AWS Network Firewall is available.

Unified security dashboard for Infrastructure Protection within AWS CloudFront

With the new security dashboard, you can now enable, monitor, and manage common security protections for your web applications directly from the Amazon CloudFront console. It is built for customers that need unified management of their application delivery and security. 

Furthermore, the interactive security dashboard brings AWS WAF visibility and controls directly to your CloudFront distribution. In addition gaining visibility into your application’s top security trends, allowed and blocked traffic, and bot activity. Investigative tools like a visual log analyzer and built-in blocking controls make it easy to isolate traffic patterns. These will also block traffic without querying logs or writing security rules.

The CloudFront security dashboard is designed to make it simple and convenient to enable common security protections, monitor and investigate traffic, and mitigate traffic anomalies and threats. The unified experience centers around high-level workflows. Thus, enabling you to focus on making decisions and taking actions inline without writing security rules.

The CloudFront security dashboard is now available in the CloudFront console. Standard pricing for AWS WAF and Amazon CloudWatch apply. You can estimate the price of AWS WAF security protections or Amazon CloudWatch logs using built-in pricing calculators when making selections. Additional insights and configuration are available in the AWS WAF console.

New dashboards in AWS Web Application Firewall for Layered Infrastructure Protection

Firstly, You have access to new dashboards in the WAF console to enable you to better monitor your traffic. These dashboards are available by default and require no additional setup. New dashboards leverage CloudWatch metrics and highlight metrics such as total requests, blocked requests, allowed requests, bots vs non bot requests, bot categories, CAPTCHA solve rate, top 10 matched rules and more, on a per-Web ACL basis.

These dashboards provide enhanced visibility into infrastructure protection and help with answering questions. The question types are

  • What percent of my WAF inspected traffic is getting blocked?
  • What are the top originating countries for the traffic that’s getting blocked?
  • How do my traffic and traffic patterns from this week compare with last week’s?

To access the new dashboards as part of infrastructure protection, go to the AWS WAF console and click on Web ACLs in the left navigation bar. From there, you can click on any Web ACL to see dashboards specific to that Web ACL. Here you will be able to see two dashboards across two tabs (‘All traffic’ and ‘Bot Control’).

You will see up to two additional tabs if you are using either of the two AWS WAF Fraud Control managed rule groups. You can analyze the dashboards further by viewing them in CloudWatch.

Amazon CodeCatalyst now supports Terraform

AWS supports Terraform within Amazon CodeCatalyst. This launch allows you to provision infrastructure using Terraform within a CodeCatalyst workflow. A workflow is an automated procedure that describes how to build, test, and deploy your code as part of a continuous integration and continuous delivery (CI/CD) system.

A workflow defines a series of steps, or actions, to take during a workflow run. As a result, this launch allows you to add a Terraform action to your workflow, providing a way to create or update infrastructure as defined in a .tf file.

Until now, custom action scripting was required to utilize Terraform within a workflow. However, with the new action, there’s a clear and easy way to utilize Terraform for Infrastructure as Code within CodeCatalyst.

AWS Wickr now provides access to guest users

AWS Wickr allows your Wickr network users to interact with individuals outside your organization. Anyone can sign-up for a Wickr guest account with their email address. You can also participate in secure conversations that are initiated by licensed Wickr network users. Wickr administrators can enable or disable the guest user feature for individual security groups in the Wickr admin console.

Wickr is an end-to-end encrypted messaging and collaboration service with features designed to help keep your communications secure, private, and compliant. AWS Wickr protects one-to-one and group messaging, voice and video calling, file sharing, screen sharing, and location sharing with 256-bit encryption.

The guest user feature strengthens your ability to collaborate with people outside of your organization, while protecting sensitive data. Both internal and external communications in a Wickr network can be logged to a private data store. And you can manage for data retention and auditing purposes.

EC2 Security group connection tracking adds support for configurable idle timeouts

AWS announced a new EC2 capability to configure idle timeouts for instance connection tracking. This will allow customers to manage their instance’s connection tracking resources. It is providing them the ability to configure optimal timeouts to manage connection scale. EC2 utilizes Connection Tracking (conntrack) to implement Security Groups and to enforce rules.

With this new feature, idle timeouts for connections in the TCP Established, UDP stream and UDP unidirectional sessions on EC2 instances are now configurable on a per Elastic Network Interface (ENI) basis. After that, these can be edited from their default timeout settings. Prior to today, all idle connections in TCP and UDP states were tracked for a pre-defined default period.

Certainly, customer workloads utilize their connection tracking allowance on EC2 inefficiently because they have a high number of orphaned or idle connections. For TCP connections, if an EC2 instance does not send or receive a FIN or RST, the connections can stay idle for up to 5 days.

Similarly for DNS heavy workloads using UDP streams, customers can prevent connecting tracking exhaustion by configuring shorter idle timeouts. By specifying ‘tcp-established’, ‘udp-stream’, ‘udp-timeout’ timeout values for the ENIs attached to an instance. EC2 will now purge these sessions at the specified timeout value.

Application Load Balancer can authenticate X.509 certificate based identities with Mutual TLS support

Application Load Balancer (ALB) supports Mutual TLS enabling you to authenticate clients while establishing TLS encrypted connections.

Mutual TLS for ALB provides two different options for validating your X.509 client certificates. Using ALB’s Mutual TLS passthrough mode, ALB will send the entire client certificate chain to the target using HTTP headers. Further enabling you to implement relevant authentication and authorization logic in your application. 

Alternatively, if you are using Mutual TLS verify mode, you can offload the X.509 client certificate authentication to the ALB when negotiating TLS connections. You can authenticate clients from any third-party Certificate Authority (CA) or the AWS Private Certificate Authority (PCA). Also, you can optionally enable revocation checks to restrict access for compromised client certificates.

You can get started by configuring Mutual TLS on ALB using AWS APIs or the AWS Management Console. For passthrough mode, you can simply configure the listener to accept any certificate(s) from the client. For verify mode, you will need to create a new Trust Store (TS) resource, upload your CA bundle and revocation lists. Now, attach the TS to your listener that is configured to verify client certificates.

Amazon Inspector agentless vulnerability assessments for Amazon EC2 now in preview

Amazon Inspector now offers continuous monitoring of your Amazon EC2 instances for software vulnerabilities without installing an agent or additional software. Currently, Amazon Inspector leverages the widely deployed AWS Systems Manager (SSM) Agent. This is to assess your EC2 instances for third-party software vulnerabilities which is a part of infrastructure protection.

With this new capability, you can expand your vulnerability assessment coverage across your EC2 infrastructure with Amazon Inspector agentless. It scans for EC2 instances that do not have SSM Agents installed or configured. For agentless scanning, Amazon Inspector takes snapshots of EBS volumes to collect software application inventory from the instances to perform vulnerability assessments.

Once you enable EC2 scanning within Amazon Inspector, it automatically discovers all your EC2 instances. Subsequently it starts evaluating them for software vulnerabilities. Customers can enable agentless scanning by simply visiting the EC2 settings page. This settings page is within the Amazon Inspector console and then select hybrid scan mode.

In hybrid scan mode, Amazon Inspector relies on SSM Agents to collect information from instances to perform vulnerability assessments. It automatically switches to agentless scanning for instances that do not have SSM Agents installed or configured.

Amazon Inspector is a vulnerability management service within infrastructure protection. It continually scans AWS workloads for software vulnerabilities, code vulnerabilities, and unintended network exposure across your entire AWS Organization.

Amazon Inspector enhances container image security by integrating with developer tools

Amazon Inspector now integrates with leading developer tools like Jenkins and TeamCity for container image assessments. This integration allows developers to assess their container images for software vulnerabilities within their CI/CD tools. As a result, it pushes security earlier in the software development lifecycle.

In addition, assessment findings are conveniently available within the CI/CD tool’s dashboard. Thus, allowing developers to take automated actions in response to critical security issues. These include blocking builds or image pushes to container registries.

Moreover, you can use this feature by simply installing the Amazon Inspector plugin from your CI/CD tool marketplace. Then adding a step for Amazon Inspector scan in your build pipeline without needing to activate the Amazon Inspector service. But provided you have an active AWS account. This feature works with CI/CD tools hosted anywhere, in AWS, on-premises, or hybrid clouds. In short, providing consistency for developers to use a single solution across all their development pipelines.

Once activated, Amazon Inspector automatically discovers all of your Amazon Elastic Compute Cloud (EC2) instances, container images in Amazon Elastic Container Registry (ECR) and CI/CD tools, and AWS Lambda functions, at scale. It continuously monitors them for known vulnerabilities, giving you a consolidated view of vulnerabilities across your computing environments.

By following above all instances and protocols, one can optimize their infrastructure protection to the next-level. To make it happen, RiskProfiler is here to guide you with 360-degree assurance and support.