🔒 Security Posture
Level: Advanced
Solves: Design and implement a comprehensive security strategy for enterprise AWS environments
🎯 Outcomes
After applying the material on this page, you will be able to:
- Design a Defense-in-Depth strategy with multiple security layers
- Deploy Security Hub for centralized aggregation of security findings
- Configure GuardDuty for threat detection and automated response
- Apply WAF rules for application-level protection
- Implement auto-remediation for common security findings
- Build security monitoring with dashboards and alerting
✅ When to use
| Security Tool | Use Case | Reason |
|---|---|---|
| Security Hub | Centralized findings | Aggregates findings from all security services |
| GuardDuty | Threat detection | ML-based, managed, low overhead |
| WAF | Web app protection | OWASP Top 10, bot mitigation |
| Shield Advanced | DDoS protection | High-traffic, critical apps |
| Macie | Sensitive data discovery | PII, compliance requirements |
| Inspector | Vulnerability scanning | EC2, Lambda, ECR |
❌ When NOT to use
| Pattern | Problem | Alternative |
|---|---|---|
| Enable everything without tuning | Alert fatigue, noise | Start small, tune gradually |
| WAF block-all approach | Blocks legitimate traffic | Monitor first, then block |
| Auto-remediate production | Unexpected changes | Manual approval for prod |
| Ignore low findings | May escalate | Review and accept/fix |
⚠️ Warning from Raizo
"A team enabled GuardDuty and Security Hub but did not set up alerting. At a review 3 months later, they discovered 500+ critical findings that had been there since day 1. Security tools are meaningless if nobody looks at them."
Defense in Depth
Security Layers
┌─────────────────────────────────────────────────────────────────┐
│ DEFENSE IN DEPTH │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Layer 1: PERIMETER │ │
│ │ • WAF, Shield, CloudFront │ │
│ │ • DDoS protection, Bot mitigation │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Layer 2: NETWORK │ │
│ │ • VPC, Security Groups, NACLs │ │
│ │ • Network segmentation, Private subnets │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Layer 3: IDENTITY │ │
│ │ • IAM, SSO, MFA │ │
│ │ • Least privilege, Role assumption │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Layer 4: APPLICATION │ │
│ │ • Input validation, Output encoding │ │
│ │ • Secrets management, Secure coding │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Layer 5: DATA │ │
│ │ • Encryption at rest/transit │ │
│ │ • Data classification, Access controls │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
Threat Modeling for Cloud
STRIDE Framework
| Threat | Description | AWS Mitigation |
|---|---|---|
| Spoofing | Impersonating identity | IAM, MFA, SSO |
| Tampering | Modifying data | Encryption, integrity checks |
| Repudiation | Denying actions | CloudTrail, logging |
| Information Disclosure | Exposing data | Encryption, access controls |
| Denial of Service | Disrupting service | Shield, WAF, Auto Scaling |
| Elevation of Privilege | Gaining unauthorized access | Least privilege, boundaries |
Cloud-Specific Threats
┌─────────────────────────────────────────────────────────────────┐
│ CLOUD-SPECIFIC THREAT MODEL │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. CREDENTIAL EXPOSURE │
│ • Hardcoded secrets in code │
│ • Leaked access keys │
│ • Overly permissive IAM policies │
│ Mitigation: Secrets Manager, IAM Access Analyzer │
│ │
│ 2. MISCONFIGURATION │
│ • Public S3 buckets │
│ • Open security groups │
│ • Disabled encryption │
│ Mitigation: Config Rules, Security Hub │
│ │
│ 3. LATERAL MOVEMENT │
│ • Compromised instance → other resources │
│ • Cross-account access abuse │
│ Mitigation: Network segmentation, least privilege │
│ │
│ 4. DATA EXFILTRATION │
│ • Unauthorized data access │
│ • DNS tunneling │
│ Mitigation: VPC endpoints, Macie, GuardDuty │
│ │
└─────────────────────────────────────────────────────────────────┘
AWS Security Hub
Architecture
Security Standards
| Standard | Focus | Use Case |
|---|---|---|
| AWS Foundational | AWS best practices | All workloads |
| CIS AWS Foundations | CIS benchmarks | Compliance |
| PCI DSS | Payment card security | Financial |
| NIST CSF | Cybersecurity framework | Government |
Finding Severity
┌─────────────────────────────────────────────────────────────────┐
│ SECURITY HUB SEVERITY LEVELS │
├─────────────────────────────────────────────────────────────────┤
│ │
│ CRITICAL (90-100) │
│ • Immediate action required │
│ • Active exploitation possible │
│ • Example: Public S3 bucket with sensitive data │
│ │
│ HIGH (70-89) │
│ • Address within 24 hours │
│ • Significant security risk │
│ • Example: Root account without MFA │
│ │
│ MEDIUM (40-69) │
│ • Address within 1 week │
│ • Moderate security risk │
│ • Example: Unused IAM credentials │
│ │
│ LOW (1-39) │
│ • Address in next sprint │
│ • Minor security improvement │
│ • Example: Missing resource tags │
│ │
└─────────────────────────────────────────────────────────────────┘
Amazon GuardDuty
Threat Detection Categories
┌─────────────────────────────────────────────────────────────────┐
│ GUARDDUTY FINDING TYPES │
├─────────────────────────────────────────────────────────────────┤
│ │
│ EC2 Findings: │
│ ├── Backdoor:EC2/DenialOfService.Tcp │
│ ├── CryptoCurrency:EC2/BitcoinTool.B │
│ ├── Trojan:EC2/BlackholeTraffic │
│ └── UnauthorizedAccess:EC2/SSHBruteForce │
│ │
│ IAM Findings: │
│ ├── CredentialAccess:IAMUser/AnomalousBehavior │
│ ├── PenTest:IAMUser/KaliLinux │
│ └── UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B │
│ │
│ S3 Findings: │
│ ├── Policy:S3/BucketAnonymousAccessGranted │
│ ├── Exfiltration:S3/MaliciousIPCaller │
│ └── Discovery:S3/MaliciousIPCaller │
│ │
│ Kubernetes Findings: │
│ ├── CredentialAccess:Kubernetes/MaliciousIPCaller │
│ ├── Execution:Kubernetes/ExecInKubeSystemPod │
│ └── PrivilegeEscalation:Kubernetes/PrivilegedContainer │
│ │
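└─────────────────────────────────────────────────────────────────┘
Auto-Remediation Example
```python
import ipaddress

import boto3

NACL_ID = 'acl-xxx'  # placeholder: NACL of the affected subnet
TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789012:security-alerts'


def lambda_handler(event, context):
    """Auto-remediate GuardDuty findings (invoked with the EventBridge event)."""
    finding = event['detail']
    finding_type = finding['type']

    if finding_type.startswith('UnauthorizedAccess:EC2/SSHBruteForce'):
        # Only act when the instance is the target; for ACTOR findings the
        # remote IP is the victim, not the attacker.
        if finding['service'].get('resourceRole') != 'TARGET':
            return {'statusCode': 200}

        # Block the attacking IP
        instance_id = finding['resource']['instanceDetails']['instanceId']
        remote = finding['service']['action']['networkConnectionAction']['remoteIpDetails']
        # Validate the address before building a CIDR from finding data
        attacker_ip = str(ipaddress.IPv4Address(remote['ipAddressV4']))

        ec2 = boto3.client('ec2')
        # Rule numbers must be unique per NACL: take the lowest free ingress
        # number in a block reserved for deny rules (assumption: 100-199,
        # with allow rules numbered above it so the deny is evaluated first).
        acl = ec2.describe_network_acls(NetworkAclIds=[NACL_ID])['NetworkAcls'][0]
        used = {e['RuleNumber'] for e in acl['Entries'] if not e['Egress']}
        rule_number = next(n for n in range(100, 200) if n not in used)

        # Add NACL rule to block attacker
        ec2.create_network_acl_entry(
            NetworkAclId=NACL_ID,
            RuleNumber=rule_number,
            Protocol='-1',
            RuleAction='deny',
            Egress=False,
            CidrBlock=f'{attacker_ip}/32'
        )

        # Notify security team
        sns = boto3.client('sns')
        sns.publish(
            TopicArn=TOPIC_ARN,
            Message=f'Blocked SSH brute force attacker {attacker_ip} targeting {instance_id}',
            Subject='GuardDuty Auto-Remediation'
        )

    return {'statusCode': 200}
```
AWS WAF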
Rule Groups
┌─────────────────────────────────────────────────────────────────┐
│ WAF RULE STRATEGY │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Priority Order (evaluated top to bottom): │
│ │
│ 1. IP Reputation (AWS Managed) │
│ • Block known malicious IPs │
│ • Amazon IP reputation list │
│ │
│ 2. Rate Limiting │
│ • 2000 requests per 5 minutes per IP │
│ • Prevent DDoS and brute force │
│ │
│ 3. Bot Control (AWS Managed) │
│ • Block bad bots │
│ • Allow good bots (Googlebot, etc.) │
│ │
│ 4. SQL Injection (AWS Managed) │
│ • SQLi attack patterns │
│ • Common injection strings │
│ │
│ 5. XSS (AWS Managed) │
│ • Cross-site scripting patterns │
│ • Script injection attempts │
│ │
│ 6. Custom Rules │
│ • Application-specific patterns │
│ • Geo-blocking if needed │
│ │
│ 7. Default Action: ALLOW │
│ │
└─────────────────────────────────────────────────────────────────┘
WAF Rule Example
```json
{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/api/",
          "FieldToMatch": {
            "UriPath": {}
          },
          "TextTransformations": [
            {
              "Priority": 0,
              "Type": "LOWERCASE"
            }
          ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitRule"
  }
}
```
Security Monitoring Dashboard
Key Metrics
| Metric | Source | Alert Threshold |
|---|---|---|
| Critical Findings | Security Hub | > 0 |
| High Severity Findings | Security Hub | > 5 |
| GuardDuty Findings | GuardDuty | > 0 |
| Failed Login Attempts | CloudTrail | > 10/hour |
| Root Account Usage | CloudTrail | > 0 |
| WAF Blocked Requests | WAF | Spike detection |
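The two CloudTrail thresholds in the table above, evaluated over a batch of events. This is an added example, not code from the original page: `evaluate_cloudtrail` and `sample_login` are hypothetical helper names, and the sample events are constructed.

```python
from collections import Counter

FAILED_LOGINS_PER_HOUR = 10   # table: Failed Login Attempts > 10/hour
ROOT_EVENTS_ALLOWED = 0       # table: Root Account Usage > 0


def evaluate_cloudtrail(events):
    """Return alert dicts for failed-login bursts and any root activity."""
    failed_per_hour = Counter()
    root_events = []
    for ev in events:
        identity = ev.get("userIdentity") or {}
        if identity.get("type") == "Root":
            root_events.append((ev["eventTime"], ev["eventName"]))
        outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
        if ev.get("eventName") == "ConsoleLogin" and outcome == "Failure":
            # eventTime is ISO 8601 UTC; its first 13 characters are the hour bucket
            failed_per_hour[ev["eventTime"][:13]] += 1

    alerts = []
    for hour, count in sorted(failed_per_hour.items()):
        if count > FAILED_LOGINS_PER_HOUR:
            alerts.append({"rule": "failed-logins", "hour": hour, "count": count})
    if len(root_events) > ROOT_EVENTS_ALLOWED:
        alerts.append({"rule": "root-usage", "events": root_events})
    return alerts


def sample_login(minute, ok, who="IAMUser"):
    """Build one constructed ConsoleLogin event (sample data, not a real log)."""
    return {
        "eventTime": f"2024-05-01T09:{minute:02d}:00Z",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": who},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
    }


# Constructed sample: 11 failed logins in the 09:00 hour, then one root login.
SAMPLE_EVENTS = [sample_login(m, ok=False) for m in range(11)]
SAMPLE_EVENTS.append(sample_login(30, ok=True, who="Root"))

if __name__ == "__main__":
    for alert in evaluate_cloudtrail(SAMPLE_EVENTS):
        print(alert)
```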
Best Practices Checklist
- [ ] Enable Security Hub with all standards
- [ ] Enable GuardDuty in all regions
- [ ] Configure WAF for public-facing applications
- [ ] Enable Shield Advanced for DDoS protection
- [ ] Implement automated remediation for common findings
- [ ] Conduct regular security assessments
- [ ] Review and rotate credentials regularly
- [ ] Enable Macie for sensitive data discovery
⚖️ Trade-offs
Trade-off 1: Security Strictness vs Operational Agility
| Approach | Security | Agility | Best For |
|---|---|---|---|
| Block-first WAF | High | Low | Financial, healthcare |
| Monitor-first WAF | Medium | High | E-commerce, startups |
| Auto-remediate all | High | Low | Non-production |
| Manual review | Medium | Adjustable | Production |
Trade-off 2: Security Tool Coverage vs Cost
| Tool | Monthly Cost (rough) | Value |
|---|---|---|
| Security Hub | $0.0010/finding | Central visibility |
| GuardDuty | $4/GB analyzed | Threat detection |
| Macie | $1/GB scanned | PII discovery |
| Inspector | $0.15/assessment | Vulnerability scan |
| Shield Advanced | $3,000/month | DDoS protection |
Recommended priority:
- Security Hub + GuardDuty (baseline)
- WAF (public apps)
- Inspector (compute)
- Macie (if you have PII)
- Shield Advanced (high-profile targets)
Trade-off 3: Finding Volume vs Actionability
| Severity Filter | Findings/day | Actionable % | Team Load |
|---|---|---|---|
| Critical only | 1-5 | 90%+ | Low |
| High + Critical | 10-50 | 70% | Medium |
| All severities | 100-500 | 30% | Very High |
🚨 Failure Modes
Failure Mode 1: Alert Fatigue Leading to Missed Threats
🔥 Real-world incident
The security team received 300 alerts/day. A real credential compromise finding was missed for 2 weeks. The attacker exfiltrated customer data. $5M breach cost + reputation damage.
| How to detect | How to prevent |
|---|---|
| Alert response time > 24h | Tiered alerting (Critical = PagerDuty) |
| High suppress/snooze rate | Tune rules, reduce noise |
| Team burnout | Automate low-severity responses |
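Tiered alerting from the table above, driven by the Security Hub severity bands and response windows listed earlier on this page. This is an added example, not code from the original page: the route names are hypothetical, the sample findings are constructed, and "immediate" is modelled as a zero-hour window and "next sprint" as 14 days.

```python
from datetime import datetime, timedelta, timezone

# (score floor, label, route, response window) per the severity levels on this page.
# Route names and the 0 h / 14 day windows are assumptions made for this example.
TIERS = [
    (90, "CRITICAL", "pager", timedelta(0)),
    (70, "HIGH", "urgent-ticket", timedelta(hours=24)),
    (40, "MEDIUM", "ticket", timedelta(weeks=1)),
    (1, "LOW", "backlog", timedelta(days=14)),
]
CLOSED = {"RESOLVED", "SUPPRESSED"}


def classify(severity):
    """Map an ASFF Severity object to its tier, or None for informational."""
    score = severity.get("Normalized")
    for tier in TIERS:
        if score is not None and score >= tier[0]:
            return tier
        if score is None and severity.get("Label") == tier[1]:
            return tier
    return None


def triage(findings, now):
    """Return open findings with route and SLA status, most urgent first."""
    queue = []
    for f in findings:
        tier = classify(f.get("Severity", {}))
        if tier is None or f.get("Workflow", {}).get("Status") in CLOSED:
            continue
        created = datetime.fromisoformat(f["CreatedAt"].replace("Z", "+00:00"))
        due = created + tier[3]
        queue.append({"id": f["Id"], "severity": tier[1], "route": tier[2],
                      "overdue": now > due, "floor": tier[0], "due": due})
    queue.sort(key=lambda q: (-q["floor"], q["due"]))
    return queue


# Constructed sample findings using ASFF field names (not real data).
SAMPLE = [
    {"Id": "f-low", "Severity": {"Normalized": 20}, "CreatedAt": "2024-05-01T00:00:00Z"},
    {"Id": "f-high", "Severity": {"Label": "HIGH"}, "CreatedAt": "2024-05-01T00:00:00Z"},
    {"Id": "f-crit", "Severity": {"Normalized": 95}, "CreatedAt": "2024-05-02T12:00:00Z"},
    {"Id": "f-done", "Severity": {"Normalized": 95}, "CreatedAt": "2024-05-01T00:00:00Z",
     "Workflow": {"Status": "RESOLVED"}},
]
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
```

`triage(SAMPLE, NOW)` returns the open findings in paging order; the resolved critical finding is dropped rather than re-alerted.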
Failure Mode 2: WAF False Positives
| How to detect | How to prevent |
|---|---|
| User complaints | Count mode first, block later |
| Business metrics drop | Monitor block rate vs conversions |
| Legitimate traffic blocked | Regular rule review |
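"Count mode first, block later" as a log review: this added example (not code from the original page) summarises what a rule would have blocked, using AWS WAF log records written while the rule runs with a Count action. The log lines are constructed, `known_good` is a hypothetical list of clients that must never be blocked, and the rule name is the `RateLimitRule` from the WAF example on this page.

```python
import json
from collections import Counter


def count_mode_report(log_lines, rule_id, known_good=()):
    """Summarise what `rule_id` would have blocked while it only counts."""
    total = 0
    by_ip, by_uri = Counter(), Counter()
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        total += 1
        # Count-mode matches are logged as non-terminating rule matches
        counted = any(
            m.get("ruleId") == rule_id and m.get("action") == "COUNT"
            for m in rec.get("nonTerminatingMatchingRules", [])
        )
        if counted:
            req = rec.get("httpRequest", {})
            by_ip[req.get("clientIp", "unknown")] += 1
            by_uri[req.get("uri", "unknown")] += 1
    would_block = sum(by_ip.values())
    return {
        "total": total,
        "would_block": would_block,
        "would_block_rate": would_block / total if total else 0.0,
        "top_ips": by_ip.most_common(3),
        "top_uris": by_uri.most_common(3),
        # Known-good clients that matched: resolve these before using Block
        "known_good_hit": sorted(set(by_ip) & set(known_good)),
    }


def sample_record(ip, uri, counted):
    """Build one constructed WAF log line (sample data, not a real log)."""
    matches = [{"ruleId": "RateLimitRule", "action": "COUNT"}] if counted else []
    return json.dumps({"action": "ALLOW", "httpRequest": {"clientIp": ip, "uri": uri},
                       "nonTerminatingMatchingRules": matches})


SAMPLE_LOG = [
    sample_record("203.0.113.7", "/api/login", True),
    sample_record("203.0.113.7", "/api/login", True),
    sample_record("198.51.100.20", "/api/export", True),   # partner integration
    sample_record("192.0.2.10", "/index.html", False),
    sample_record("192.0.2.10", "/api/items", False),
]

if __name__ == "__main__":
    print(count_mode_report(SAMPLE_LOG, "RateLimitRule", known_good=["198.51.100.20"]))
```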
Failure Mode 3: Blind Spots in Coverage
| How to detect | How to prevent |
|---|---|
| New accounts without GuardDuty | Organizations-level enablement |
| New regions not monitored | Multi-region automation |
| Shadow IT resources | Regular resource discovery |
🔐 Security Baseline
Mandatory Security Services
| Service | Scope | Configuration |
|---|---|---|
| Security Hub | All accounts, all regions | CIS, AWS Foundational |
| GuardDuty | All accounts, all regions | S3, EKS protection enabled |
| CloudTrail | Organization trail | All regions, data events |
| Config | All accounts | Conformance packs |
Security Standards
| Standard | Coverage | Pass Target |
|---|---|---|
| CIS AWS Benchmark | Infrastructure | > 90% |
| AWS Foundational | Best practices | > 95% |
| PCI-DSS | Payment systems | 100% |
| SOC 2 | All production | > 85% |
Incident Response
┌─────────────────────────────────────────────────────────────────┐
│                     INCIDENT RESPONSE FLOW                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  Detection → Triage → Contain → Eradicate → Recover → Lessons   │
│      │         │         │          │          │         │      │
│      │         │         │          │          │         │      │
│  GuardDuty   5 min    Isolate   Remove      Restore   Doc       │
│  Security    SLA      affected  threat      service   PIR       │
│  Hub                  resources actor       ops                 │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
📊 Ops Readiness
Metrics to Monitor
| Metric | Source | Alert Threshold |
|---|---|---|
| Critical findings | Security Hub | > 0 |
| High findings | Security Hub | > 10 unresolved |
| GuardDuty findings | GuardDuty | Any high/critical |
| Root login | CloudTrail | > 0 |
| Failed MFA | CloudTrail | > 5/hour |
| WAF block rate | WAF | Spike > 3x |
Runbook Entry Points
| Scenario | Runbook |
|---|---|
| Critical Security Hub finding | runbook/security-hub-critical.md |
| GuardDuty high severity | runbook/guardduty-response.md |
| Compromised credentials | runbook/credential-compromise.md |
| WAF blocking spike | runbook/waf-investigation.md |
| Root account activity | runbook/root-account-investigation.md |
| DDoS attack | runbook/ddos-response.md |
✅ Design Review Checklist
Tool Coverage
- [ ] Security Hub enabled all accounts/regions
- [ ] GuardDuty enabled all accounts/regions
- [ ] WAF for all public endpoints
- [ ] Inspector for compute resources
Monitoring
- [ ] Alerting configured and routed
- [ ] Security dashboard available
- [ ] On-call rotation defined
- [ ] Escalation path documented
Response
- [ ] Incident response runbooks
- [ ] Auto-remediation for common issues
- [ ] Regular tabletop exercises
- [ ] Post-incident review process
Governance
- [ ] Security standards mapped
- [ ] Compliance score tracking
- [ ] Exception process defined
- [ ] Regular security reviews
📎 Links
- 📎 GCP Security Perimeter - Comparison with GCP's security approach
- 📎 IAM Fundamentals - Identity security foundation
- 📎 Key & Secrets Management - Secrets security
- 📎 Observability & Auditing - Security monitoring
- 📎 Terraform Security - IaC security patterns