Building a Secure Web App
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What are we building in Lab 1?
• We will set up a web application that connects to Twitter and reads information about a user
that is identified by a Twitter handle.
• This lab is broken up into 3 sections
1. Deploy an Infrastructure with baseline Security
2. Further restrict network access and implement Encryption at Rest
3. Implement Perimeter Protection and enforce Encryption in Transit
What are we building in Section 1?
• We will set up a web application that connects to Twitter and reads information about a user
that is identified by a Twitter handle.
• In this lab we want to demonstrate:
1. How to create a Virtual Private Cloud with public and private subnets
2. How to attach an Internet Gateway
3. How to set up Network Access Control Lists for subnets and security groups for EC2 instances
4. How to launch two EC2 instances from a pre-baked AMI that contains our web application
5. How to use NAT Gateways
6. How to use an Application Load Balancer
7. How to create IAM roles
You can skip the manual setup of Section 1 by running the CloudFormation template:
https://s3.amazonaws.com/security-compliance-immersion-day/ImmersionDayCF_Module1.json
Section 1
Setting up secure EC2 environment
[Architecture diagram: users reach the Application Load Balancer through the Internet Gateway; the ALB and a NAT Gateway sit in public subnet a and public subnet b; the AMI-based EC2 instances sit in private subnet a and private subnet b; everything is in one region.]
Network Access Control Lists and Security Groups
Security Group | Network ACL
Operates at the instance level (second layer of defense) | Operates at the subnet level (first layer of defense)
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic
Must be applied to an instance | Automatically applies to all instances in the subnets
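The rows of the table above are easiest to see in action with a small model. The following Python is an added example, not part of the lab material: it evaluates constructed security-group and network-ACL rule sets for the lab's private subnet 10.0.0.0/24 (instance 10.0.0.6 on port 8080) and public subnet 10.0.10.0/24 (peer 10.0.10.8, standing in for an ALB node), and shows why a stateless NACL needs an explicit outbound ephemeral-port rule while a stateful SG does not, and why only the NACL can deny a single host.

```python
import ipaddress

# Constructed rule sets. SG rules: (cidr, from_port, to_port), allow only.
# NACL rules: (number, action, cidr, from_port, to_port), evaluated by number.
SG_INBOUND = [("10.0.10.0/24", 8080, 8080)]
NACL_IN = [(100, "allow", "10.0.10.0/24", 8080, 8080),
           (90, "deny", "10.0.10.99/32", 8080, 8080)]      # lower number is tried first
NACL_OUT_MISSING = []                                      # forgot the ephemeral-port rule
NACL_OUT_FIXED = [(100, "allow", "10.0.10.0/24", 1024, 65535)]

def _match(cidr, lo, hi, ip, port):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi

def sg_allows(rules, pkt, conntrack):
    """Security group: stateful, allow-only, every rule considered (order irrelevant)."""
    src, dst, port, is_reply = pkt
    if is_reply:
        # Return traffic is admitted if the request was seen, regardless of rules.
        return (dst, src) in conntrack
    if any(_match(cidr, lo, hi, src, port) for cidr, lo, hi in rules):
        conntrack.add((src, dst))
        return True
    return False

def nacl_allows(rules, pkt, direction):
    """Network ACL: stateless, allow and deny, rules tried in number order, first
    match wins; inbound rules match the source, outbound rules the destination."""
    src, dst, port, _is_reply = pkt
    peer = src if direction == "in" else dst
    for _num, action, cidr, lo, hi in sorted(rules):
        if _match(cidr, lo, hi, peer, port):
            return action == "allow"
    return False  # the implicit '*' deny rule at the end of every NACL

def lab_scenarios():
    """Constructed packets: a request from the public-subnet peer, the instance's
    reply on an ephemeral port, and a request from a host we want to keep out."""
    request = ("10.0.10.8", "10.0.0.6", 8080, False)
    reply = ("10.0.0.6", "10.0.10.8", 49152, True)
    unwanted = ("10.0.10.99", "10.0.0.6", 8080, False)
    conntrack = set()
    return {
        "sg_request": sg_allows(SG_INBOUND, request, conntrack),
        "sg_reply": sg_allows(SG_INBOUND, reply, conntrack),
        "sg_unwanted_host": sg_allows(SG_INBOUND, unwanted, conntrack),   # SG has no deny
        "nacl_request": nacl_allows(NACL_IN, request, "in"),
        "nacl_reply_no_ephemeral_rule": nacl_allows(NACL_OUT_MISSING, reply, "out"),
        "nacl_reply_with_ephemeral_rule": nacl_allows(NACL_OUT_FIXED, reply, "out"),
        "nacl_unwanted_host": nacl_allows(NACL_IN, unwanted, "in"),       # rule 90 wins
    }
```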
Section 1
Setting up secure EC2 environment
[Architecture diagram: the same layout as before (users, Internet Gateway, Application Load Balancer and NAT Gateway in public subnets a and b, AMI-based instances in private subnets a and b, one region), now annotated with secure NACLs on the subnets and secure SGs on the instances.]
VPC Security Rules Evaluation
• The illustration below shows the packet flow from the Internet to a server in a private VPC subnet, which in
turn sends a packet to a NAT gateway, which forwards it to the requested host on the Internet.
• The route table, network ACL and security group rules are processed entirely in the hypervisor layer.
[Packet-flow diagram: the EC2 instance (guest OS, ENI 10.0.0.6) in the private subnet 10.0.0.0/24 sends a packet through its security group (IN/OUT); in the hypervisor it then passes the private subnet’s network ACL (IN/OUT) and the private route table, reaches the NAT ENI 10.0.10.8 in the public subnet 10.0.10.0/24, and passes that side’s security group (IN/OUT), network ACL (IN/OUT) and public route table before leaving through the IGW.]
Enforce Consistent Security On Your Hosts
Configure and harden EC2 instances based on security and compliance needs:
• Launch with IAM Role
• Restrict Access Where Possible
• Host-based Protection Software
• Hardening
  - Operating system
  - User administration
  - Whitelisting and integrity
  - Malware protection
  - Vulnerability management
  - Audit and logging
[Flow diagram: AMI catalog -> Launch EC2 instance -> Running instance -> Configure instance -> Your instance]
EC2 Roles
• Applications can securely make API requests from your instances
• You can delegate permission to make API requests using IAM roles as follows:
1. Create an IAM role
2. Define which accounts or AWS services can assume the role
3. Define which API actions and resources the application can use after assuming the role
4. Specify the role when you launch your instance, or attach the role to a running or
stopped instance
• Key rotation and revocation can now all be handled in IAM
Section 1
Setting up secure EC2 environment
[Architecture diagram: users, Internet Gateway, Application Load Balancer and NAT Gateway in public subnets a and b, AMI-based instances in private subnets a and b, secure NACLs and secure SGs, all in one region; IAM is now added for the instance role.]
Step 1 – Set up a VPC
• Select us-east-1 region (N. Virginia)
• Create a new VPC called “ImmersionDayVPC” (CIDR block 10.0.0.0/16)
• Create 2 public and 2 private subnets
1. “PublicSubnet_1a” in us-east-1a AZ with CIDR 10.0.0.0/24
2. “PublicSubnet_1b” in us-east-1b AZ with CIDR 10.0.1.0/24
3. “PrivateSubnet_1a” in us-east-1a AZ with CIDR 10.0.2.0/24
4. “PrivateSubnet_1b” in us-east-1b AZ with CIDR 10.0.3.0/24
Step 2 – Set up Security Group
• The demo application running on the EC2 instances is a Java-based web application
running on Tomcat version 7.
• Create a security group “ImmersionDaySecGroup” with only HTTP allowed (ports 80
and 8080) and source 0.0.0.0/0.
• The same security group will be used for everything we start (the EC2 instances and
the Application Load Balancer).
Step 3 – Create Internet and NAT Gateways
• Create and attach an Internet Gateway “ImmersionDayInternetGateway” to the VPC
• Create NAT Gateway in the public subnet
Step 4 – Create Route Tables
• Create 2 new route tables:
1. One for the public subnets: “PublicSubnetRouteTable”
2. One for the private subnets: “PrivateSubnetsRouteTable”
• Associate the private/public subnets to these new route tables and modify the routes accordingly:
1. PrivateSubnetsRouteTable should have a route with Target = NAT Gateway and Destination = 0.0.0.0/0
2. PublicSubnetRouteTable should have a route with Target = Internet Gateway and Destination = 0.0.0.0/0
Step 5 – Create EC2 role
• Go to IAM and select Roles from the left-hand side menu
• Create a new role for the EC2 instances and name it “ImmersionDayEC2Role”
• Add the following permissions to this role:
1. AmazonDynamoDBFullAccess (this gives our EC2 instances permission to read/write from the DynamoDB database)
2. AmazonSSMReadOnlyAccess (this gives our EC2 instances permission to read from Systems Manager’s Parameter Store)
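The EC2 Roles slide earlier describes the role in three parts: who may assume it, which actions and resources it grants, and attaching it to the instance. The Python below is an added example, not part of the lab or of the application's code: it models the trust policy for "ImmersionDayEC2Role" and a scoped permissions policy (an alternative to the two managed policies above, limited to the lab's table and the kmsID parameter) and evaluates requests against them the way IAM does, with an explicit Deny always winning. The account id 123456789012 and the region in the ARNs are placeholders; KMS access for the role is granted separately through the key policy in Section 2.

```python
import fnmatch

# Constructed trust policy: only the EC2 service may assume the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Constructed permissions policy, scoped to what the demo application needs:
# create/describe/read/write its own table and read the kmsID parameter.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/saved-tweeter-users-table"
PARAM_ARN = "arn:aws:ssm:us-east-1:123456789012:parameter/kmsID"
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": TABLE_ARN,
     "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable",
                "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"]},
    {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": PARAM_ARN},
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def can_assume(trust_policy, service):
    """Step 2 of the EC2 Roles slide: which AWS service may assume the role."""
    return any(stmt["Effect"] == "Allow"
               and "sts:AssumeRole" in _as_list(stmt["Action"])
               and service in _as_list(stmt["Principal"].get("Service", []))
               for stmt in trust_policy["Statement"])

def is_allowed(policy, action, resource):
    """Step 3: IAM-style decision. An explicit Deny wins over any Allow; with no
    matching Allow the request is implicitly denied. '*' wildcards are honoured."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```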
Step 6 – EC2 setup
• Launch one EC2 instance in each private subnet with:
AMI ID = “ami-0aa3c8ac7278c6d3e” (if you are running in us-east-1)
or
AMI ID = “ami-0994313865b869a92” (if you are running in eu-central-1)
and
AMI Name = “SecurityComplianceImmersionDay”
(t2.micro, no additional EBS volumes)
• Add the previously created role “ImmersionDayEC2Role”
• Use the security group that we created previously, “ImmersionDaySecGroup”
• Tag the instances with Key = instance, Value = immersionday
• If you don’t already have a key pair in the us-east-1 or eu-central-1 region, create
one and use it with these instances
Step 7 – Set up Application Load Balancer
• Create an internet-facing ALB “ImmersionDayALB” and connect it with the public
subnets:
  - Set the listener to be HTTP on port 80
  - Set the HealthCheck path to /tweetstats/home on port 8080
  - Create a Target Group and add the EC2 instances from the private subnets on port
    8080 to this group
• The ALB will respond to requests made on port 80 and forward them to the target
instances on port 8080
Step 8 – Check if all is working fine
• Type the ALB DNS endpoint with “/tweetstats/home” at the end into a browser
and see if it works, like:
http://ImmersionDayALB-111111111111.us-east-1.elb.amazonaws.com/tweetstats/home
• You should see this:
Lab 1
Real-world deployment
Note: In real-world deployments, we would use 2 NAT Gateways, one in each public subnet in different AZ’s. We would configure route tables so that EC2 instances use NAT Gateways from the same AZ. This way we increase egress throughput and availability.
[Architecture diagram: users, Internet Gateway, Application Load Balancer; one NAT Gateway in public subnet a and one in public subnet b; AMI-based instances in private subnet a and private subnet b; IAM; one region.]
What are we building in Section 2?
• This lab is a continuation of the work we did in Section 1.
• In this lab we want to demonstrate:
1. How to create VPC endpoints (gateway and interface)
2. How to create encryption keys with KMS
3. How to manage secrets with Parameter Store
4. How to encrypt data in DynamoDB using client-side encryption
You can skip the manual setup of Section 2 by running the CloudFormation template:
https://s3.amazonaws.com/security-compliance-immersion-day/ImmersionDayCF_Module2.json
Note: “Step 3 – Set up Parameter Store” still needs to be done manually, as CloudFormation didn’t
support creating parameters at the time this was created.
Section 1 Recap
[Architecture diagram: users, Internet Gateway, Application Load Balancer and NAT Gateway in public subnets a and b, AMI-based instances in private subnets a and b, secure NACLs and secure SGs, IAM, all in one region.]
VPC Endpoints
VPC Endpoints can be used to improve security:
• Network access to AWS services can be restricted to traffic that stays inside AWS
• NACLs and SGs can be applied to further restrict communication
• Policy-based access can be restricted to specific AWS resources
Storing secret parameters
Where do we store configuration data for our applications?
We need to have a place to:
• Centrally store and find configuration data
• Have repeatable, automatable management (e.g. SQL connection strings)
• Have granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys
• In AWS, there are two ways to do it:
1. AWS Systems Manager Parameter Store, or
2. AWS Secrets Manager
Comparing AWS Systems Manager Parameter Store and AWS Secrets Manager
AWS Systems Manager Parameter Store | AWS Secrets Manager
• Secure storage for configuration data, which can include secrets | • A service to manage the lifecycle of secrets in your organization
• Reference values using the unique name specified during creation | • Helps you meet security and compliance requirements by rotating secrets automatically
• Use parameters in scripts for configuration and automation | • Built-in integrations for Amazon RDS that can rotate database credentials on your behalf
• Parameter Store is free of charge | • Extensible via Lambda
 | • Secrets Manager is pay as you go with $0.40 per secret per month and $0.05 per 10,000 API calls
How is data encrypted in DynamoDB?
• We are using the aws-encryption-sdk-java library to encrypt and decrypt data to
and from DynamoDB.
• The KMS key ID (kmsID) used below is the value we keep in Parameter Store.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;

// Instantiate the encryption SDK
AwsCrypto crypto = new AwsCrypto();
// Set up the master key provider; kmsID is the key ID we keep in Parameter Store
KmsMasterKeyProvider prov = new KmsMasterKeyProvider(
        "arn:aws:kms:" + region.getName() + ":" + response.getAccount() + ":key/" + kmsID);
// Encrypt data (context is the encryption context, a Map<String, String>)
String ciphertext = crypto.encryptString(prov, data, context).getResult();
// Decrypt data: pass the ciphertext, not the plaintext
CryptoResult<String, KmsMasterKey> decryptResult = crypto.decryptString(prov, ciphertext);
String plaintext = decryptResult.getResult();
```
Section 2
Protecting data at rest
[Architecture diagram: the Section 1 layout (users, Internet Gateway, Application Load Balancer and NAT Gateway in public subnets a and b, AMI-based instances in private subnets a and b, IAM, one region) extended with an interface endpoint to Parameter Store (AWS Systems Manager), a gateway endpoint to Amazon DynamoDB, and AWS KMS.]
Step 1 – Set up VPC Endpoints
• Go to VPC -> Endpoints and create one endpoint for DynamoDB (gateway) and one for SSM (interface)
• Attach both private subnets to these endpoints
Step 2 – Create an encryption key in KMS
• Go to IAM -> Encryption Keys
• Create a new KMS key with name “ImmersionDayKey”
• Key Administrator is you
• Key User is previously defined ImmersionDayEC2Role
Step 3 – Set up Parameter Store
• Go to Systems Manager -> Parameter Store
• Create a new parameter with the name “kmsID”
• It should be type String
• The value should be the ID of the encryption key that was created in KMS in the previous step
Step 4 – Check if all is working fine
• Type the ALB DNS endpoint with “/tweetstats/home” at the end into a browser
and see if it works, like:
http://ImmersionDayALB-111111111111.us-east-1.elb.amazonaws.com/tweetstats/home
• Search for @jeffbarr and you should see this:
Step 5 – Check if encryption works
• Go to DynamoDB and look at the items in the table “saved-tweeter-users-table”.
• Note: the DynamoDB table is automatically created when our demo application first starts.
• Check that the items for “jeffbarr” are encrypted:
What are we building in Section 3?
• This lab is a continuation of the work we did in Section 2.
• In this lab we want to demonstrate:
1. How to create a web distribution with CloudFront
2. How to use Web Application Firewall on the CloudFront distribution
You can skip the manual setup of Section 3 by running the CloudFormation template:
https://s3.amazonaws.com/security-compliance-immersion-day/ImmersionDayCF_Module3.json
Section 2 - Recap
Protecting data at rest
[Architecture diagram: users, Internet Gateway, Application Load Balancer and NAT Gateway in public subnets a and b, AMI-based instances in private subnets a and b, interface endpoint to Parameter Store (AWS Systems Manager), gateway endpoint to Amazon DynamoDB, AWS KMS, IAM, one region.]
Section 3
Protecting data in transit
[Architecture diagram: users now reach the application through Amazon CloudFront with AWS WAF in front of the Internet Gateway; behind it is the Section 2 layout: Application Load Balancer and NAT Gateway in public subnets a and b, AMI-based instances in private subnets a and b, interface endpoint to Parameter Store (AWS Systems Manager), gateway endpoint to Amazon DynamoDB, AWS KMS, IAM, one region.]
Step 1 – CloudFront setup
• Create … CloudFront web distribution and point it to the ALB origin (origin protocol is HTTP only)
• Viewer Protocol Policy: Redirect HTTP to HTTPS
• Cache: None
• Object Caching: Use Origin Cache Headers
• Forward Cookies: All
• Query String Forwarding and Caching: Forward all, cache based on all
Now, try to see if CloudFront works:
• Type your CloudFront endpoint with “/tweetstats/home” at the end into a browser
and see if it works.
• Note: it takes about 10 minutes for the CloudFront distribution to become active.
• If it’s not active immediately for you, go ahead and enable WAF in the meantime.
Step 2 – WAF setup
• Create a WAF Web ACL for the CloudFront distribution.
• In the CloudFront WAF, create a “String and Regex Matching” condition that denies all requests with “immersion” in the query string.
Step 2 – WAF setup
• The previously created condition should be used by a rule like the one below, which
blocks all requests whose query string matches the condition
Now, try to see if WAF for CloudFront works:
• You need to edit the CloudFront distribution settings and associate the WAF Web ACL with it!
• Type your CloudFront endpoint with “/tweetstats/home?query=immersion” at the end into a browser
and see if it works
• You should get a “Request Blocked” page.
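To see exactly what the Web ACL from Step 2 does with a request, here is an added Python model of it, not part of the lab material: one string-match condition on the query string, one rule that blocks on a match, and a default action of ALLOW. It is run over constructed requests against a placeholder CloudFront domain, including the lab's own test URL. The URL-decode and lowercase text transformations are an assumption (the lab's condition does not specify any); they are what make an encoded or capitalised "immersion" still match.

```python
from urllib.parse import unquote_plus, urlsplit

# Constructed Web ACL: mirrors the lab's condition, rule and default action.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [{
        "name": "BlockImmersionInQueryString",
        "action": "BLOCK",
        "condition": {"part": "query_string", "transforms": ["url_decode", "lowercase"],
                      "match": "contains", "value": "immersion"},
    }],
}

def _part(url, part):
    """Extract the request component the condition inspects (URI or query string)."""
    split = urlsplit(url)
    return {"uri": split.path, "query_string": split.query}[part]

def _transform(text, transforms):
    """Apply the condition's text transformations in order before matching."""
    for how in transforms:
        if how == "url_decode":
            text = unquote_plus(text)
        elif how == "lowercase":
            text = text.lower()
    return text

def _matches(cond, url):
    haystack = _transform(_part(url, cond["part"]), cond["transforms"])
    if cond["match"] == "contains":
        return cond["value"] in haystack
    raise ValueError("unsupported match type: " + cond["match"])

def evaluate(web_acl, url):
    """Return (action, rule_name): the first matching rule wins, else the default."""
    for rule in web_acl["rules"]:
        if _matches(rule["condition"], url):
            return rule["action"], rule["name"]
    return web_acl["default_action"], "default"

# Constructed requests; the domain is a placeholder, not a real distribution.
BASE = "https://d111111abcdef8.cloudfront.net"
SAMPLE_REQUESTS = {
    "plain": BASE + "/tweetstats/home",
    "lab_test": BASE + "/tweetstats/home?query=immersion",
    "encoded": BASE + "/tweetstats/home?query=Immer%73ion",   # decodes to Immersion
    "in_path_only": BASE + "/tweetstats/immersion",           # not in the query string
}

def classify_samples():
    return {name: evaluate(WEB_ACL, url)[0] for name, url in SAMPLE_REQUESTS.items()}
```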