AWS Deep Dive

author: Nathan Acks
date: 2022-06-05

It’s been a while, hasn’t it?

I’d originally intended to spend May wrapping up “supplemental” TryHackMe rooms I’d been making note of while studying for the Security+ exam. But then I started a new job and wound up spending much of the time I had been using for my studies bringing myself up to speed instead.

The new job aligns much better with the direction I’ve been hoping to take my career, which is great. But it’s also highlighting some real deficiencies in my knowledge of AWS. It’s also really driven home that the exposure I’ve had to Burp Suite so far is not really adequate for real-world use cases.

So I’m going to put TryHackMe on (temporary!) hold, and spend some time beefing up on AWS and Burp Suite instead.

Fortunately, the new job has a great list of AWS-related videos, readings, course work, and hands-on “labs”. Much (though not all) of this is public, which means that I can continue to use this space as my notebook most of the time. I’m still going to take private notes for non-public materials, but I’m afraid I can’t share those in good conscience. This means that there are going to be more pauses than in previous sequences, as I hit non-public parts of my learning path.

Once I’m finished working through the AWS-related materials, I’m going to turn my attention to Burp Suite. There I’ll be working my way through PortSwigger’s Web Security Academy.

Once I’m done with both of these I’ll turn back to the remaining TryHackMe “supplements”, move on to a few odds-and-ends rooms focusing more on defensive security (it feels like I should have at least a passing knowledge of some of that), and then begin the process of working towards my Pentest+ certification!

AWS Essentials

I’ll be starting off by watching through the “AWS Essentials” YouTube playlist put together by the Linux Academy.

Project Omega!

AWS Essentials: Project Omega! (YouTube)

This is apparently the framing device for the entire series. Pretty skippable.

AWS Free Tier

AWS Essentials: AWS Free Tier (YouTube)

Core AWS services:

These all have some kind of free version.

Create an AWS Account

AWS Essentials: Create an AWS Account (YouTube)

Wow, AWS is using voice calls for account authentication! (At least they’re automated…)

How to Navigate the AWS Console

AWS Essentials: How to Navigate the AWS Console (YouTube)

You can switch between regions in AWS using a simple drop-down in the AWS Console’s header.

What is IAM?

AWS Essentials: What is IAM? (YouTube)

The first user in an AWS account is the “root” user, and has the sort of privileges this name implies.

While the root user gets permission to everything, subsequent users receive no permissions beyond what’s required to log in - any additional capabilities must be added in the IAM interface.

IAM Initial Setup and Configuration

AWS Essentials: IAM Initial Setup and Configuration (YouTube)

After initially creating the root account, the first thing you should do is work through all of the “Security Status” items in the IAM console.

Amazon MFA is always TOTP-based (when AWS refers to a “hardware key fob”, it means an RSA-style device, not a Yubikey).

For obvious reasons, the first thing you should probably do is create an additional (admin) user, and then generally avoid using the root user. Admin users are defined by having the AdministratorAccess policy attached.

IAM Roles

AWS Essentials: IAM Roles (YouTube)

Services (really, objects in a service) in AWS can’t be assigned policies directly, but can be assigned roles.

In general, roles are used to package policies for service objects, while groups are used to package policies for users. (That said, roles can be assigned to users as well; they’re quite flexible.)

AWS Global Infrastructure

AWS Essentials: AWS Global Infrastructure (YouTube)

VPC (Virtual Private Cloud) is the backbone of AWS’s offerings.

“Regions” are groupings of AWS resources that are concentrated in a given location (AWS data centers are not spread out uniformly).

“Regions” are in turn made up of “availability zones”, which are geographically isolated clusters of resources.

Every data center is assigned to only one availability zone; the purpose of availability zones is to provide redundancy within a region.

What is a VPC?

AWS Essentials: What is a VPC? (YouTube)

VPC settings can be changed in the AWS console under Networking > VPC.

Basically, this is a logical partition of AWS. Importantly, this partitioning includes its own logical network layer. So you can kind of think of a VPC as a virtual network in AWS.

Note that a “default” VPC is created along with a new AWS account, but additional VPCs can be created as needed.

The VPC “internet gateway” is roughly equivalent to a modem in a home or SMB, while VPC “route tables” function like an actual router. VPC NACLs roughly fill the role of a (very simple, stateless) firewall.

Internet Gateways (IGWs)

AWS Essentials: Internet Gateways (IGWs) (YouTube)

Basically: The part of a VPC that provides the actual connection to the internet. It’s automatically scaled by Amazon as needed, so there’s little that needs to be configured here.

Really, all an IGW is providing is a route from the attached VPC to the internet. There can only be one IGW attached to a VPC at any given time. (Amazon also won’t allow an IGW to be detached if there are any live resources like EC2 or RDS instances in the VPC.)

Route Tables (RTs)

AWS Essentials: Route Tables (RTs) (YouTube)

The Route Table is presented (almost) as a literal route table (think of the Linux route command). So, no surprises here.

There can be multiple RTs per VPC. Similar to IGWs, however, RTs can only be deleted if they have no dependencies (active routes).

Network Access Control Lists (NACLs)

AWS Essentials: Network Access Control Lists (NACLs) (YouTube)

Think: Stateless firewall.

NACLs can be applied to one or more subnets in a VPC, and multiple NACLs are allowed in a VPC.

All NACLs end with a default DENY. However, the default NACL created with the default VPC has an “ALLOW ALL” rule ahead of this.

NACL rules are evaluated from lowest-to-highest rule number. Fortunately, the AWS console will automatically arrange rules in the order you’d expect (top-to-bottom).

Note that additional network security controls (“security groups”) can be applied to AWS resources like EC2 instances, etc. But NACLs are the only subnet level protection that’s available.
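To make the evaluation order concrete, here is a small added example (mine, not from the videos or AWS) that models the NACL semantics described above: rules are tried in ascending rule-number order, the first match wins, and an implicit final rule denies everything. The rule sets, addresses and the `Rule`/`evaluate` names are all constructed for illustration; ICMP type/code matching is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number; lower numbers are evaluated first
    action: str    # "ALLOW" or "DENY"
    protocol: str  # "tcp", "udp" or "all"
    cidr: str      # source CIDR (inbound rules) or destination CIDR (outbound rules)
    ports: tuple   # inclusive (low, high) port range; ignored when protocol is "all"


def evaluate(rules, ip, protocol, port):
    """Return (action, matched rule number) for one packet in one direction.

    NACLs are stateless: a reply packet is checked against the other
    direction's rule set on its own, so both directions need explicit rules.
    """
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action, rule.number
    return "DENY", "*"  # the implicit catch-all DENY at the end of every NACL


# Constructed inbound rules for a web subnet: one hostile range is denied
# by a lower-numbered rule so it wins over the generic HTTPS allow.
INBOUND = [
    Rule(100, "ALLOW", "tcp", "0.0.0.0/0", (443, 443)),
    Rule(90, "DENY", "tcp", "203.0.113.0/24", (0, 65535)),
    Rule(110, "ALLOW", "tcp", "10.0.0.0/16", (22, 22)),
]

# Constructed outbound rules: HTTPS replies leave on the client's ephemeral
# port, so statelessness forces a separate ALLOW for that range.
OUTBOUND = [
    Rule(100, "ALLOW", "tcp", "0.0.0.0/0", (1024, 65535)),
]

# The default VPC's NACL: an ALLOW ALL rule placed ahead of the implicit DENY.
DEFAULT_NACL = [
    Rule(100, "ALLOW", "all", "0.0.0.0/0", (0, 65535)),
]
```

Removing the outbound rule (or narrowing it to port 443) is the classic NACL mistake: inbound HTTPS is allowed but every reply is dropped by the implicit DENY.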

Subnets

AWS Essentials: Subnets (YouTube)

VPC subnets are limited to particular availability zones; by default, one subnet is created per availability zone for the region a VPC is created in.

Resources must be provisioned within a subnet. Since subnets cannot span availability zones, subnets are the level that AWS resources begin to correspond to physical computing structures in data centers.

Subnets can be “public” (internet routable) or “private” (not internet routable), which is determined by the associated route table. Note that every subnet must be associated with a route table.
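As an added example (mine, not the course’s), here is the public/private distinction worked through in code: a route table is resolved by longest-prefix match, just like the Linux `route` command mentioned earlier, and a subnet counts as public when the route its table picks for internet-bound traffic targets an internet gateway. The route tables, subnet associations and gateway ids below are constructed placeholders.

```python
import ipaddress

# Constructed route tables keyed by id. Route targets are "local" (intra-VPC),
# an internet gateway ("igw-...") or a NAT gateway ("nat-..."); the ids are
# placeholders, not real resources.
ROUTE_TABLES = {
    "rtb-public": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw-PLACEHOLDER"),  # default route straight to the IGW
    ],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat-PLACEHOLDER"),  # outbound only via NAT: not public
    ],
    "rtb-isolated": [
        ("10.0.0.0/16", "local"),  # no default route at all
    ],
}

# Every subnet must be associated with exactly one route table.
SUBNET_ASSOCIATIONS = {
    "subnet-web-a": "rtb-public",
    "subnet-app-a": "rtb-private",
    "subnet-db-a": "rtb-isolated",
}


def lookup_route(routes, destination):
    """Return the target of the most specific route matching destination, or None."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(subnet_id):
    """A subnet is public iff its route table sends internet traffic to an IGW."""
    routes = ROUTE_TABLES[SUBNET_ASSOCIATIONS[subnet_id]]
    # Probe with an address outside the VPC (documentation range, constructed).
    target = lookup_route(routes, "198.51.100.7")
    return target is not None and target.startswith("igw-")
```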

Availability Zones (VPC Specific)

AWS Essentials: Availability Zones (VPC Specific) (YouTube)

The point of availability zones within a VPC is to allow redundancy to be engineered via mirrored subnets + resources.

S3 Basics

AWS Essentials: S3 Basics (YouTube)

Objects = Files

Buckets are limited to particular regions; data is automatically replicated across availability zones within that region.

Buckets & Objects

AWS Essentials: Buckets & Objects (YouTube)

Bucket names are globally unique.

Storage Classes

AWS Essentials: Storage Classes (YouTube)

Storage classes in S3 (standard, glacier, etc.) can be defined per object. Classes:

“Durability” is defined as the probability that a file will not be lost or corrupted in a given year.

“Availability” is defined as the probability that a file will be (immediately) available when requested in a given year.

Storage class can be set during upload, by using the object lifecycle tool, or just by editing in the AWS console (note that Glacier cannot be chosen in this way). Changing the storage type of a folder will change the storage class of all contained objects but will not affect subsequent uploads.

Reduced Redundancy Storage is actually recommended for backup (!), though Glacier is intended for actual archival usage.