AWS Security Blog

In Case You Missed These: AWS Security Blog Posts from January and February

November 1, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info.

In case you missed any of the AWS Security Blog posts from January and February, they are summarized and linked to below. The posts are shown in reverse chronological order (most recent first), and the subject matter ranges from using AWS WAF to automating HIPAA compliance.


February 29, AWS Compliance Announcement: Announcing Industry Best Practices for Securing AWS Resources
We are happy to announce that the Center for Internet Security (CIS) has published the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures. This is the first time CIS has issued a set of security best practices specific to an individual cloud service provider.

February 24, AWS WAF How-To: How to Use AWS WAF to Block IP Addresses That Generate Bad Requests
In this blog post, I show you how to create an AWS Lambda function that automatically parses Amazon CloudFront access logs as they are delivered to Amazon S3, counts the number of bad requests from unique sources (IP addresses), and updates AWS WAF to block further requests from those IP addresses. I also provide a CloudFormation template that creates the web access control list (ACL), rule sets, Lambda function, and logging S3 bucket so that you can try this yourself.

February 23, Automating HIPAA Compliance How-To: How to Use AWS Config to Help with Required HIPAA Audit Controls: Part 4 of the Automating HIPAA Compliance Series
In today’s final post of this series, I am going to complete the explanation of the DevSecOps architecture by highlighting ways you can use AWS Config to help meet audit controls required by HIPAA. Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. This Config output, along with other audit trails, gives you the types of information you can use to meet your HIPAA auditing obligations.  

February 22, March Webinar Announcement: Register for and Attend This March 2 Webinar—Using AWS WAF and Lambda for Automatic Protection
AWS WAF Software Development Manager Nathan Dye will share  Lambda scripts you can use to automate security with AWS WAF and write dynamic rules that can prevent HTTP floods, protect against badly behaving IPs, and maintain IP reputation lists. You can also learn how Brazilian retailer, Magazine Luiza, leveraged AWS WAF and Lambda to protect its site and run an operationally smooth Black Friday.

February 22, Automating HIPAA Compliance How-To: How to Translate HIPAA Controls to AWS CloudFormation Templates: Part 3 of the Automating HIPAA Compliance Series
In my previous post, I walked through the setup of a DevSecOps environment that gives healthcare developers the ability to launch their own healthcare web server. At the heart of the architecture is AWS CloudFormation, a JSON representation of your architecture that allows security administrators to provision AWS resources according to the compliance standards they define. In today’s post, I will share examples that provide a Top 10 List of CloudFormation code snippets that you can consider when trying to map the requirements of the AWS Business Associates Agreement (BAA) to CloudFormation templates.

February 17, AWS Partner Network: New AWS Partner Network Blog Post: Securely Accessing Customers’ AWS Accounts with Cross-Account IAM Roles
Building off AWS Identity and Access Management (IAM) best practices, the AWS Partner Network (APN) Blog this week published a blog post called, Securely Accessing Customer AWS Accounts with Cross-Account IAM Roles. Written by AWS Partner Solutions Architect David Rocamora, this post addresses how best practices can be applied when working with APN Partners, and describes the potential drawbacks with APN Partners having access to their customers’ AWS resources.

February 16, AWS Summit in Chicago: Register for the Free AWS Summit – Chicago, April 2016
Registration for the 2016 AWS Summit – Chicago is now open. This free event will educate you about the AWS platform and offer information about architecture best practices and new cloud services. Register todayto reserve your seat to hear keynote speaker Matt Wood, AWS General Manager of Product Strategy, highlighting the latest AWS services and customer stories.

February 16, Automating HIPAA Compliance How-To: How to Use AWS Service Catalog for Code Deployments: Part 2 of the Automating HIPAA Compliance Series
In my previous blog post, I discussed the idea of using the cloud to protect the cloud and improving healthcare IT by applying DevSecOps methods. In Part 2 today, I will show an architecture composed of AWS services that gives healthcare security administrators necessary controls, allows healthcare developers to interact with the system using familiar tools (such as Git), and leverages AWS managed services without the need for advanced coding or complex configuration.

February 15, Automating HIPAA Compliance How-To: How to Automate HIPAA Compliance (Part 1): Use the Cloud to Protect the Cloud
In a series of blog posts on the AWS Security Blog this month, I will provide prescriptive advice and code samples to developers, system administrators, and security specialists who wish to improve their healthcare IT by applying the DevSecOps methods that the cloud enables. I will also demonstrate AWS services that can help customers meet their AWS Business Associate Agreement obligations in an automated fashion. Consider this series a getting started guide for DevSecOps strategies you can implement as you migrate your own compliance frameworks and controls to the cloud. 

February 9, AWS WAF How-To: How to Configure Rate-Based Blacklisting with AWS WAF and AWS Lambda
One security challenge you may have faced is how to prevent your web servers from being flooded by unwanted requests, or scanning tools such as bots and crawlers that don’t respect the crawl-delay directivevalue. The main objective of this kind of distributed denial of service (DDoS) attack, commonly called an HTTP flood, is to overburden system resources and make them unavailable to your real users or customers (as shown in the following illustration). In this blog post, I will show you how to provision a solution that automatically detects unwanted traffic based on request rate, and then updates configurations of AWS WAF (a web application firewall that protects any application deployed on the Amazon CloudFront content delivery service) to block subsequent requests from those users.

February 3, AWS Compliance Pilot Program: AWS FedRAMP-Trusted Internet Connection (TIC) Overlay Pilot Program
I’m pleased to announce a newly created resource for usage of the Federal Cloud—after successfully completing the testing phase of the FedRAMP-Trusted Internet Connection (TIC) Overlay pilot program, we’ve developed Guidance for TIC Readiness on AWS. This new way of architecting cloud solutions that address TIC capabilities (in a FedRAMP moderate baseline) comes as the result of our relationships with the FedRAMP Program Management Office (PMO), Department of Homeland Security (DHS) TIC PMO, GSA 18F, and FedRAMP third-party assessment organization (3PAO), Veris Group. Ultimately, this approach will provide US Government agencies and contractors with information assisting in the development of “TIC Ready” architectures on AWS.

February 2, DNS Resolution How-To: How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory
In my previous post, I showed how to use Simple AD to forward DNS requests originating from on-premises networks to an Amazon Route 53 private hosted zone. Today, I will show how you can use Microsoft Active Directory (also provisioned with AWS Directory Service) to provide the same DNS resolution with some additional forwarding capabilities.

February 1, DNS Resolution How-To:  How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Amazon Route 53
As you establish private connectivity between your on-premises networks and your AWS Virtual Private Cloud (VPC) environments, the need for Domain Name System (DNS) resolution across these environments grows in importance. One common approach used to address this need is to run DNS servers on Amazon EC2 across multiple Availability Zones (AZs) and integrate them with private on-premises DNS domains. In many cases, though, a managed private DNS service (accessible outside of a VPC) with less administrative overhead is advantageous. In this blog post, I will show you two approaches that use Amazon Route 53 and AWS Directory Service to provide DNS resolution between on-premises networks and AWS VPC environments.


January 26, DNS Filtering How-To:  How to Add DNS Filtering to Your NAT Instance with Squid
In this post, I discuss and give an example of how Squid, a leading open-source proxy, can restrict both HTTP and HTTPS outbound traffic to a given set of Internet domains, while being fully transparent for instances in the private subnet. First, I explain briefly how to create the infrastructure resources required for this approach. Then, I provide step-by-step instructions to install, configure, and test Squid as a transparent proxy.

January 25, AWS KMS How-To: How to Help Protect Sensitive Data with AWS KMS
One question AWS KMS customers frequently ask is about how how to encrypt Primary Account Number (PAN) data within AWS because PCI DSS sections 3.5 and 3.6 require the encryption of credit card data at rest and has stringent requirements around the management of encryption keys. One KMS encryption option is to encrypt your PAN data using customer data keys (CDKs) that are exportable out of KMS. Alternatively, you also can use KMS to directly encrypt PAN data by using an AWS KMS key (KMS key). In this blog post, I will show you how to help protect sensitive PAN data by using KMS keys.

January 21, AWS Certificate Manager Announcement: Now Available: AWS Certificate Manager
Launched today, AWS Certificate Manager (ACM) is designed to simplify and automate many of the tasks traditionally associated with provisioning and managing SSL/TLS certificates. ACM takes care of the complexity surrounding the provisioning, deployment, and renewal of digital certificates—all at no extra cost!

January 19, AWS Compliance Announcement: Introducing GxP Compliance on AWS
We’re happy to announce that customers now are enabled to bring the next generation of medical, health, and wellness solutions to their GxP systems by using AWS for their processing and storage needs. Compliance with healthcare and life sciences requirements is a key priority for us, and we are pleased to announce the availability of new compliance enablers for customers with GxP requirements.

January 19, AWS Config How-To: How to Record and Govern Your IAM Resource Configurations Using AWS Config
Using Config Rules on IAM resources, you can codify your best practices for using IAM and assess the compliance state of these rules regularly. In this blog post, I will show how to start recording the configuration of IAM resources, and author an example rule that checks whether all IAM users in the account are using a sample managed policy, MyIAMUserPolicy. I will also describe examples of other rules customers have authored to assess their organizations’ compliance with their own standards.

January 15, AWS Summits: Mark Your Calendar for AWS Summits in 2016
Are you ready for AWS Summits in 2016? This year we have created even more information-packed Summits that will take place across the globe, each designed to accelerate your cloud journey and help you get the most out of AWS services.

January 13, AWS IAM Announcement: The IAM Console Now Helps Prevent You from Accidentally Deleting In-Use Resources
Starting today, the IAM console shows service last accessed data as part of the process of deleting an IAM user or role. Now you have additional data that shows you when a resource was last active so that you can make a more informed decision about whether or not to delete it.

January 6, IAM Best Practices: Adhere to IAM Best Practices in 2016
As another new year begins, we encourage you to review our recommended IAM best practices. Following these best practices can help you maintain the security of your AWS resources. You can learn more by watching the IAM Best Practices to Live By presentation that Anders Samuelsson gave at AWS re:Invent 2015, or you can click the following links that will take you to IAM documentation, blog posts, and videos. 

If you have comments  about any of these posts, please add your comments in the “Comments” section of the appropriate post. If you have questions about or issues implementing the solutions in any of these posts, please start a new thread on the AWS IAM forum.

– Craig