- Useful Libs and Tools
- Useful Articles and Blogs
- Incident Response
- Configure mutual Transport Layer Security (mutual TLS or mTLS) authentication with AWS services
- Options for granular control on TLS cipher suites
- Firewall Manager, WAF, Shield
- IAM
- RCP
- SCP
- Instance Metadata Service (IMDS)
- GuardDuty
- Security Hub
- Security Lake
- Verified Permissions
- Amazon Security Bulletins - https://aws.amazon.com/security/security-bulletins/
- Amazon Linux Security Center - https://alas.aws.amazon.com/announcements.html
- Amazon Detective Multiaccount Scripts - aws-samples/amazon-detective-multiaccount-scripts
- AWS IMDS Packet Analyzer - aws/aws-imds-packet-analyzer
- AWS Policy Generator
- Amazon Security Lake Resources - aws-samples/amazon-security-lake
- AWS Security Benchmark - awslabs/aws-security-benchmark
- AWS Self-Service Security Assessment tool - awslabs/aws-security-assessment-solution
- Open source tools for AWS security - toniblyx/my-arsenal-of-aws-security-tools
- Ultimate DevSecOps library - sottlmarek/DevSecOps
- cloud-custodian - cloud-custodian/cloud-custodian
- CloudGoat - RhinoSecurityLabs/cloudgoat
- git-secrets - awslabs/git-secrets
- Pacu an open source AWS exploitation framework - RhinoSecurityLabs/Pacu
- Redboto - elitest/Redboto
- Endgame: Creating Backdoors in AWS - hirajanwin/endgame
- Endgame: AWS Pentesting tool - DavidDikker/endgame
- From Detection to Enforcement: Migrating from IMDSv1 to IMDSv2, DataDog, 2024-12-17
- Enhance your AWS cloud infrastructure security with AWS Managed Services (AMS), AWS, 2024-02-16 - a short and nice summary
- EC2 Privilege Escalation Through User Data, Nick F., 2024-01-21
- Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild, Datadog, 2023-10-11
- SSM Parameter Store SecureString vs. Secrets Manager - Handling Secrets with AWS, 2022
- Note: Parameter Store now supports cross-account sharing (via AWS RAM) - NEW-2024-02
- AWS Exposable Resources - SummitRoute/aws_exposable_resources - this repo maintains a list of all AWS resources that can be publicly exposed.
- AWS Security Documentation by Category - docs.aws.amazon.com/security
- AWS Security Reference Architecture (AWS SRA) - docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/
- A Secure Cloud - Repository of customizable AWS security configurations and best practices - asecure.cloud/
- aws-samples/automated-incident-response-with-ssm - Automated Incident Response with SSM
- easttimor/aws-incident-response - Investigation of API activity using Athena and notification of actions using EventBridge
- Public AWS ACM does not allow you to export the private key, which means your client won't be able to present a client certificate for validation. You might need to use something like Private Certificate Authority - AWS Certificate Manager - Amazon Web Services (AWS) or some other CA to generate the client certificate for you. See this Stack Overflow post - How do I get client certificate from ACM?
- Introducing mTLS for Application Load Balancer, AWS, 2024-03-21
- Comparison of ALB’s mTLS modes with Network Load Balancer (NLB)
- Update (2023-11-27) - ALB now supports mTLS
- NLB → NGINX → Application service and pod
- Configure mutual TLS authentication for applications running on Amazon EKS
- Configuring mutual TLS authentication for a REST API
- Automating mutual TLS setup for Amazon API Gateway
- Introducing mutual TLS authentication for Amazon API Gateway
- Propagating valid mTLS client certificate identity to downstream services using Amazon API Gateway
- How to use ACM Private CA for enabling mTLS in AWS App Mesh
- Three things to consider when implementing Mutual TLS with AWS App Mesh
- https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html
If you want to exclude specific ciphers, you can use the following solutions to offload and control the TLS connection termination with a customized cipher suite:
- Network Load Balancer
- CloudFront distribution
- Self-managed reverse proxy
See Exclude cipher suites at the API gateway using a Network Load Balancer security policy