AWS Basic Concepts

Learning Objectives
In this room, you will learn about basic technologies associated with the AWS platform. These technologies represent foundational concepts for how you interact with AWS and AWS services. Once completed, you will have learned about:

• The basic security boundary, an AWS account, and the "root user account" associated with each AWS account.
• The Identity and Access Management (IAM) infrastructure inherent to using AWS.
• What is an AWS "region" and why that matters when you interact with AWS services.
• How AWS Organizations can streamline operations through central management of multiple/many AWS accounts.
• What is a "Virtual Private Cloud" and why you will almost inevitably need one (or many) when using AWS.

This information will help you become familiar with core AWS services and features. Using this information, you will be better prepared to understand and troubleshoot new challenges as they arise in your cloud journey.

AWS Account

An AWS account is a container for your AWS resources. AWS accounts are designated by a 12-digit number (e.g., 123456789012), known as an Account ID. Each AWS Account ID is unique and can never be reused (opens in new tab). AWS also notes that an account is also a security boundary (opens in new tab) in association with AWS Identity and Access Management (IAM). Learning AWS IAM is an entire module by itself, but it is key to understand that AWS IAM or root user credentials are the only way to access the AWS control plane. Even when using Single Sign-On (SSO) and third-party identity providers such as AzureAD or Okta, the permissions are granted to an AWS IAM user (opens in new tab) or role (opens in new tab).

AWS Account Root User

To sign up for an AWS account, AWS users provide a root user (opens in new tab) e-mail address. An e-mail address can only be used as the root user e-mail address for one AWS account. The root user is considered an IAM "superuser" and has complete administrative permissions against the AWS account. Generally, AWS customers are recommended not to use the AWS account root user credentials unless performing a task that only the root user can perform (opens in new tab).

By default, root users do not have multi-factor authentication (MFA) enforced. Furthermore, root accounts that do not have MFA enabled or a phone number set are susceptible to a weak password reset workflow attack. This is commonly the case for AWS accounts created automatically using the AWS Organizations service, which we will discuss in another room.

If an attacker gains control of the e-mail inbox for an AWS root user without MFA or a phone number on the account, the attacker will be able to send a password reset e-mail and complete a takeover of the targeted AWS account. If you have access to an e-mail inbox or are looking to target e-mail addresses as potential root users, you can use tools like Quiet Riot (opens in new tab) to enumerate valid root user e-mail addresses.

Defining AWS IAM

AWS Identity and Access Management (IAM) specifically means the capabilities and features of the IAM engine and service of AWS - this is the underlying system built by AWS to determine how IAM principals (opens in new tab) are granted access to specific services, resources, and capabilities in AWS. Essentially, IAM principals are the identities that AWS recognizes as having privileges in relation to AWS resources in the AWS IAM engine. You can use the following policy evaluation logic (opens in new tab) from AWS to determine whether and what type of access an AWS IAM principal has to a specific AWS service and resource (the policy evaluation logic image starts with an implicit deny):

IAM Roles

AWS IAM roles are AWS principals that have permissions in relation to AWS services and resources. AWS IAM roles are notable because of a feature known as "assume-role", or "switch-role". These terms mean that other identities recognized by AWS IAM are allowed to gain the privileges of a particular IAM role. Which identities are allowed to assume or switch to a role is determined by what is known as the "assume-role trust policy" that is attached to each IAM role. Below is an example of an assume-role trust policy:

"Version": "2012-10-17",
"Statement": [
   {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/maintenance-role"
       },
      "Action": "sts:AssumeRole",
      "Condition": {}
   }
 ]
}

In the above example, the role "maintenance-role" in AWS account "111111111111" would be able to assume the specified role. However, numerous types of an AWS IAM principal can be specified in an assume-role policy, including federated identities.

Federated Identities and Identity Providers

AWS IAM supports the use of Security Assertion Markup Language 2.0 (SAML 2.0) and Open ID Connect (OIDC) to federate identities from third-party Identity Providers (IdPs), such as Azure Active Directory (AAD), Ping Identity, Okta, Facebook, and any other SAML 2.0 or OIDC provider. This means that identities registered with these third-party providers can be provisioned access to AWS IAM roles with specific privileges inside of AWS accounts. In 2017, AWS furthered this integration with AWS Organizations and IAM Identity Center (successor to AWS Single Sign-On (SSO)).

IAM Identity Center

AWS Identity Center allows organizations to provision access across AWS accounts and applications hosted as part of an AWS Organization. Inside an AWS Organization, AWS Identity Center will allow customers to provision third-party IdP access to specific "permission sets" in a single AWS account, an Organizational Unit (OU), or Organization Root. Furthermore, using capabilities such as System for Cross-domain Identity Management (SCIM 2.0), AWS customers can automatically update which permission sets a user has based on user attributes or group membership in the originating IdP. This means that organizations can seamlessly manage access to AWS from the source IdP without the manual overhead associated with IAM provisioning.

Note: This task is only meant to explain the basics of AWS IAM - please see the room dedicated to AWS IAM for an in-depth look at these technologies.

Global vs. Regional Service

AWS services are considered either global or regional. A global service means that the service supports a central control plane (opens in new tab) and data plane (opens in new tab) (management APIs) that does not resolve to a specific AWS region. Whereas with a regional service, the control plane and associated data plane resolve to a specific region where AWS data centers are housed geographically. For instance, US-East-1 resolves to Northern Virginia data centers in the United States. This is a valuable concept for organizations with data sovereignty requirements, but it also serves as a redundancy capability for organizations that architect "multi-region" workloads. You can find a list of all "regional" AWS services here (opens in new tab).

Notable Global Services

There are a few notable services that you should be aware of that are "global" services: 

• CloudFront - Content Delivery Network; CloudFront allows AWS customers to expose resources to the public internet.
• Route 53 - Domain Registrar and DNS Provider; Route 53 also allows AWS customers to expose resources to the public internet.
• Organizations - AWS Organizations itself is a "global" service.
• IAM - The Access and Authorization service for AWS; IAM determines what services and resources customer identities can access.

AWS also has a service known as the Security Token Service (STS) - STS is a key service to understanding AWS security as it allows AWS and third-party identities to retrieve temporary access credentials. Uniquely, STS is both a Global and Regional service. This means that STS has both global API endpoints and regional API endpoints. Though it is counterintuitive, STS tokens vended from a regional endpoint are valid in all AWS regions, whereas tokens vended from the global endpoints are only valid in regions enabled by default.

In a similar case - the "namespace" for S3 buckets is global. This means that once a bucket name is registered, there can be no other bucket across AWS with the same name. However, S3 buckets are stored regionally (opens in new tab) in multiple availability zones depending on the storage class (opens in new tab) selected for the bucket.

Default Regions

Until 2017, all AWS customers had a default region of US-EAST-1. This means, for longstanding AWS customers, that AWS assumes the customer identities are using US-EAST-1 unless another region is explicitly declared. Over time, this caused a disproportionate amount of AWS customer resources to be deployed in US-EAST-1. Since 2017, US-EAST-2 (Ohio) or US-WEST-2 (Oregon) are the default regions for new accounts.

Beyond having a default region for provisioning resources, certain AWS regions are disabled for customer use by default. These regions are (at the time of writing):

• Africa (Cape Town)
• Asia Pacific (Hong Kong)
• Asia Pacific (Hyderabad)
• Asia Pacific (Jakarta)
• Asia Pacific (Melbourne)
• Europe (Milan)
• Europe (Spain)
• Europe (Zurich)
• Middle East (Bahrain)
• Middle East (UAE)

These regions are not accessible using STS global API endpoint credentials. As an AWS customer, if you want to use one of these regions to deploy resources, you will need to manually enable the associated region (opens in new tab) and use a regional STS API endpoint to retrieve credentials.

2017 — Beginnings of AWS Organizations

AWS had been around for a decade with only the concept of an "account" to centralize management of a company's AWS resources. For large organizations, managing everything in one account was challenging and inflexible. Furthermore, managing each team or department in separate accounts didn't scale well. So in 2017, AWS decided to introduce the AWS "Organizations" service. AWS Organizations allows AWS customers to centralize and standardize key AWS security and operational management capabilities.

A key value of AWS Organizations is the concept of workload segmentation. By collecting accounts under an AWS Organization, AWS customers can track various AWS accounts while segmenting individual workloads (e.g., applications, networking infrastructure, etc.) into individual accounts, each with a separate security boundary. Gone are the days of putting all resources in one account.

Organizational Roots, Organization Units, and Accounts

Inside an AWS Organization, all AWS accounts are collected in a "parent container" known as an Organization Root. The hierarchy in the below image can be summarized as follows:

• An Organizational Unit (OU) is a sub-container under an Organization Root that may include multiple AWS accounts.
• An OU can contain other nested OUs (see Infrastructure OU and Security OU).
• An OU can contain one or more AWS accounts (see Network, Shared Service, Security, Log Archive, and the Tenant-x AWS accounts).
• An AWS account can contain one or more User accounts.

Organization Management Account

AWS Organization Management accounts are the primary account associated with any specific AWS Organization. Inside each Organization Management account are a set of roles (opens in new tab) that can be used to access any account in the Organization. By default, this role is named "OrganizationAccountAccessRole" and has full administrative permissions against the associated child account. Using the Management Console to "switch-role" or the AWS CLI to "assume-role", any IAM principal with privileges to assume these roles may be able to perform administrative activities across the Organization.

The Organization Management account is intended to host Organization-wide logging using a CloudTrail Organization Trail (opens in new tab), which allows AWS administrators to monitor control plane activities in AWS. AWS Organization Accounts also host Single Sign-On (SSO) configurations to manage Identity Provider (IdP) (e.g., Active Directory/Azure Active Directory/Okta/Ping Identity/etc.) integrations. Enterprises and other organizations use the AWS IAM Identity Center to access child account roles and AWS hosted applications across an AWS Organization using the integrated IdP credentials and authentication processes.

Organization Policies

AWS Organization Policies, such as Service Control Policies (SCPs), allow AWS customers to place restrictions on each child account in an AWS organization. SCPs specifically allow AWS customers to place highly customized security and access restrictions on the Organization Root, OUs, or individual accounts. By default, AWS Organizations attaches an SCP named "p-full-access" to each account, which allows subscription to all AWS services. Each Root, OU, and Child Account can have up to five (5) SCPs attached, and these policies allow restrictions (opens in new tab) such as:

• Allow only approved services (opens in new tab)
• Deny root user access (opens in new tab)
• Require the use of IMDSv2 (opens in new tab)
• Deny ability to create IAM access keys (opens in new tab)
• Region restriction enforcement (opens in new tab)
• Deny ability to leave Organization (opens in new tab)
• Deny ability to make a VPC accessible from the Internet that isn’t alread (opens in new tab)y (opens in new tab)

Notably, Organization Policies do not apply to the Organization Management account. This means that for IAM users and roles in the Organization Management account, SCP restrictions are not effective.

Other AWS Organizations Capabilities

AWS Organizations has a number of other capabilities that allow for centralized service management for Organizations-managed accounts. You can use the following services with AWS Organizations to manage configurations of child accounts:

• AWS Account Management - Manage contact information related to accounts.
• AWS Artifact - Accept legal/contractual agreements on behalf of accounts.
• AWS Audit Manager - Automated evidence collection for audit activities.
• AWS Backup - Centralize management and monitoring of backups and backup plans for accounts.
• AWS CloudTrail - Centralize logging of AWS "control plane" activity.
• Amazon CloudWatch Events - Share monitoring event data across accounts.
• AWS Compute Optimizer - Identify opportunities to improve compute efficiency based on AWS recommendations, across accounts.
• AWS Config - Aggregate and analyze asset (resource) configuration data across accounts. Enforce configuration requirements across accounts.
• AWS Control Tower - Automate governance and provisioning of accounts in association with AWS Organizations.
• AWS Directory Services - Provision/integrate Active Directory domains with accounts.
• AWS Firewall Manager - Centrally manage configurations of AWS Web Application Firewall (WAF) rules across accounts.
• Amazon GuardDuty - Automates detection and response to security incidents across accounts.
• AWS Health - Centralized visibility into potential health events related to AWS resource performance and availability.
• AWS IAM Access Analyzer - Analyze resource-based policies to determine what external accounts/principals may be trusted across accounts.
• AWS IAM Identity Center - Allows customers to configure a third-party Identity Provider (IdP) or use AWS IAM Identity Center to provision access centrally.
• AWS License Manager - Centralize management of third-party software licensing.
• Amazon Macie - Data identification and classification across accounts.
• AWS Resource Access Manager - Share data resources across accounts.
• AWS Security Hub - Check Organization-managed accounts for security compliance configurations related to governance standards.
• AWS Service Catalog - Share and manage IT service capabilities (AWS resources) across accounts.
• AWS Systems Manager - Manage and monitor Virtual Machines (VMs) across accounts.
• AWS Trusted Advisor - AWS automated best practices analysis across accounts.
• Amazon VPC IP Address Manager (IPAM) - plan, track, and monitor IP addresses accessing VPC-bound resources.

As there are so many different capabilities, we will not go into detail regarding the specifics of each service. However, it is important to understand, as both a defender and attacker, the native security tools AWS offers and how they impact the attack lifecycle when implemented.

VPC Components

At the core, a Virtual Private Cloud, or VPC, is a software-defined network topology that represents AWS's "traditional" network infrastructure offering for customers. VPCs allow AWS users to restrict the connectivity to sensitive resources designed to be isolated or segmented from other workloads, and critically, from the public internet. The following networking components are commonly found in AWS customer VPCs:

• Internet gateway - allows communication between the VPC and the internet.
• Egress-only internet gateway - allows an IPv6 IP address to initiate outbound connections to the internet, but restricts inbound.
• Carrier gateways - to establish direct communication with telecommunications carrier networks.
• NAT gateways - Network Address Translation service (NAT) gateways allow private subnets to connect to services outside of the VPC.
• DHCP - by default, all EC2 instances (VMs) in a non-default VPC receive an unresolvable host name assigned by AWS. This can be updated to leverage custom domains. 
• DNS - by default, AWS provides DNS resolution to VPCs via the Route 53 Resolver, a global AWS DNS service.
• Public and Elastic IP addressing - AWS maintains over 100 million public IPv4 IP addresses. Many of these addresses can be assigned by customers to specific resources. When using a Public IP address (opens in new tab) (AWS term), if the associated EC2 instance is stopped, the IP address will be reallocated to AWS, and a new IP address will be assigned if the public EC2 instance is ever restarted. However, with an Elastic IP address, the IP address is allocated to an AWS account ongoing and can be assigned to arbitrary resources as the customer chooses.

Default VPC Service Capabilities

Beyond the common components found in AWS VPCs, certain service capabilities are configured by default in any AWS VPC using link-local addresses, which are only valid in the local network segment. While these service capabilities are enabled by default, AWS users can configure and disable the following services:

• DNS Resolver - found at 169.254.169.253 in each VPC; this is the Route 53 Resolver discussed above. AWS customers can disable this service and implement their own DNS server.
• Amazon Time Sync Service (using Network Time Protocol (NTP)) - found at 169.254.169.123 in each VPC; this service performs time synchronization for compute instances.
• Microsoft KMS Service - found at 169.254.169.250 and 251 (opens in new tab); this service allows AWS customers running Windows to activate Windows licensing via Microsoft KMS (opens in new tab), without having to connect to the internet.
• EC2 Instance Metadata Service - found at 169.254.169.254 in each VPC and abbreviated as IMDS, this capability allows EC2 instances to retrieve information (opens in new tab) about the instance performing the query, including data from startup scripts, network interfaces, and potentially, instance metadata credentials that were famously used (opens in new tab) for privilege escalation in the 2019 CapitalOne breach.
• ECS Task Metadata Service - found at 169.254.170.2; if a customer is using Elastic Container Service (ECS) to provision infrastructure, this metadata endpoint is used similarly to the EC2 Instance Metadata Endpoint.

VPC Endpoints

VPC Endpoints allow AWS customers to integrate specific AWS services with their VPC without requiring customers to use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection (opens in new tab). Interface VPC endpoints allow customers to integrate eligible AWS services (opens in new tab) using AWS PrivateLink, a service designed to allow such connectivity without exposing the connection to the internet (opens in new tab). Gateway Load Balancer endpoints can be used for traffic interception and associated inspection (opens in new tab).

Note: This task is only meant to explain the basics of VPCs - please see the room dedicated to VPCs for an in-depth look at these technologies.

In this room, you have learned about core AWS services and features. These capabilities are defining features of AWS as a user and attacker. You should understand the following concepts:

• How AWS "accounts" and "root users" relate to AWS security at a basic level.
• What AWS IAM is, and some of the key features you will encounter with IAM.
• How most services are regional and the difference between a "regional" and a "global" service.
• The wide variety of AWS services that can be centrally deployed/managed using AWS Organizations.
• How software-defined networking allows AWS accounts to create and interact with network-bound resources in VPCs.

You may never log in as a "root user" if you don't have your own AWS account, but you will encounter these concepts while working with AWS.