AWS: Implementing Zero-Trust Architecture
CyberPreacher Edition
A mid-sized company is transitioning to a Zero-Trust security model in AWS. Previously, they relied on perimeter security but lacked identity-based access controls, making them vulnerable to unauthorized access and insider threats. Their new Zero-Trust strategy focuses on:
- Verifying identities before granting access.
- Using IAM policies to enforce security.
- Monitoring and auditing access attempts.
- Protecting workloads with network segmentation and access control policies.
For all resources in this lab, we are using the AWS US-East-1 region.
Lab Objectives
In this AWS lab, you will complete the following exercises:
- Exercise 1: Enable AWS IAM Identity Center and Conditional Access.
- Exercise 2: Configure Multi-Factor Authentication (MFA) for users.
- Exercise 3: Implement VPC Network Segmentation and Private Access.
- Exercise 4: Monitor and Audit Access Logs.
Pre-exercise
Bulk Import of Users
Task 1: Bulk operations for creating users with a .csv file
- Navigate to AWS IAM Identity Center.
- Under Users, select Bulk Import.
- Download the CSV template and populate it with user details.
- Modify the file to add users in bulk. Ensure fields like username, display name, and initial password are filled.
- Upload the CSV file and submit the bulk creation request.
- Create a new IAM Group named Management and add the imported users.
Estimated Timing: 15 minutes
Task 1: Create Conditional Access Policies
- Navigate to AWS IAM Identity Center in the AWS Management Console.
- Under Access Management, select Policies.
- Click Create Policy, name it Zero-Trust Access Control.
- Configure the following settings:
- Users: Assign to a specific IAM group (e.g., Management).
- Conditions:
- Restrict access based on device type (Windows, iOS).
- Enforce sign-in risk levels (High, Medium).
- Actions:
- Require multi-factor authentication (MFA).
- Attach the policy to the Management IAM Group.
Estimated Timing: 10 minutes
Task 1: Enforce MFA through IAM Policies
- Navigate to AWS IAM.
- Under Access Management, select Users.
- Click on a user and go to Security Credentials.
- Enable MFA and require authentication via AWS MFA App or hardware token.
- Apply MFA enforcement to all users in the Management IAM Group.
Exercise 3: Implement VPC Network Segmentation and Private Access
Estimated Timing: 20 minutes
- Open AWS Management Console and navigate to Amazon VPC.
- Create a new VPC to segment workloads logically:
- Public Subnet: Allows external applications and necessary services.
- Private Subnet: Houses sensitive workloads like databases and internal services.
- Use VPC Peering or Transit Gateway to control inter-VPC communication.
Task 2: Apply Security Groups and NACLs
- Security Groups act as virtual firewalls for instances:
- Allow only necessary inbound/outbound traffic.
- Restrict access based on IP ranges and ports.
- Network ACLs (NACLs) provide additional subnet-level security:
- Define rules to block unauthorized traffic.
- Implement deny-by-default policies for Zero Trust enforcement.
Task 3: Implement AWS PrivateLink for Secure Access
- AWS PrivateLink ensures private connectivity to AWS services without exposing workloads to the internet.
- Steps to implement:
- Create a Private Endpoint for services like Amazon RDS, S3, or Lambda.
- Configure DNS resolution to route traffic through private endpoints.
- Ensure applications use private connections instead of public internet access.
Exercise 4: Monitor and Audit Access Logs
Estimated Timing: 15 minutes
Task 1: Enable AWS CloudTrail and AWS Config
- Navigate to AWS CloudTrail and enable logging for:
- Sign-in attempts.
- IAM policy changes.
- Network activity.
- Use AWS Config to track security compliance.
Task 2: Review Security Logs Using AWS CloudWatch
- Open AWS CloudWatch and run queries to detect anomalies:
SELECT * FROM cloudtrail_logs WHERE eventName = 'ConsoleLogin' AND riskLevel != 'None'
- Investigate suspicious login attempts and adjust policies accordingly.
Outcome
By following these steps, you successfully implemented a Zero-Trust Architecture in AWS, securing identity access and network traffic. The organization now has a robust identity-based security model, protecting against unauthorized access and insider threats.
Side Task: Once done, take a screenshot of the completed task and upload on LinkedIn including the Hashtag #cloudprojectwithcyberpreacher #CPwCP while sharing your experiences around the project.
Note: Ensure to delete every resources created during this project, to ensure cost management.