Event 6

Report: “AWS Cloud Mastery Series #3”

Event Purpose

This series was not just about individual services but a journey in System Thinking, helping to transition from traditional infrastructure management to a Cloud-Native Security model. The core objectives included:

  • Community Connection: Spreading the spirit of learning and skill development through AWS Cloud Clubs.
  • Governance Foundation: Managing scale with hundreds of AWS accounts while ensuring compliance.
  • Defense in Depth: Combining Identity, Network, and Data protection to eliminate Single Points of Failure.
  • Automated Response: Removing human latency from the incident response process.

Speakers List

  • Huynh Hoang Long, Dinh Le Hoang Anh - AWS Builders
  • Tran Duc Anh, Nguyen Tuan Thinh, Nguyen Do Thanh Dat - Cloud Engineer Trainee FCJ
  • Kha Van - Cloud Security Engineer, AWS Community Builders
  • Thinh Lam, Viet Nguyen - FCJer
  • Mendel Grabski (Long) - ex Head of Security & DevOps Cloud Security Solution Architect
  • Tinh Truong - AWS Builders, Platform Engineer at TymeX

Detailed Content

PART 1: KICK-OFF - AWS CLOUD CLUBS & OPPORTUNITIES

The journey began with the introduction of AWS Cloud Clubs, a place to nurture future Cloud talents.

1. Vision:

  • Empower students to explore and grow cloud computing skills.
  • Develop technical leadership and build global connections.

2. Core Benefits:

  • Build Skills: Learn through hands-on projects, access AWS exam vouchers and Udemy accounts.
  • Build Community: Connect with AWS experts and industry speakers.
  • Build Opportunities: Enhance personal portfolios, receive AWS credits, and get career support.

3. The Badging Journey:

  • Gamified development roadmap for Core Team members and Captains.
  • Levels ranging from Bronze, Silver, Gold, Platinum to Diamond.
  • Rewards: AWS Credits ($200+), Certification Vouchers, Exclusive Swag kits, and pre-approval for Student Community Day.

PART 2: IDENTITY & GOVERNANCE FOUNDATION

Security in the Cloud starts with controlling “Who can do what”.

1. Modern IAM Mindset:

  • Identity First: In the Cloud environment, Identity is the new firewall.
  • Credential Spectrum: Absolute shift from Long-term Credentials (Permanent Access Keys - high risk) to Short-term Credentials (STS tokens - secure, auto-expire).
  • Least Privilege: Apply minimum necessary permissions. Avoid using * in Policies unless absolutely necessary.

2. Governance at Scale with AWS Organizations:

  • Hierarchical Structure: Divide the organization into Organizational Units (OUs) like Security, Shared Services, Workloads (Prod/Dev) to isolate risks.
  • Service Control Policies (SCPs): This is the “Constitution” of the organization. SCPs establish Guardrails that block dangerous actions (e.g., prohibiting CloudTrail disablement, restricting Regions) that even Admin accounts cannot bypass.

PART 3: VISIBILITY & DETECTION

You cannot protect what you cannot see.

1. Amazon GuardDuty - Intelligent Scout:

  • Uses Machine Learning to detect anomalies from 3 foundational data sources: CloudTrail (management events), VPC Flow Logs (network traffic), and DNS Logs (domain queries).
  • Runtime Monitoring: Advanced feature that looks “deep” inside the operating system (via a lightweight Agent) to detect strange processes, file modifications, or privilege escalation behaviors.

2. AWS Security Hub - Command Center:

  • Solves the “alert fatigue” problem using ASFF (AWS Security Finding Format). It normalizes alerts from GuardDuty, Inspector, and Macie into a single JSON language.
  • Acts as a Cloud Security Posture Management (CSPM) tool, automatically checking if the system complies with CIS, PCI-DSS standards.

PART 4: NETWORK SECURITY

Building a “Digital Fortress” with a defense-in-depth strategy from the edge to the core.

1. Fundamental Controls (VPC Fundamentals):

  • Security Groups (Stateful): Apply Micro-segmentation. Instead of whitelisting IP addresses (which change easily), use Security Group Referencing (e.g., SG-DB only allows traffic from SG-App).
  • NACLs (Stateless): Act as a coarse filtering layer at the Subnet boundary, used to block blacklisted IPs or untrusted subnets.

2. Advanced Defense (Advanced Filtering):

  • DNS Firewall (Route 53 Resolver): Blocks connections to Command & Control (C2) servers right at the domain resolution step. This is a crucial choke point against malware (like the Mélofée case study).
  • AWS Network Firewall: Next-gen firewall with Deep Packet Inspection (DPI) capabilities.
    • Stateless Engine: Fast filtering based on 5-tuple (IP/Port).
    • Stateful Engine: Uses Suricata-compatible rules for Intrusion Prevention (IPS) and Domain filtering (FQDN) for Egress traffic.

3. Modern Network Architecture:

  • Uses AWS Transit Gateway with Native Network Firewall integration to simplify the network model, removing the complexity of routing through an “Inspection VPC”.
  • Applies Active Threat Defense: Automatically syncs malicious IP lists from GuardDuty to Network Firewall for immediate blocking without manual intervention.

PART 5: DATA PROTECTION

Data is the ultimate asset that must be protected by encryption.

1. Envelope Encryption:

  • Understanding the AWS KMS mechanism: Master Key (resides in HSM) encrypts the Data Key, and the Data Key is what encrypts the actual data. This mechanism ensures high performance and absolute security.

2. Secrets Management:

  • Problem: Hardcoding passwords in source code is a basic but common error.
  • Solution: Use AWS Secrets Manager for storage and, more importantly, Automatic Rotation of Database passwords using Lambda. Applications always retrieve the latest password via API.

3. Infrastructure Encryption:

  • Uses AWS Nitro System: Encryption tasks are offloaded to specialized hardware (Nitro Cards), enabling data encryption without compromising the host server’s CPU performance (Zero Performance Impact).

PART 6: INCIDENT RESPONSE

When defense layers are breached, the response process determines the extent of the damage.

1. Prevention Strategy (Sleep Better):

  • Golden Rules: Eliminate long-lived SSH/Keys, Block Public S3 access, Default to Private Subnets.
  • Infrastructure as Code (IaC): Mandate all infrastructure changes via Code (Terraform/CDK) and approval processes (PR Review), completely eliminating manual changes (ClickOps) that cause configuration drift.

2. Standard 5-Step Process:

  • Preparation: Have tools and Playbooks ready.
  • Detection: Rely on CloudTrail and GuardDuty.
  • Containment: “Jail” infected resources by changing Security Groups or revoking IAM permissions.
  • Eradication & Recovery: Remove malware, restore from clean backups.
  • Post-Incident: Learn lessons.

3. Automation is King:

  • Humans cannot race against machine speed. Hands-on labs demonstrated the necessity of using EventBridge + Lambda to automatically isolate compromised EC2 instances or auto-remediate public S3 buckets in seconds.

Conclusion

The “Cloud Security & Operations Mastery” series has provided a comprehensive overview of building secure systems on AWS through key pillars:

  • Governance & Identity: The foundation of every security system starts with strict user management and organizational policies.
  • Network & Monitoring: Establishing defense-in-depth layers and comprehensive visibility to detect potential threats.
  • Data & Response: Protecting digital assets with encryption and readying automated incident response processes to ensure service continuity.