AWS - Part 5

Amazon CloudWatch Metrics

  1. Provides metrics for every service in AWS
  2. A metric is a variable to monitor (CPU, RAM and so on)
  3. A dimension is an attribute of a metric (instance id, environment etc.)
  4. Up to 30 dimensions per metric
  5. Create dashboards

Cloudwatch Logs

  1. Log Groups - Arbitrary name, usually representing a service or application
  2. Log Streams - A stream of log events from a specific source within a log group
  3. Can define log expiration policies
  4. Logs are encrypted by default

CloudWatch Logs Agent (legacy)

Used to collect and push log files to CloudWatch Logs. Supports logs only.

CloudWatch Unified Agent

Newer agent that can send both logs and system metrics (CPU, memory, disk) to CloudWatch. Recommended over the old logs agent.

Cloudtrail

Used to track and record API activity in an AWS account for auditing, security monitoring, and troubleshooting.

CloudTrail records all API calls made in AWS, whether from the AWS Console, CLI, SDKs, or services. It logs details such as who performed the action, when it happened, and from where. These logs are typically stored in S3 and help with security auditing and compliance.
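To make the "who, when and from where" fields concrete, here is an added example (not part of the original notes) that parses a constructed CloudTrail log file with Python's standard library and flags API calls that would weaken the audit trail. The account id, user names, trail ARN and IP addresses are made up; StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors are real CloudTrail action names, but the decision to watch those four is this example's own.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
# Account id, ARNs, trail name and IP addresses are made up for the example.
SAMPLE_TRAIL_FILE = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/alice",
                             "userName": "alice"},
            "eventTime": "2024-05-01T10:15:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/bob",
                             "userName": "bob"},
            "eventTime": "2024-05-01T10:20:30Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "requestParameters": {
                "name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
        },
    ]
})

# CloudTrail API calls that stop, delete or reconfigure a trail. These are real
# CloudTrail action names; watching exactly these four is this example's choice.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_trail_file(text: str) -> list:
    """Reduce each CloudTrail record to its who / what / when / where fields."""
    events = []
    for rec in json.loads(text)["Records"]:
        events.append({
            "who": rec["userIdentity"].get("arn", rec["userIdentity"].get("type")),
            "what": f'{rec["eventSource"]}:{rec["eventName"]}',
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "where": rec.get("sourceIPAddress", "unknown"),
            "region": rec.get("awsRegion", "unknown"),
            "source": rec["eventSource"],
            "name": rec["eventName"],
            "params": rec.get("requestParameters", {}),
        })
    return events


def find_logging_tampering(events: list) -> list:
    """Return the events that stop, delete or reconfigure a CloudTrail trail."""
    return [e for e in events
            if e["source"] == "cloudtrail.amazonaws.com"
            and e["name"] in LOGGING_TAMPER_EVENTS]


if __name__ == "__main__":
    for e in find_logging_tampering(parse_trail_file(SAMPLE_TRAIL_FILE)):
        print(f'{e["when"].isoformat()} {e["who"]} called {e["what"]} '
              f'from {e["where"]} in {e["region"]} on {e["params"].get("name")}')
```

Real trails deliver gzip-compressed files of this shape to S3; the same parser applies once the file is decompressed, and the flagged events are the ones an SCP such as "prevent users from disabling CloudTrail" is meant to make impossible in the first place.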

AWS Config

Used to track and monitor configuration changes of AWS resources for auditing and compliance.

AWS Config records the configuration state of AWS resources (like EC2, S3, IAM) and keeps a history of changes over time. It helps detect configuration drift, evaluate resources against compliance rules, and troubleshoot issues by seeing what changed and when.

AWS Organizations

Motivation
Used to centrally manage multiple AWS accounts with consolidated billing, governance, and security policies.

AWS Organizations allows you to manage multiple AWS accounts from a single management account. It helps structure accounts into logical groups called Organizational Units (OUs) and apply policies across them. This is useful for separating environments like dev, staging, and production, while still maintaining centralized control.

One key feature is consolidated billing, where all accounts in the organization share a single payment method, but usage is still tracked per account. This helps organizations manage costs more easily.

AWS Organizations also provides Service Control Policies (SCPs), which define the maximum permissions available to accounts in the organization. SCPs do not grant permissions themselves but act as guardrails to restrict what actions accounts can perform.

It is commonly used in companies to implement a multi-account strategy, improve security isolation, and enforce organization-wide policies.

Key Concepts

Management Account
The primary account that creates and manages the organization.

Member Accounts
Individual AWS accounts that are part of the organization.

Organizational Units (OUs)
Logical groups of accounts used to organize accounts and apply policies.

Service Control Policies (SCPs)
Policies that define the maximum permissions allowed for accounts within the organization.

Consolidated Billing
Combines billing for all accounts into a single bill while keeping usage separated per account.

Service Control Policies (SCPs)

Motivation
Used to set permission guardrails across AWS accounts in an organization.

Service Control Policies (SCPs) are policies in AWS Organizations that define the maximum permissions available to accounts within the organization or within specific Organizational Units (OUs). They help enforce security and governance by restricting what actions accounts can perform.

SCPs do not grant permissions by themselves. Instead, they act as a filter on IAM permissions. Even if an IAM user or role has permission through an IAM policy, the action will still be denied if the SCP does not allow it.

SCPs can be attached to:

  • The root of the organization
  • Organizational Units (OUs)
  • Individual member accounts

Policies applied at higher levels (like root or OU) are inherited by all accounts under them.

Example Use Cases

  • Prevent users from disabling CloudTrail
  • Restrict resource creation to specific AWS regions
  • Block certain services like EC2 or RDS
  • Enforce organization-wide security rules

CIDR

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing packets more efficiently than the traditional class-based system (A, B, C). It uses a compact notation, an IP address followed by a slash and a prefix length (e.g., 192.168.1.0/24), to define how many leading bits make up the network, allowing flexible subnet sizes.

Subnet Mask

The prefix length defines how many leading bits of the address are fixed (the network part); the remaining bits are the ones that can change across hosts in that network. Examples: /0, /24, /32, /31.

  /32 -> 11111111.11111111.11111111.11111111 -> 2^0  -> 1 IP possible
  /27 -> 11111111.11111111.11111111.11100000 -> 2^5  -> 32 IPs possible
  /0  -> 00000000.00000000.00000000.00000000 -> 2^32 -> Entire IPv4 range

Private IP

Private IP addresses are reserved for internal use within a network and are not routable on the public internet. They are typically used for internal services, virtual machines, and devices that do not need direct internet access. Their ranges are:

  • 10.0.0.0/8
  • 172.16.0.0/12 -> the range the AWS default VPC's CIDR falls in
  • 192.168.0.0/16

Default VPC

  1. All new AWS accounts have a default VPC.
  2. New EC2 instances are launched into the default VPC if no subnet is specified.
  3. The default VPC has internet access enabled by default.
  4. Instances also get public and private IPv4 DNS names.
  5. You can have multiple VPCs in an AWS region.
  6. A VPC can have at most 5 CIDR blocks, i.e. 1 primary CIDR block + up to 4 secondary CIDR blocks.

Example:

Primary CIDR

  • 10.0.0.0/16

Secondary CIDRs

  • 10.1.0.0/16
  • 10.2.0.0/16
  • 10.3.0.0/16
  • 10.4.0.0/16

Q. Can a VPC exist inside another VPC? A. No

AWS reserves 5 IP addresses in each subnet for internal use (e.g., broadcast, network, and loopback addresses).
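The subnet-mask arithmetic, the private ranges and the VPC CIDR rules above can all be checked with Python's standard ipaddress module. The following is an added example, not code from the original notes; the RFC 1918 ranges, the 5 reserved addresses per subnet and the 1 + 4 CIDR limit come from the notes, and the overlap check goes one step beyond them (two CIDR blocks of the same VPC must not overlap).

```python
import ipaddress

# RFC 1918 private ranges, as listed in the notes
PRIVATE_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5     # addresses AWS reserves in every subnet
MAX_SECONDARY_CIDRS = 4         # 1 primary + up to 4 secondary blocks per VPC


def prefix_to_mask(prefix: int) -> str:
    """Dotted-binary subnet mask, e.g. 27 -> 11111111.11111111.11111111.11100000"""
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    return ".".join(f"{octet:08b}" for octet in mask.packed)


def address_count(prefix: int) -> int:
    """Number of IPv4 addresses covered by a prefix: 2^(32 - prefix)."""
    return 2 ** (32 - prefix)


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an AWS subnet can actually hand out: total minus the 5 reserved."""
    net = ipaddress.ip_network(subnet_cidr)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def is_private(cidr: str) -> bool:
    """True if the block lies entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def validate_vpc_cidrs(primary: str, secondaries: list) -> list:
    """Check a VPC's CIDR layout; returns a list of problems (empty means OK).

    Enforces the 1 + 4 block limit from the notes and, going one step further,
    that no two blocks of the same VPC overlap."""
    problems = []
    if len(secondaries) > MAX_SECONDARY_CIDRS:
        problems.append(f"{len(secondaries)} secondary CIDRs exceeds the limit of {MAX_SECONDARY_CIDRS}")
    blocks = [ipaddress.ip_network(primary)] + [ipaddress.ip_network(s) for s in secondaries]
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for p in (0, 24, 27, 31, 32):
        print(f"/{p:<2} {prefix_to_mask(p)}  {address_count(p)} addresses")
    print("usable hosts in 10.0.1.0/24:", usable_hosts("10.0.1.0/24"))
    print("172.31.0.0/16 private?", is_private("172.31.0.0/16"))
    print(validate_vpc_cidrs("10.0.0.0/16",
                             ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]))
    print(validate_vpc_cidrs("10.0.0.0/16", ["10.0.1.0/24"]))
```

The primary/secondary layout from the notes (10.0.0.0/16 plus 10.1.0.0/16 to 10.4.0.0/16) passes cleanly; a secondary block carved out of the primary, or a fifth secondary, is reported as a problem.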

Internet Gateway

  1. Allows resources (e.g. EC2 instances) in a VPC to connect to the internet
  2. Scales horizontally and is highly available and redundant
  3. One VPC can be attached to one IGW only
  4. The route table needs to be edited (a route pointing to the IGW)

Route Tables

A Route Table is attached (associated) to a subnet and defines how traffic from that subnet is routed.

  • Each subnet must be associated with a route table
  • If not explicitly associated, it uses the main route table of the VPC
  • The route table contains routes (destination + target)
  • A target in a route table is the next hop resource that handles the traffic, not the subnet itself.

Example:

  Destination    Target
  10.0.1.0/16    local
  0.0.0.0/0      igw-12345

  1. User types webapp-A.com in browser
  2. DNS says → “that’s 54.12.34.56” (public IP)
  3. Packet travels over internet → reaches IGW
  4. IGW says → “54.12.34.56 belongs to instance in Subnet A” translates to private IP 10.0.1.50
  5. Packet reaches Subnet A → NACL checks “allowed?”
  6. Packet reaches Instance → Security Group checks “allowed?”
  7. Instance responds back → same path in reverse
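A route table picks the target with the longest matching prefix, which is why the local route wins for 10.0.1.50 while everything else falls through to 0.0.0.0/0. The lookup below is an added example written for these notes, not AWS code: it loads the table above plus two constructed tables (a private subnet that reaches a peered VPC and the internet via a NAT gateway, and an isolated subnet) and resolves the next hop for a destination address. The pcx-0example and nat-0example ids are placeholders.

```python
import ipaddress


def build_route_table(routes):
    """routes: list of (destination CIDR, target). Sorted by prefix length,
    longest first, so the first matching entry is the most specific route."""
    table = []
    for dest, target in routes:
        # strict=False normalizes entries like the notes' 10.0.1.0/16 to 10.0.0.0/16
        table.append((ipaddress.ip_network(dest, strict=False), target))
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def next_hop(table, dst_ip: str):
    """Return the target that handles traffic to dst_ip, or None if no route matches (dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    for net, target in table:
        if ip in net:
            return target
    return None


# The table from the notes: VPC-local traffic plus a default route to the IGW
PUBLIC_SUBNET_RT = build_route_table([
    ("10.0.1.0/16", "local"),
    ("0.0.0.0/0", "igw-12345"),
])

# Constructed: a private subnet that reaches a peered VPC directly and the
# internet only through a NAT gateway (ids are placeholders)
PRIVATE_SUBNET_RT = build_route_table([
    ("10.0.0.0/16", "local"),
    ("10.20.0.0/16", "pcx-0example"),
    ("0.0.0.0/0", "nat-0example"),
])

# Constructed: an isolated subnet with only the local route, so no internet path at all
ISOLATED_SUBNET_RT = build_route_table([("10.0.0.0/16", "local")])


def trace(table, dst_ip: str) -> str:
    target = next_hop(table, dst_ip)
    return f"{dst_ip} -> {target if target else 'no route (dropped)'}"


if __name__ == "__main__":
    for ip in ("10.0.1.50", "54.12.34.56"):
        print("public  :", trace(PUBLIC_SUBNET_RT, ip))
    for ip in ("10.0.1.50", "10.20.3.4", "8.8.8.8"):
        print("private :", trace(PRIVATE_SUBNET_RT, ip))
    print("isolated:", trace(ISOLATED_SUBNET_RT, "8.8.8.8"))
```

Removing the 0.0.0.0/0 entry is exactly what turns a subnet "private": the instance still answers VPC-local traffic but has no path to or from the internet, regardless of any security group setting.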

NAT Gateway

A NAT Gateway allows resources in a private subnet to connect to the internet without exposing their private IP addresses.

Security Groups and NACLs

Security Groups are stateful firewall rules that control inbound and outbound traffic at the instance level.

NACLs (Network Access Control Lists) are stateless firewall rules that control inbound and outbound traffic at the subnet level.

Ephemeral Ports

Ephemeral ports are temporary ports used for outbound connections. They are automatically allocated by the operating system when a process needs to make a connection to a remote host. Port Range - 32768 to 65535
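The practical consequence of "stateless" is that a NACL must explicitly allow the return traffic, which arrives on an ephemeral port, while a stateful security group remembers the connection and lets the reply in on its own. The simulation below is an added example for these notes, not AWS code: it models a NACL as an ordered rule list with an implicit final deny and a security group as allow-only rules with connection tracking, then replays an instance making an outbound HTTPS request through each. The rule numbers and the NACL contents are constructed.

```python
from dataclasses import dataclass

EPHEMERAL_PORTS = (32768, 65535)   # replies to outbound connections land in this range


@dataclass
class NaclRule:
    number: int        # rules are evaluated in ascending number order
    direction: str     # "inbound" or "outbound"
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


class NetworkAcl:
    """Stateless: every packet, including the reply to a connection the subnet
    itself opened, is matched against the rules; the first match wins and a
    packet matching nothing is denied (the implicit final deny rule)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, direction: str, dst_port: int) -> bool:
        for r in self.rules:
            if r.direction == direction and r.port_from <= dst_port <= r.port_to:
                return r.action == "allow"
        return False


class SecurityGroup:
    """Stateful: allow-only rules plus connection tracking, so the reply to a
    permitted outbound connection is accepted without any inbound rule."""

    def __init__(self, inbound_ports, outbound_ports):
        self.inbound = set(inbound_ports)
        self.outbound = set(outbound_ports)   # may contain "*" for all ports
        self.tracked = set()                  # (remote_port, local_port) of open connections

    def permits_outbound(self, local_port: int, remote_port: int) -> bool:
        if remote_port in self.outbound or "*" in self.outbound:
            self.tracked.add((remote_port, local_port))
            return True
        return False

    def permits_inbound(self, local_port: int, remote_port: int) -> bool:
        if (remote_port, local_port) in self.tracked:
            return True       # reply to a connection this instance opened
        return local_port in self.inbound


def instance_fetches_https(nacl: NetworkAcl, sg: SecurityGroup, local_port: int = 40000):
    """An instance opens an outbound HTTPS connection from an ephemeral port and
    waits for the reply. Returns (request_allowed, reply_allowed)."""
    request_ok = nacl.permits("outbound", 443) and sg.permits_outbound(local_port, 443)
    if not request_ok:
        return (False, False)
    # The reply is an inbound packet whose destination port is the ephemeral source port
    reply_ok = nacl.permits("inbound", local_port) and sg.permits_inbound(local_port, 443)
    return (True, reply_ok)


# Constructed NACLs: the first forgets that replies come back on ephemeral ports
NACL_MISSING_EPHEMERAL = [NaclRule(100, "outbound", 443, 443, "allow")]
NACL_CORRECTED = [NaclRule(100, "outbound", 443, 443, "allow"),
                  NaclRule(100, "inbound", *EPHEMERAL_PORTS, "allow")]


if __name__ == "__main__":
    for label, rules in (("missing ephemeral rule", NACL_MISSING_EPHEMERAL),
                         ("with ephemeral rule", NACL_CORRECTED)):
        sg = SecurityGroup(inbound_ports=[80], outbound_ports=["*"])
        print(f"{label}: (request, reply) = {instance_fetches_https(NetworkAcl(rules), sg)}")
```

With the first NACL the request leaves but the reply is dropped at the subnet boundary, a symptom that looks like a hung connection rather than a clear denial; adding the inbound 32768-65535 allow rule fixes it, while the security group needed no change at all.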

VPC Peering

VPC Peering allows two VPCs to communicate privately over the AWS backbone network, without the need for public IP addresses. If there are 5 VPCs, each peered with every other VPC, there would be a total of 10 peering connections.

Transit Gateway

A Transit Gateway is a central network hub that connects multiple VPCs together. If there are 5 VPCs, each connected to a Transit Gateway, there would be a total of 5 connections. Much more maintainable than VPC Peering for large numbers of VPCs.

VPC Endpoints

  1. Every AWS service is publicly exposed (public URL)
  2. VPC Endpoints (powered by AWS PrivateLink) allow you to connect to AWS services over a private network instead of the public internet.

Motivation: Access AWS services privately from a VPC without going through the internet, NAT, or IGW.

VPC Flow Logs

VPC Flow Logs are logs that capture network traffic flowing through your VPC. They can be used to monitor and troubleshoot network issues.
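Flow logs are also a detection source: the kind of analysis GuardDuty later in these notes performs on them can be sketched in a few lines. The following added example (not part of the original notes) parses records in the default flow log format (version, account id, interface id, source and destination address and port, protocol, packets, bytes, start, end, action, log status), drops NODATA records, and flags a source address that was rejected on many distinct ports. The sample lines, account id and IP addresses are constructed.

```python
from collections import defaultdict

# VPC Flow Logs default (version 2) record format, one record per line:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: one external host probing several ports (all rejected), one
# legitimate HTTPS exchange in both directions, and a NODATA record. Made-up values.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.50 41000 22 6 1 44 1714557300 1714557360 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.50 41001 23 6 1 44 1714557300 1714557360 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.50 41002 445 6 1 44 1714557300 1714557360 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.50 41003 3389 6 1 44 1714557300 1714557360 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.50 41004 8080 6 1 44 1714557300 1714557360 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.50 52000 443 6 20 8000 1714557300 1714557360 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.50 203.0.113.10 443 52000 6 18 120000 1714557300 1714557360 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1714557300 1714557360 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """Parse default-format records; NODATA/SKIPDATA lines carry no traffic and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                          # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def rejected_ports_by_source(records) -> dict:
    """Distinct destination ports each source address was rejected on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return dict(ports)


def find_port_scanners(records, min_ports: int = 5) -> dict:
    """Sources rejected on at least min_ports distinct ports: a port-scan-like pattern."""
    return {src: len(p) for src, p in rejected_ports_by_source(records).items()
            if len(p) >= min_ports}


def bytes_per_conversation(records) -> dict:
    """Accepted bytes per (srcaddr, dstaddr) pair, for spotting unusually large transfers."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(recs)} records with traffic")
    print("port-scan candidates:", find_port_scanners(recs))
    print("bytes per conversation:", bytes_per_conversation(recs))
```

Because flow logs record accepted and rejected flows per network interface, the rejected side is where NACL and security group decisions become visible; a threshold on distinct rejected ports per source is a crude but useful first signal, and the byte totals per conversation give a baseline for noticing unexpected outbound volume.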

Site to site VPN

A Site-to-Site VPN creates an encrypted tunnel (IPsec) between your on-premises network and an AWS VPC over the public internet.

Direct Connect

AWS Direct Connect is a dedicated, private connection between your on-premises network and AWS. It provides a low-latency, high-bandwidth connection that is not subject to the public internet's congestion and security risks.


Organizations often keep some systems in their on-premises data center while moving other systems to AWS. They need a secure way to connect the on-prem network to the VPC so that servers in both networks can communicate privately.

Customer Gateway (CGW) and Virtual Private Gateway (VGW) are components used to build a Site-to-Site VPN between an on-premises network and an AWS VPC.

  • Customer Gateway (CGW) The router or firewall in the on-premises network that initiates the VPN tunnel. In AWS, a CGW resource represents this device and its public IP.

  • Virtual Private Gateway (VGW) The AWS VPN endpoint attached to a VPC. It receives encrypted traffic from the customer gateway and routes it to resources inside the VPC.

Typical Flow

On-prem servers → Customer Gateway → Encrypted VPN tunnel (IPsec over internet) → Virtual Private Gateway → VPC resources

AWS Network Firewall

Organizations running workloads inside a VPC often need centralized network security controls to inspect and filter traffic between subnets, VPCs, or the internet.

AWS Network Firewall is a managed network security service that inspects, filters, and blocks network traffic in a VPC based on rules.

How it works

Traffic → Firewall rules evaluation → Allow / Block / Alert → Destination

Capabilities

  • IP/Port rules
  • Protocol filtering
  • Stateful and stateless traffic filtering
  • Domain and IP blocking
  • Intrusion prevention rules
  • Centralized network security policy

IAM Policy Evaluation Logic

Explicit Deny > Explicit Allow > Implicit Allow

  1. Is there an explicit deny policy that matches the action and resource?
  2. If no, is there an explicit allow policy that matches the action and resource?
  3. If no, the action is allowed by default (implicit allow).
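The evaluation order above and the SCP filter described in the Service Control Policies section fit together in a small simulator. The following is an added example written for these notes, not AWS code: a policy document is checked statement by statement, an explicit deny wins over any allow, the SCPs are evaluated first as a filter, and only then does the identity's IAM policy decide. One caveat a practitioner should carry: in AWS's documented evaluation logic a request that matches neither an explicit deny nor an explicit allow is implicitly denied, and the simulator follows that documented behaviour. The policy documents, account id and trail ARN are constructed; condition support is limited to StringEquals/StringNotEquals, and SCPs from different OU levels are merged into one list rather than intersected level by level, which is a simplification of the real model.

```python
import fnmatch


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _condition_holds(condition: dict, context: dict) -> bool:
    """Minimal support for StringEquals / StringNotEquals, enough for region guardrails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def _statement_matches(st: dict, action: str, resource: str, context: dict) -> bool:
    action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(st.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st.get("Resource")))
    return action_ok and resource_ok and _condition_holds(st.get("Condition", {}), context)


def evaluate_policy(policy: dict, action: str, resource: str, context: dict = None) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one policy document."""
    context = context or {}
    outcome = "implicit_deny"          # documented default when nothing matches
    for st in policy["Statement"]:
        if _statement_matches(st, action, resource, context):
            if st["Effect"] == "Deny":
                return "explicit_deny"  # a deny wins over any allow
            outcome = "allow"
    return outcome


def _combine(policies) -> dict:
    return {"Statement": [st for p in policies for st in p["Statement"]]}


def is_authorized(identity_policy: dict, scps: list, action: str, resource: str,
                  context: dict = None) -> bool:
    """SCPs act as a filter: an explicit deny in any SCP blocks the action and at
    least one SCP must allow it (usually the default FullAWSAccess SCP). Only
    then does the IAM policy decide. Simplified: real evaluation intersects the
    SCPs level by level down the OU hierarchy."""
    if evaluate_policy(_combine(scps), action, resource, context) != "allow":
        return False
    return evaluate_policy(identity_policy, action, resource, context) == "allow"


# Constructed policies (account id and trail ARN are placeholders)
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                               "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# "Prevent users from disabling CloudTrail" as an SCP
PROTECT_CLOUDTRAIL_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*"}]}
# "Restrict resource creation to specific regions", simplified: production versions
# also exempt global services (IAM, Route 53, CloudFront) from the deny
REGION_SCP = {"Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"

if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS_SCP, PROTECT_CLOUDTRAIL_SCP, REGION_SCP]
    for action, res, ctx in (("cloudtrail:StopLogging", TRAIL, {"aws:RequestedRegion": "us-east-1"}),
                             ("ec2:RunInstances", "*", {"aws:RequestedRegion": "ap-south-1"}),
                             ("ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"})):
        print(action, ctx, "->", is_authorized(ADMIN_POLICY, scps, action, res, ctx))
```

The administrator with Allow * on everything still cannot stop the trail or launch in ap-south-1: the SCP denies are applied before the IAM policy is even consulted, which is what "guardrail, not permission grant" means in practice.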

Q. What is AWS shared responsibility model? A. AWS shared responsibility model is a framework that divides responsibility between AWS and customers. AWS is responsible for the security of the AWS infrastructure, while customers are responsible for the security of their own resources and configurations.

AWS WAF

Web applications exposed to the internet are vulnerable to attacks such as SQL injection, XSS, and bot traffic. A layer is needed to filter malicious HTTP requests before they reach the application.

AWS WAF (Web Application Firewall) protects web applications by filtering and monitoring HTTP/HTTPS requests based on configurable rules.

Client request → WAF rules evaluation → Allow / Block / Count → Application

Use Cases

  • Block SQL injection and XSS attacks
  • Filter malicious IPs or bots
  • Protect applications behind ALB, API Gateway, CloudFront

AWS Shield

Applications exposed to the internet may suffer from Distributed Denial of Service (DDoS) attacks that attempt to overwhelm resources.

AWS Shield is a managed service that protects AWS applications from DDoS attacks.

Types

Shield Standard

  1. Automatic protection
  2. Enabled for all AWS customers
  3. Protects services like CloudFront, Route 53, ALB

Shield Advanced

  1. Advanced detection and mitigation
  2. DDoS cost protection
  3. Access to AWS DDoS Response Team

AWS Firewall Manager

Motivation

Large organizations may have many AWS accounts and VPCs, making it difficult to manage security rules consistently.

Definition

AWS Firewall Manager is a service used to centrally manage firewall and security policies across multiple AWS accounts and resources.

How it works

Security policy → Applied across accounts/resources automatically

Use Cases

  • Manage WAF rules across many applications
  • Enforce security policies organization-wide
  • Manage Network Firewall and Shield policies centrally

AWS GuardDuty

Motivation

Cloud environments generate large amounts of logs. Detecting suspicious activity or security threats manually is difficult.

Definition

AWS GuardDuty is a threat detection service that continuously analyzes AWS logs to detect malicious activity and security risks.

Data Sources Analyzed

  • VPC Flow Logs
  • CloudTrail logs
  • DNS logs

Use Cases

  • Detect compromised EC2 instances
  • Identify unauthorized API calls
  • Detect crypto-mining or malware activity

AWS Inspector

Motivation

Applications and instances may contain software vulnerabilities or misconfigurations that attackers could exploit.

Definition

AWS Inspector is a service that automatically scans AWS workloads for security vulnerabilities and exposure risks.

What It Scans

  • EC2 instances
  • Container images (ECR)
  • Lambda functions

Use Cases

  • Identify software vulnerabilities
  • Detect unpatched packages
  • Improve security posture of workloads

This post is licensed under CC BY 4.0 by the author.