AWS Security Services: Protecting Cloud Infrastructure

GuardDuty, WAF, Shield, KMS and the other key security services. Building a defense-in-depth system.

Defense in Depth

AWS security is built on the principle of multiple protective layers. Each service protects a different layer.

Layer         Service                    Protects
Edge          Shield, CloudFront         DDoS, CDN
Application   WAF                        SQL injection, XSS
Network       Security Groups, NACLs     Traffic filtering
Detection     GuardDuty, Security Hub    Threat detection
Data          KMS, Secrets Manager       Encryption, secrets

Amazon GuardDuty

A threat detection service that uses ML to detect anomalous activity.

Enabling GuardDuty with Terraform

# Enable GuardDuty
resource "aws_guardduty_detector" "main" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }

  finding_publishing_frequency = "FIFTEEN_MINUTES"

  tags = {
    Name = "${var.project_name}-guardduty"
  }
}

# SNS topic for notifications
resource "aws_sns_topic" "guardduty_alerts" {
  name = "${var.project_name}-guardduty-alerts"
}

# EventBridge can only publish to the topic if the topic's resource policy allows it;
# without this policy the rule below matches findings but every delivery fails
resource "aws_sns_topic_policy" "guardduty_alerts" {
  arn = aws_sns_topic.guardduty_alerts.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.guardduty_alerts.arn
    }]
  })
}

# CloudWatch Event (EventBridge) rule for GuardDuty findings
resource "aws_cloudwatch_event_rule" "guardduty" {
  name        = "${var.project_name}-guardduty-findings"
  description = "Capture GuardDuty findings"

  event_pattern = jsonencode({
    source      = ["aws.guardduty"]
    detail-type = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7] }]  # High severity only
    }
  })
}

resource "aws_cloudwatch_event_target" "sns" {
  rule      = aws_cloudwatch_event_rule.guardduty.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.guardduty_alerts.arn
}
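As an added example (not code from the original post), the following Python evaluates the same event pattern as the aws_cloudwatch_event_rule above against constructed GuardDuty finding events, so you can check which findings would reach the SNS topic. It implements only the subset of EventBridge matching the rule needs (exact-value lists and the numeric operator); the finding types and severities in the sample are constructed data.

```python
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}

# Same pattern as the Terraform event_pattern above: High/Critical findings only
GUARDDUTY_HIGH_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

def _match_value(value, candidates):
    """A leaf matches if value equals a candidate or satisfies a numeric clause."""
    for cand in candidates:
        if isinstance(cand, dict) and "numeric" in cand:
            ops = cand["numeric"]  # e.g. [">=", 7] or [">", 0, "<", 4]
            if isinstance(value, (int, float)) and all(
                    OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif cand == value:
            return True
    return False

def matches(pattern, event):
    """Every pattern key must exist in the event and match (AND semantics)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _match_value(event[key], expected):
            return False
    return True

def make_finding(severity, finding_type):
    """Constructed GuardDuty finding event with just the fields the rule inspects."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"severity": severity, "type": finding_type}}

def alerted(events):
    """Finding types that the rule would forward to the SNS topic."""
    return [e["detail"]["type"] for e in events if matches(GUARDDUTY_HIGH_PATTERN, e)]

if __name__ == "__main__":  # constructed sample findings
    sample = [make_finding(8.0, "UnauthorizedAccess:EC2/SSHBruteForce"),
              make_finding(5.0, "Recon:EC2/PortProbeUnprotectedPort")]
    print(alerted(sample))  # only the severity-8 finding is forwarded
```

Lowering the threshold to 4 in GUARDDUTY_HIGH_PATTERN would also forward Medium findings; the tradeoff is alert volume on the SNS subscribers.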

AWS WAF (Web Application Firewall)

Protects applications from common web exploits.

WAF with Terraform

# WAF Web ACL
resource "aws_wafv2_web_acl" "main" {
  name        = "${var.project_name}-waf"
  description = "WAF for ${var.project_name}"
  scope       = "REGIONAL"  # or CLOUDFRONT

  default_action {
    allow {}
  }

  # Rule 1: AWS Managed Rules - Common attacks
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSetMetric"
      sampled_requests_enabled   = true
    }
  }

  # Rule 2: SQL Injection protection
  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesSQLiRuleSetMetric"
      sampled_requests_enabled   = true
    }
  }

  # Rule 3: Rate limiting
  rule {
    name     = "RateLimitRule"
    priority = 3

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitRuleMetric"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.project_name}-waf"
    sampled_requests_enabled   = true
  }
}

# Associate the WAF with the ALB
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.main.arn
  web_acl_arn  = aws_wafv2_web_acl.main.arn
}
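The rate_based_statement above blocks a source IP once it exceeds 2000 requests within a 5-minute window. As an added example (not part of the original post), this Python models that counter over constructed traffic so the threshold can be reasoned about before deployment. It is an approximation: AWS WAF re-counts the trailing window periodically rather than on every request, so real blocking can lag by a short interval.

```python
from collections import defaultdict, deque

RATE_LIMIT = 2000      # same value as `limit` in the Terraform rule
WINDOW_SECONDS = 300   # rate-based rules count requests over a 5-minute window

def evaluate_rate_rule(requests, limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """requests: iterable of (epoch_seconds, client_ip) in arrival order.

    Returns {ip: timestamp at which the ip first exceeded the limit} for every
    IP that would be blocked by the rule; IPs that stay under the limit are absent."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the trailing window
    first_block = {}
    for ts, ip in requests:
        q = recent[ip]
        q.append(ts)
        # discard timestamps that have fallen out of the trailing window
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit and ip not in first_block:
            first_block[ip] = ts
    return first_block

def constructed_traffic():
    """Constructed sample (placeholder IPs): 10.0.0.5 sends 2500 requests in
    4 minutes; 10.0.0.9 sends 2500 spread over 15 minutes, so it never
    exceeds 2000 in any 5-minute window."""
    burst = [(t * 240 / 2500, "10.0.0.5") for t in range(2500)]
    steady = [(t * 900 / 2500, "10.0.0.9") for t in range(2500)]
    return sorted(burst + steady)

if __name__ == "__main__":
    print(evaluate_rate_rule(constructed_traffic()))  # only 10.0.0.5 is blocked
```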

AWS KMS (Key Management Service)

Manages the encryption keys used for data encryption.

KMS with Terraform

# Customer Managed Key
resource "aws_kms_key" "main" {
  description             = "KMS key for ${var.project_name}"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  multi_region            = false

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow use of the key"
        Effect = "Allow"
        Principal = {
          AWS = aws_iam_role.app.arn
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })

  tags = {
    Name = "${var.project_name}-key"
  }
}

resource "aws_kms_alias" "main" {
  name          = "alias/${var.project_name}"
  target_key_id = aws_kms_key.main.key_id
}

# Use the KMS key for S3
resource "aws_s3_bucket_server_side_encryption_configuration" "encrypted" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.main.arn
      sse_algorithm     = "aws:kms"
    }
    bucket_key_enabled = true
  }
}
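The key policy above gives the account root kms:* (so the key never becomes unmanageable) and the application role only data-plane actions. As an added example, not from the post, this Python reviews a key policy document for two common mistakes: an unconditioned wildcard principal, and a non-root principal that is able to administer the key. The sample policy is a constructed copy of the one above with placeholder account ID 111111111111 and role name app.

```python
import fnmatch

# Actions that change who controls the key, or whether it keeps existing
ADMIN_ACTIONS = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
                 "kms:CreateGrant", "kms:RevokeGrant", "kms:DeleteAlias"]

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _grants(actions, wanted):
    """True if any policy action pattern (e.g. 'kms:*') covers a wanted action."""
    return any(fnmatch.fnmatchcase(w, a) for a in actions for w in wanted)

def review_key_policy(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = _as_list(st.get("Action", []))
        for p in principals:
            if p == "*" and "Condition" not in st:
                findings.append(f"{sid}: wildcard principal without a Condition")
            elif p != "*" and not p.endswith(":root") and _grants(actions, ADMIN_ACTIONS):
                findings.append(f"{sid}: non-root principal {p} can administer the key")
    return findings

# Constructed copy of the Terraform policy above (placeholder account and role)
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(review_key_policy(SAMPLE_POLICY) or "no findings")
```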

AWS Secrets Manager

Stores secrets and rotates them automatically.

# Store database password
resource "aws_secretsmanager_secret" "db_password" {
  name        = "${var.project_name}/db/password"
  description = "Database password for ${var.project_name}"
  kms_key_id  = aws_kms_key.main.arn

  tags = {
    Name = "${var.project_name}-db-password"
  }
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret.db_password.id
  secret_string = jsonencode({
    username = var.db_username
    password = random_password.db.result
    host     = aws_db_instance.main.endpoint
    port     = 5432
    database = var.db_name
  })
}

# Random password (requires the hashicorp/random provider)
# Note: the generated value is written to Terraform state, so the state
# backend must be encrypted and access-restricted.
resource "random_password" "db" {
  length           = 32
  special          = true
  override_special = "!#$%^&*()-_=+[]{}|:,.<>?"
}

# IAM policy to read secret
resource "aws_iam_policy" "read_secret" {
  name = "${var.project_name}-read-db-secret"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["secretsmanager:GetSecretValue"]
        Resource = aws_secretsmanager_secret.db_password.arn
      },
      {
        Effect   = "Allow"
        Action   = ["kms:Decrypt"]
        Resource = aws_kms_key.main.arn
      }
    ]
  })
}

AWS Security Hub

Aggregates security findings from multiple services.

# Enable Security Hub
resource "aws_securityhub_account" "main" {}

# Enable AWS Foundational Security Best Practices
resource "aws_securityhub_standards_subscription" "aws_foundational" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

# Enable CIS AWS Foundations
resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

AWS CLI Commands

# GuardDuty
aws guardduty create-detector --enable
aws guardduty list-detectors
aws guardduty list-findings --detector-id xxx

# WAF
aws wafv2 list-web-acls --scope REGIONAL
aws wafv2 get-web-acl --name my-waf --scope REGIONAL --id xxx

# KMS
aws kms create-key --description "My key"
# AWS CLI v2 treats --plaintext as base64 unless told to take raw input
aws kms encrypt --key-id alias/my-key --plaintext "secret" --cli-binary-format raw-in-base64-out --output text --query CiphertextBlob
aws kms list-keys

# Secrets Manager
# "password123" is a placeholder; for a real value use --secret-string file://secret.json so it is not left in shell history
aws secretsmanager create-secret --name my-secret --secret-string "password123"
aws secretsmanager get-secret-value --secret-id my-secret

Best Practices Checklist

  • ✅ Enable GuardDuty in every region
  • ✅ Put a WAF in front of every public-facing application
  • ✅ KMS with key rotation for data encryption
  • ✅ Secrets Manager for credentials (never hardcode them!)
  • ✅ Security Hub to aggregate findings
  • ✅ Config Rules to enforce compliance

Next post: Monitoring & Logging - CloudWatch, CloudTrail and observability.