Developer Notes

AWS IAM Policy

If you have worked in the AWS cloud, you already know about IAM (Identity and Access Management) and its policies. IAM policies are also called identity-based policies. They differ from resource-based policies such as the bucket policies applied in S3.

There are many use cases where you attach policies and then get stuck understanding the order in which the policy statements are evaluated.

Examples:

  • You want to grant all permissions except Billing and IAM.
  • You want to allow only EC2 permissions for an IAM user and deny everything else.
  • What access is granted if you don't attach any permission at all?

In the bigger picture, AWS IAM policy evaluation follows this order of precedence:

Implicitly Deny ALL >> Explicitly Allow >> Explicitly Deny

The detailed evaluation flow is described in the AWS documentation (Policy Evaluation Logic): https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Two of the most useful resources when writing policies are:

Policy Simulator

Example 1: Policy to allow ALL except Billing and IAM permissions

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"*",
         "Resource":"*"
      },
      {
         "Effect":"Deny",
         "Action":"aws-portal:*",
         "Resource":"*"
      },
      {
         "Effect":"Deny",
         "Action":"iam:*",
         "Resource":"*"
      }
   ]
}

The most common need when starting out with AWS is to give a system engineer a policy that lets them use AWS services but not access Billing or Identity Management. The explicit Deny statements above win over the broad Allow, which is exactly what the precedence order guarantees.
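The three use cases listed earlier and the precedence order can be checked offline with a small evaluator. The following Python script is an added example, not AWS code and not part of the original notes: it models only Effect/Action/Resource with IAM-style wildcards and the rule "implicit deny, explicit allow, explicit deny wins". Real IAM also evaluates NotAction, Condition blocks, resource-based policies, SCPs and permission boundaries, which this toy deliberately leaves out. The policy documents inside it are constructed copies of the notes' example plus an EC2-only and an empty policy.

```python
"""Toy evaluator for AWS identity-based policy precedence (added example, not AWS code).

Models: implicit deny of everything, an explicit Allow grants access,
an explicit Deny overrides any Allow. Only Effect/Action/Resource with
'*' and '?' wildcards are handled; NotAction, Condition, SCPs, boundaries
and resource policies are out of scope for this illustration.
"""
import fnmatch
import json

# Constructed copy of the notes' example: allow everything except billing and IAM.
ALLOW_ALL_EXCEPT_BILLING_AND_IAM = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

# Constructed policy for the second use case: EC2 only, everything else implicitly denied.
EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}],
}

# Third use case: no permissions attached at all.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, case_insensitive):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively; resource ARNs are not."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policies, action, resource="*"):
    """Return 'Allow' or 'Deny' for one action/resource across the identity policies."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(_as_list(stmt.get("Action")), action, case_insensitive=True):
                continue
            if not _matches(_as_list(stmt.get("Resource")), resource, case_insensitive=False):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny always wins, stop immediately
            if stmt.get("Effect") == "Allow":
                allowed = True         # remember, but keep scanning for a Deny
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed


def simulate(policies, actions):
    """Evaluate several actions at once, the way the policy simulator reports them."""
    return {a: evaluate(policies, a) for a in actions}


if __name__ == "__main__":
    checks = ["ec2:StartInstances", "s3:GetObject", "iam:CreateUser", "aws-portal:ViewBilling"]
    for name, pol in [("allow-all-except", ALLOW_ALL_EXCEPT_BILLING_AND_IAM),
                      ("ec2-only", EC2_ONLY), ("empty", EMPTY_POLICY)]:
        print(name, simulate([pol], checks))
```

Running it shows the first policy allowing ec2:StartInstances and s3:GetObject while denying iam:CreateUser and aws-portal:ViewBilling, the EC2-only policy denying s3:GetObject by implicit deny, and the empty policy denying everything. For a real account, the IAM Policy Simulator performs the same kind of check against the full evaluation logic.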

For more: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Apache Web Server Basic Security Fixes and Optimisation

If you host your website on the Apache HTTP Server and maintain that server yourself, consider the following points:

  • Turn on logging and load mod_log_config. You can list the loaded modules with this command: apache2ctl -M
  • Implement the ModSecurity web application firewall module.
    https://modsecurity.org/ is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
    https://github.com/Rev3rseSecurity/wordpress-modsecurity-ruleset
  • Implement the mod_evasive module.
  • Disable extra modules that are not used, to improve performance.
  • Cross-check directory indexing in apache2.conf | httpd.conf | <vhost>.conf | .htaccess:
    Options -Indexes
  • Set the following directives in apache2.conf or httpd.conf
    Set HTTP limits:
    • KeepAlive On
    • KeepAliveTimeout
    • LimitRequestBody
    • LimitRequestFields
    • LimitRequestFieldSize
    • LimitRequestLine
    • LimitXMLRequestBody
    • MaxClients
    • MaxKeepAliveRequests
    • MaxRequestWorkers
    • RequestReadTimeout
    • TimeOut
  • Disable the server signature. Add these lines in apache2.conf | <vhost>.conf | .htaccess:
    ServerSignature Off
    ServerTokens Prod
  • If the web server runs PHP, the PHP version is exposed in a response header by default. Remove it by setting this in php.ini:
    • expose_php = Off
  • Add these response headers to help mitigate XSS and related browser-side attacks:

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
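After applying the signature, expose_php and header changes above, a quick way to confirm them is to audit a raw response. The Python script below is an added example, not part of the original notes: it parses an HTTP/1.1 response with the standard library, flags a Server header that still carries a version, any X-Powered-By disclosure, a missing or wrong hardening header, and a text/html Content-Type without a charset. The two sample responses are constructed to show the server before and after the fixes; in practice you would feed it the bytes returned by your own server.

```python
"""Audit an HTTP response for the disclosure and hardening headers discussed
in the notes (added example, not part of the original page).

Checks: Server header without a version (ServerTokens Prod), no X-Powered-By
(expose_php = Off), the protective headers present with the expected values,
and an explicit charset on text/html.
"""
import re
from email.parser import Parser  # stdlib header parser, works offline

# Headers and values exactly as listed in the notes.
REQUIRED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a typical default install before the fixes.
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same server after ServerTokens Prod, expose_php = Off
# and the added headers.
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response):
    """Split a raw HTTP/1.1 response into (status line, header mapping)."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)  # case-insensitive .get()
    return status_line, headers


def audit(raw_response):
    """Return a list of findings; an empty list means every check passed."""
    _status, headers = parse_headers(raw_response)
    findings = []

    server = headers.get("Server", "")
    if re.search(r"/\d", server):  # 'Apache/2.4.41' leaks the version, 'Apache' does not
        findings.append(f"Server header leaks version: {server!r} (set ServerTokens Prod)")

    powered_by = headers.get("X-Powered-By")
    if powered_by:
        findings.append(f"X-Powered-By discloses {powered_by!r} (set expose_php = Off)")

    for name, expected in REQUIRED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"missing header {name}: {expected}")
        elif actual.strip().lower() != expected.lower():
            findings.append(f"unexpected value for {name}: {actual!r} (want {expected!r})")

    content_type = headers.get("Content-Type", "")
    if content_type.startswith("text/html") and "charset=" not in content_type.lower():
        findings.append("Content-Type lacks an explicit charset (use text/html; charset=utf-8)")

    return findings


if __name__ == "__main__":
    for label, response in [("before", BEFORE_FIX), ("after", AFTER_FIX)]:
        print(label, audit(response) or ["OK"])
```

The "before" sample produces six findings and the "after" sample none. One caveat when reading the results: current browsers ignore X-XSS-Protection, so treat it as a legacy header for older clients and rely on a Content-Security-Policy for XSS defence in addition to the headers listed here.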