Interactive session 6-cloudcomputingp

The document outlines the agenda for Interaction Session 9 on Cloud Computing, focusing on security principles, AWS security groups, and hands-on S3 usage. It emphasizes the importance of confidentiality, integrity, and availability in cloud services, as well as the unique security challenges posed by cloud environments. Additionally, it provides an overview of security mechanisms, types of attacks, and best practices for securing cloud infrastructure.

Uploaded by

Ronak Bhawnani

Interaction Session 9

on
Cloud Computing
noc25-cs11
by
Mainak Chakraborty

3rd March 2025


Indian Institute of Technology, Delhi
Points to Remember:
• Total 6 more discussion sessions to be taught (lectures and tutorials)
• Any specific problem, please upload in the discussion forum; I will try to reply within 24 hours
• PPT and video will be shared with everyone
• Assignments will not be solved, but similar problems will be solved.
TOPICS TO BE COVERED
1. Cloud Computing Security
2. Security Groups in AWS
3. Hands-on S3
Security in Cloud Computing
• Cloud computing involves outsourcing data and computation, providing benefits such as:
  • Scalability: Resources can expand or contract based on demand.
  • On-Demand Provisioning: Resources are available when needed without upfront investments.
  • Cost Savings: Pay-as-you-go pricing eliminates the need for expensive on-premises infrastructure.
Security in Cloud Computing
• Cloud security focuses on the following principles:
  • Confidentiality: Ensures that sensitive data is accessible only to authorized users through encryption, access controls, and authentication mechanisms.
  • Integrity: Protects data from unauthorized modification or tampering using tools like hashing, digital signatures, and audits.
  • Availability: Ensures reliable access to data and systems through redundancy, fault tolerance, and disaster recovery mechanisms.
  • Authentication: Verifies the identity of users accessing the system.
  • Non-Repudiation: Ensures that actions cannot be denied by their originators using cryptographic methods like digital certificates.

LINK : https://aws.amazon.com/compliance/shared-responsibility-model/
What Makes Cloud Security Different from Traditional IT Security?
• Shared Responsibility Model: In cloud environments, security responsibilities are divided between the cloud provider (infrastructure-level security) and the customer (data and application-level security).
• Scalability: Cloud security must handle dynamic resource allocation, unlike traditional setups limited by physical infrastructure.
• Multi-Tenancy Risks: Multiple customers share the same infrastructure in the cloud, requiring strict isolation to prevent data breaches.
• Encryption in Transit and at Rest: Cloud environments emphasize securing data during transmission over the internet and while stored in remote locations.
• Centralized Management: Cloud security provides a unified dashboard for managing multi-cloud environments, unlike fragmented traditional systems.
How Do Confidentiality, Integrity, and Availability Apply to Cloud Services?
- Confidentiality
Protects sensitive data from unauthorized access using encryption (e.g., AES), multi-factor authentication (MFA), and access controls.
Example: A healthcare provider encrypts patient records to comply with privacy regulations like HIPAA.
- Integrity
Ensures data accuracy and trustworthiness by preventing unauthorized modifications. Tools include digital signatures, hashing algorithms, and regular audits.
Example: Banks use integrity measures to ensure financial transactions are not tampered with during processing.
- Availability
Ensures uninterrupted access to services through redundancy (e.g., backup servers) and disaster recovery plans.
Example: E-commerce platforms rely on load balancing to maintain availability during high-traffic periods like Black Friday sales.
Key Security Concepts and Threats
Types of Attacks
• Interruption:
  • Targets availability by disrupting services or systems, making them temporarily or permanently unavailable.
  • Examples: Denial-of-Service (DoS) attacks, hardware destruction, or erasing critical files.
• Interception:
  • Targets confidentiality by unauthorized access to data during transmission or storage.
  • Examples: Packet sniffing, man-in-the-middle (MitM) attacks, or wiretapping.
• Modification:
  • Targets integrity by altering data or systems without authorization.
  • Examples: Data tampering, code injection, or unauthorized system changes.
• Fabrication:
  • Targets authenticity by creating false data or transactions to mislead systems or users.
  • Examples: Spoofing, fake user accounts, or counterfeit transactions.
Passive vs Active Attacks
• Passive Attacks:
  • Focus on covertly gathering information without altering the system.
  • Examples: Eavesdropping on network traffic, traffic analysis, or monitoring unencrypted communications.
  • Characteristics: Harder to detect because they do not leave noticeable traces.
• Active Attacks:
  • Involve direct interaction with the system to disrupt, alter, or manipulate data.
  • Examples: Masquerade (impersonating a legitimate user), replay attacks (reusing intercepted data), and denial-of-service (DoS) attacks.
  • Characteristics: Easier to detect due to noticeable disruptions in system functionality.
Key Security Concepts and Threats
Classes of Threats
• Disclosure (Snooping):
  • Unauthorized access to confidential data.
  • Example: Intercepting sensitive emails.
• Disruption (Modification):
  • Altering data or systems to cause errors or failures.
  • Example: Changing database records to manipulate outcomes.
• Usurpation (Spoofing):
  • Gaining unauthorized control by impersonating legitimate entities.
  • Example: Phishing attacks where attackers pose as trusted sources.
Cloud-Specific Security Challenges
• Multi-Tenancy Risks: Shared infrastructure increases risks like co-residence attacks.
• Data Location & Segregation: Data stored in shared environments across jurisdictions.
• Gartner's Seven Cloud Risks:
  • Privileged user access.
  • Regulatory compliance.
  • Data segregation.
  • Recovery challenges.
  • Investigative support limitations.
  • Long-term viability concerns.

Links : https://aws.amazon.com/solutions/guidance/multi-tenant-architectures-on-aws/
What are some real-world examples of denial-of-service (DoS) attacks?
• Dyn DDoS Attack (2016):
  • A massive Distributed Denial-of-Service (DDoS) attack using the Mirai botnet targeted Dyn, a major DNS provider.
  • Impact: Disrupted major websites like Netflix, Twitter, Reddit, and PayPal across the U.S. and Europe.
  • Link : https://en.wikipedia.org/wiki/DDoS_attacks_on_Dyn
• GitHub Attack (2018):
  • A record-breaking DDoS attack peaked at 1.35 Tbps using memcached servers for amplification.
  • Impact: Temporarily knocked GitHub offline but was mitigated within minutes.
  • Link : https://github.blog/news-insights/company-news/ddos-incident-report/
• Cloudflare Attack (2020):
  • Exploited weaknesses in the Network Time Protocol (NTP) for amplification, generating massive traffic loads.
  • Impact: Demonstrated how protocol vulnerabilities could be leveraged for large-scale DDoS attacks.
  • Link : https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/
Security Mechanisms and Best Practices
• Policies: Define what is allowed or prohibited in a system. They act as the foundation of security by specifying acceptable behaviors, access controls, and operational guidelines.
• Mechanisms: Enforce the policies through tools and technologies, such as firewalls, encryption, and intrusion detection systems (IDS).
2. Network Security Steps
To secure cloud environments, organizations should follow these steps:
• Define Security Policy:
  • Establish a comprehensive policy covering usage, access controls, and data protection.
  • Include user training on password management and social engineering risks.
• Implement Firewalls and IDS:
  • Firewalls filter traffic based on predefined rules (e.g., IP addresses, ports).
  • IDS monitor network activity for suspicious patterns or breaches.
• Conduct Vulnerability Scanning and Penetration Testing:
  • Regularly scan for potential vulnerabilities using tools like Nessus or Metasploit.
  • Perform penetration testing to simulate attacks and identify weaknesses.
3. Virtualization Risks
Virtualization introduces unique risks due to the use of hypervisors (software managing virtual machines). Key vulnerabilities include:
▪ Hypervisor Exploits: Attackers can exploit bugs in the hypervisor to gain control of all hosted virtual machines (VMs).
▪ VM Escape: Malicious code can escape a VM's isolation layer to access the host system or other VMs.
▪ Rogue Hypervisors: Unauthorized hypervisors can be installed to control VMs covertly.
▪ Denial-of-Service (DoS): Overloading a hypervisor can disrupt all hosted VMs.
Security Measures in AWS

Link : https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
Hands-on Session Checklist
Step 1 • AWS Free-tier Account
Step 2 • IAM User • MFA • Budget – zero spend
Step 3 • Hands-on EC2 – DONE
Step 4 • S3 -
Amazon S3 (Use Free-tier functions only)
Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance.

Features of Amazon S3
• Bucket : A general-purpose bucket is a container for objects stored in Amazon S3. You can store any number of objects in a bucket, and all accounts have a default bucket quota of 10,000 general purpose buckets. Every object is contained in a bucket. For example, if the object named photos/puppy.jpg is stored in the amzn-s3-demo-bucket bucket in the US West (Oregon) Region, then it is addressable by using the URL https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg.

• When you create a bucket, you enter a bucket name and choose the AWS Region where the bucket will reside. After you create a bucket, you cannot change the name of the bucket or its Region. Bucket names must follow the bucket naming rules. You can also configure a bucket to use S3 Versioning or other storage management features.

• Object : Objects are the fundamental entities stored in Amazon S3. Objects consist of object data and metadata. The metadata is a set of name-value pairs that describe the object. These pairs include some default metadata, such as the date last modified, and standard HTTP metadata, such as Content-Type. You can also specify custom metadata at the time that the object is stored.

https://aws.amazon.com/ec2/pricing/on-demand/
Buckets (Use Free-tier functions only)

Features of Buckets
• When you create a general purpose bucket, you choose its name and the AWS Region to create it in. After you create a general purpose bucket, you can't change its name or Region. The following sections provide information about general purpose bucket naming, including naming rules, best practices, and an example for creating a general purpose bucket with a name that includes a globally unique identifier (GUID).

• Important Rules :
  • Bucket names must be unique across all AWS accounts in all the AWS Regions within a partition. A partition is a grouping of Regions. AWS currently has three partitions: aws (commercial Regions), aws-cn (China Regions), and aws-us-gov (AWS GovCloud (US) Regions).
  • A bucket name can't be used by another AWS account in the same partition until the bucket is deleted. After you delete a bucket, be aware that another AWS account in the same partition can use the same bucket name for a new bucket and can therefore potentially receive requests intended for the deleted bucket. If you want to prevent this, or if you want to continue to use the same bucket name, don't delete the bucket. We recommend that you empty the bucket and keep it, and instead, block any bucket requests as needed.

• Bucket policy
• First delete objects and then delete Bucket
• https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html#BasicsBucket
• https://aws.amazon.com/s3/pricing/
Hands-on Session

Let's Create an S3 Bucket Policy

https://awspolicygen.s3.amazonaws.com/policygen.html
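Before applying a bucket policy produced by the policy generator, it is worth checking it against two of the principles from the earlier slides: confidentiality (no "Allow" granted to every principal) and encryption in transit (plaintext HTTP denied via aws:SecureTransport). The checker below is an added example, not code from the slides or from AWS; it uses the deck's amzn-s3-demo-bucket name, a placeholder account id, and a hypothetical role name app-reader.

```python
# Constructed weak policy (example, not from the slides): public read on the
# deck's demo bucket and nothing forcing HTTPS.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}],
}

# Constructed hardened policy: only a named IAM role (placeholder account id)
# may read, and any request over plaintext HTTP is explicitly denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
                      "arn:aws:s3:::amzn-s3-demo-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def is_public(principal):
    """True when the Principal element grants to everyone (anonymous access)."""
    return principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*")


def check_bucket_policy(policy):
    """Return human-readable findings for a bucket policy dict (empty = clean).
    Flags Allow statements open to any principal with no Condition, and the
    absence of a Deny on aws:SecureTransport=false (encryption in transit)."""
    findings, has_tls_deny = [], False
    for stmt in policy.get("Statement", []):
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        public = is_public(stmt.get("Principal"))
        if stmt.get("Effect") == "Allow" and public and not cond:
            findings.append(f"{sid}: Allow to any principal with no Condition")
        if (stmt.get("Effect") == "Deny" and public
                and cond.get("Bool", {}).get("aws:SecureTransport") == "false"):
            has_tls_deny = True
    if not has_tls_deny:
        findings.append("no Deny for aws:SecureTransport=false (HTTP allowed)")
    return findings
```

Run check_bucket_policy on a policy loaded with json.load before attaching it to the bucket; the weak policy yields two findings, the hardened one none.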
