All the AWS security news, research, and technical changes in your inbox, every Monday.

How to Start Threat Modelling in AWS

by Ihor Sasovets

Introduction

It is hard to find a company that does not use cloud technologies. Therefore security of the implemented cloud solutions is often one of the top priorities. Due to this, it is required to identify and mitigate risks as early as possible. That is where threat modelling comes into play. Threat modelling is a proactive approach to identifying potential security risks, enabling you to address vulnerabilities before they become breaches. In this article we will talk about the fundamentals of threat modelling and discuss the main steps to get started with this practice in AWS.

What is Threat Modelling?

Threat modelling is a structured process for identifying, evaluating security threats to a system and defining appropriate mitigations measures that should be implemented in order to reduce a risk of exploitation. By understanding potential attack vectors, vulnerabilities, and value of assets in scope, organizations can build stronger defenses and make informed decisions about risk management.

The key goals of threat modelling are:

When applied in the AWS cloud environment, threat modelling takes into account unique considerations such as shared responsibility, the dynamic nature of cloud resources, and the diverse services AWS offers. It helps you to have a look at your cloud infrastructure from the security point of view and try to understand where you can apply additional protection measures that would match your expectations in terms of security and help to become resistant against common cloud security risks.

How Threat Modelling Can Help Secure AWS Infrastructure?

Threat modelling is particularly effective in cloud environments like AWS because:

By applying threat modelling, organizations gain a deeper understanding of their AWS environment, enabling targeted security enhancements.

Step 1: Educate Your Team

In order to start doing threat modelling on the project it is required to have a certain set of skills that will help to make this process a way more efficient and achieve measurable results in a shorter amount of time. For instance, participants of threat modelling sessions should have an understanding of common threats to cloud infrastructure, so they will be able to apply them to the resources in scope in the right way, reducing the risk of adding false positives or concentrating your attention on less important assets. Thankfully, there are a lot of training opportunities that will help you to cover this knowledge gap and establish a good foundation in order to move forward to applying these skills in practice. Below is a list of resources that you can use during this journey:

  1. AWS-Specific Security Training and Resources:
  1. Threat Modelling Resources:

Investing in your team’s education ensures they can identify threats effectively and propose actionable mitigations.

Step 2: Create Infrastructure Diagrams

Creating detailed infrastructure diagrams is a highly important step that has a significant impact on the efficiency of the threat modelling process. These diagrams serve as a blueprint of your AWS environment, helping your team visualize the architecture, identify critical assets, and pinpoint potential vulnerabilities. A well-designed diagram provides the foundation for analyzing threats and planning effective mitigations.

Infrastructure diagrams help:

  1. Understand Your Architecture: They offer a clear picture of how components interact, data flows, and dependencies.
  2. Identify Weak Points: Highlighting exposed areas or insecure configurations becomes easier when you have a visual representation.
  3. Facilitate Communication: They act as a common reference point for discussions among teams (DevOps, Security, and Operations).
  4. Meet Compliance Requirements: Visual documentation is often a requirement for audits and compliance frameworks.

Best Practices for Creating Infrastructure Diagrams

To ensure your diagrams are useful and accurate it is recommended to follow some common best practices that help to create well-designed infrastructure diagrams with a required amount of details covered. Such diagrams can help all the participants of threat modelling sessions to quickly highlight main data flows as well as key infrastructure components. Here are some key things to remember when creating infrastructure diagrams:

  1. Keep Them Updated: AWS environments are dynamic. Regular updates ensure diagrams reflect the current state.
  2. Focus on Critical Components: Identify key assets (e.g., S3 buckets, databases) and the pathways data flows through.
  3. Highlight Security Boundaries: Show trust boundaries, where control or access changes, like between VPCs, security groups, or user roles.
  4. Use Consistent Symbols: AWS provides official architecture icons that make diagrams intuitive and professional. use them in order to make the further threat modelling as efficient as possible.

Key Components to Include in Your Diagrams

When creating diagrams for AWS infrastructure, be sure to represent:

Here is a sample diagram to give you a better understanding on what to expect:

More examples can be accessed by the following links:

Tools for Creating Infrastructure Diagrams

Several tools can help you create effective and visually appealing diagrams:

Name Description
Draw.io (diagrams.net) Features: Free, browser-based, integrates with Google Drive and GitHub.
Advantages: Easy to use, supports AWS-specific icons.
Use Case: Suitable for quick and straightforward diagram creation.
Lucidchart Features: Cloud-based, collaborative, large library of templates.
Advantages: Great for team collaboration and sharing.
Use Case: Ideal for distributed teams working on complex environments.
Cloudcraft Features: AWS-specific, visually stunning diagrams, real-time cost estimates.
Advantages: Perfect for AWS architects, integrates with live environments for accuracy.
Use Case: Best for environments requiring deep AWS service integration visualization.
Eraser.io Features: Lightweight and straightforward, ideal for quick sketches, AI-powered generation of infrastructure diagrams (Diagram GPT).
Advantages: Great choice for brainstorming and iterative diagramming.
Use Case: Great for the initial stages of diagram creation, helps to quickly draw a base version of a diagram using AI.

Steps to Create an Infrastructure Diagram

  1. Inventory Your Resources:
  1. Define the Scope:
  1. Map Resources and Connections:
  1. Add Security Layers:
  1. Review and Refine:

Suppose you are designing a threat model for a web application hosted on AWS. Your diagram might include:

Tools like Cloudcraft can import details directly from your AWS account, creating an accurate starting point. By creating comprehensive infrastructure diagrams, you set the stage for effective threat modelling. A clear, detailed diagram ensures all stakeholders have a shared understanding of the architecture, making it easier to identify vulnerabilities and develop mitigation strategies.

Step 3: Conduct a Threat Modelling Session

Once your infrastructure diagrams are ready, the next step is to conduct a threat modelling session. This step involves identifying potential threats to your AWS environment, analyzing their impact, and prioritizing them for mitigation. A well-structured threat modelling session helps uncover vulnerabilities and provides actionable insights for improving security.

The primary objectives of a threat modelling session are:

  1. Identify Threats: Pinpoint risks based on architecture and configurations.
  2. Understand Vulnerabilities: Determine how and where threat actors can exploit weaknesses.
  3. Assess Risk: Prioritize threats by their potential impact and likelihood.
  4. Define Mitigation Strategies: Propose actionable measures to minimize risks.

Preparing for the Session

Preparation is highly important for a productive threat modelling session. Here’s what you’ll need:

  1. A Clear Scope:
  1. Infrastructure Diagram:
  1. Team Participation: Assemble a cross-functional team including (please note that it is not mandatory to include every role from the listed below, that’s just a reference):
  1. Threat Modelling Frameworks and Tools:

Key Steps of an efficient Threat Modelling Session

  1. Identify Assets:
  1. Identify Threats: Analyze your diagram for potential risks using a framework like STRIDE:
  1. Analyze Identified Threats: Discuss each identified threat for its potential to exploit vulnerabilities in your AWS environment.

  2. Prioritize Risks:

  1. Document Findings:

Tools for Conducting Threat Modelling

  1. OWASP Threat Dragon:
  1. AWS Threat Composer:

Post-Session Actions

  1. Review Findings:
  1. Integrate Threat Modelling into SDLC:
  1. Revisit Threat Models:

Conducting a threat modelling session is a collaborative and iterative process that brings clarity to your AWS security posture. By systematically identifying and prioritizing threats, you can focus your efforts on the most critical risks and strengthen the overall resilience of your cloud environment.

Step 4: Implement Mitigation Measures

After identifying threats, the next step is implementing security measures to mitigate them.

Key Strategies:

Collaborate with your DevOps and security teams to ensure these measures are applied effectively.

Learn by Example

In the previous sections of this article we’ve discussed main steps that should be covered in order to make your threat modelling session efficient. Now, I would like to provide you with a practical example on how to use threat modelling in order to highlight possible security issues in the serverless application architecture. Consider the following architecture:

This architecture represents a serverless application built on AWS, designed to handle user requests via APIs and process, store data using S3 and DynamoDB.

How It All Works Together

  1. A user sends a request to the API Gateway.
  2. The API Gateway forwards the request to the Lambda function.
  3. The Lambda function processes the request:
  1. Logs and metrics from the entire workflow are sent to CloudWatch for monitoring.
  2. Permissions of the lambda function are defined by using the IAM service.

Great, so we added an application architecture diagram and now let’s move to the next step - conduct a threat modelling session. For this example I’m going to use the AWS Threat Composer tool.

So, open a threat composer application and add a sample application info.

After that, upload your infrastructure diagram to the threat composer.

You can also upload a data flow diagram if you have one, so it can be easier to create the threat model itself. Once all the initial steps are done, you can move to the adding actual threat based on your architecture diagram. For this example I will use STRIDE methodology in order to define a list of possible threats. If you are unsure where to start, you can generate a sample threat like below:

Here’s a STRIDE-based threat analysis for the serverless architecture presented on the aforementioned diagram:

  1. Spoofing

Threat: Unauthorized access to API Gateway or backend services.

  1. Tampering

Threat: Manipulation of data in transit or at rest.

  1. Repudiation

Threat: Lack of accountability for actions performed within the system.

  1. Information Disclosure

Threat: Exposure of sensitive data to unauthorized entities.

  1. Denial of Service (DoS)

Threat: System performance degradation or downtime due to overwhelming requests.

  1. Elevation of Privilege

Threat: Gaining unauthorized access to higher-privileged resources.

Once you’ve discussed the possible threats, add them to your threat model.

It is also possible to add metadata for each identified threat, so you can make it easier to understand and map threats to the STRIDE categories.

Do the same for all the identified threats. You can review your threat model at any time by visiting the “Threat model” tab inside the tool.

During the threat modelling session we should talk not only about the threats, but also about the mitigations that can help us to reduce security risks. All the mitigations can be linked to the defined threats, so it can be easier to track if everything was covered once you complete work on adding required controls. For the previously defined list of threats we can suggest the following mitigation measures:

Here’s a STRIDE-based threat analysis for the serverless architecture depicted in the diagram:

  1. Spoofing

Threat: Unauthorized access to API Gateway or backend services.

Mitigation:

  1. Tampering

Threat: Manipulation of data in transit or at rest.

Mitigation:

  1. Repudiation

Threat: Lack of accountability for actions performed within the system.

Mitigation:

  1. Information Disclosure

Threat: Exposure of sensitive data to unauthorized entities.

Mitigation:

  1. Denial of Service (DoS)

Threat: System performance degradation or downtime due to overwhelming requests.

Mitigation:

  1. Elevation of Privilege

Threat: Gaining unauthorized access to higher-privileged resources.

Mitigation:

Final threat model will look in the following way:

You can additionally export it and save for later in the following formats:

What’s Next?

Threat modelling is not a one-time task - it’s an ongoing process. As your AWS infrastructure evolves, so should your threat models.

Next Steps:

  1. Regular Updates: Update your threat models as infrastructure changes occur.
  2. Automation: Explore tools for automating threat detection and response.
  3. Continuous Learning: Stay informed about new threats and AWS security updates

By embedding threat modelling into your development lifecycle, you can maintain robust security and confidently navigate the complexities of AWS.

I hope this post will help you to introduce threat modelling to your team and make it a valuable part of your SDLC processes. If you’re interested in receiving more AWS security related content, please follow me on LinkedIn or GitHub.