AWS (Amazon cloud) security explained
Amazon Web Services (AWS) is one of the most widely used cloud infrastructures today. With a broad range of available cloud-based services, organizations like yours rely on it every day to provide operational availability to their employees, contractors, partners, supply chains, and customers.
Because of this, the need to protect all parts of AWS is paramount; any investment in AWS must include a layered security approach that proactively protects every part of the AWS environment and provides the ability to respond to identified threats.
Needed areas of AWS security
As with any environment exposed to the Internet, network firewalls, web application firewalls, encryption in transit, and other baseline security services designed to protect your AWS environment as a whole are necessary.
Monitoring and auditing
External attacks and insider threats both require monitoring of user activity for misuse of privileges – from logon to resource use. Logging of, auditing of, and alerting on activity, including API calls, is necessary to maintain security and to assist with compliance.
Threat detection and remediation
A vast array of intelligence exists today that can serve as the basis for detecting threats. Both intrusion detection and endpoint detection are necessary parts of the strategy, with AWS implementations that offer insight into a detected threat so that remediation can be direct and swift.
Any web-facing application can become the target of a Distributed Denial of Service (DDoS) attack. AWS-hosted applications need to automatically detect and mitigate DDoS attacks, providing for the availability and accessibility of your applications.
Understanding where your sensitive data resides is the first step in protecting it. Data existing in S3, EC2 instances, EBS, RDS, and more all can contain critical, protected, sensitive, or otherwise valuable data. Data classification automatically discovers and classifies data based on its content.
Identity and access control
Access to AWS resources requires a unified approach. A central user identity store is necessary with an ability to manage user identities and their roles, along with single sign-on (SSO), multi-factor authentication (MFA), and granular access to AWS resources.
While discovering and patching vulnerabilities in the underlying AWS infrastructure isn’t your responsibility, assessing and remediating vulnerabilities found on the virtual resources you run within AWS should still be a fundamental part of your security strategy.
Penetration testing
While AWS continually tests its infrastructure, there are several core services (e.g., AWS EC2 and AWS RDS) against which customers can perform their own security assessments and penetration tests without approval from AWS. Select types of tests are prohibited.
What security tools are available?
AWS provides many tools to help protect your AWS investment.
Infrastructure – AWS Firewall Manager and Amazon WAF allow centralized configuration and management of the rules used to block traffic and traffic patterns that are characteristic of malicious activity. Encryption of data is available across most AWS storage and database services, using AWS Key Management Service (KMS) to manage encryption keys and their use.
Data classification – Amazon Macie identifies sensitive data such as personally identifiable information (PII) or intellectual property, providing visibility into how this data is accessed. It is limited in scope to data residing in S3.
Monitoring & auditing – Two services cover this area: Amazon CloudWatch collects monitoring and operational data via logs, metrics, and events across over 70 AWS services, and AWS CloudTrail records AWS account activity and API usage. It should be noted that this level of detail doesn’t extend into activity on the EC2 VM hosts themselves.
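The auditing described above only pays off if someone looks at the CloudTrail records. The following is an added example (not code from the original page or from AWS) that triages CloudTrail-shaped JSON records for three things an auditor cares about: use of the root account, console logins without MFA, and API calls that weaken the trail itself. The records are constructed samples; the field names (`eventName`, `eventSource`, `userIdentity.type`, `additionalEventData.MFAUsed`) follow CloudTrail's documented record format.

```python
"""Triage constructed CloudTrail records for activity worth alerting on.

Added example, not from the original page. It flags root-account use,
console logins without MFA, and changes that disable or weaken the trail.
"""
import json

# Constructed sample records in the shape of CloudTrail events (not real data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.12"},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session1"},
     "sourceIPAddress": "203.0.113.13"},
]

# CloudTrail API calls that stop or narrow logging; each should raise an alert.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def triage_record(rec):
    """Return a list of alert strings for a single CloudTrail record."""
    alerts = []
    identity = rec.get("userIdentity", {})
    who = identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")
    event = rec.get("eventName", "")

    # Root should be used for almost nothing; any call is worth a look.
    if identity.get("type") == "Root":
        alerts.append(f"root-account-use by {who}: {event}")

    # Console logins carry MFAUsed; anything other than "Yes" is a gap.
    if event == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append(f"console-login-without-mfa by {who} from {rec.get('sourceIPAddress')}")

    # Tampering with the trail blinds every downstream control.
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and event in TRAIL_TAMPERING:
        alerts.append(f"cloudtrail-tampering by {who}: {event}")
    return alerts


def triage(records):
    """Return {eventTime: [alerts]} for every record that produced an alert."""
    out = {}
    for rec in records:
        alerts = triage_record(rec)
        if alerts:
            out[rec["eventTime"]] = alerts
    return out


def triage_json(text):
    """Accept the raw CloudTrail log-file format: {"Records": [...]}."""
    return triage(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for when, alerts in triage(SAMPLE_RECORDS).items():
        for alert in alerts:
            print(when, alert)
```

In production the same three checks would run over the files CloudTrail delivers to S3 (or over a CloudWatch Logs subscription), and the alert strings would feed a ticketing or SIEM pipeline rather than `print`.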
Vulnerability management – AWS Inspector provides automated security assessments on EC2 instances, looking for vulnerabilities or deviations from best practices.
Identity and access management – AWS offers a solution set designed to meet the needs of organizations that are still on-premises, are cloud-first or are somewhere in-between. AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication, and AWS Directory Service together provide highly secure, granular, centralized access to AWS resources, integrating with on-premises identity systems, such as Active Directory, and cloud-based identity management solutions to offer single sign-on access to multiple applications and infrastructure services outside of AWS.
DDoS mitigation – Amazon Shield automatically detects and responds to DDoS attacks to minimize the time needed to mitigate them and to help reduce their impact. AWS customers receive AWS Shield’s Standard level of service for free, with an Advanced tier of service that protects EC2, ELB, and other AWS resources available at an additional cost.
Threat detection – Amazon GuardDuty monitors all AWS accounts, analyzing network and account activity for anomalous actions. Using rule sets, threat intelligence, and machine learning, GuardDuty detects threats within AWS and can either trigger automated responses through Amazon Lambda or route findings into third-party event-management or workflow applications.
Penetration testing – AWS performs its own penetration testing but allows external testing against a wide range of services. Activities such as protocol or resource request flooding, any DoS test, or DNS zone walking are prohibited.
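The "route findings into a workflow" step above is usually a small function sitting between GuardDuty and the ticketing or paging system. As an added example (not code from the original page or from AWS), here is a Lambda-style handler that receives a GuardDuty finding as delivered through EventBridge, maps its numeric severity onto GuardDuty's Low/Medium/High bands, and returns a routing decision. The event is a constructed sample; the handler makes no AWS calls, so it runs offline, and the `page`/`ticket`/`log` action names are this example's own convention.

```python
"""Route a GuardDuty finding by severity band.

Added example, not from the original page. Field names follow the shape
of a GuardDuty finding delivered through EventBridge; the sample event
itself is constructed.
"""

# Constructed sample: an EventBridge event wrapping a GuardDuty finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "id": "constructed-finding-id-0001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 7.5,
        "accountId": "123456789012",
        "region": "us-east-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0constructed000001"},
        },
    },
}


def severity_band(score):
    """GuardDuty severity: below 4.0 is Low, 4.0-6.9 Medium, 7.0 and above High."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def affected_resource(detail):
    """Pull the most useful identifier out of the finding's resource block."""
    resource = detail.get("resource", {})
    kind = resource.get("resourceType", "Unknown")
    if kind == "Instance":
        return kind, resource.get("instanceDetails", {}).get("instanceId")
    if kind == "AccessKey":
        return kind, resource.get("accessKeyDetails", {}).get("userName")
    if kind == "S3Bucket":
        buckets = resource.get("s3BucketDetails", [])
        return kind, buckets[0].get("name") if buckets else None
    return kind, None


def route_finding(event):
    """Decide where a finding goes. Returns a plain dict so it can be tested
    without any AWS client; a real deployment would act on 'action'."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    detail = event.get("detail", {})
    band = severity_band(float(detail.get("severity", 0)))
    kind, ident = affected_resource(detail)
    # Example policy: High pages the on-call, Medium opens a ticket, Low is
    # only recorded. Tune to your own risk appetite.
    action = {"High": "page", "Medium": "ticket", "Low": "log"}[band]
    return {
        "action": action,
        "band": band,
        "finding_id": detail.get("id"),
        "finding_type": detail.get("type"),
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "resource_type": kind,
        "resource_id": ident,
    }


def lambda_handler(event, context=None):
    """Entry point with the signature AWS Lambda expects for a Python function."""
    return route_finding(event)


if __name__ == "__main__":
    print(route_finding(SAMPLE_EVENT))
```

Keeping the decision logic pure (no SDK calls inside `route_finding`) is what makes the routing table testable; the Lambda entry point can then wrap it with whatever notification or isolation calls your runbook specifies.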
In almost every case above, the focus of these tools is the AWS infrastructure, with little offered to specifically address protection at the host OS level within the virtual machines hosted in EC2.
Best practices to provide for AWS security
Ensuring the security of your AWS environment requires strategic focus based on your organization’s use of the wide range of services available and the risk footprint those services create as a result. Use the following list of high-level best practices.
Know your responsibilities
AWS follows a shared responsibility model where (in general) it is responsible for the underlying availability of computing, storage, networking, and more. You are responsible for data, applications, identity, and – most importantly – security.
Limit access via IAM
Security teams can easily lose visibility into who has access to what. Start with a tightly configured IAM strategy that uses defined roles so that users have access only to the bare minimum set of resources they need.
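"Bare minimum" is easy to state and easy to drift away from. As an added example (not code from the original page or from AWS), here is a small check that walks an IAM policy document, in the same JSON shape AWS uses but held as a Python dict, and reports Allow statements that are broader than least privilege: wildcard actions, service-wide wildcards such as `s3:*`, `NotAction` grants, and statements that apply to every resource with no Condition. The two policies are constructed illustrations; the bucket name and the check's wording are this example's own.

```python
"""Flag over-broad statements in an IAM policy document.

Added example, not from the original page. Both policies below are
constructed; the bucket ARN is a placeholder.
"""

# Constructed: the kind of "just make it work" policy that grants far too much.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed: the same workload scoped to the actions and objects it needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-bucket"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (statement_index, finding) for Allow statements that
    are broader than least privilege. Deny statements only narrow access and
    are skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "Allow with NotAction grants every action not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((i, "wildcard action '*'"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard action '{action}'"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and not stmt.get("Condition"):
            findings.append((i, "applies to every resource with no Condition"))
    return findings


def is_least_privilege(policy):
    """True when the linter has nothing to report."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, pol in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "ok" if is_least_privilege(pol) else lint_policy(pol))
```

The check is deliberately conservative: a `Resource: "*"` is sometimes unavoidable for actions that are not resource-scoped, which is why a Condition block suppresses that finding. Treat the output as a review queue, not a verdict.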
Assess your risk
In the case of AWS, risk is about exposure – data, system, or application. Because most use cases of AWS are Internet-facing, you need to gain an understanding of your exposure risk. Performing a risk assessment may be necessary to fully comprehend where you may be exposed and what security service may be needed to protect your AWS investment.
Think layered security
Attacks are continually evolving, requiring that your security strategy use several different tools and methods. Solutions that assist with protection, prevention, detection, and remediation in AWS must be implemented across infrastructure, identity, storage, and endpoints.
This document is provided as a general informational overview. Mention of third-party products or services is not an endorsement of the same.