Securing Your AWS Workloads
The InfoSec Consulting Series #30
By Jay Pope
Amazon Web Services (AWS) is among the most popular public cloud services. As with any cloud service, there are security implications to its use, with new and evolved threats constantly emerging. Protecting your AWS workloads is therefore vital if you are relying on it for your business. We’re going to look at some AWS security best practices that you should be following.
Understand The Model
The first step towards securing your AWS workloads is to understand Amazon’s security model. It works on the basis of shared responsibility: Amazon is responsible for its infrastructure, while you, the customer, are responsible for the correct configuration of your environment and for ensuring that data isn’t improperly shared. In practice, therefore, Amazon protects its computing and storage assets, as well as its networking and database services. However, it has little control over how AWS customers use the platform, so customers are responsible for the secure use of the system. Where a customer requires multi-factor authentication, for example, it’s their responsibility to ensure it’s correctly configured for all users.
As more and more business-critical data is stored in the cloud, a key aspect of managing AWS security is controlling access to your systems. We’ve mentioned multi-factor authentication, which makes access to your system much safer than simply relying on a user ID and password. The other thing you should do is use Identity and Access Management (IAM), the AWS service that lets you manage users and groups, grant permissions and set rules that control access to AWS resources. To make the best use of it, set permissions at the group or job-role level; this avoids the risk of users accruing one-off permissions that leave them with more access than they need. Always grant the minimum AWS permissions that users need to do their jobs.
Your AWS root account access keys give full access to every aspect of the account and cannot be restricted. Avoid using them if at all possible; indeed, if you haven’t created an access key for your root account, don’t. Instead, use the AWS Management Console to create an IAM user with the administrative permissions you need. If you absolutely must use the root account, keep close control of it: change the password regularly and keep a log of when, and by whom, it is used.
Databases And Storage
Another key aspect of managing AWS security is following best practice when configuring database and storage services. Many recent AWS data leaks have been caused by misconfigured S3 buckets, which underlines the need to pay close attention to configuration. Ensure that no S3 bucket is publicly accessible unless your business genuinely requires it. You should also encrypt data in your Elastic Block Store (EBS) volumes, consider encrypting your Amazon Relational Database Service (RDS) databases too, and restrict access to RDS to minimise the risk of attack.
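As an added example (not code from the article), a small Python checker that applies the least-privilege and no-public-bucket advice above to policy documents: it flags IAM statements that allow every action or every resource, and bucket-policy statements whose principal is anyone. The sample policies are constructed for the illustration.

```python
import json

# Constructed sample policies (not from the article): an IAM policy that is far
# too broad, a least-privilege one, and an S3 bucket policy open to anonymous reads.
OVERLY_BROAD_IAM = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LEAST_PRIVILEGE_IAM = {
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}
PUBLIC_BUCKET_POLICY = {
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True if a Principal element grants access to anyone ('*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False

def audit_policy(policy):
    """Return findings for an IAM or bucket policy (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: allows every action (*)")
        if "*" in resources and "Principal" not in stmt:
            findings.append(f"statement {i}: applies to every resource (*)")
        if is_public(stmt.get("Principal")):
            findings.append(f"statement {i}: public principal on {', '.join(actions)}")
    return findings
```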
Another key aspect of protecting your data is to monitor file integrity. This is crucial for keeping tabs on what’s happening in your cloud environment and alerting you to attacks as soon as possible after they occur. Integrity monitoring alerts you when a file is added to or deleted from a directory, and when files are opened or modified.
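To show what the added-, deleted- and modified-file part of that looks like in practice, here is an added example (not code from the article) of a minimal hash-based integrity check in Python: it baselines a directory with SHA-256 digests, then reports what changed. The directory and its changes are constructed inside a temporary folder.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Classify what changed since the baseline: added, deleted and modified paths."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}

def write_file(root, rel, text):
    """Helper for the constructed scenario below."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline a directory, change it, report the changes."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "etc/app.conf", "debug=false\n")
        write_file(root, "index.html", "<h1>hello</h1>\n")
        baseline = snapshot(root)
        # Three changes an integrity monitor should report:
        write_file(root, "etc/app.conf", "debug=true\n")   # modified
        write_file(root, "unexpected.bin", "x")              # added
        os.remove(os.path.join(root, "index.html"))          # deleted
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Hashing catches additions, deletions and modifications but not reads; alerting on files being opened needs OS-level audit hooks (for example Linux auditd or inotify), which is where a dedicated integrity-monitoring agent comes in.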
End To End Security
If you are using AWS as a DevOps development environment, your security team needs to be involved at each stage of development. Building in security from the outset helps ensure that you don’t have to firefight problems later. Following AWS security best practices is a good start, but the security team should also carry out ‘attack tree’ analysis on the more esoteric concepts, as well as on attack techniques that are becoming more prevalent, such as Server-Side Request Forgery (SSRF).
You also need to ensure that developers’ access to systems is properly controlled. It may be tempting to give developers access to production data for testing, but you must ensure that the data is properly secured. You should also track and monitor when any software is installed that could affect system configuration. It should also be noted, of course, that the weakest security link is often the people using the system. It is therefore vital to educate your staff and make them aware of their responsibilities. When introducing a new measure such as multi-factor authentication, for example, you need to ensure that people know how to use it and why it matters.
Securing your AWS platform should be taken just as seriously as protecting your in-house systems. Following these best practice recommendations will help you meet your current security needs and give you flexibility as your requirements evolve.
Does Your Organisation Need Top Security or Technical Delivery Talent?
Cyber Smart Associates provides certified Cyber Security & Technical Delivery Specialists to organisations looking to undertake their transformation challenges with foresight and with confidence. With our own practicing Cyber Security Consultants, we are well positioned in the industry to specialise in sourcing top security and technical delivery talent across all related technical roles and skillsets. We source the best people for permanent, contract, and interim roles for organisations that need specialist skills, and delivery experience.