Navigating today’s threat landscape and ensuring security in the public cloud is more important than ever. When it comes to AWS security best practices, businesses must start with an understanding of the AWS Shared Responsibility Model. Unfortunately, many companies don’t fully understand that shared model and who is responsible for what, despite the AWS clear statement:
"While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter."
In order to decode the shared security model, businesses must go beyond the copious, available amounts of content to explain the AWS position. That should start with understanding what it takes to secure your environment.
Many organizations choose to partner with a cloud managed services provider to navigate security best practices at the beginning of their cloud journey. One of the first insights they gain is the fact that most serious breaches in the cloud occur due to lax identity/access management. While an internal bad actor could be the source of a breach, an employee’s stolen login credentials can also be the source, such as in the high-profile JPMorgan breach.
Basic AWS Cloud Security Best Practices Tips to Secure AWS Cloud
AWS goes a long way toward securing the cloud environment for its users with new approaches like the recent rollout of the Macie ML service to protect sensitive data across S3 repositories. While this is an optional service, let’s take a look at some of the security best practices options that all organizations should be implementing.
- Enable the Multifactor Authentication (MFA) for all your IAM users for secure two-step login that ensures the authenticity of a user.
- Implement the Termination Protection API to avoid erroneous termination of EC2 instances in your environment.
- Enable AWS CloudTrail service to record API calls made on your account, deliver the log files to an S3 bucket to track changes to resources and user activity, and support environmental compliance.
- Minimize and regularly change/rotate IAM admin access keys for users in your account.
- Utilize Security Group functions as a virtual firewall to control the inbound and outbound traffic for one or more instances.
- Incorporate techniques such as anomaly detection to create a secure, trusted environment.
- Create AWS snapshots to allow for easy disaster recovery and smooth business continuity.
- Develop a strategy to track and respond to the AWS S3 server dashboard alert that visibly warns server administrators that data has become publicly accessible.
Securing Trusted Environments
While root account is built into every AWS account, to provide Single Sign-on (SSO) identity for an account's privileged access to all AWS services and billing, it is inadequate for organizations with countless user access needs. AWS recommends using Identity Access Management (IAM) policies for role-based access to your AWS services.
Organizations should begin with an access governance strategy that provides robust visibility into who can access resources, how they obtained the access, when they received the access, and what they are doing with the access. The best approach with this strategy is to enforce a 'least privileges' approach to minimize the potential damage of a compromised account.
To accomplish this, proactive cloud security-conscious organizations will implement an Identity and Access Governance system. This will give IT administrators the ability to manage users on a granular level across the enterprise, both on-premise and in the cloud, in a consistent, visible, and scalable manner. This provides SSO access to all resources for end users as well as centralized ID management, authentication, and policy enforcement for administrators.
These are a few of the security measures that organizations should implement to secure data at rest and in transit:
- Web Application Firewalls (WAFs)
- Strong data encryption
- Identity and access controls
- Next Generation Firewalls (NGFWs)
- Message archiving
- DDoS mitigation
- Logging and monitoring
- Endpoint protection
- Data protection and archiving
Businesses of all sizes and across sectors are seeking out the advantages of a hybrid cloud approach that is a mixture of public and private cloud usage. Many are also utilizing a multi-cloud approach that includes AWS as a significant part of the mix to further maximize agility and cost savings. Consequently, implementing AWS security best practices is necessary since public cloud use continues to grow along with the threat landscape.
Most organizations do not have access to an internal cloud security team to navigate this landscape. For these and other businesses, the ideal approach is to work with a skilled and experienced security services and solutions partner showing a strong track record in AWS implementations. The result of such a partnership is that the businesses can take a well-informed and proactive security approach that secures the business side of the AWS shared responsibility model.