With a rapid surge in cloud-native business solutions, organizations must learn and adapt security best practices to take advantage of their benefits. Configuring and maintaining a highly secure and resilient cloud infrastructure requires a strong understanding of cloud security concepts and their nuances.
Security is a critical aspect of AWS Cloud and is one of the Five Pillars of AWS’s Well-Architected Framework. AWS provides a globally-secure infrastructure under the 'Shared Responsibility Model'. It allows organizations to take advantage of the highly-secure AWS data centers, and its global network. However, it also requires clients to be accountable for implementing control over their environment, depending on their use case. Client responsibilities includes Patch Management, Configuration Management, classification of assets, and choosing the appropriate AWS services and Region that meets their needs.
As an AWS managed service provider, EPI-USE Services for AWS is dedicated to assisting you with establishing and maintaining a highly-secure cloud environment. Our team of experts will constantly be reviewing your security posture, identifying security threats, and implementing security changes and controls needed to operate securely. By strictly adhering to the security best practices, we can assist you with migrating your on-premises data to AWS cloud with minimal downtime. Through this blog, we explain how we manage our AWS workloads with an emphasis on security best practices.
Our team of engineers is well versed in cloud security concepts and is keen to implement the best security measures to protect your cloud infrastructure. We use some of the principal security-related AWS services like Security Hub, Amazon GuardDuty, and Amazon Inspector.
Leverage AWS security services
AWS offers a broad range of security services and management tools to assist you in protecting your data and environment from unwanted exposures, vulnerabilities, and threats. Learn more about AWS Security best practices.
AWS Security Hub helps manage and improve the security of AWS accounts by providing a comprehensive view of the security posture across all of your AWS accounts. It also shows your compliance with security standards and best practices. Amazon GuardDuty is a threat detection service, which continuously monitors harmful activity and unlawful conduct, thereby securing your AWS accounts, workloads, and data stored in Amazon S3. Amazon Inspector checks applications for vulnerabilities, exposures, and security breaches. It also evaluates and generates a complete list of security findings, ranked by severity.
In one instance, one of our clients was facing a brute force attack on their Windows instance which led to a service interruption. With the help of Amazon GuardDuty, we were able to proactively block such attacks before they could impact the client servers. Furthermore, we were able to scale up security measures by identifying various obsolete software systems and programs on the instance. Leveraging these AWS services helps our team to make informed decisions and achieve the highest security for our clients’ cloud infrastructure.
Security in AWS Organization
AWS Organization enables you to create and centrally manage AWS accounts to compartmentalize your workloads efficiently. The DevOps team at EPI-USE Services for AWS is experienced in assisting clients to automate the setup of highly efficient and security-compliant multi-account environments. By configuring AWS Control Tower using AWS Organization, our clients can accelerate innovation by focusing more on the application side. It removes the complexities associated with multi-account governance and ensures immediate visibility into their security compliance status.
While Control Tower helps to centralize information security management across AWS Organization, single sign-on (SSO) allows users to log in securely to their multiple accounts and websites with a single set of credentials. By enforcing appropriate guardrails through Service Control Policies (SCP) and identifying policy violations with the help of AWS Config, you can effectively manage and track the security compliance issues.
Perform periodic audits
As a managed service provider, our priority is to keep your data safe from cyberattacks, such as data theft, malware attacks, and distributed denial of service (DDoS) attacks. As a best practice, we perform frequent and periodic account audits to identify security vulnerabilities.
Seven services and security best practices
Here are seven of the services and security best practices that we would recommend in keeping your AWS environment safe and foolproof:
1. AWS access keys:
Access keys are long-term credentials used to make a programmatic request to AWS CLI or API. They consist of a combination of a secret access key and an access key ID. As a security best practice, you should not share your access keys with a third party. It is not advisable to embed the access keys directly into code. Instead, you should place access keys in AWS credentials files. To store credentials for the AWS SDK for .NET and the AWS Tools for Windows PowerShell, AWS recommends using the SDK store. Periodically rotating access keys, as well as removing unused keys, are also well-known security best practices.
There have been instances where we have identified client access keys that were issued for more than a year. We always remind our clients to rotate their access keys periodically. This will shorten the active timespan for an access key, thereby reducing the business impact in the event of breach. Our regular audits have aided in the identification and deletion of unused access keys that have been left behind after employees have exited our clients' organizations.
2. Principal of least privilege and enabling MFA:
We always ensure we assign IAM permissions with the least-privileged rights. We also recommend using MFA and SSO to protect and centralize user access respectively. We always encourage and help our clients in configuring multi-factor authentication for sensitive operations
3. Security groups and ports:
Security groups are virtual firewalls that act at the instance level. During our routine security checks, we identified client web and application servers using security groups with unrestricted ports. This was brought to the client's attention and, as part of security measures, we limited the server access to a single IP address. In addition, we implemented more restrictive rules and deleted those which were overly permissive.
4. AWS Web Application Firewall (WAF):
WAF helps to safeguard your applications or APIs against common web exploits by allowing you to configure specific rules that can analyze and block common web attacks. WAF monitors and protects the applications deployed on AWS services like CloudFront, API Gateway, and AppSync. A variety of factors are to be considered while setting up a WAF, including IP addresses, country of origin of the request, values in headers and bodies, and rate limit. Our most common WAF use case is the protection of web applications against application layer assaults like cross-site scripting (XSS), SQL injection, and cookie poisoning.
5. AWS Config:
AWS Config keeps track of your AWS resource configurations and analyzes them over time. It also maintains a historical record of modifications made to your resources, helping align with your organization's legal policies. AWS Config constantly evaluates the configuration details of new and existing resources against a config rule that represents the desired configuration for a resource. For instance, you can define a config rule which mandates EC2 volume encryption. By enabling AWS Config, you will get notified of the unencrypted volumes in your environment. Furthermore, it can also perform remedial measures, such as encrypting or removing volumes. Our team always uses Config rules to audit and evaluate the configurations of services deployed in the AWS environment.
6. AWS CloudTrail:
AWS CloudTrail audit logs provide critical information for tracking user activity across your AWS accounts, detecting potentially fraudulent conduct, and revealing sections of your infrastructure that might lack proper configuration. As a best practice, we leverage AWS CloudTrail logs for our client accounts to keep track of all user activities within the AWS environment.
7. AWS Security Hub:
AWS Security Hub provides a comprehensive report of your security posture, by combining the data from all the above services and presenting the information in a unified view. It gathers information from all AWS security services across different AWS accounts and regions, making it easy to analyze your security trends and issues. Security Hub also facilitates data collection from third-party security products. Security Hub has helped us manage and improve the security of our client accounts in a seamless way. Our team of experts also works closely with our clients to accomplish industry-accepted security standards like CIS AWS Foundations Benchmark and Payment Card Industry Data Security Standard (PCI DSS).
Our managed service team also works closely with the client to help them to acquire industry-accepted security and compliance standard certifications like PCI, HIPAA, and ISO.
Mitigate security risks
To conclude, AWS has an extended range of cloud security services and tools that can help you mitigate some of the risks associated with poor security hygiene and make your environment impenetrable to data breaches. However, to maximize the benefit of these tools, you must make a consistent effort in enforcing adequate security controls throughout your organization. Our team of managed service experts can support you in achieving a secure AWS environment and staying ahead in terms of cybersecurity.
Authors:
Sethu Manuel: Project Manager, EPI-USE Services for AWS
Rose Maria Pius: Finance Analyst, EPI-USE Services for AWS
