Securing AWS Workloads
The InfoSec Consulting Series #30
By Jay Pope
Amazon Web Services (AWS) is among the most popular public cloud services. As with any cloud service, there are security implications to its use, with new and evolved threats constantly emerging. Securing AWS workloads is therefore vital if you are relying on it for your business. We’re going to look at some AWS security best practices that you should be following.
Understand The Model
The first step towards securing AWS workloads is to understand Amazon’s security model. This is based on shared responsibility, which means that while Amazon is responsible for its infrastructure, you, the customer, are responsible for the correct configuration of your environment and for ensuring that data isn’t improperly shared. In practice, therefore, Amazon protects its computing and storage assets, as well as networking and database services. However, it has little control over how AWS customers use the platform, so customers are responsible for the secure use of the system. Where a customer requires multi-factor authentication, for example, it’s their responsibility to ensure it’s turned on for all users, and that user activities are monitored.
Access Management
As more and more business-critical data is stored in the cloud, a key aspect of the management of AWS security templates is controlling access to your systems. We’ve mentioned multi-factor authentication, and this makes access to your system much safer than simply relying on a user ID and password. Another important method of securing your AWS workloads is to ensure that identity and access management (IAM) is well defined. This is an AWS service that allows you to manage users and groups and grant permissions and set rules to control access to AWS resources. To make best use of this, it’s important to set permissions at a group or job role level, this helps to avoid the risk of users accruing one-off permissions that could result in them having more access than they need. You should always look to grant the minimum AWS permissions that users need to do their jobs.
Your AWS root account user access keys give full access to all aspects of the account and cannot be restricted. You should avoid use of this if at all possible, indeed if you haven’t created an access key for your root account, don’t! Instead, use the AWS management console to create a user with the administrative permissions you need. If you absolutely must use the root account, change the password regularly and keep a log of when and by whom it’s used.
Databases And Storage
Another key aspect when considering the management of AWS security templates is to follow best practices for configuring database and storage services. A number of recent AWS data leaks featured the exploitation of misconfigured S3 Buckets [1] which underlines the need to pay particular attention to configuration. You should ensure that no S3 Buckets are publicly available unless your business requires this. You should also encrypt data in your Elastic Block Store (EBS), and consider encrypting your Amazon relational database (RDS) too. You should also restrict access to RDS to minimise the risk of attacks. Another key aspect of securing your AWS workloads is to monitor file integrity. This is crucial to keeping tabs on what’s happening in your cloud environment and alerting you to any attacks as soon as possible when they occur. Integrity monitoring alerts you when a file is added to or deleted from a directory, in addition to when files are opened and when they are modified.
End To End Security
If you are using AWS as a DevOps development environment, your security team needs to be involved at each stage of the development. By ensuring that securing AWS workloads is a deliverable in your project at the outset helps to ensure that you don’t have to firefight problems later on. You also need to ensure that developers’ access to systems is properly controlled. It may be tempting to give developers access to production data for testing, but you must ensure that data is properly secured. You should also track and monitor when any software is installed that could have an impact on system configuration.
It should also be noted, of course, that weakest security link is often the people who are using the system. It is therefore vital to educate your staff and make them aware of their responsibilities. When introducing a new measure such as multi-factor authentication, for example, you need to ensure that people know how to use it and why it matters. Securing your AWS platform should be taken just as seriously as protecting your in-house systems. Following these best practice recommendations will help you meet your current security needs and give you flexibility as your requirements evolve.
[1] https://www.zdnet.com/article/aws-rolls-out-new-security-feature-to-prevent-accidental-s3-data-leaks/
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.