Data Security

  • Encryption: As a best practice to secure your data in AWS, encrypt everything! Encrypt your data at rest in AWS across all your storage options. Design your encryption to be automated and omnipresent. Encrypting data helps you in the following ways:
    • Privacy
    • Integrity
    • Reliability
    • Anonymity
  • Use KMS: Encryption using keys relies heavily on the availability and security of those keys. If you have the key, you have the data. Essentially, whoever owns the key owns the data. So, ensure that you use a reliable and secure key management infrastructure for managing all your keys. AWS KMS is a fully managed service available for all your key management needs. Use it to manage your keys for encrypting data in S3, RDS, EBS volumes, and so on. Also, ensure that you control access to these keys through IAM permissions and policies.
  • Rotate your keys: Ensure that keys are rotated periodically, usually quite frequently. The longer a key lives, the higher the security risk attached to it.
  • Classify your data: Secure your data by classifying it. What type of data is it: confidential information or publicly available? What would be the impact of loss or theft of this data? How sensitive is this data? What retention policies are attached to this data? Moreover, classify data based on usage. Once you classify your data, you can choose the appropriate level of security controls and storage options in AWS for storing it.
  • Secure data in transit: Create a secure listener on your ELB to encrypt traffic between clients initiating a secure connection, using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and your AWS ELB. This helps you secure data in transit for applications running on EC2 instances as well. Similar configurations, known as TLS termination, are available for other AWS services such as Redshift, RDS, and all API endpoints. Use VPN, VPC peering, and Direct Connect to securely transfer data from your VPC to other data sources.
  • S3 bucket permissions: Ensure that you do not have world-readable or world-listable S3 buckets in your account. Restrict access to your buckets using IAM, access control lists (ACLs), and bucket policies.
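The KMS, key-rotation and S3 bucket-permission bullets above describe checks that are easy to automate. The script below is an added example written for this page (not code from the book or from AWS): it audits an account snapshot for world-readable or world-listable buckets (via ACL grants to the AllUsers/AuthenticatedUsers groups or unconditional `Principal: "*"` bucket-policy statements), buckets without default encryption at rest, and customer-managed KMS keys with rotation disabled, stale key material, or a key policy open to everyone. The snapshot shape is loosely modelled on what boto3's `get_bucket_acl`, `get_bucket_policy`, `describe_key` and `get_key_rotation_status` return, but the record layout, the `DefaultEncryption` and `LastRotated` fields, the 365-day rotation threshold and all sample data are constructed assumptions for the example; in practice you would fill the snapshot from those API calls.

```python
"""Offline audit of constructed S3 and KMS settings for common data-security gaps."""
import json
from datetime import datetime, timedelta, timezone

# Canned ACL grantee groups that make a bucket world-readable or world-listable.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
S3_PUBLIC_ACTIONS = ("s3:GetObject", "s3:ListBucket")   # read objects / list bucket
KMS_SENSITIVE_ACTIONS = ("kms:Decrypt",)                 # whoever can decrypt owns the data


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_matches(granted, wanted):
    """Case-insensitive IAM action match with trailing-wildcard support ("s3:*", "*")."""
    granted, wanted = granted.lower(), wanted.lower()
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def unconditional_public_grants(policy, watched_actions):
    """Return the watched actions an IAM-style policy allows to everyone with no Condition."""
    if not policy:
        return set()
    doc = json.loads(policy) if isinstance(policy, str) else policy
    found = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants (aws:SourceVpc, aws:SourceIp, ...) need manual review
        for granted in _as_list(stmt.get("Action", [])):
            found.update(w for w in watched_actions if _action_matches(granted, w))
    return found


def audit_bucket(bucket):
    """Findings for one bucket record: public ACL grants, public policy grants, no encryption."""
    findings = []
    for grant in bucket.get("Acl", {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    for action in sorted(unconditional_public_grants(bucket.get("Policy"), S3_PUBLIC_ACTIONS)):
        findings.append(f"bucket policy grants {action} to everyone")
    if not bucket.get("DefaultEncryption"):  # assumed field: SSE-S3/SSE-KMS setting or None
        findings.append("no default encryption (SSE-S3 or SSE-KMS) configured")
    return findings


def audit_key(key, now, max_rotation_age=timedelta(days=365)):
    """Findings for one customer-managed KMS key: rotation off, stale material, open policy."""
    if key.get("KeyManager") != "CUSTOMER":
        return []  # AWS-managed keys (aws/s3, aws/rds, ...) are rotated by AWS itself
    findings = []
    if not key.get("RotationEnabled"):
        findings.append("automatic key rotation disabled")
    last_rotated = key.get("LastRotated") or key["CreationDate"]  # assumed field
    if now - last_rotated > max_rotation_age:
        findings.append(f"key material older than {max_rotation_age.days} days")
    for action in sorted(unconditional_public_grants(key.get("Policy"), KMS_SENSITIVE_ACTIONS)):
        findings.append(f"key policy grants {action} to everyone")
    return findings


def audit(snapshot, now=None):
    """Map resource name -> findings; resources with no findings are omitted."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for bucket in snapshot["Buckets"]:
        findings = audit_bucket(bucket)
        if findings:
            results[bucket["Name"]] = findings
    for key in snapshot["Keys"]:
        findings = audit_key(key, now)
        if findings:
            results[key["KeyId"]] = findings
    return results


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SNAPSHOT = {  # constructed sample data, not taken from any real account
    "Buckets": [
        {"Name": "example-public-logs",
         "Acl": {"Grants": [
             {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
             {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]},
         "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::example-public-logs/*"}]}),
         "DefaultEncryption": None},
        {"Name": "example-private-data",
         "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                             "Permission": "FULL_CONTROL"}]},
         "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
              "Action": ["s3:GetObject", "s3:ListBucket"],
              "Resource": ["arn:aws:s3:::example-private-data",
                           "arn:aws:s3:::example-private-data/*"]}]}),
         "DefaultEncryption": "aws:kms"},
    ],
    "Keys": [
        {"KeyId": "example-cmk", "KeyManager": "CUSTOMER", "RotationEnabled": False,
         "CreationDate": NOW - timedelta(days=400), "LastRotated": None,
         "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}]})},
        {"KeyId": "aws/s3", "KeyManager": "AWS", "RotationEnabled": True,
         "CreationDate": NOW - timedelta(days=900), "LastRotated": None, "Policy": None},
    ],
}

if __name__ == "__main__":
    for name, findings in audit(SNAPSHOT, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed snapshot, the audit flags `example-public-logs` (public ACL grant, public `s3:GetObject` policy statement, no default encryption) and `example-cmk` (rotation disabled, material older than a year, `kms:*` granted to every principal), while the private bucket and the AWS-managed key produce no findings. Statements that grant to `*` but carry a `Condition` are deliberately left out of the automatic findings, because a condition such as a VPC or source-IP restriction can legitimately narrow the grant; those should be reviewed by hand rather than auto-flagged either way.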