Chapter 5. AWS Security Best Practices

Security at AWS is job zero. AWS is architected to be one of the most secure cloud environments, with a host of built-in security features that allow it to eliminate most of the security overhead traditionally associated with IT infrastructure. Security is a shared responsibility between AWS and its customers, who work together to achieve their security objectives. We have looked at various services, tools, features, and third-party solutions provided by AWS to secure your assets on AWS. All customers share the following benefits of AWS security without any additional charges or resources:

  • Keeping your data safe
  • Meeting compliance requirements
  • Saving money with in-built AWS security features
  • Scaling quickly without compromising security

An enterprise running business-critical applications on AWS cannot afford to compromise on the security of these applications or of the AWS environment in which they run. As per Gartner, by 2020, 95% of all security breaches or incidents in the cloud will be due to customer error and not the cloud provider.

Security is a core requirement for any Information Security Management System (ISMS) to protect information from unauthorized access, theft, deletion, integrity compromise, and so on. An ISMS is not required in order to use AWS; however, AWS has a set of best practices, organized under the following topics, that address widely adopted approaches to ensuring security for an ISMS. You can use this approach if you have an ISMS in place.

  • What the shared security responsibility model is and how it works between AWS and customers
  • Categorizing and identifying your assets
  • How to use privileged accounts and groups to control and manage user access to your data
  • Best practices for securing your data, network, servers, and operating systems
  • How to achieve your security objectives using monitoring and alerting

For more information on best practices for securing your ISMS, refer to the AWS Security Center at https://aws.amazon.com/security/. You can also use the AWS Security Center to stay updated on the most common security issues and the solutions that address them.

Security by design: There are two broad aspects of security in AWS:

  • Security of the AWS environment: AWS provides many services, tools, and features, such as encryption services, logging, configuration rules, and identity management, to secure your entire AWS environment, including systems, networks, and resources.
  • Security of hosts and applications: Along with your AWS environment, you also need to secure the applications running on AWS resources, the data stored in those resources, and the operating systems on servers in AWS. This responsibility is primarily managed by AWS customers. AWS makes the tools and technologies that customers already use on-premises available in the AWS cloud as well.

Security by design is a four-phase systematic approach to ensure continuous security, compliance, and real-time auditing at scale. It applies to the security of the AWS environment and allows for automation of security controls and streamlined audit processes. It lets customers have security and compliance reliably coded into their AWS account. The following are the four phases of the Security by design approach:

  • Understand your requirements
  • Build a secure environment
  • Enforce the use of templates
  • Perform validation activities

Security in AWS is distributed across multiple layers, such as AWS products and services, data security, application security, and so on. It is imperative to follow best practices for securing all such products and services to avoid having your resources compromised in the AWS cloud.

Security is the number one priority for AWS, and it is a shared responsibility between AWS and its customers. Security is imperative for all workloads deployed in the AWS environment. In AWS, storage is cheap; use it to store all logs and relevant records. It is recommended to use AWS managed services and in-built reporting services as much as possible for security, to offload heavy lifting and enable automation.

In this lesson, we will go over security best practices in AWS. These best practices are a combination of AWS recommendations, as well as expert advice and most common practices to follow in order to secure your AWS environment.

Our objective is to establish a minimum security baseline for our workloads in the AWS environment by following these best practices, which are spread across AWS services, products, and features. These security measures give you visibility into AWS usage and AWS resources so that you can take corrective action when required. They also allow automation at multiple levels, such as the infrastructure level or the application level, to enable continuous monitoring and continuous compliance for all workloads deployed in AWS, along with all AWS resources used in your AWS account.

We will learn about security best practices for the following topics:

  • Shared security responsibility model
  • IAM
  • VPC
  • Data security
  • Security of servers
  • Application security
  • Monitoring, logging, and auditing

We will also look at the Cloud Adoption Framework (CAF), which helps organizations embarking on their cloud journey with standards, best practices, and so on.

We will learn about the security perspective of CAF along with the following four components:

  • Preventive
  • Responsive
  • Detective
  • Directive

Shared Security Responsibility Model

One of the first and most important requirements, and a security best practice to follow, is to understand the AWS shared security responsibility model. Ensure that all stakeholders understand their share of security in AWS.

AWS is responsible for the security of the cloud, that is, the underlying infrastructure that powers the AWS cloud, and customers are responsible for security in the cloud, that is, anything they put in and build on top of the AWS global infrastructure.

It is imperative to have clear guidelines about this shared security responsibility model in your organization. Identify resources that fall under your share of responsibilities, define activities that you need to perform, and publish a schedule of these activities to all stakeholders. The following figure shows the AWS shared security responsibility model:

Figure 1: AWS shared security responsibility model

IAM Security Best Practices

IAM provides secure access control in your AWS environment to interact with AWS resources in a controlled manner:

  • Delete your root access keys: The root account has unrestricted access to all AWS resources in your account. It is recommended that you delete the root account's access keys (the access key ID and the secret access key) so that they cannot be misused. Instead, create a user with the desired permissions and carry out tasks with this user.
  • Enforce MFA: Add an additional layer of security by enforcing MFA for all privileged users who have access to critical or sensitive resources and to APIs with a high blast radius.
  • Use roles instead of users: Roles are preferred over IAM users because the credentials for roles are managed by AWS. These credentials are rotated multiple times a day and are not stored locally on your AWS resource, such as an EC2 instance.
  • Use access advisor periodically: You should periodically verify that all users with access to your AWS account are using the access privileges assigned to them. If the access advisor report shows that a user has not used a privilege for a defined period, revoke that privilege and remove the unused credentials. The following figure shows the security status, as per the AWS recommended IAM best practices, in the AWS Management Console:
    Figure 2: AWS IAM security best practices
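The checklist above can be turned into an automated audit. The following is an added example (not code from the book) that evaluates the root-key, MFA and unused-credential items offline; the input dicts are assumed to mirror the shapes returned by boto3's IAM calls (`get_account_summary`, `list_mfa_devices`, `get_access_key_last_used`), and the sample data is constructed for illustration.

```python
"""Offline IAM best-practice audit (added example; input shapes assumed to
mirror boto3 IAM responses, sample data constructed)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: what the IAM API calls would return for a small account.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ACCOUNT_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0}
USERS = [
    {"UserName": "alice", "HasConsolePassword": True, "MFADevices": 1,
     "AccessKeys": [{"AccessKeyId": "EXAMPLEKEY1", "LastUsedDate": NOW - timedelta(days=3)}]},
    {"UserName": "bob", "HasConsolePassword": True, "MFADevices": 0,
     "AccessKeys": [{"AccessKeyId": "EXAMPLEKEY2", "LastUsedDate": NOW - timedelta(days=120)}]},
    {"UserName": "svc-build", "HasConsolePassword": False, "MFADevices": 0,
     "AccessKeys": [{"AccessKeyId": "EXAMPLEKEY3", "LastUsedDate": None}]},
]


def audit_iam(summary, users, now=NOW, max_idle_days=90):
    """Return (severity, finding) tuples for the root-key, MFA and unused-key checks."""
    findings = []
    # Root access keys should not exist (AccountAccessKeysPresent is 1 when they do).
    if summary.get("AccountAccessKeysPresent", 0):
        findings.append(("HIGH", "root access keys present: delete them"))
    # MFA: the root account needs it, and so does any user who can sign in to the console.
    if not summary.get("AccountMFAEnabled", 0):
        findings.append(("HIGH", "root account has no MFA device"))
    for u in users:
        if u["HasConsolePassword"] and u["MFADevices"] == 0:
            findings.append(("HIGH", f"user {u['UserName']} has console access without MFA"))
        # Unused credentials: flag keys never used or idle longer than max_idle_days,
        # the same signal the access advisor / last-used reports give you.
        for k in u["AccessKeys"]:
            last = k["LastUsedDate"]
            if last is None:
                findings.append(("MEDIUM", f"key {k['AccessKeyId']} of {u['UserName']} never used"))
            elif (now - last).days > max_idle_days:
                idle = (now - last).days
                findings.append(("MEDIUM", f"key {k['AccessKeyId']} of {u['UserName']} idle {idle} days"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_iam(ACCOUNT_SUMMARY, USERS):
        print(f"[{severity}] {message}")
```

In a real account you would populate the two inputs from the boto3 IAM client and feed them to `audit_iam` unchanged.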
