When it comes to managing access control lists in AWS, one of the best places to start is the AWS Management C...
When it was first launched, AWS did not offer a strong security mechanism for applying firewall rules to Web servers, explained Ali Hussain, CTO and co-founder of Flux7 Labs, an Austin, Texas-based IT consultancy that helps businesses modernize IT systems. Businesses needed to implement stronger security themselves, either through a custom setup or a third-party product, he said. With the introduction of AWS Web Application Firewall (WAF), they no longer need third-party products; AWS WAF can help protect Web applications from common Web exploits.
Additionally, Amazon Simple Storage Service (S3) resources start off as private: only the resource owner and the owning AWS account can reach them, and other users gain access only if the owner writes a cloud access control policy. S3 then splits these policies into resource-based policies and user policies. Resource-based policies are attached to buckets and objects, while user policies are attached to users in your account.
When an administrator grants permission, they determine which end user or group is being given permission and which S3 resources they can access. An administrator can also restrict which actions are allowed on those resources.
ACLs restrict access
Cloud admins can use Access Control Lists (ACLs) to grant basic read/write permissions to other AWS accounts, according to the company. There are limits to managing permissions with ACLs, however: an ACL can grant permissions only to other AWS accounts, not to users in your own account, and it can neither grant conditional permissions nor explicitly deny permissions. Still, if a bucket owner allows other AWS accounts to upload objects, the owner of each uploaded object can manage its permissions through an object ACL.
AWS WAF lets you use the AWS Management Console to create rules that identify potentially malicious traffic and then block it. For example, AWS WAF could be used to block access attempts from countries that are not supposed to be using your cloud service, stop access to admin pages from the public internet, or block URLs with malformed text that can indicate an attack, Hussain explained. Admins can also create whitelist rules that accept only matching requests and reject everything else. The biggest advantage of this cloud service is that admins can simplify the procurement process so it's directly through Amazon, which reduces the number of vendors, he added.
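The four rule types Hussain describes (geo-blocking, keeping admin pages off the public internet, rejecting malformed URLs, and a whitelist that rejects everything else) are easier to reason about as a small rule engine. The following Python model is an added illustration, not code from the article, Flux7 or the AWS WAF API; the allowed countries, internal network, path patterns, the `Request` record and the sample traffic are all constructed placeholders.

```python
"""WAF-style request filtering, modelled on the rule types described above.

Constructed example: a self-contained rule engine, not the AWS WAF API.
The country codes, networks and paths are placeholders chosen for the demo.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    src_ip: str   # client address as seen at the edge
    country: str  # ISO country code a geo lookup would attach (constructed)
    path: str     # request path, exactly as received


# Assumed policy for the demo service.
ALLOWED_COUNTRIES = {"US", "CA"}            # geo rule: everything else is blocked
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # only these may reach /admin
PATH_ALLOWLIST = [                          # "whitelist" rule: accept only these shapes
    re.compile(r"^/$"),
    re.compile(r"^/api/v1/[a-z]+/?$"),
    re.compile(r"^/static/[\w./-]+$"),
    re.compile(r"^/admin(/[\w-]+)*/?$"),
]
# Malformed text: a '%' not followed by two hex digits, or any character outside printable ASCII.
MALFORMED = re.compile(r"%(?![0-9A-Fa-f]{2})|[^\x21-\x7e]")


def rule_geo(req):
    return None if req.country in ALLOWED_COUNTRIES else "geo-block"


def rule_admin_from_internet(req):
    if req.path.startswith("/admin") and not any(ip_address(req.src_ip) in n for n in INTERNAL_NETS):
        return "admin-from-internet"
    return None


def rule_malformed_uri(req):
    return "malformed-uri" if MALFORMED.search(req.path) else None


def rule_allowlist(req):
    return None if any(p.match(req.path) for p in PATH_ALLOWLIST) else "not-allowlisted"


# Evaluated in order; the first rule that fires decides, like a WAF's priority ordering.
RULES = [rule_geo, rule_admin_from_internet, rule_malformed_uri, rule_allowlist]


def inspect(req):
    """Return ("BLOCK", reason) for the first matching rule, else ("ALLOW", None)."""
    for rule in RULES:
        reason = rule(req)
        if reason is not None:
            return ("BLOCK", reason)
    return ("ALLOW", None)


# Constructed sample traffic (not real logs).
SAMPLE = [
    Request("203.0.113.5", "US", "/api/v1/orders"),
    Request("203.0.113.5", "XX", "/"),
    Request("203.0.113.5", "US", "/admin/users"),
    Request("10.1.2.3", "US", "/admin/users"),
    Request("203.0.113.5", "US", "/api/v1/%zzorders"),
    Request("203.0.113.5", "US", "/debug"),
]


def summarize(requests=SAMPLE):
    """Count decisions per block reason; the 'ALLOW' key counts allowed requests."""
    counts = {}
    for req in requests:
        decision, reason = inspect(req)
        key = reason if decision == "BLOCK" else "ALLOW"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for req in SAMPLE:
        print(req.src_ip, req.country, req.path, "->", inspect(req))
    print(summarize())
```

Rule order matters: the malformed-URI check runs before the allowlist so that a rejected request is logged with the more specific reason, and the allowlist is last because it is the catch-all that turns the policy from "block known bad" into "allow known good".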
Additional security measures
The AWS Management Console provides additional security options. For instance, within the user interface, the "properties" pane includes a "permissions" tab that simplifies the process and displays who has been granted permissions. Adding and removing permissions is a simple matter of highlighting and checking boxes.
"Making it a part of the management console makes it easy to provide the desired security configuration," Hussain said.
When managing cloud access control with AWS, it's also important to take advantage of AWS Identity and Access Management (IAM), said Manoj Chaudhary, CTO and vice president of engineering at Loggly, a provider of cloud-based log management tools based in San Francisco. "IAM allows administrators to not only add a level of control to this critical business service, but also allow for a more streamlined internal process," he said.
AWS users should enhance security by implementing read-only access through IAM; setting up group-specific access policies is one example. On an ongoing basis, though, it is crucial to continue with "housekeeping," Chaudhary added. Administrators must make sure that access controls are kept up to date with changing roles and responsibilities.
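To make the S3 policy split, the ACL limitations and the read-only group policies above concrete, here is an added Python model of how a resource-based bucket policy and identity-based user policies combine in a single account. It is not AWS's policy engine and not code from Loggly or Flux7; it implements only the documented decision order (explicit Deny wins, otherwise any Allow, otherwise implicit deny), supports only the IpAddress condition, and the account ID, user names, bucket name and address ranges are placeholders.

```python
"""Simplified, same-account model of S3 resource-based and IAM user policy evaluation.

Constructed example, not AWS's engine: only the IpAddress condition is modelled,
and all identifiers below are placeholders.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

ACCOUNT = "111122223333"
BUCKET = "arn:aws:s3:::example-bucket"


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


# Resource-based policy attached to the bucket. Each statement does something an ACL
# cannot: grant to a user in our own account, attach a condition, explicitly deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": user_arn("bob")},
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": f"{BUCKET}/*"},
    ],
}

# Identity-based policies (the "group-specific access policies" recommended above).
# They carry no Principal: they apply to whoever holds them.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, f"{BUCKET}/*"]}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"]}]}

# Which identity policies each user holds through group membership (constructed).
USER_POLICIES = {
    user_arn("alice"): [READ_ONLY_POLICY],
    user_arn("bob"): [],
    user_arn("carol"): [ADMIN_POLICY],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal):
    p = stmt.get("Principal")
    if p is None or p == "*":  # identity policy, or wildcard principal
        return True
    return principal in _as_list(p.get("AWS", []))


def _conditions_hold(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        if op != "IpAddress":
            raise ValueError(f"operator {op} is not modelled here")
        for key, nets in pairs.items():
            src = ctx.get(key)
            if src is None or not any(ip_address(src) in ip_network(n) for n in _as_list(nets)):
                return False
    return True


def evaluate(policies, principal, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request against the applicable policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _principal_matches(stmt, principal):
                continue
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _conditions_hold(stmt, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit deny


def decide(user, action, resource, source_ip=None):
    """Combine the bucket policy with the user's identity policies (same-account case)."""
    principal = user_arn(user)
    ctx = {"aws:SourceIp": source_ip} if source_ip else {}
    return evaluate([BUCKET_POLICY] + USER_POLICIES.get(principal, []), principal, action, resource, ctx)


if __name__ == "__main__":
    obj = f"{BUCKET}/report.csv"
    print("bob from the office range:", decide("bob", "s3:GetObject", obj, "203.0.113.7"))
    print("bob from elsewhere:       ", decide("bob", "s3:GetObject", obj, "198.51.100.9"))
    print("alice (read-only) read:   ", decide("alice", "s3:GetObject", obj))
    print("alice (read-only) write:  ", decide("alice", "s3:PutObject", obj))
    print("carol (admin) delete:     ", decide("carol", "s3:DeleteObject", obj))
```

The `carol` case is the one worth noticing during housekeeping: her admin group grants `s3:*`, yet the bucket's explicit Deny still blocks deletes, which is exactly the guardrail an ACL-only setup could not have expressed.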