Organizations invested in AWS need admins that understand cloud security responsibilities -- what AWS owns and what your company still needs to secure.
More specifically, the principal admins within a company need to understand AWS' shared security model, according to Sam Alapati, author of "AWS Certified SysOps Administrator Associate Exam Guide."
Under this model, AWS maintains the security "of the cloud," while organizations take ownership of security "in the cloud." Organizations, not AWS, must secure the databases and other data stores they run in an AWS environment, Alapati said.
"It helps to remember the famous case of CodeSpaces, which was forced out of business instantaneously upon attackers compromising their AWS account," Alapati said. "The cloud is always going to be a tempting target for attackers, and it's the administrator's job to safeguard their accounts to keep them from being breached."
The simplest way to ensure an admin is competent in these areas is to hire an AWS certified candidate -- or retrain your current admins.
Whether admins are pursuing an AWS certification on their own or as part of a retraining initiative, IT certifications are an investment of time and money. The associate-level AWS SysOps certification exam costs $150, and professional-level exams, the DevOps Engineer exam for example, cost $300. "AWS Certified SysOps Administrator Associate Exam Guide" also tackles many of the problems SysOps admins face working in the cloud and must answer in their AWS SysOps certification exam.
Certification guides aside, solid hands-on experience with the services included in the AWS SysOps certification exam is still the most important requirement, Alapati said.
"Many important aspects of AWS administration become clear only when you're working with a service or troubleshooting an issue with a database or a storage drive," Alapati said.
Admins should also get to know AWS documentation backwards and forwards. Alapati suggests admins make the documentation their bedside reading.
This excerpt from Chapter 3 of "AWS Identity and Access Management and AWS Service Security" will give admins an idea of how well they'll need to know AWS administration. It breaks down one of the thornier AWS security issues -- OS and application security when working with Amazon EC2 -- and offers an exam tip for a common test question. Readers can download the rest of the chapter excerpt here.
Securing the Operating System and Applications
In the shared responsibility model, you are responsible for both OS- and application-level security. AWS recommends that you standardize the OS and application builds and maintain the security configurations in a secure build repository. Furthermore, you should build preconfigured AMIs that satisfy security hardening standards that address known security vulnerabilities.
Best practices for OS and application security include the following:
- Rotate credentials such as access keys.
- Run regular privilege checks using IAM user's Access Advisor and access key last used.
- Disable password-only access and use MFA to gain access to instances.
- Use bastion hosts to enforce control. A bastion host acts as a jump server that lets users hop into your AWS environment to access secure servers running within your private subnets. Ideally, all access to EC2 instances should be through a bastion host.
- Password-protect the .pem file on user servers.
- Restrict access to EC2 instances to a select range of IPs, using security groups (these act as firewalls).
- Use SSH network protocol to secure login to your Linux EC2 instances.
- Disable the root API access keys.
- Disable remote root login.
- Use command-line logging.
- Use sudo for privilege escalation.
- Generate your own key pairs, and don't share them with other customers (or even with AWS).
- Delete unnecessary keys from the authorized keys file on your EC2 instances.
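Three items on this list (disable password-only access, disable remote root login, restrict SSH to a select range of IPs) can be checked mechanically. The following is an added example, not code from the book: the rule dictionaries use the field names of the EC2 DescribeSecurityGroups response, and the sample sshd_config text, rules and the 10.0.1.0/24 bastion subnet are constructed assumptions.

```python
import ipaddress

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def effective_sshd_settings(config_text):
    """Global sshd settings; as in sshd, the first value seen for a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional Match blocks are not evaluated here
        if len(parts) > 1:
            settings.setdefault(parts[0].lower(), parts[1].lower())
    return {**SSHD_DEFAULTS, **settings}

def open_ssh_rules(ip_permissions, allowed_cidrs):
    """IPv4 sources that can reach TCP/22 but fall outside the allowed ranges."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    exposed = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        if proto == "tcp" and not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if not any(net.subnet_of(a) for a in allowed):
                exposed.append(rng["CidrIp"])
    return exposed

def audit(config_text, ip_permissions, allowed_cidrs):
    s = effective_sshd_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password login enabled")
    if s["permitrootlogin"] != "no":
        findings.append("remote root login not disabled")
    return findings + [f"SSH reachable from {c}" for c in open_ssh_rules(ip_permissions, allowed_cidrs)]

# Constructed sample inputs (not from the book or a real account).
SAMPLE_SSHD = "PermitRootLogin yes\nPasswordAuthentication no\nPermitRootLogin no\n"
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.5/32"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD, SAMPLE_RULES, ["10.0.1.0/24"]):
        print(finding)
```

The sample deliberately lists PermitRootLogin twice: the later "no" does not take effect, so the audit still reports root login as enabled.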
An instance's neighbors thus don't have privileged access to the instance compared to any host on the Internet, meaning that you can treat them as belonging to different physical hosts.
The SysOps certification exam often includes a question relating to bastion hosts, which are part of a security best practice adopted by many to secure the assets that they run in their private subnets. A bastion host is a server in your network that's specifically designed and configured to withstand security attacks. You generally host a single application such as a proxy server on a bastion host and remove other services to reduce the threat to the server. In AWS, you place a bastion host in a public subnet. Users can log into a bastion host via SSH or RDP and use their session to manage other hosts that live in private subnets.