
AWS security automation protects sensitive data, workloads

AWS security tools keep cloud environments safe, but as application development methods evolve, so too must security. Evaluate these automation tools to protect your workloads.

The public cloud amplifies some enterprises' security concerns, but fortunately, public cloud providers offer tools to calm those fears. In particular, AWS provides a growing menu of services that guard precious resources and support a high level of automation.

The pace of cloud application development and deployment continues to accelerate. This puts enormous pressure on developers and operations staff to create secure code, deploy applications to secure environments, ensure proper authentication for those resources and guard everything against malicious activity. That can be a tall order that demands extensive use of automation. Fortunately, public cloud providers rise to the challenge, and businesses can select from an ever-expanding list of AWS security automation tools.

AWS WAF

Developers commonly use web applications as vital enterprise portals to support sales and allow access to corporate data, as well as many other tasks. Consequently, hackers often target web apps to steal data or simply to render the application unavailable.

Most attacks on web applications follow well-understood patterns, and firewalls typically identify and stop those potentially malicious traffic patterns. But it can be cumbersome for IT teams to create and maintain myriad firewall rules, especially in the face of changing threats.

AWS Web Application Firewall (WAF) is a service that examines incoming requests to web applications hosted on Elastic Compute Cloud instances. AWS WAF typically starts with a common set of firewall rules deployed through AWS CloudFormation, though users can apply their own custom firewall rules. WAF then analyzes traffic as it moves through front-end services, such as an Application Load Balancer and Amazon CloudFront. WAF looks for common attack patterns, including bots, SQL injection, HTTP flood attacks, cross-site scripting, probes and port scans. The service also manages lists of known IP addresses for whitelists and blacklists. When WAF detects a potential attack, it can block the traffic to prevent security breaches, maintain application availability and minimize public cloud resource use.

IT professionals can configure the service using the AWS WAF API and AWS Management Console. AWS WAF also supports automatic deployment and provisioning via CloudFormation templates, which describe all security rules associated with web applications delivered by CloudFront. This allows new workloads to automatically integrate WAF security and rule sets.
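As an added example (not from the article or from AWS's own solution templates), the CloudFormation template below provisions an AWS WAF (WAFv2) web ACL with an IP block list, a rate-based rule of the kind mentioned later under AWS Shield Advanced, and an AWS-managed rule group for common web attack signatures, then attaches the ACL to an existing Application Load Balancer. The load balancer ARN, the blocked CIDR, the rate limit and all names are assumed placeholders.

```yaml
# Added example (not from the article): AWS WAF (v2) web ACL via CloudFormation.
# Block list -> rate limit -> AWS-managed common rules, attached to an ALB.
# LoadBalancerArn, the blocked CIDR and the 2000-request limit are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  LoadBalancerArn:
    Type: String
    Description: ARN of the Application Load Balancer to protect (supplied at deploy time)
Resources:
  BlockedIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-ips
      Scope: REGIONAL              # use CLOUDFRONT (deployed in us-east-1) for a distribution
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.0/24             # constructed sample range (RFC 5737 documentation block)
  WebAppAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: web-app-acl
      Scope: REGIONAL
      DefaultAction: {Allow: {}}   # allow by default; the rules below block the exceptions
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: webAppAcl}
      Rules:
        - Name: block-listed-ips   # explicit block list, evaluated first (lowest priority number)
          Priority: 0
          Action: {Block: {}}
          Statement:
            IPSetReferenceStatement: {Arn: !GetAtt BlockedIPSet.Arn}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockListedIps}
        - Name: rate-limit-per-ip  # rate-based rule: block any source IP exceeding the limit
          Priority: 1
          Action: {Block: {}}
          Statement:
            RateBasedStatement: {Limit: 2000, AggregateKeyType: IP}   # requests per 5-minute window
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rateLimitPerIp}
        - Name: aws-common-rules   # AWS-maintained signatures for common web attacks (XSS, etc.)
          Priority: 2
          OverrideAction: {None: {}}
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesCommonRuleSet}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: awsCommonRules}
  AclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt WebAppAcl.Arn
```

Because every rule and the ACL itself emit CloudWatch metrics and sampled requests, blocked traffic can be reviewed before tightening the limit or extending the block list.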

AWS Shield

Distributed denial-of-service (DDoS) attacks are common methods used to impair workload availability. DDoS attacks flood a workload with far more request traffic than it can handle. To achieve a huge malicious traffic volume, attackers typically use an array of source systems spread across many regions. Large-scale distributed attacks frequently involve zombie systems that were previously infected with malware, which allows attackers to subvert those systems to participate in attacks on demand. Once an attack begins, the workload can service only a few -- if any -- legitimate requests, and it denies service to actual end users.

Hackers can wage DDoS attacks against local workloads, as well as those hosted in the public cloud. But public cloud attacks can further drive up resource utilization, as load balancers and automatic scaling services attempt to scale the workload to handle extra traffic. This drives up public cloud costs for the business.

Shield is an AWS security automation service that automatically detects and mitigates DDoS attacks on AWS web apps. AWS Shield users can select between two levels of protection. AWS Shield Standard relies on analytical techniques, such as traffic signatures and anomaly detection, to detect malicious traffic at the network and transport layers of the Open Systems Interconnection stack. Users can also add protection against infrastructure layer DDoS attacks via integration with services such as Amazon Route 53 and CloudFront. Once Shield detects malicious traffic, the service can automatically use packet filtering and traffic shaping, which mitigates the effects of the attack and the impact on the workload. AWS Shield Standard is free, and users never need to contact AWS support for assistance or corrective action.

AWS Shield Advanced is a fee-based service that builds on the features of AWS Shield Standard to provide additional detection and protection against large, concerted DDoS attacks. AWS Shield Advanced monitors specific resource usage and detects application layer DDoS attacks, including domain name system query floods or HTTP floods. Integrate the service with AWS WAF to enable developers to build custom DDoS protections using WAF rules, such as rate-based blacklisting to block traffic that occurs at a suspicious rate.

AWS Shield Advanced customers have access to AWS Support through the AWS DDoS Response Team, which provides direct, manual assistance for the most sophisticated attacks that impact workloads. The Advanced service also provides cost protection against spikes in AWS resource usage due to DDoS attacks.

AWS Shield Advanced requires enrollment in AWS Premium Support -- either Enterprise or Business plans -- and a one-year commitment with a $3,000 monthly fee, plus data transfer fees.

Amazon Macie

Security in the public cloud goes far beyond guarding against attacks and external malicious activities. IT teams must adhere to regulatory compliance and established practices of good business governance. For many organizations, teams work to achieve a greater awareness of business data, such as what data is actually present, how old it is, where it is located, how long it has been stored and how it is being accessed or moved.

But the challenge with data -- stored locally or in the public cloud -- is that such insight is extremely difficult to establish and maintain over time. Most organizations struggle to track data content, understand how it's used and enforce data lifecycles. Data lifecycle tools can address some concerns, but they add yet another management element for IT administrators.

Amazon Macie is an AWS automation tool that applies big data and machine learning techniques to business data in the public cloud. Amazon Macie can discover, classify and protect data in Amazon Simple Storage Service (S3) across an AWS environment. For example, Amazon Macie can detect data that contains personal information, trade secrets or other intellectual property that is likely governed by data retention and protection rules. Amazon Macie only supports S3, though additional storage support could become available.

Macie establishes a baseline for the data that lets it determine the data's relative value based on how it is accessed. The service then monitors data activity against that baseline, looking for anomalies that could suggest suspicious activity. These anomalies could include changes to security settings for sensitive data, unsecured credential storage and excess downloads. Administrators can see statistics and alerts through a monitoring dashboard. For example, Amazon Macie can generate an alert if it detects a user account downloading an unusually large amount of data from an unusual IP address. Macie could also detect when a high volume of sensitive data has been shared publicly.

Amazon Macie automates monitoring and alerting, but it also enables organizations to define custom remediations so that Macie can take the appropriate actions for a particular organization. For example, anomalies can trigger actions, such as password resets or access control list resets.

Amazon Inspector

Most organizations focus too much on infrastructure-related issues, such as the computing architecture, OS configuration, network design and security tools. But the infrastructure constitutes just a small part of enterprise security. In many cases, the design and configuration of an application leave vulnerabilities that attackers can exploit. Those oversights can expose a business to compliance or governance violations, even when an attack does not occur. Thus, poor coding and deployment practices can potentially damage a business as much as a DDoS attack.

Enterprise IT teams must ensure the consistent application of proven development practices and security-minded deployment configurations to improve security and compliance. They should create extensive checklists of potential flaws and then regularly check for, and correct, those security errors in both application code and deployment configurations.

Amazon Inspector is an AWS automation security service that can assess the security posture of applications hosted natively on AWS. Inspector identifies security vulnerabilities or deviations from security best practices, determines the relative severity of each issue and then reports those potential problems. Inspector works with apps in development and in production. Inspector can also detect and alert users to software components with known security vulnerabilities. Amazon Inspector starts with a knowledge base of hundreds of rules that AWS regularly maintains and updates. Currently, users cannot stipulate custom rules.

IT teams can access the service through AWS Management Console, but it is also API-driven, which enables developers to integrate Inspector into DevOps or Agile processes and make security a central part of the development process. Auditors and business leaders can use Inspector's assessments and reporting to show adherence to compliance and business governance.

AWS Identity and Access Management

Authentication ensures that only valid users can access valuable resources. Public cloud creates even more concerns about accessibility, as usage directly impacts service and resource costs. AWS Identity and Access Management (IAM) lets administrators control access to services and resources. You can create users and groups and then apply permissions to allow or deny access to resources on a granular level.

Although IAM is not an AWS security automation tool in the strictest sense, admins can quickly and efficiently apply user and group privileges through the use of policies. They can also extend IAM permissions and privileges to an organization's on-premises Active Directory environment. Once admins create users and groups, IAM operates seamlessly in the background to secure access to resources. AWS CloudTrail can log IAM actions for further security auditing and compliance evaluation.
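As an added example (not from the article), the CloudFormation template below shows the granular allow-or-deny policy model described above: an IAM group whose policy permits reading objects under one prefix of one S3 bucket and explicitly denies deletion, plus a user placed in that group. The bucket name, group name and user name are assumed placeholders.

```yaml
# Added example (not from the article): least-privilege IAM group via CloudFormation.
# Allow: list + read under reports/ in one bucket. Deny: object deletion, regardless of
# any other Allow. ReportsBucket, the group and the user are placeholder names.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ReportsBucket:
    Type: String
    Default: example-reports-bucket    # placeholder bucket name
Resources:
  ReportReaders:
    Type: AWS::IAM::Group
    Properties:
      GroupName: report-readers
      Policies:
        - PolicyName: read-reports-prefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ListOnlyReportsPrefix       # ListBucket is bucket-level, so scope it by prefix
                Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${ReportsBucket}"
                Condition:
                  StringLike:
                    s3:prefix: "reports/*"
              - Sid: ReadReportObjects           # object reads only under the reports/ prefix
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                Resource: !Sub "arn:aws:s3:::${ReportsBucket}/reports/*"
              - Sid: DenyObjectDeletion          # an explicit Deny overrides any Allow granted elsewhere
                Effect: Deny
                Action:
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: !Sub "arn:aws:s3:::${ReportsBucket}/*"
  AnalystUser:
    Type: AWS::IAM::User
    Properties:
      UserName: analyst-example          # placeholder user; inherits the group's policy
      Groups:
        - !Ref ReportReaders
```

Adding a user to the group is the only step needed to grant the access, and every API call the user makes under these permissions is recorded by CloudTrail for later audit.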
