As IT pros tackle the final cloud frontier of security, cautionary tales are abundant -- but what are the proactive steps users can take to allay their AWS security concerns?
AWS security begins and ends with APIs, according to veteran IT pros.
APIs underpin every operational aspect of the AWS environment. If someone obtains the API keys, or credentials with the right API permissions, they can take a snapshot copy of a machine. All they need to do next is attach that snapshot to a newly created machine, and they have complete access to the system -- whether or not they know any passwords, according to Erik Peterson, director of technology strategy at Veracode, a Burlington, Mass., company whose cloud-based Web application risk assessment service runs on AWS.
This makes turning on CloudTrail, Amazon's logging service for API calls, of critical importance.
"Make sure you're watching that information, because that becomes your No. 1 IDS -- your No. 1 indicator of what's going on in your environment," he said.
Without proper security monitoring, "the only [intrusion detection system (IDS)] for your cloud environment is going to be your bill," Peterson said.
"You're going to get the bill at the end of the month, and it's going to be $20,000 more than you were expecting -- and it's because you weren't paying attention to the right things in your environment."
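As an added illustration (not code from the article or from Veracode), here is a small Python check that runs over constructed CloudTrail-style records and flags the two things Peterson's scenario hinges on: an EC2 snapshot being shared with another account (ModifySnapshotAttribute with a createVolumePermission grant) and any API call arriving from an IP outside an expected allowlist. The record shape follows CloudTrail's JSON field names; the account ids, addresses and resource ids are made up.

```python
import ipaddress
# Constructed sample CloudTrail records (illustrative, not real logs); only fields the checks read.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity":
     {"userName": "deploy"}, "recipientAccountId": "111111111111", "requestParameters": {}},
    {"eventName": "CreateSnapshot", "sourceIPAddress": "198.51.100.7", "userIdentity":
     {"userName": "deploy"}, "recipientAccountId": "111111111111",
     "requestParameters": {"volumeId": "vol-0example"}},
    {"eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.7", "userIdentity":
     {"userName": "deploy"}, "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-0example", "createVolumePermission":
                           {"add": {"items": [{"userId": "222222222222"}]}}}},
]

def outside_allowlist(event, allowed_cidrs):
    """True when the call came from an IP outside the ranges API calls are expected from."""
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:  # e.g. an AWS service name rather than an address
        return False
    return not any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)

def foreign_share_targets(event):
    """Accounts (or 'all') a snapshot is being shared with outside the owning account."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    own = event.get("recipientAccountId")
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    targets = []
    for item in perm.get("add", {}).get("items", []):
        if item.get("group") == "all":
            targets.append("all")
        elif item.get("userId") and item["userId"] != own:
            targets.append(item["userId"])
    return targets

def analyze(events, allowed_cidrs):
    alerts = []
    for ev in events:
        who, name = ev.get("userIdentity", {}).get("userName", "?"), ev.get("eventName")
        if outside_allowlist(ev, allowed_cidrs):
            alerts.append(f"{name} by {who} from unexpected IP {ev['sourceIPAddress']}")
        for target in foreign_share_targets(ev):
            alerts.append(f"{name} by {who} shared snapshot "
                          f"{ev['requestParameters'].get('snapshotId')} with {target}")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, ["203.0.113.0/24"]):
        print("ALERT:", alert)
```

In production the same two checks would run over CloudTrail's delivered JSON files (each holds a "Records" list of events like these) rather than an inline list.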
Some vulnerabilities in a cloud environment are very low priority in an on-premises data center and won't directly result in a compromise, but can open the door to bigger problems.
"In a cloud environment, there's something called the 'metadata API,' and if I can proxy requests through your application, I can get access to it," Peterson said. "Then, the metadata API will happily give me the API credentials that are being passed through the [Identity Access and Management] role."
In some cases, vulnerabilities of this kind have left companies open to potential takeover. One example in 2013 was online presentation company Prezi Inc.; the attacker reported everything back to the company in good faith, but could have obtained access to everything within the Prezi environment -- a more sinister actor could have deleted all of the company's systems and removed them from the Internet. A similar hack happened to Code Spaces in 2014.
"API access and the credentials associated with that completely replace everything you would've thought about in terms of physical access, and authentication or access controls to the data center," Peterson said. "Now, you need to think about API controls and API permissions."
There are a couple of ways to secure APIs. One is the 'scorched earth' approach, in which a system is denied all access to the metadata API. That's less than ideal, according to Peterson, because it limits the automation you can do with that instance.
"The better approach is to get very granular about what you allow your API credentials and permissions to access," he said.
So, if you have a running system that needs access to one AWS service, lock it down to just that service, and lock down the API request so it can only come from known, trusted IP addresses.
"Nobody should be making API calls with these credentials from outside the country, for example," Peterson said. "A lot of people aren't aware that they can actually lock down an API request to certain IP addresses, to certain systems. Most people realize you can lock access to certain services, but you have a lot more control than that."
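The granular approach Peterson describes, as an added example that is not the article's or AWS's own code: a Python helper that emits an IAM policy scoped to a single service and conditioned on the caller's source IP, plus a deliberately simplified model of how IAM evaluates such a policy so the effect of each restriction can be checked offline. The service name and CIDR ranges are placeholders.

```python
import ipaddress
import json

def least_privilege_policy(service, allowed_cidrs):
    """Allow one service only, and only when the caller's IP is in the given ranges."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": f"{service}:*",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        }],
    }

def _action_matches(pattern, action):
    """Match 'svc:Op' against 'svc:*' or an exact action (simplified: no partial wildcards)."""
    svc_p, _, op_p = pattern.partition(":")
    svc, _, op = action.partition(":")
    return svc_p == svc and op_p in ("*", op)

def _source_ip_ok(statement, source_ip):
    """Evaluate an aws:SourceIp condition; a statement without one applies to every caller."""
    ranges = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if ranges is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r) for r in ranges)

def is_allowed(policy, action, source_ip):
    """Simplified model of IAM evaluation: an explicit Deny wins, an Allow grants, else deny."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not _source_ip_ok(st, source_ip):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    policy = least_privilege_policy("s3", ["203.0.113.0/24"])
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, "s3:GetObject", "203.0.113.5"))       # expected True
    print(is_allowed(policy, "s3:GetObject", "198.51.100.9"))      # outside range: False
    print(is_allowed(policy, "ec2:CreateSnapshot", "203.0.113.5"))  # other service: False
```

The evaluator covers only the semantics the generated policy uses (service wildcard, IpAddress condition, explicit-deny precedence); it is not a general IAM policy simulator.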
Whatever you do, don't put your API keys in GitHub, cautioned Edward Haletky, CEO of the Virtualization Practice LLC in Austin, Texas.
"That's probably the most important thing anybody can do, is ensure developers don't leak those keys," Haletky said. "Because once you do, you're done -- your AWS instance is open to everybody."
More dos: AWS security tools to use
The risk of leaking API keys is so serious that Haletky wrote his own tool, published on GitHub, which checks code for API keys and other potentially sensitive information before it's committed. It also logs any attempt to add such information to committed code.
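An added example, not Haletky's tool but a minimal pre-commit hook in the same spirit: it scans only the lines being added in the staged diff for the two halves of an AWS credential pair, and logs and blocks the commit if any are found. The access key id pattern follows the documented format, the secret-key pattern is a heuristic, the log path is an assumption, and the sample config uses AWS's published example values.

```python
import re
import subprocess
import sys
import time

# The access key id shape (AKIA + 16 upper-case alphanumerics) is the documented format;
# the secret pattern is a heuristic: a 40-char base64-like value assigned to a "secret" name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[_a-z]*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
}

def find_secrets(text):
    """Return (line_number, kind) for each line of `text` that looks like an AWS credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((n, kind))
    return hits

def staged_additions():
    """Only the lines being added in the staged diff, i.e. what is about to be committed."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

# Constructed sample of a config file a developer might stage; the values are AWS's
# published placeholder credentials, not live keys.
SAMPLE = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
timeout = 30
"""

if __name__ == "__main__":  # install as .git/hooks/pre-commit; a non-zero exit blocks the commit
    hits = find_secrets(staged_additions())
    for n, kind in hits:
        print(f"refusing commit: possible {kind} at added line {n}", file=sys.stderr)
    if hits:  # keep a record of the blocked attempt
        with open(".git/secret-scan.log", "a") as log:  # assumed log location
            log.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} blocked commit: {hits}\n")
    sys.exit(1 if hits else 0)
```

A client-side hook only helps developers who install it; the same scan belongs in CI as a backstop, since a hook can be bypassed locally.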
Some users like Peterson have turned to third-party software, such as Threat Stack, to assess and correlate events in their AWS infrastructure.
"I was just looking at the Threat Stack console earlier today, and I noticed one user is logging into a machine ... but then, I also see that user making changes in a service, and it's all connected," Peterson said. "If I didn't have Threat Stack tracking all that information in one place, I would have to connect those dots myself."
There are many native tools that AWS shops can use to secure their clouds, according to Gaurav Pal, cloud broker platforms architect and secure DevOps strategist at stackArmor, a cloud consulting firm and AWS partner in Potomac, Md. AWS-native tools include VPC Flow Logs, the aforementioned CloudTrail and AWS Config. A product called Amazon Inspector, an automated security assessment service, is still in beta.
AWS Lambda and similar serverless computing offerings from Google and Microsoft may also prove a catalyst for the next generation of cloud security, Peterson said.
"We'll see how fast it moves, but I'm seeing customers right now building their next-generation applications entirely on top of Lambda, and their only concern is application-level security at this point," Peterson said. "They don't think about patching servers or anything like that -- they've effectively outsourced all the things they used to have to worry about to AWS, and that's ultimately where all the cloud providers are going."
In the meantime, Jason Dunkerley, director of IT for RBM Technologies Inc., based in Boston, recommended consulting with AWS support on questions about securing AWS. He suggested the Business support level, which comes with access to the Trusted Advisor tool for making security assessments of your environment against best practices.
A plethora of other third-party and open source tools on the market can be used to secure AWS environments, according to Pal.
Just a few include:
- Web Application Firewalls from FortiWeb and Sophos;
- IDS in the form of Snort, an open source utility;
- Log monitoring via Splunk, Elasticsearch, Sensu, Palerra and Sumo Logic;
- Vulnerability scanning from Nessus, Retina or OpenVAS;
- Web application scanning from Acunetix or Nessus;
- Compliance remediation from OpenSCAP;
- Quality assurance and code quality checks through SonarQube;
- Static code scanning from Checkmarx; and
- Open source security operations center OpenSOC.