

AWS cloud access control falls on IT's shoulders

Restricting access to resources and closely governing permissions are solid practices in constructing a secure AWS cloud. While AWS provides tools, admins need to do the legwork.

When it comes to managing access control lists in AWS, one of the best places to start is the AWS Management Console.

When it was first launched, AWS did not present a strong security mechanism to provide firewall rules on Web servers, explained Ali Hussain, CTO and co-founder of Flux7 Labs, an Austin, Texas-based IT consultancy that helps businesses modernize IT systems. Businesses needed to implement stronger security themselves, either through a custom setup or a third-party product, he said. With the introduction of AWS Web Application Firewall (WAF), they no longer need third-party products. AWS WAF can help protect Web applications from common Web exploits.

Additionally, Amazon Simple Storage Service (S3) resources start off as private -- relative to the owner and the AWS account; other users can gain access only if the owner writes a cloud access control policy. S3 access control then splits into resource-based policies and user policies. Resource-based policies, including ACLs, are attached to buckets and objects, while user policies are cloud access control policies attached to users in your account.

When an administrator provides permission, he determines which end user or group is being given permission and which S3 resources they can access. An administrator can also restrict which actions are allowed on those resources.

ACLs restrict access

Cloud admins can use Access Control Lists (ACLs) to grant basic read/write permissions to other AWS accounts, according to the company. However, there are limits to managing permissions using ACLs. For example, while you can grant permissions to other AWS accounts, you can't grant permissions to users in your own account, nor can you grant conditional permissions or explicitly deny permissions. ACLs remain useful in one case: if a bucket owner allows other AWS accounts to upload objects, the object owner manages the permissions on those objects with an object ACL.

AWS WAF lets you use the AWS Management Console to create rules that identify potentially malicious traffic and then block it. For example, AWS WAF could be used to block access attempts from countries that are not supposed to be using your cloud service, stop access to admin pages from the public internet, or block URLs with malformed text that can indicate an attack, Hussain explained. In addition, admins can create whitelist rules and reject all requests that don't follow the pattern. The biggest advantage of this cloud service is that admins can simplify the procurement process so it's directly through Amazon, which reduces the number of vendors, he added.

Additional security measures

The AWS Management Console provides additional security options. For instance, within the user interface, the "properties" pane includes a "permissions" tab that simplifies the process and displays who has been granted permissions. Adding and removing permissions is a simple matter of highlighting and checking boxes.

"Making it a part of the management console makes it easy to provide the desired security configuration," Hussain said.

AWS Key Management Service offers additional, different control options that can also help with access control.

When managing cloud access control with AWS, it's also important to take advantage of AWS Identity and Access Management (IAM), said Manoj Chaudhary, CTO and vice president of engineering at Loggly, a provider of cloud-based log management tools based in San Francisco. "IAM allows administrators to not only add a level of control to this critical business service, but also allow for a more streamlined internal process," he said.

AWS users should enhance security by implementing read-only access through IAM. Setting up group-specific access policies is one example. On an ongoing basis, though, it is crucial to continue with "housekeeping," Chaudhary added. Administrators must make sure that access controls are kept up to date with changing roles and responsibilities.
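As an added example (not code from the article, Flux7 Labs or Loggly), here is a read-only S3 policy of the kind an admin could attach to an IAM group, together with a small offline evaluator that models how IAM decides a request: an explicit Deny wins, an Allow is needed for anything else, and everything not allowed is implicitly denied. The bucket name and the evaluator are assumptions for illustration; real policies should be tested with the IAM policy simulator.

```python
"""Build a read-only S3 policy for an IAM group and check, offline, what it
permits. The bucket name is made up and the evaluator is a simplified model
of IAM logic (explicit Deny beats Allow; no matching Allow means deny)."""
import fnmatch
import json

BUCKET = "example-reports-bucket"  # assumed name, not from the article

# Read-only S3 policy an admin could attach to a group such as "analysts".
READ_ONLY_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # list one bucket and read its objects, nothing else
            "Sid": "ReadOnlyOnOneBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
        {   # explicitly deny writes and deletes everywhere in S3
            "Sid": "NoWrites",
            "Effect": "Deny",
            "Action": ["s3:Put*", "s3:Delete*"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: a matching Deny wins immediately, otherwise
    at least one matching Allow is required, otherwise implicit deny.
    Action names match case-insensitively; resource ARNs are case-sensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(READ_ONLY_S3_POLICY, indent=2))
    print(is_allowed(READ_ONLY_S3_POLICY, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/q1.csv"))
```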
