nobeastsofierce - Fotolia


AWS security best practices start with IT teams

Enterprises are still concerned with the security capabilities and gaps of public cloud providers. But proper research and planning can protect data and workloads beyond native vendor tools.

Security concerns are still a main reason why enterprises avoid public cloud services. And many cloud service providers have taken steps to alleviate it as a weakness of the public cloud. Only a small percentage of the cloud security incidents that affect enterprises are the service provider's fault. IT professionals are aware of the comprehensive security products provided in the public cloud infrastructure, and it is their responsibility to put them to use.

The basic on-premises enterprise IT security requirements and concepts, such as implementing firewall gateways and monitoring traffic, haven't really changed in the age of cloud. However, with public cloud, the required tools and skills have changed.

IT teams must be up to speed on AWS security best practices, which include the native AWS building blocks and available services, as well as other essential third-party products to enhance AWS deployment security. According to a Gartner 2016 predictions report, "By 2018, 50% of enterprises with more than 1,000 users will use cloud access security broker products to monitor and manage their use of [software as a service] and other forms of public cloud."

Businesses will also build secure infrastructures via the AWS Management Console or APIs. Focusing on building blocks, such as network security, access control and visibility, can help IT teams automate and enforce security policies at scale, and stay a step ahead of potential threats to an AWS operation.

Network security

Security groups are the most common building block for supporting network security. They can help organize pools of AWS resources and apply network security policies on those resources.

When setting up an AWS deployment, IT teams should place a security group within an AWS Virtual Private Cloud (VPC). This helps developers take advantage of the private virtual network capabilities of the AWS network. Developers should also use network access lists to control and define the inbound and outbound traffic of a subnet.

Access control

Each AWS user has a secret access key and access key ID that are used to secure an AWS account. Temporary access to an account can be given with an AWS Security Token Service. In addition, Amazon Identity and Access Management (IAM) provides role-based access. Users and applications are given defined roles, which help tightly control access to specific resources and applications. AWS also provides a multifactor authentication option.


In every IT environment, visibility is key for security. AWS has multiple security services, including Trusted Advisor, Amazon Inspector and AWS Config.

Trusted Advisor helps users identify vulnerabilities, such as:

  • Misconfigured security groups, including open ports;
  • IAM password policies that are not enabled; and
  • An Elastic Load Balancer that does not have a Secure Sockets Layer certificate.

AWS Trusted Advisor can also scan backup configurations and will alert users to outdated volume snapshots or notify them if their load is not balanced across enough availability zones to avoid single points of failure.

At re:Invent 2015, AWS announced Amazon Inspector and AWS Config Rules. Amazon Inspector is like an expansion of AWS Trusted Advisor, because it is an assessment tool. However, the agent-based Amazon Inspector is an "up the stack" tool that analyzes application behavior and correlates it to the behavior of the underlying AWS resources. Amazon Inspector is still in preview mode.

AWS Config automates compliance checks. It captures the current state of AWS resources, tracks changes and then alerts users of a change that doesn't comply with AWS security best practices.

AWS Config Rules expanded AWS Config capabilities by allowing administrators to set custom rules that target specific types of resources. AWS Config helps maintain consistent resource tagging and provides alerts on misconfigured security groups. AWS Config also gives users a more granular look into the history of each resource configuration change, which adds another way to gain visibility over the AWS stack.

VPC flow logs and AWS CloudTrail are also important audit and log services that are required to maintain proper visibility and control over an AWS deployment.

Backups and disaster recovery

For high availability, developers must automate backups and implement disaster recovery (DR) processes around the basic instance using volume snapshots and Amazon Machine Images. In addition, AWS offers with built-in, high availabity measures are recommended for AWS security best practices.

Amazon Simple Storage Service (S3) and Relational Database Service (RDS) are two examples of robust AWS storage options. S3 is a highly available storage utility and has inherent redundancy. According to Amazon, S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year.

Amazon RDS is automatically backed up and enables point-in-time recovery for a database instance. One pitfall, however, is that if a user deletes the RDS, all the automatic snapshots will be removed as well.

Third-party security tools

Amazon cloud engineers had the foresight to create an API-first strategy, which allows security vendors to complement the base infrastructure as a service offering. Vendors can provide comprehensive network security management to help deploy and secure security groups.

Log management is also important when implementing AWS security best practices. Popular tools, such as Splunk, automatically aggregate log data and run intelligent analysis that initiate actions. and CloudCheckr also enhance visibility into a deployment; both options offer third-party alternatives to Amazon Inspector and Trusted Advisor tools. Third-party DR and backup tools can also be found in the AWS Marketplace.

Other AWS security best practices include using cross-region backup for workloads and deploying a bastion server on the network perimeter in order to help detect threats.

In addition, AWS offerings with built-in high-availability measures are recommended AWS security best practices.

Next Steps

Create policies to secure AWS

Manage access to AWS resources

Mitigate AWS security and compliance risks

Dig Deeper on AWS security