As enterprises develop their first AWS applications, Amazon cloud security should be at the forefront of infrastructure considerations. It's one thing to spin up a pilot to test an idea; it's another thing to systematically address every potential threat that could emerge. Hackers only need to exploit one weak link to overcome even the most robust Amazon cloud security infrastructure. Building a secure AWS infrastructure includes setting up identity and access management, securing data and logging cloud activity.
Control access to resources
AWS Identity and Access Management (IAM) sets up the appropriate permission system for end users to access AWS resources. It allows an enterprise to create IAM users under an AWS account and assign permissions directly to them or to roles. The basic AWS account creates a superuser with access to the whole infrastructure.
Compromised user credentials have several ramifications, and there are dozens of ways someone can steal security credentials. Managing credentials with a fine-grained permission system such as IAM helps detect and minimize the effect of compromised login credentials. It is a very bad practice to use AWS account credentials for day-to-day activities. If AWS account credentials are compromised, an admin must refresh the whole infrastructure.
Many organizations choose to create separate AWS accounts for different departments or functions. This can improve the Amazon cloud security posture of groups that don't need direct access to the same infrastructure, such as development, testing and operations teams.
With IAM, the enterprise can set up credentials for users, services and applications through the AWS Management Console, command-line interface or directly through APIs. It is a good practice to create separate credentials for each person, service or application. Admins create fine-grained permissions for resources and apply them to groups. This is far more efficient than directly specifying permissions for each IAM account.
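The difference between the superuser created with the AWS account and a fine-grained group permission is visible in the policy document itself. The following is an added example, not code from the article or from AWS: a small linter that flags IAM policy statements which grant more than a group needs. The two policies, the bucket name and the read-verb list are constructed for the example; the policy format is the standard IAM JSON.

```python
import json

# Constructed sample policies (not from the article): a superuser-style
# policy that matches the reach of the AWS account's own credentials, and a
# scoped one for a group that only needs to read a single S3 bucket.
SUPERUSER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports",      # constructed bucket name
                "arn:aws:s3:::example-reports/*",
            ],
        }
    ],
}

# Assumption for this example: actions whose verb starts with one of these
# prefixes are treated as read-only and tolerated on Resource "*".
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for read verbs such as s3:GetObject or ec2:DescribeInstances."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (statement_index, finding) tuples for over-broad Allow grants.

    Deny statements only narrow access, so they are skipped.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "full administrative access (Action * on Resource *)"))
            continue
        for action in actions:
            if action == "*":
                findings.append((i, "wildcard Action grants every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action}"))
            elif "*" in resources and not _is_read_only(action):
                findings.append((i, f"mutating action {action} on every resource"))
    return findings


def is_least_privilege(policy):
    """Convenience wrapper: a policy passes when the linter has no findings."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, policy in (("superuser", SUPERUSER_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy)))
```

Running the linter over every group policy before it is attached is a cheap way to keep "fine-grained permissions applied to groups" from quietly turning into a second superuser.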
Access to the operating system running inside an Elastic Compute Cloud (EC2) instance requires a different type of authentication mechanism. This can be set up through X.509 certificates, Microsoft Active Directory or local operating system accounts. EC2 key pairs must only be shared over an encrypted connection, for example one established with OpenSSL. Admins can generate these keys locally or can obtain them through Amazon when the instance is created.
Properly securing data
Encrypting data in transit and at rest using encryption keys generated on premises or in the cloud is another way to protect data. It is a good practice to secure the keys in Hardware Security Modules with tamper-proof storage, such as the AWS CloudHSM service. This practice prevents someone with physical access from copying the keys. The enterprise can also secure the keys and then connect them to the cloud using a virtual private network or AWS Direct Connect with IPSec enabled.
The AWS infrastructure does have some baked-in security, but if regulatory or compliance considerations are important, the data should be encrypted at rest to reduce the risk of accidental disclosure and to protect it from tampering. Amazon Simple Storage Service supports encryption for each object on the server, which can be decrypted before it's sent to the client. Client-side encryption and decryption can provide a higher level of Amazon cloud security; AWS provides a Java SDK for managing client-side decryption.
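Server-side encryption of S3 objects is only as reliable as the rule that enforces it. The following is an added example, not code from the article or from AWS: a deliberately simplified model of how an S3 bucket policy is evaluated against an upload request, used to check that a bucket policy which denies unencrypted `PutObject` calls behaves as intended. The bucket, role and account number are constructed, and the condition-operator semantics are a reduced model of IAM's, as noted in the comments.

```python
from fnmatch import fnmatchcase

# Constructed example (not from the article). Account 123456789012, the
# bucket and the role name are placeholders.
BUCKET = "arn:aws:s3:::example-reports"
WRITER_ROLE = "arn:aws:iam::123456789012:role/report-writer"

# Two Deny statements cover the two ways an upload can be unencrypted: the
# header carries a value other than AES256, or the header is absent.
ENCRYPT_ON_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "AllowUploads",
            "Effect": "Allow",
            "Principal": {"AWS": WRITER_ROLE},
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET}/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """'*' matches any caller; otherwise the caller ARN must be listed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return caller_arn in _as_list(principal.get("AWS", []))
    return False


def _condition_matches(condition, context):
    """Reduced model of three IAM operators (assumption: a key missing from
    the request satisfies only Null, never StringEquals/StringNotEquals)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, caller_arn, action, resource, context=None):
    """Return (decision, sid): explicit Deny wins, then Allow, else implicit Deny."""
    context = context or {}
    decision = ("Deny", "implicit")
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt["Sid"])
        decision = ("Allow", stmt["Sid"])
    return decision


if __name__ == "__main__":
    obj = f"{BUCKET}/q1.csv"
    hdr = "s3:x-amz-server-side-encryption"
    print(evaluate(ENCRYPT_ON_WRITE_POLICY, WRITER_ROLE, "s3:PutObject", obj, {hdr: "AES256"}))
    print(evaluate(ENCRYPT_ON_WRITE_POLICY, WRITER_ROLE, "s3:PutObject", obj))
```

The second Deny statement is the one that matters when a client simply forgets the header; a policy with only the `StringNotEquals` statement should not be trusted to catch that case without checking the evaluation rules for missing keys.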
Log and audit cloud events
Despite your best efforts toward access management and data security, a breach can still occur. New techniques for compromising client machines, applications, cloud services and networking protocols are discovered regularly. Using tools for logging and auditing cloud resources is the only way to detect these breaches.
The challenge is that these services generate a lot of data. A security monitoring tool will likely generate a lot of noise, which can overwhelm security teams. Find the right balance between false positives that require security teams' attention and actual breaches.
Ask these questions when setting up security monitoring:
- What parameters should we measure and how?
- What are the thresholds for these parameters?
- How will escalation processes work?
- Where will we keep data?
- What changes should we monitor?
AWS CloudTrail provides logs for various AWS-related activities, but does not support log management. The AWS CloudWatch service can monitor logs for specific phrases, values or patterns in real time and send out alerts. AWS Config helps identify unauthorized changes to infrastructure.
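The questions above (what to measure, what thresholds, what changes to watch) become concrete once they are written as detection logic over CloudTrail records. The following is an added example, not code from the article or from AWS: a small detector that reads CloudTrail-style records and flags root-credential use (which the article calls a very bad practice for day-to-day work), tampering with the trail itself, and repeated failed console logins from one address. The records, user names and IP addresses are constructed; the field names are those CloudTrail uses, and the failed-login threshold is an assumed value.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (not real logs). Only the fields the
# detector reads are populated; addresses come from documentation ranges.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T08:00:07Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T08:00:15Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-01T09:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Changes to the audit trail itself are the first thing to alert on.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# Assumed threshold; tune it against the false-positive rate the team can absorb.
FAILED_LOGIN_THRESHOLD = 3


def load_records(text):
    """Parse a CloudTrail log file, which wraps its events in {"Records": [...]}."""
    return json.loads(text)["Records"]


def detect(records, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, detail) findings in the order the rules fire."""
    findings = []
    failures = Counter()  # failed console logins per source address
    for rec in records:
        identity = rec.get("userIdentity", {})
        who = identity.get("userName", identity.get("type", "unknown"))
        source = rec.get("sourceIPAddress", "?")
        if identity.get("type") == "Root":
            findings.append(("root-activity", f"{rec['eventName']} by root from {source}"))
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and rec.get("eventName") in LOGGING_TAMPER_EVENTS):
            findings.append(("logging-tampered", f"{rec['eventName']} by {who} from {source}"))
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[source] += 1
    for source, count in failures.items():
        if count >= failed_login_threshold:
            findings.append(("failed-logins", f"{count} failed console logins from {source}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_RECORDS):
        print(f"{rule}: {detail}")
```

Each rule maps back to one of the questions in the list: the root and CloudTrail rules are "what changes should we monitor", the login counter is "what parameters and what thresholds", and the returned findings are what an escalation process would consume.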