

Stay one step ahead of AWS cloud security issues

IT administrators cite security concerns in their hesitation to migrate to the cloud, but Amazon's array of options provides answers for those skeptics.

There is no single way to protect your resources, files and data in the public cloud. Companies using Amazon Web Services can rely on a variety of native tools to secure their clouds, but are best served being proactive in shoring up data.

Skeptics of the public cloud are decreasing in numbers, but those that remain cite security concerns for their cloud abstinence. Many companies have determined that Amazon Web Services (AWS) is safe for storage and non-mission-critical computing resources and applications, but worries over breaches aren't entirely baseless. Let's address some common security obstacles and how to tackle them.

What's the worst that could happen with AWS cloud security?

In the case of Code Spaces, a code hosting company based in England, a hacker brought down the entire company. In June 2014, an intruder gained access to the company's AWS Elastic Compute Cloud (EC2) console. After failing in an attempt to extort money, the hacker deleted a significant portion of the company's data, backups, instances and other AWS resources, rendering it unable to continue its business operations.

This debilitating attack resonated through the IT industry and shuttered Code Spaces' doors, though the attack could have been prevented through off-site backups and separation of services. Companies must work to understand and shore up their vulnerabilities.

How can I monitor my security processes?

Enterprises that want to know who is doing what in their cloud can use Amazon's CloudTrail to record actions and send alerts. The Web service collects a variety of API calls, allowing admins to identify who submitted each request, when, from where and with which parameters. Log files are automatically delivered to Amazon S3 buckets and protected against unauthorized access and manipulation.

CloudTrail also facilitates resource management and compliance reporting, meeting a variety of internal and external regulatory parameters.
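The kind of review CloudTrail logs make possible, as an added example that is not code from the article or from AWS: it scans a log for the destructive API calls that ended Code Spaces and reports the identity, time and source address behind each one. Field names follow the real CloudTrail record format; the records themselves are constructed.

```python
"""Scan a CloudTrail log for destructive API calls and report who, when and where.
Added example, not code from the article or from AWS; field names follow the real
CloudTrail record format, the records themselves are constructed."""
import json

# API calls whose success destroys data or compute, as in the Code Spaces incident.
DESTRUCTIVE_EVENTS = {"TerminateInstances", "DeleteBucket", "DeleteObject",
                      "DeleteSnapshot", "DeleteVolume", "DeleteDBInstance"}

# Constructed sample: a CloudTrail log file is a JSON object {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-06-17T21:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-17T21:07:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
    {"eventTime": "2014-06-17T21:09:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"bucketName": "prod-backups"}},
]})


def actor(record):
    """Readable identity: IAM user name, else ARN, else identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_destructive(log_text):
    """Return (who, when, source IP, eventName) for each destructive or root-issued call.
    Root-issued calls are reported whatever the API: routine root use is itself the
    practice the article warns against."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName", "")
        is_root = rec.get("userIdentity", {}).get("type") == "Root"
        if name in DESTRUCTIVE_EVENTS or is_root:
            findings.append((actor(rec), rec["eventTime"],
                             rec.get("sourceIPAddress", "?"), name))
    return findings


if __name__ == "__main__":
    for who, when, where, what in find_destructive(SAMPLE_LOG):
        print(f"{when}  {what:<20} by {who:<6} from {where}")
```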

How does AWS protect its public cloud?

Amazon provides the same standard of security for its customers across the globe; small businesses have access to the same security tools as AWS' largest Web-scale customers. Amazon fiercely protects its infrastructure and facilities, right down to strict rules governing its employees. AWS also offers a myriad of networking and security monitoring systems, including customer access points, built-in firewalls, private subnets via the Virtual Private Cloud (VPC) and data storage encryption.

The VPC defends network security, allowing admins to place multi-tier application servers into strictly controlled subnets. Amazon then provides users with the ability to create security groups to govern inbound and outbound network traffic.

AWS users should regularly evaluate their security needs and, ideally, devote weekly personnel resources to new security research. DevOps teams should implement regular security testing and, if the worst-case scenario unfolds, companies should outline a policy of what to do in the event of a breach.

How can our enterprise limit access to data in the cloud?

AWS Identity and Access Management (IAM) contains a variety of controls to manage and monitor access to the AWS cloud. Using IAM, admins should launch instances with roles assigned rather than embedded credentials, in order to protect the integrity of the AWS Management Console and API access keys.

Regularly updating roles to match evolving job titles is imperative, but companies should also restrict use of their root AWS profile and never share access to it. Instead, only grant users the access needed to do their jobs, following the principle of least privilege in case a new user makes a mistake or an account is compromised.

Admins can also require complex passphrases of 14 or more characters, implement multifactor authentication or place IP restrictions on their resources, limiting access to pre-approved locations.
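What least privilege, MFA and IP restrictions look like in an IAM policy document, as an added example that is not the article's or AWS's code: a scoped policy beside the over-broad one it replaces, and an audit that flags the statements the article's advice rules out. The condition keys aws:MultiFactorAuthPresent and aws:SourceIp are real IAM condition keys; the bucket name and CIDR are constructed.

```python
"""Least-privilege IAM policy gated on MFA and source IP, plus an audit that flags
over-broad statements. Added example, not the article's or AWS's code; the condition
keys aws:MultiFactorAuthPresent and aws:SourceIp are real, bucket and CIDR constructed."""
import json

# Scoped policy: read one bucket, only with MFA and only from the office range.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                      "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# Over-broad policy of the kind least privilege is meant to replace.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

def as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return findings for each Allow statement; an empty list means all checks passed."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, nothing to flag
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append(f"statement {i}: does not require MFA")
        if "aws:SourceIp" not in json.dumps(cond):
            findings.append(f"statement {i}: no source-IP restriction")
    return findings

if __name__ == "__main__":
    print("scoped:", audit_policy(SCOPED_POLICY) or "ok")
    print("broad: ", audit_policy(BROAD_POLICY))
```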

What third-party cloud security tools are available?

Third-party offerings are available through the AWS Marketplace, as Amazon encourages users to collaborate in the communal public cloud effort. These third-party security tools can help admins make sense of a wealth of configurations and audit trail data.

Cloudnexa's vNOC Cloud Management Platform is a software as a service option that groups data into snapshots to help users evaluate AWS performance contextually. RightScale and ServiceMesh provide further governance of EC2 instances. Security tools in the AWS Marketplace are plentiful, so keeping apprised is a task for admins. Knowing when to stick with native Amazon protocols vs. third-party software is another challenge IT professionals undertake in evaluating cloud security needs.
