AWS Security Best Practices

• Posted February 28, 2018

Amazon Web Services (AWS) is a widely adopted cloud platform that has allowed companies worldwide to leverage a more efficient delivery model. But enhanced agility and scaling solutions in the cloud come with new vulnerabilities and exposures—like data spills, hackers, backdoors open from unsecured development instances, and more. If your organization is transitioning to AWS, you may need to change up your security strategies to ensure your data and your clients’ data is secure. To help you get started, here’s a quick guide to AWS security best practices

The AWS Shared Responsibility Model

AWS operates under a “shared responsibility model”. In this model, AWS takes responsibility for the security of its infrastructure only. That means it is your responsibility to make sure your AWS environment is configured with security best practices as per AWS Well-Architected Framework.

Common Challenges & Limitations

Each organization defines its own unique security requirements, which often times are not based upon the latest security best practices. This can make it challenging for cloud service vendors to provide a one-size-fits-all security solution. It is crucial to monitor all users and instances for delivery, performance and security in the cloud. Your security team will need a way to gain quick insight into vulnerabilities so that they can take appropriate action to remediate threats. This can become extremely challenging for large organizations developing at scale

The good news is that AWS security platforms are available to help you mitigate these challenges. Intelligent Discovery, for instance, can make securing your systems easy. Consolidate your logs, automate audits, manage compliance, discover vulnerabilities and remeditions steps, and more.

AWS Security Best Practices

As it is your responsibility to secure your AWS environments, it’s important to understand some necessary AWS industry standards and practices that can help you ensure your infrastructure runs smoothly and is adequately protected from threats and data breaches. Here is a quick checklist to help get you started. For a more comprehensive overview, see this guide from Amazon Web Services.

• Enable CloudTrail: AWS CloudTrail is an essential feature for managing API calls made to your account, delivering log files to your Amazon S3 bucket. Be sure to enable CloudTrail across all regions and turn on mutifactor authentication for additional security.
• Security Groups: Security groups are associated with each instance launch. Ensure the default Security group is NOT used to allow ALL traffics for ports and protcols. Additionally, put a process in place to remove security groups that are not in use or attached to any instances.
• Root Account MFA: Enable MFA on the AWS Root Account User. Also, make sure not to use the Root user to do day-to-day tasks in AWS.
• IAM Policies: Make sure that IAM policies are attached to groups and roles instead of individual users to prevent man in the middle attacks. Put a policy in place to remove unused IAM keys after a specified period as well.
• Minimum IAM Permissions: When giving access to IAM users, ensure minimal access privleges are given. Ensure the user has the access levels they need to complete their task(s), and nothing more.
• IAM MFA: Enable multifactor authentication for all IAM users, require strong passwords for all accounts, and establish a regular roation for access keys.
• EC2 Termination: Enable EC2 termination protection to help prevent accidental terminations.
• Avoid Public S3 Buckets: To reduce external threats, ensure that no S3 bucket is publicly accessible unless really necessary.
• S3 Bucket Policy: Utilize bucket policies to provide access to required resources.
• Data Encryption: Enable Data-at-rest and Data-in-transit encryption for RDS, Redshift, ElastiCache, etc.
• Access to Databases: Restrict access to Databases on RDS and EC2 instances with the help of Security Groups to make sure the source of access is provided.
• SSL Certificate Expiration: Keep track of expiration dates and renew as appropriate, so you can ensure continued service.
• For Custom Applications: Keep an inventory of all custom applications in your environment—to include data types, compliance requirements, and vulnerabilities. Be sure to work closely with the application’s security team as you bring any new tools into your environment, but restrict priveleges to the minimum number of users and access levels required.

These are only a few of the common AWS security practices to keep in mind. There is much more to consider to keep your environment safe. To ensure you are up to date on the latest threats in your system and the steps you can take to mitigate, consider using a dedicated AWS security platform.

Intelligent Discovery Makes AWS Security Easy

Intelligent Discovery offers a comprehensive, real-time display of control status by account. View multiple accounts, remediation steps, threats and violations, instance inventories, and more within a convenient dashboard. Access all of your AWS security needs in one place, and take proactive action to secure your environments.