10 Dec 2019
By Mohammed Abubakar
With CI/CD and the ephemeral workloads that come along with cloud architectures, constant code changes dictate more reactive security postures and protocols. With over a decade of development under their belt, AWS’s world-class engineers have built tools to deliver an incredibly strong state of security.
A state of constant compliance and monitoring means the ecosystem is always being scanned. By automatically comparing current state to desired state, teams can rest easy knowing that resources are appropriately tagged, secured, and patched. Having the tools and the desire is one thing, but having the best practices and know-how is where the security/compliance rubber meets the road.
By creating and maintaining an auditable log of AWS Management Console actions and API calls, customers and their security auditors gain greater visibility into user and resource activity. Enable CloudTrail for all regions and ensure that access to the log files is restricted by bucket policies or fine-grained IAM policies. CloudWatch is an ideal tool for monitoring and alerting.
Disable root API access and server keys. This simple step is sometimes overlooked, leaving the root account exposed. AltoStack recommends that root user access keys be deleted and replaced by AWS IAM user credentials and keys. CloudWatch Events can be configured to alert on failed logins.
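As an added example (not code from the original post), the following Python runs the two alert conditions just described, repeated failed console logins and root-account API activity, over constructed CloudTrail records. The field names follow the CloudTrail record schema; the user names, IP addresses and account id 123456789012 are constructed.

```python
"""Detection over constructed CloudTrail records: failed console logins and
root-account API calls. Added example; events, IPs and the account id are
constructed, not taken from a real account."""
import json
from collections import Counter

def rec(name, ident, ip, source="signin.amazonaws.com", result=None):
    """Build a minimal constructed CloudTrail record."""
    r = {"eventSource": source, "eventName": name, "awsRegion": "us-east-1",
         "sourceIPAddress": ip, "userIdentity": ident}
    if result:  # ConsoleLogin events report Success/Failure in responseElements
        r["responseElements"] = {"ConsoleLogin": result}
    return r

ALICE = {"type": "IAMUser", "userName": "alice"}
SAMPLE_LOG = json.dumps({"Records": [
    rec("ConsoleLogin", ALICE, "203.0.113.10", result="Failure"),
    rec("ConsoleLogin", ALICE, "203.0.113.10", result="Failure"),
    rec("ConsoleLogin", ALICE, "203.0.113.10", result="Failure"),
    rec("ConsoleLogin", {"type": "IAMUser", "userName": "bob"}, "198.51.100.7",
        result="Success"),
    rec("CreateAccessKey", {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "198.51.100.9", source="iam.amazonaws.com"),
]})

def audit_cloudtrail(log_text, failure_threshold=3):
    """Return repeated failed console logins per user@ip and every root-account call."""
    failures = Counter()
    root_calls = []
    for r in json.loads(log_text)["Records"]:
        ident = r.get("userIdentity", {})
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[f"{ident.get('userName', '?')}@{r.get('sourceIPAddress')}"] += 1
        if ident.get("type") == "Root":  # root should never be used for API calls
            root_calls.append(f"{r['eventSource']}:{r['eventName']} from {r['sourceIPAddress']}")
    return {"failed_logins": {k: n for k, n in failures.items() if n >= failure_threshold},
            "root_activity": root_calls}

if __name__ == "__main__":
    print(json.dumps(audit_cloudtrail(SAMPLE_LOG), indent=2))
```

The same logic, pointed at the trail’s S3 bucket or a CloudWatch Logs subscription, is what a CloudWatch alarm on failed logins is effectively doing.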
To minimise the attack surface, security policies and administrators should be established, and individual users assigned specific credentials, tasks and access built on granular least-privilege methodologies. Many regulatory bodies require strong passwords. Establishing IAM user groups makes assigning bulk permissions seamless, and as users leave a group or the organisation it is easy to reassign groups or remove access. The policy generator and policy simulator are invaluable for creating roles for EC2.
For cross-development teams and 3rd-party access to resources, temporary credentials can be issued instead of long-term access. IAM users can be granted access for 15 minutes to 12 hours (15 to 60 minutes by default); the temporary credentials consist of an access key ID, a secret access key and a security token, and can be gated by multi-factor authentication.
Using social engineering, hackers have been known to break into username/password security systems. According to Panda Security, 52% of users reuse passwords for multiple accounts. Using MFA with tokens has proven to be an effective deterrent. MFA is free for AWS customers, and effective.
Changing the locks on the doors every 90 days is strong security practice to prevent costly unwanted access. From APIs to encryption keys, AWS key rotation can be automated and built so that it does not disrupt your AWS environment. While the current key remains active, a second key is created and supplied to an automated process where it is tested; if it passes, the older key is deactivated.
With pattern matching, anomalous-activity monitoring and geolocation blocking, AWS WAF is a potent tool for deflecting unwanted requests.
As a belt-and-suspenders approach to DDoS attacks, and especially for mission-critical applications, elastic AWS environments are an unsatisfying target for bad actors using DDoS techniques. With AWS Shield, Distributed Denial of Service (DDoS) attacks can be mitigated in sub-second time compared to minutes without Shield. Greater fault tolerance is achieved as spikes in traffic are automatically rerouted to multiple Amazon EC2 instances.
Although S3 buckets are secure by default, user error and lack of knowledge can make them vulnerable. Misconfigured, publicly readable S3 buckets can expose data to bad actors. Taking the necessary precautions, such as assigning bucket policies based on the sensitivity of the data, is standard operating procedure. For a large organisation, constantly monitoring S3 buckets is a necessity. For certain workloads and accounts, automatic remediation is a good practice.
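The bucket-policy mistake above and the least-privilege point made earlier are both visible in the policy document itself. This added example (not from the original post) reviews constructed policies for a public principal and for wildcard actions on all resources, and shows a scoped replacement beside the public one; all policies, the bucket name and the account id are constructed.

```python
"""Static review of policy documents for a public principal (S3 exposure) and
for an allow-everything statement (the opposite of least privilege). Added
example; every policy, bucket name and account id here is constructed."""
import json

# Constructed bucket policy that makes every object world-readable.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed replacement: the same read access, limited to one role in the account.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed IAM identity policy equivalent to full administrator access.
OVERBROAD_IAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]})

def _as_list(v):
    """Policy elements may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _is_public_principal(p):
    """Principal "*" or {"AWS": "*"} grants to anyone, including anonymous callers."""
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def review_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements with a public principal
    or a wildcard action over all resources."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement{i}")
        if _is_public_principal(st.get("Principal")):
            note = " (narrowed by a Condition; review it)" if "Condition" in st else ""
            findings.append((sid, "public principal" + note))
        actions = _as_list(st.get("Action", []))
        if (any(a == "*" or a.endswith(":*") for a in actions)
                and "*" in _as_list(st.get("Resource", []))):
            findings.append((sid, "wildcard action on all resources"))
    return findings
```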
Employees switch jobs and roles often. For large organisations, Single Sign-On integration allows standard employee off-boarding procedures to streamline this process. Regular access reviews ensure that users still require the level of access previously granted. To test and review IAM policies and permissions in real-world scenarios, AWS’s IAM Policy Simulator is an excellent tool. Consistent analysis of permissions strengthens the access control and security of AWS resources such as Amazon S3 buckets, Amazon SQS queues, Amazon SNS topics and Amazon S3 Glacier vaults.
To prevent servers from being spun up in regions that are irrelevant or outside compliance scope, and to control spend, disable regions outside your purview.
Whether on EC2 or in Glacier, at rest or in transit, ensure all data is encrypted, always. AWS is secure by default. With custom configurations, AWS-native and 3rd-party tools, AWS can support and scale your business, unleashing team potential, innovation velocity and end-user satisfaction. This Swiss Army knife of tools and configurations can be daunting. AWS security and DevOps experts like Foghorn offer valuable experience and opinion to help deliver exceptionally secure and compliant AWS environments that support business goals.