27 Apr 2020
By Mohammed Abubakar
It takes 20 years to build a reputation and five minutes to ruin it.
If you’re looking to improve your cloud security, a good place to start is by implementing these 7 things today.
Multi-factor authentication is one of the best ways to protect AWS accounts from inappropriate access. It is very important to set up MFA on your root user and on your Identity and Access Management (IAM) users.
Applications you build on AWS that require long-lived credentials such as database passwords or other API keys should never have these hard-coded in the applications themselves or stored in source code.
You can use AWS Secrets Manager to store these secrets and have your application retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hard code sensitive information in plain text. Secrets Manager allows you to rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.
A good security plan must implement logging and monitoring. Being able to investigate unexpected changes or perform analysis relies on having access to data. I highly recommend writing CloudTrail logs to an S3 bucket in an AWS account designated for logging. The permissions on that S3 bucket should also prevent deletion of objects, and the objects should be encrypted at rest.
Having all CloudTrail logs centralised means you can integrate with SIEM solutions or use AWS services to analyse them. You can also use the same Log Archive account to centralise logs from other sources, such as CloudWatch Logs and AWS load balancers.
AWS provides numerous managed services that give you actionable findings in your AWS accounts; these include AWS Security Hub, Amazon GuardDuty, and AWS Identity and Access Management Access Analyzer. For each finding, ensure that you have determined what your required response actions should be.
If you need to use access keys rather than IAM roles, you should rotate them regularly. AWS Security Hub provides a check that looks for IAM users with access keys more than 90 days old. Review the best practices for managing AWS access keys for more guidance.
Security groups enable network access to resources you have provisioned on AWS. Ensuring that only the required ports are open and that connections are allowed only from known network ranges is a foundational approach to security. You can use services such as AWS Config or AWS Firewall Manager to programmatically ensure that the virtual private cloud (VPC) security group configuration is what you intended.
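The 90-day rule above is easy to check for yourself. The following is an added example, not code from the original post: it flags active IAM access keys older than a threshold and lists inactive keys that should be deleted once rotation is confirmed. The key metadata is a constructed sample in the shape that boto3's `iam.list_access_keys()` returns under `AccessKeyMetadata`; the user names and key ids are hypothetical, and the audit date is pinned to the post's date so the result is reproducible.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # the threshold used by the Security Hub check

# Fixed "now" so the sample below gives the same answer every run.
AUDIT_DATE = datetime(2020, 4, 27, tzinfo=timezone.utc)

# Constructed sample. In practice, collect this per user with
# boto3.client("iam").list_access_keys(UserName=...)["AccessKeyMetadata"].
# User names and key ids are hypothetical placeholders.
SAMPLE_KEY_METADATA = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2019, 11, 1, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2020, 4, 1, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2019, 6, 15, tzinfo=timezone.utc)},
]


def key_age_days(key, now):
    """Whole days elapsed since the key was created."""
    return (now - key["CreateDate"]).days


def stale_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key id, age in days) for every Active key older than the limit.

    Inactive keys cannot be used, so they are not a rotation finding; they are
    reported separately by inactive_keys() because they should be deleted."""
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        age = key_age_days(key, now)
        if age > max_age_days:
            findings.append((key["UserName"], key["AccessKeyId"], age))
    return findings


def inactive_keys(keys):
    """Return (user, key id) for keys already set Inactive; delete them after rotation."""
    return [(k["UserName"], k["AccessKeyId"]) for k in keys if k["Status"] == "Inactive"]


if __name__ == "__main__":
    for user, key_id, age in stale_access_keys(SAMPLE_KEY_METADATA, AUDIT_DATE):
        print(f"ROTATE: {user} key {key_id} is {age} days old")
    for user, key_id in inactive_keys(SAMPLE_KEY_METADATA):
        print(f"DELETE: {user} inactive key {key_id}")
```

Against real accounts, run it with `now=datetime.now(timezone.utc)` and the metadata gathered for every IAM user.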
When AWS needs to contact you about your AWS account, they’ll utilise the information you provided when setting up the account. It’s very important to ensure that the information including the email address used to create the account and those listed under Alternate Contacts are correct and up to date. I highly recommend setting up aliases that are not dependent on a single person in case they leave the organisation.
All of the guidance to this point has been focused on the technology configuration that you can implement. The last piece of advice is about people, and can be broadly summarised as “raise the security culture of your organisation.” Security is everyone’s job — not just for those folks with it in their job title.
Contact us to learn more about how we can help your organisation with the basic principles of AWS security.