AWS has revolutionised the cloud and allowed businesses to improve their efficiency in a flexible and affordable way. But in today’s world of cyber threats, with the average cost of a data breach having grown to $200,000, AWS security is more crucial than ever.
Don’t worry, we are here to help. Read on for our 15 AWS security best practices to keep your systems safe.
…and work out if it supports certain tools and controls.
There’s a lot of talk about what should come first, tools and controls, or your security strategy. The answer isn’t as simple as the underlying discussion makes it seem.
The general consensus is to put your security strategy in place first. Then you can assess whether your controls and tools support this strategy.
You can also apply this security protocol to all levels and functions in your business, including the ones that rely on AWS. Having your strategy in place first also helps with continuous deployment.
For example, say your business is using configuration tools like Chef or Ansible. These are automating updates and patches across the board. Having a strategy in place allows you to start monitoring security across all the tools from the off.
Many of the recent S3 incidents were bucket breaches: the buckets held sensitive information but were set to “public” access. By default, S3 buckets should be set to “private” so that only selected users have access.
To make sure your S3 bucket and cloud data are safe, have a security procedure. Write down clear, consistent security controls and steps for what to do.
You should define what data can go on the cloud for storage and who can access it. Have a hierarchy in place that categorizes your sensitive data and a clear chain of command.
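As an added example (not part of the original article), the following Python script shows how the “private by default” rule above can be checked offline against a bucket’s policy document and its public access block settings. The policy, account id and bucket name are constructed sample data.

```python
import json

# Constructed sample bucket policy: one statement grants read access to
# everyone, one is scoped to a single IAM role in a made-up account.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed sample of the bucket's public access block settings (the four
# fields returned by GetPublicAccessBlock); here every guard rail is off.
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

def principal_is_everyone(principal):
    """True when a statement's Principal is the wildcard, in either form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy):
    """Sids of Allow statements open to anyone and not narrowed by a Condition."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single statement form
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and principal_is_everyone(s.get("Principal"))
            and not s.get("Condition")]

def audit_bucket(policy, pab):
    """Collect the findings that stop a bucket from being called private."""
    findings = [f"policy statement '{sid}' grants access to everyone"
                for sid in public_statements(policy)]
    findings += [f"public access block setting {name} is disabled"
                 for name, enabled in pab.items() if not enabled]
    return findings

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_PAB):
        print("FINDING:", finding)
```

A bucket with no public statements and all four block settings enabled produces an empty list, which is the state the advice above calls for.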
Make sure you’re applying security measures across the board. A single firewall for your entire infrastructure won’t cut it.
Instead, put in place virtual firewalls on all virtual networks. This will control and track all network traffic. It’s the best way to ensure your infrastructure and operating systems remain threat-free. These firewalls are easy to find and install from the AWS Marketplace.
To protect your web applications across the globe, use tools like Amazon CloudFront. There is a huge variety of AWS security tools you can use to secure all aspects of your cloud environment.
For example, CloudWatch, AWS Shield and GuardDuty, to name a few. You can also use standard compliance systems like Amazon Machine Images (AMIs). They come set up with built-in compliance elements that do a lot of the front-end hard work for you.
You should establish and maintain a security protocol that’s a top-to-bottom effort. Everyone should know their responsibilities and what to do in the event of a breach. Most important is that every team member takes responsibility.
The threat is growing and there is a lack of cyber-security professionals. So personal care and accountability are vital to your organization’s security efforts.
Even if you have a dedicated security team, train all employees on security protocol. Instill the importance of preventing a breach. And inform them what they can do to boost your security defenses. It’s important your policy is clear, and employees know how to respond if disaster strikes.
Track user access to your database and work out the purpose of each visit, for example by identifying all admin tasks. This makes sure that you can put controls in place on the cloud for basic access.
When using external data sources, use data validation and encryption controls. This maintains confidentiality and ensures the integrity of the data.
Brute force attacks and password cracking are some of the most common attacks you might face. Having a strong, secure password policy can help keep your network protected. It will reduce the chances of a breach.
Your password policy should set conditions for each password creation, change and deletion. For example:
Encrypt all your sensitive data. This is a small step that’ll go a long way to improving your general and AWS security.
In AWS, encryption is easy to set up, especially if you’ve gone with the native encryption. This provides HTTPS and end-to-end SSL/TLS for AWS service APIs.
You can also use key management. This creates, rotates, defines and audits encryption keys in one easy place. For client-side encryption, pair AWS encryption with S3, EBS or RDS. Or with Azure SSW (Secure Service Encryption).
Even with strong security and AWS’s robust infrastructure, disasters can happen. That is why it is essential that you back up your data.
The precise nature of your backups will depend on the data you have stored, your business practices and the legal requirements of your industry. That means that there isn’t a single perfect solution for all companies.
AWS offers several solutions to help you back up your data, such as AWS Backup. Or you can use a Disaster Recovery as a Service provider to ensure that you are ready to get back to work straight away in the face of any issues.
Root account credentials give users full unrestricted access to your system. It’s a vital function to maintaining your systems. But if it’s compromised, it leaves you wide open to security breaches.
Rather than using root account keys, use an Identity and Access Management (IAM) administrator user. This defines and manages the privileges, roles and access of each network user. You can also attach multi-factor authentication as an extra layer of security.
A sure way to secure your AWS cloud network is to have an up-to-date, consistent security policy. And ensure all organization members follow it. This will help keep you protected from unauthorized access, malware, hackers and more.
Make sure you’ve documented every AWS policy and process. Store this in a common shared drive so everyone has access. Keep this documentation updated with any changes you make. This way, employees, third parties, stakeholders and trading partners all stay updated together.
Check your systems and networks for vulnerabilities on a regular basis. AWS advises not to click links, download files or give passwords on suspicious emails.
If an email looks suspicious, you can report it straight through Amazon’s system. This alerts AWS to potential cloud breaches against your company. It also boosts security culture and awareness.
Update and patch every AWS cloud server, even the ones that aren’t public. There are many tools out there to help you manage and automate this process.
AWS Systems Manager Patch Manager lets you automate AWS security and other updates. Patch Manager can apply patches to most Amazon EC2 instances, on-premises servers and virtual machines (VMs).
There is an assumption that AWS takes care of security because of the level of infrastructure it has. It does give a lot of security controls, and you can configure firewalls. But this won’t be enough to completely secure your network.
Advanced malware targets your AWS environment through SQL injection attacks, botnets, malicious network traffic and cross-site scripting. It only takes one compromised AWS virtual server to take down the rest of that environment.
To boost your security against this, work in a shared responsibility model. This defines the responsibilities that are yours, as distinct from Amazon’s. For example, put in place:
Bring employees up to speed early on to make sure everyone knows what’s going on. It’s down to you and your team to boost your security beyond what AWS provides.
One of the most essential tools your IT team will be using is the AWS Management Console. This is the single tool that allows them to view, manage and administer every instance and resource in your AWS deployment.
From here they can create, remove and change VMs, or any other services. But with great power comes great responsibility, so you need to ensure you monitor logins and users with access. As soon as an administrator leaves the company, make sure their access is removed.
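The points above about root account keys, MFA and removing leavers’ access can be checked from an IAM credential report (the CSV produced by generating a credential report for the account). The script below is an added example, not part of the original article; the report rows, account id and dates are constructed, and only the report columns the check reads are kept.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an IAM credential report, trimmed to
# the columns read below. The root row uses "<root_account>" as its user name.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-03-01T09:00:00+00:00,true,true
alice,arn:aws:iam::111122223333:user/alice,true,2024-03-02T08:15:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,true,2024-03-02T12:00:00+00:00,false,false
former-admin,arn:aws:iam::111122223333:user/former-admin,true,2023-10-10T07:30:00+00:00,true,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,N/A,false,true
"""

def days_since(stamp, now):
    """Age in days of an ISO 8601 field; None for values like N/A or no_information."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None

def audit_credentials(report_csv, now, stale_days=90):
    """Flag root access keys, console users without MFA and dormant console logins."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no long-lived keys at all; day-to-day work uses IAM.
            if row["access_key_1_active"] == "true":
                findings.append((user, "root account has an active access key"))
            continue
        if row["password_enabled"] != "true":
            continue  # key-only service user: no console login to check
        if row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        age = days_since(row["password_last_used"], now)
        if age is not None and age > stale_days:
            findings.append((user, f"console login unused for {age} days"))
    return findings

if __name__ == "__main__":
    for user, issue in audit_credentials(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user}: {issue}")
```

A console user who has not logged in for longer than the threshold is exactly the leaver scenario described above, and the report makes that visible without trawling the console.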
The cloud can be a dangerous place. But by following our AWS security best practices, you can make sure that your systems are as protected as possible.
Make sure that you have security on all layers of your system, and only provide users the access they require. Perhaps most importantly, always plan for the worst by making backups of your data.
If you want to ensure the security of your AWS deployment, then check out our Security as a Service offering. At NETdepot we recognise that no two companies have identical security requirements, which is why we customize a security solution to fit your exact needs.