By: Owen Dubiel
July 6, 2021
The Pillars of AWS Security Best Practices
By: Owen Dubiel
July 6, 2021
There's no denying that AWS and cloud computing are the future of business as well know it. Therefore, it will be essential that all organizations utilizing AWS for business operations consider the risk implications of expanding their network to the cloud. Luckily, it has our backs and has created a well-structured guide of security controls to protect all facets of instruction that could be occurring. This article will cover these five pillars and provide in-depth examples of how each preserves cloud accounts.
Identity and Access Management
There are many different ways to implement IAM (Identity and Access Management) practices into AWS. What is very important to note and should be a common theme amongst all the best practices for IAM is to manage both Human identities and Machine identities (EC2 instances, Lambda functions, third parties). The following concepts should be adhered to:
- Centralized Identity
- Ensures that there is a means to have one reliable location to store and process identity.
- User Groups and attributes
- Uses predefined user groups with attributes will help organize and control AWS access to resources by job function. They also help to prevent lateral movements from occurring.
- Temporary credentials (JIT)
- Utilizes just-in-time access to limit provisioning users additional access longer than needed to perform a specific job function.
- Strong Authentication (MFA, SSO)
- Uses strong MFA and implementing network-wide SSO is always a security best practice in the cloud or on-prem.
- Audit Credentials (rotate)
- Creates a company-wide password policy that stipulates how often credentials have to be changed is essential in overall security health. Rotating credentials every 90 days is always a great starting point.
- Securely store secrets
- Store secrets and passwords in a secure location also widely accessible and integrated into your company's most commonly used tools.
Detection and Incident Response
Having the ability to detect an intrusion and having the means to respond to it effectively is essential in stopping attacks before and after they occur. The following are both detection and incident response controls to install in your AWS environment.
- Set up logging (CloudTrail, Configs, Guard Duty, SecurityHub, VPC)
- Get the most out of your logging by enabling all native security and system logging within AWS.
- Analyze logs within SIEM solution
- Whether the company uses the native logging solution within AWS or another third-party solution, ensure that there is a quick way to recall all AWS logging.
- Create action items (playbooks) on security events
- Take your SIEM to the next level by utilizing playbooks wherever possible. Using automatic playbook responses for known issues can further expand your security team's workload capabilities.
- Add in Automation
- Where ever possible, make life easier by automating AWS into your security solution. Whether it be automatic remediation, streamlined alerting, or optimize the incident response, use the power of automation to strengthen your overall security approach.
- Establish objectives
- To accomplish detection and response initiatives quickly, set recurring objectives to stay on track and not get discouraged.
- As you enable features, create policies, and implement new remediations. It will be essential to document everything performed so functionality can be recreated or rolled back.
- Use scalable solutions
- When researching new security solutions or even vendors for an incident response retainer, it is best to make sure they are fully compatible with the AWS environment and won't inhibit your current progress.
Ensuring your underlying infrastructure is secure against both attacks and fits any compliance guidelines required is imperative to your overall success. The following controls will help:
- Segmentation ( regions, availability zones, local zones)
- Creating as much segmentation as possible without inhibiting business operations will help develop additional boundaries for attackers to jump through to get to your sensitive data.
- Network Layers
- Adding onto segmentation, you can utilize lambda functions and separate EC2 instances to isolate sensitive systems from the rest of the network by creating network layers.
- Traffic Controller at all layers
- By creating network-level segmentation, restricting resource traffic becomes easy with the "drop in the bucket" method. If a resource needs access, it goes in bucket A; if it doesn't, Bucket B will be its home.
- Inspect to protect
- Use the native AWS tools like WAS and cloud trail to inspect and restrict unneeded network activity in and out of the instance.
- Whether it is WAF detection rules or a third-party EDR solution, ensure that these tools integrate and automate easily within AWS to protect against any adversaries.
The data is the gold for most companies, and it is just as valuable to the threat actors. Therefore, identifying, classifying, and controlling your information is crucial when operating out of the AWS cloud. The following best practices would enrich your data protection plan:
- Identify data being used.
- It is essential to know precisely which data is currently in use and which can be archived. Archived data usually has legal stipulations around it, and the quicker it can be archived, the quicker it can be ultimately deleted or at least securely locked down.
- Categorize and define data
- To correctly classify data, it must be categorized and defined. It is essential to be able to locate where your sensitive data is.
- Give data an end of life.
- Most compliance frameworks will assist with creating an end life for data, but if not, ensure any sensitive data have an end of life data where it can be deleted or archived.
- Automate both identification and classification processes.
- To avoid duplicate data or misclassification, using a tool like Amazon Macie, you can prevent the need for manual intervention within the classification process.
- Secure Key Management (tokenization, Encryption)
- Use a solution to store and encrypt your system's access keys.
- Encryption at rest
- Even if data is waiting to be used or if it is in an archive, implement some form of encryption at rest to create further obstacles for possible intruders.
- Access controls
- Strict access requirements around who and what can access sensitive data are relevant.
- Audit use of Keys
- If data needs to be accessed, changed, or even deleted. Having audit logs in place around the access keys is crucial to detect possible signs of tampering or a disgruntled employee.
- Change management to keep data isolated.
- Have a system in place that tracks changes made to the systems housing your data. It may be needed for both compliance and forensics purposes if a breach ever occurs.
- Authenticate network communications for data in motion
- Just as you should encrypt at rest, you should implement a secure pipeline for data in transit as well.
- Automate detection of specific data access
- Create detection rules within the AWS security center or your third-party SIEM to identify when data access occurs. These should be few and far between and reviewed regularly.
Security is always something that will take a village to develop correctly; now, with the added element of the cloud, enterprises must learn how to properly secure their AWS instance by adopting the above pillars into their environment. To learn more about how best to implement security best practices, head on over to Cybrary's content site to check other great information resources.