New technologies can be deployed globally with a few mouse clicks, but behind the simplicity of the user interface lies all the complexities of the traditional data center, as well as the complications that come with shared infrastructure, geolocation, and regulatory compliance. In a rapidly evolving cloud environment, security can often be an afterthought, with potentially serious consequences for those who do not take the time to build a solid foundation.
What is AWS Security?
Amazon provides toolsets that customers configure to secure their AWS infrastructure, data, applications, and workloads. Amazon secures the underlying AWS infrastructure, but under the shared responsibility model for cloud security AWS customers retain responsibility for what they build on top of it. Good AWS security solutions must cover both the cloud services consumed and the infrastructure that hosts them, while remembering that public cloud relies on shared infrastructure and broad connectivity: traditional perimeter-focused controls cannot work in isolation in the cloud.
AWS security: How It Works
At the core of AWS security is the concept of shared responsibility. While the adoption of cloud technologies results in some aspects of information security becoming the responsibility of the Cloud Service Provider (CSP), many others remain the sole responsibility of the customer.
It may be helpful to delegate responsibility for some aspects of security to a third party; the National Institute of Standards and Technology (NIST) recommends doing so where possible, but it is important to know which responsibilities remain with the customer. AWS manages all aspects of physical security, infrastructure, and system hardware, including the compute, storage, database and network components used to deliver its services.
AWS manages these aspects of its service in compliance with the following standards:
SOC 1/ISAE 3402, SOC 2, SOC 3
PCI DSS Level 1
FISMA, DIACAP, and FedRAMP
ISO 27001, ISO 9001, ISO 27018, ISO 27017
While the CSP is responsible for the physical aspects of the platform (hosting, physical security, and platform maintenance) and for service availability in line with published service level agreements (SLAs), responsibility for products and services offered via cloud infrastructure varies by service type:
Infrastructure as a Service (IaaS): IaaS products include virtual servers, where CSP responsibility is limited to the underlying infrastructure. The security of everything built on such a platform is a customer responsibility: the security of the base image, patching and software updates, antivirus and antimalware provision, and networking controls such as firewalls and intrusion detection/prevention systems.
Platform as a Service (PaaS): PaaS offerings include managed databases; here the CSP is responsible for the host infrastructure, operating system, and principal application or service. The customer is responsible for ensuring that access controls and permissions are configured so that the service is available only to authorized users.
Software as a Service (SaaS): SaaS products are fully CSP-managed, with the customer having no responsibility for the security of the service itself, though they retain responsibility for ensuring only authorized users can access their tenant, and for any customer data stored in the platform.
Serverless and Container: These technologies blur the boundaries of the definitions above. Serverless compute resembles PaaS in that the CSP runs the operating system and language runtime, but the code, its dependencies, and the permissions granted to it remain the customer's responsibility; containers operate in the space between IaaS and PaaS, depending on how much of the host and orchestration layer is managed for you.
A key principle of cloud security is that, regardless of the cloud technology adopted, the customer is always responsible for managing the security of the cloud services consumed, using built-in or third-party tools as required. The customer is also responsible for ensuring services consumed are suitable for their data, as well as the regulatory and compliance frameworks that may apply.
AWS Security Issues and Concerns
AWS offers a robust default security position: no access to any service or resource is granted until an administrator explicitly configures it. In spite of this, it is alarmingly common for cloud administrators to grant excessive permissions, or to grant broad permissions during the creation of a cloud resource that are never revisited when that resource moves into production.
Some common AWS security concerns include:
Resource Permissions: Simple Storage Service (S3) buckets can be made publicly readable, but it is rare that having that storage available to everyone is desirable. Permissions can be set at bucket and object level, using AWS-managed as well as customer-written policies, but any bucket that grants ‘Everyone’ access merits immediate review (‘Everyone’ being literally anyone in the world with an Internet connection). Users may be granted access to data in error, along with sufficient rights to modify S3 permissions and authentication. Anonymous access requires no authentication and has been responsible for the leakage of millions of objects from S3; S3 Block Public Access, enabled at the account level, prevents new public grants from taking effect and is the simplest guard against this class of error. A useful approach to resource permissions is role-based access control, or RBAC, which in its simplest form means assigning permissions to groups rather than to individual users, then assigning users to those groups. AWS Identity and Access Management (IAM) groups and roles can be used to model your organization’s needs, ensuring access permissions are consistent and minimizing the likelihood of operator error granting excessive permissions to an individual. This approach also makes analysis simple: a review of group memberships shows what an operator can reach, rather than requiring a manual audit of every system to identify individual users with access.
Encryption: Encryption has long been best practice, the processing overhead it places on a system being the only real argument against it, and that overhead is negligible on modern cloud infrastructure. Encrypting data in transit with TLS and at rest with AES-256, preferably using customer-managed keys for maximum control over key policy and rotation, means that even if your data were to fall into the wrong hands it is unreadable to the malicious actor unless the keys are compromised as well.
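The two checks above (is a bucket policy granting access to everyone, and does it refuse plaintext HTTP) can be made mechanical. The following is an added example, not code from the original article: it runs offline over a constructed bucket policy document, and the bucket name, account ID and role name in it are placeholders.

```python
"""Static checks for an S3 bucket policy document.

Added example (not from the original article). The functions flag Allow
statements that grant to everyone, and report whether the policy denies
requests made without TLS. The sample policy is constructed for this
example; bucket, account and role names are placeholders.
"""
import json

# Constructed sample: one public read statement, one account-scoped grant,
# and a Deny that enforces TLS via the aws:SecureTransport condition key.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statements(policy):
    return _as_list(policy.get("Statement", []))


def is_anonymous_principal(principal):
    """True when the Principal element means 'anyone', including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_allow_statements(policy):
    """Sids of Allow statements that grant to everyone with no Condition at all.

    A conditioned wildcard grant still needs review (the condition may be weak),
    but an unconditioned one is unambiguously public, so only those are returned.
    """
    found = []
    for stmt in statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if is_anonymous_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def enforces_tls(policy):
    """True if some Deny statement rejects requests where aws:SecureTransport is false."""
    for stmt in statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        values = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", []))
        if "false" in [str(v).lower() for v in values]:
            return True
    return False


def review(policy):
    return {"public_allow_sids": public_allow_statements(policy),
            "enforces_tls": enforces_tls(policy)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_POLICY), indent=2))
```

Note that a bucket can also be exposed through its ACL and through object ACLs, which this policy-only check does not see; that is one reason the account-level Block Public Access setting is the better primary control, with a check like this one as confirmation.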
AMI Sharing: Amazon Machine Images (AMIs) are the templates used to create EC2 virtual machines. AMIs can be created to be private or public, and any public AMI is made available to all AWS customers. It is important to ensure no sensitive information is included in public AMIs.
Network Security: Your AWS Virtual Private Cloud (VPC) is your castle, your chunk of cloud where you create the subnets and access rules required for everything to work. It is common for overly permissive firewall rules to be created during build for convenience, but sadly also common for those rules to be overlooked after go-live. Network security isn’t just for the boundary anymore: network ACLs filter traffic at the subnet level, and security groups act as stateful firewalls on individual instances and service endpoints. It is equally important to restrict outbound connections from cloud resources to the specific destinations they need, to prevent the unauthorized exfiltration of data. The more granular your controls, the more secure your AWS cloud.
Exposed secrets: Leaving sensitive information in the clear, be it in insecure storage, badly written software, or unencrypted communications, opens the door for the malicious actor. Data protection laws are often accompanied by serious sanctions for the privacy violations and data loss that can result from exposed secrets, yet these types of configuration error persist. Proper attention to all elements of AWS security, especially API keys, certificates, and SSH keys, prevents a whole class of security issues.
Features of AWS security
Having established that the customer carries responsibility for security in AWS, you will be pleased to hear that Amazon provides tools, configuration guides, and additional products to enable customers to build and maintain a secure cloud environment.
Every AWS service has associated security configuration items, as well as third-party providers who can enhance the base offering, providing custom security solutions for any organization to ensure the three core security tenets of Confidentiality, Integrity, and Availability are upheld. The AWS controls available within the console fall into one of the following high-level categories:
Infrastructure Security: AWS cloud security tools for the network provide controls to ensure connections into a customer Virtual Private Cloud (VPC) are secure. Inbound connections can be private, dedicated, and encrypted if required, and AWS service endpoints accept TLS, so traffic to the services themselves can be encrypted end to end. Separate subnets can be used to segment the cloud network to limit lateral movement, with firewall controls available at the boundary, subnet (network ACLs), and host level (security groups) to provide granular control of network communications at every layer. DDoS mitigation tools are available at layers 3, 4 and 7.
Data Encryption: Encryption is key to secure cloud computing, and AWS provides encryption at rest for IaaS disks at the click of a button, in addition to the encryption in transit already mentioned. PaaS and SaaS solutions benefit from similar protections, and APIs are provided so that any technology deployed to the cloud can use the AWS data protection tools. Encryption keys can be managed by AWS for convenience, or customer-managed for maximum control.
Configuration Management: Cloud environments can scale quickly, making alignment with regulatory and compliance standards a challenge. AWS provides tools that enable the quick and easy configuration of cloud resources, policy options to ensure new resources are created in a compliant manner, and inventory tools to track configuration over time.
Identity and Access Management: IAM is the foundation of a secure cloud. By defining users and roles and enforcing secure login configurations such as SSO via IAM Identity Center and multi-factor authentication, access to cloud services, resources, and APIs can be tightly controlled. The principle of least privilege is key to a secure cloud deployment.
Logging and Monitoring: AWS offers several tools to help identify malicious activity, including CloudTrail for recording API calls and console activity, CloudWatch for collecting logs and metrics in a single location, and GuardDuty for threat detection.
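CloudTrail records are only useful if something reads them. As an added example (not code from the original article or any AWS tooling), here are three small detection rules run over a constructed batch of CloudTrail records: a console login that succeeded without MFA, use of the root account, and any S3 call that changes who can reach a bucket. The account ID, ARNs, bucket name and event IDs are placeholders; the field names are those of the CloudTrail record format.

```python
"""Simple detections over CloudTrail records.

Added example (not from the original article). Three rules a practitioner
might run over CloudTrail log files. The records are constructed for this
example; account IDs, ARNs, the bucket name and event IDs are placeholders.
"""
import json

SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventID": "evt-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No"}},
  {"eventID": "evt-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventID": "evt-3", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"bucketName": "example-bucket"}},
  {"eventID": "evt-4", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
  {"eventID": "evt-5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::123456789012:assumed-role/DataTeam/session"},
   "requestParameters": {"bucketName": "example-bucket"}}
]}
""")

# S3 API calls that change who can reach a bucket; each one deserves a look.
BUCKET_EXPOSURE_CALLS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
                         "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}


def console_login_without_mfa(record):
    """Successful console sign-in where CloudTrail reports MFAUsed = No."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No")


def root_account_activity(record):
    """Any API call made directly as the account root user."""
    return record.get("userIdentity", {}).get("type") == "Root"


def bucket_permission_change(record):
    """S3 calls that alter a bucket's ACL, policy or Block Public Access settings."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in BUCKET_EXPOSURE_CALLS)


RULES = {
    "console-login-no-mfa": console_login_without_mfa,
    "root-account-used": root_account_activity,
    "s3-permission-change": bucket_permission_change,
}


def run_rules(trail):
    """Return (eventID, rule name) for every record that triggers a rule, in log order."""
    hits = []
    for record in trail.get("Records", []):
        for name, rule in RULES.items():
            if rule(record):
                hits.append((record.get("eventID"), name))
    return hits


if __name__ == "__main__":
    for event_id, rule_name in run_rules(SAMPLE_TRAIL):
        print(f"{event_id}: {rule_name}")
```

In production these rules would run on the CloudTrail log files delivered to S3 or on the event stream in CloudWatch Logs, and GuardDuty covers much of the same ground out of the box; the value of writing them yourself is knowing exactly which fields your alerts depend on.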
The Many Advantages of AWS security
AWS security offers a comprehensive suite of tools to help cloud customers build a robust security posture for their environments, from protecting data to monitoring security events, with automated logging that supports faster delivery at lower cost while maintaining a secure cloud presence.
AWS cloud security integrates compliance with security by providing tools to monitor configuration changes and user activity, and by delivering comprehensive compliance reporting. Utilizing thousands of security controls throughout the AWS ecosystem means every customer benefits from the collective security experience of the user base, as well as from new features released regularly in response to customer demand.
Taking advantage of the shared responsibility model for cloud services reduces the attack surface that security professionals have to manage, allowing the customer to concentrate on software and services rather than the infrastructure: retain control of the data and configuration that make your business unique, while leaving keeping the lights on to AWS.
It is important to secure your network infrastructure, VMs, containers, serverless functions and applications to create a secure cloud environment, but it is equally important to consider the risk landscape overall. AWS security provides tools to enable analysis of monitoring data at scale, as well as consistent tools to maintain a continuous security posture across platforms and services. Additionally, many enterprises using AWS are also looking to multi-cloud for resilience across cloud service providers, making awareness of Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, Kubernetes, and OpenShift security increasingly important.
To learn how Wiz can support your AWS Security requirements, as well as providing coverage across all popular cloud platforms, you’re welcome to sign up for a free demo.