The move to cloud by business is nothing new and seems to be an inevitability. A recent survey of I.T. professionals showed 94 percent use cloud, and public cloud (Amazon Web Services, Microsoft Azure) adoption is 91 percent. Two things the recent pandemic has accelerated are:
- Increasing reliance on cloud-based infrastructure, and thus an increased need for cloud security
- Shared responsibility - just as we all have a shared responsibility to slow the spread, we have a shared responsibility to keep our cloud environments secure. In fact, AWS is based on a model of shared responsibility between Amazon and the customer for security and compliance.
Maybe you are an IT professional charged with maintaining an AWS environment. Maybe you are a marketing professional in charge of maintaining your customer-facing website that is hosted on AWS. Some of the following content is technical, but it is meant to be an approachable road map for what to do to ensure you are properly securing your data in AWS. If you work in the IT sector this should all be familiar, and you will know what to do with these steps. If you are in Marketing or the business side, you can take this roadmap to your IT team and make sure these steps are being followed.
Where is your data and how is it used, stored, and processed?
Start with a data flow and a data inventory. Talk to your stakeholders and map out all of the data elements you store and where you store them. Then rate each element based on:
- The likelihood that it could be accidentally or maliciously compromised
- The impact of this data element being compromised; this will help develop a sense of criticality
Click here for an example data risk matrix
For example, take social security numbers (SSNs). If you only store a user SSN in a few select cases, the likelihood of a breach is low. However, if this data point were to be compromised, the impact on your company’s reputation may be unacceptable.
For some more help in identifying sensitive data and the impact of a disclosure, here is a nice guide.
You will notice that at the end of this exercise you may decide that risk avoidance, in some cases, maybe the best course of action. For example, in our SSN example, you may decide you don’t need to store this data element after all, and so avoid any risk.
Once you have your data inventory - which is a snapshot of all your data elements - you need to create a data flow. In other words, determine where your data is stored and how it is processed and utilized in your systems. If you use AWS a data flow analysis could be realized through an assessment of:
- Systems and applications that access data both in AWS and outside of AWS
- Systems and applications that transfer data to/from AWS, via web services or database replication services, etc.
- Systems and applications that transfer data within the AWS environment e.g. between S3 buckets
- Human processes that move data around
[check back for an example data flow diagram]
Data analysis complete? Then let’s make sure it’s secure!
CIS BENCHMARKS
We never want to reinvent the wheel, so start with existing security benchmarks or frameworks and tailor them to your needs. In this case, start with the CIS Benchmarks for AWS and focus first on the areas of your data flow that relate to the data elements you’ve bubbled up as high likelihood/high impact. Once you have a plan for securing those high-value data elements, then circle back to the lesser ones.
The CIS AWS benchmarks are separated into the following areas:
- AWS Identity and Access Management (IAM)
- AWS Configuration
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- AWS VPC (Default)
Start off by paying close attention to the first benchmark area, AWS IAM, which will provide prescriptive guidance on password policies, Multi-Factor Authentication (MFA), and deleting your root account keys. Spend time to analyze your AWS user base, ensuring roles and policies are appropriate and follow the principle of least privilege. In a recent post regarding securing AWS, we outline some steps to make sure your AWS IAM policy is up to par.
WEB APPLICATIONS
Conduct an analysis and security assessment of your critical web applications. Submit them to vulnerability testing that can assess them against industry standards. For example, analysis against the OWASP Top-10 web application vulnerabilities is highly recommended. Check out our earlier blog post on securing your website.
ENCRYPTION
Make wise use of encryption: a robust use of encryption is table stakes for cloud deployments. Use this abbreviated checklist to make sure your data is safe from theft:
Use AWS key management system to encrypt all data
It’s easy, but AWS is controlling the keys. If you’re not okay with that, then a solution such as StrongKey or Vault could be a better choice.
Enable encryption wherever it’s an option
AWS makes it easy to enable encryption for data at rest. Make sure it’s enabled. There’s no reason to leave data unencrypted in S3 buckets, RDS and Aurora databases, and EC2 EBS volumes
Use HTTPS everywhere
If you’re using CloudFront, you’ll need certificates to set up HTTPS connections. Use the AWS Certificate Manager to create them and configure your databases to accept secure connections.
MONITOR YOUR INFRASTRUCTURE
AWS has no shortage of logging options. Make sure you’ve configured the following logging services to greatest effect.
- CloudTrail Logs
- VPC Flow Logs
- S3 Access Logging
- Billing Logs
AWS has published a Centralized Logging Implementation Guide. Check it out to get the most out of your monitoring capabilities.
Once you are secure, remain vigilant
Once you have implemented your benchmarks and system and application security controls, you will need to remain constantly vigilant; after all, we are not carving granite. Security is an ongoing battle and just like anything else in IT it requires ongoing assessment, learning, and training to stay up to date with the latest tools, threats, and mitigations.
Here are a few additional education resources for staying up to date with AWS security:
Cloud Security Alliance - training and education