26 Oct 2021 - Dennis Egen

Security for Amazon Web Services: What You Need to Know

Chances are, you’re among the 94 percent of organizations using a cloud service to store data and power your enterprise. Among these enterprises, at least 30 percent of the IT budget goes toward cloud computing. Amazon Web Services (AWS) is one of the leading providers for those looking for reliable cloud computing. In fact, there are currently over 16.7 million live websites powered by Amazon Web Services alone. 

Even mammoth companies like Netflix use AWS for almost all of their cloud computing and storage. They use AWS for their databases, analytics, recommendation engines, video transcoding, and more, managing over 100,000 server instances on AWS. 

And this is just one of the millions of users that rely on AWS. 

With the increased prevalence of cloud computing and cloud-based enterprises also comes the increased need to pay attention to security. By the end of 2022, at least 95 percent of cloud security failures are predicted to be the fault of the customer. And what’s more? Ninety percent of the organizations that fail to control their cloud use will inappropriately (and inadvertently) share sensitive data.


So, what should you do to keep your AWS cloud protected? Here’s what you need to know about AWS security:

About AWS Security and Shared Responsibility

One of the major benefits of employing Amazon Web Services is that Amazon maintains the strictest of security protocols on its end. Amazon has entire teams of people who are all dedicated to keeping their cloud platform safe. 

However, there is only so much that AWS can do. Security and compliance are shared between AWS and its customers. While this relieves much of the burden of security for the organizations that use AWS, this means that they still have responsibilities to keep their data secure on their end. 

AWS is responsible for operating, managing, and controlling its host operating system and virtualization layer. They also have a duty to maintain the physical security of the facilities that host their cloud hardware. 

This means that users don’t have to worry about the physical security of their data, but they do need to manage their operating system. This includes updates, security patches, associated application software solutions, and the personalized configuration of their AWS security group firewall. 

The breakdown of responsibility is as follows:

  • AWS is responsible for protecting the infrastructure that runs the cloud and all the associated services offered within the cloud. 
  • Customers also have a security responsibility, one that depends directly on their chosen cloud service model—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)—as well as on the software and applications they use. 

Essentially, AWS secures the server hardware, but the security of your individual cloud infrastructure is up to you. AWS offers a secure cloud infrastructure baseline, but users must do everything they can to keep their assets and vulnerable data protected. 

Common AWS Security Misconfigurations

AWS is easy to use, but that doesn’t mean there aren’t possible misconfigurations that can compromise data. Organizations are storing more of their sensitive data in the cloud every day, and hackers and other bad actors know this. Avoiding misconfigurations and locating and repairing them is essential to keeping data protected. 

Here are some of the most frequent misconfigurations that AWS users make:

  • Failure to adopt AWS Organizations (where relevant) and set up a multi-account organization framework with AWS SSO.
  • Not naming a point person to take charge of security concerns, and not understanding the shared responsibility model and which responsibilities are up to the users. 
  • Neglecting to use tools like CloudTrail to trace API calls and callers to detect the source of potential issues. 
  • Forgetting to manage access control and neglecting Identity and Access Management (IAM) to ensure that only some cloud users have administrative rights and that high-privileged access is only given to essential users.
    • It’s estimated that 35 percent of privileged users in AWS have enough access to bring down the entire AWS customer environment. Tiered access can help prevent these kinds of disasters. 
  • Using weak passwords and single-factor authentication instead of implementing multi-factor authentication, strong password requirements, and security controls.
  • Not securing root user access and leaving the door open to all the features, services, and resources that are accessible via a root user account. The root user account should never be used for everyday operations. 
  • Storing all data in a single virtual private cloud, leaving an entire dataset exposed if a bad actor gains access. 

AWS Security Checklist: Keeping Your Organization Protected

Securing your AWS infrastructure is a never-ending process. While there are important steps you need to take to get started on the path to security, maintaining a secure cloud infrastructure takes constant work.

> The Principle of Least Privilege and AWS Identity and Access Management

AWS IAM allows users to securely control user access to AWS resources. IAM implementation is the bedrock of a secure cloud infrastructure. 

Identity and Access Management is free for AWS accounts and enables you to manage access to all your AWS services and keep them secure. IAM allows you to create and manage users and groups, then oversee the permissions to allow and deny access to all the resources stored in your AWS cloud infrastructure. 

With IAM, you can take charge of your own user permissions and set up controlled access. This means that rather than giving every member of your organization full access to everything in your organization, you have controls in place to segment data and give access only to the people that need it. 

AWS Identity and Access Management also lets you check your security status and audit your permissions to keep your environment protected. 
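One way to make the least-privilege idea above concrete is to lint IAM policy documents before they are attached. The script below is an added example, not code from the article or from AWS; the two policies are constructed samples (bucket name and account details are placeholders), and the checks flag the broad-grant patterns that least privilege is meant to avoid: wildcard actions, `Resource: "*"` without a condition, and permission-management actions.

```python
import fnmatch
import json

# Constructed sample policies (not from the article). The "broad" one grants
# everything on everything; the "scoped" one is limited to one bucket prefix.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports/team-a/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports",
         "Condition": {"StringLike": {"s3:prefix": ["team-a/*"]}}},
    ],
})

# Actions that hand out or change permissions; an Allow on these deserves review.
PRIVILEGE_ACTIONS = ("iam:*", "sts:AssumeRole")


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches_any(action, patterns):
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_policy_findings(policy_json):
    """Return (statement_index, finding) pairs for overly broad Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "action wildcard '*'"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide action wildcard"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((idx, "resource '*' without a Condition"))
        if any(_matches_any(a, PRIVILEGE_ACTIONS) for a in actions):
            findings.append((idx, "grants permission-management action"))
    return findings
```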

> Establish Console Access

If you haven’t done so already, your organization needs to set up console access for the users who must sign in to the AWS Management Console with a username and password. Before you establish console access, secure your root account password. 

A root account password needs to be strong, and it shouldn’t be shared with anyone. Additionally:

  • Your root account shouldn’t be used for administrative tasks. 
  • Don’t write down your password. Instead, use a password manager to keep track of it.
  • Use multi-factor authentication (MFA) as a second source of validation.

Next, create an administrative group that has console access; a small collection of trusted individuals.

> Set Up Programmatic Access

Programmatic access should be reserved for IAM users who need to make API calls and use the AWS command-line interface. Those with access should have individual access key IDs and secret access keys. Alternatively, you can use the Security Token Service (STS) to establish programmatic access. To do so:

  • Delete any access keys and secret keys for the root account.
  • If you have to use keys, assign them to individual users and not the root account so they are traceable.
  • Rotate keys on a regular basis.
  • Password-protect PEM files for SSH access into EC2 instances.
  • Don’t store access or secret keys in a code repository.
  • Use STS for programmatic access, but use IAM Role Delegation to grant access to compute resources. 
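The checklist items above (no root access keys, per-user keys, regular rotation, MFA on console passwords) can be verified from the IAM credential report that `aws iam get-credential-report` returns as CSV. The following is an added example, not code from the article or from AWS: the report is a constructed sample trimmed to the columns the check reads (the real report has more), the user names are placeholders, and the 90-day rotation window and the fixed "now" date are assumptions for reproducibility.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report
# (`aws iam get-credential-report`), trimmed to the columns this check reads.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,true,2020-01-15T09:30:00+00:00,false,N/A
alice,true,true,true,2021-09-01T12:00:00+00:00,false,N/A
deploy-bot,false,false,true,2021-03-02T08:00:00+00:00,false,N/A
bob,true,false,false,N/A,false,N/A
"""

NOW = datetime(2021, 10, 26, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                    # assumed rotation window


def _parse_time(value):
    # The report uses "N/A" / "no_information" where no timestamp exists.
    return None if value in ("N/A", "no_information") else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return {user: [findings]} for root keys, stale keys and passwords without MFA."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues, has_key = row["user"], [], False
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            has_key = True
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                issues.append(f"access key {n} older than {max_key_age.days} days")
        if user == "<root_account>" and has_key:
            issues.append("root account has an active access key")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        if issues:
            findings[user] = issues
    return findings
```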

> Use Encryption When Necessary

Encryption is a critical tool to keep data protected in the event it gets intercepted. The easy answer is to encrypt everything. But not every organization has the resources, the processing power, staff, or money to encrypt every single piece of data. 

Generally, two types of data need to be encrypted, without question:

  • Personally identifiable information like phone numbers, social security numbers, or other personal information.
  • Confidential business information and intellectual property including plans for new projects or marketing campaigns.

Automatic encryption makes sense for many organizations, especially since manual encryption is so time-consuming, expensive, and prone to user error. 

AWS Key Management Service (KMS) is one reliable way to create and manage cryptographic keys and control them throughout a wide range of AWS services and applications. KMS is both secure and resilient and uses validated hardware security modules to protect the cryptographic keys used for encryption. 

> Use HTTPS Encryption

Especially if you’re using CloudFront, you’ll need to set up HTTPS connections. You can use the AWS Certificate Manager to create them. 

HTTPS keeps your internal communications and customer data secure. It’s also good for Google’s search algorithms and your website’s SEO score. HTTPS is also required for accelerated mobile pages, and it puts your clients’ and customers’ minds at ease. Plus, some popular browsers alert users when they are about to visit a site that is not secured, especially if the site asks users for login or credit card information. Not only does an unsecured site put your organization at risk, but this kind of warning can scare off conscientious customers. 

> Audit and Monitor Your AWS Interface

There are many options to make it simpler to monitor and audit your AWS infrastructure. These solutions track activity related to your infrastructure and log event history. Some can even diagnose whether accounts have too many restrictions in place, aid in security audits, track and audit your configurations, and more. These security monitoring solutions include:

  • CloudTrail Logs
  • VPC Flow Logs
  • S3 Access Logging
  • Billing Logs
  • Trusted Advisor
  • AWS Config
  • Inspector
  • GuardDuty
  • Macie
  • Shield
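CloudTrail logs, the first item in the list, are where the misconfigurations named earlier (root usage for everyday work, logins without MFA, and tampering with the audit trail itself) show up. The detector below is an added example, not code from the article or from AWS: it reads records in CloudTrail's real file layout (`{"Records": [...]}`, `userIdentity.type`, `additionalEventData.MFAUsed`), but the events, account id, user names and IP addresses are constructed placeholders.

```python
import json

# Constructed CloudTrail records in the real file layout ({"Records": [...]});
# the account id, ARNs, user names and IP addresses are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-10-26T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-10-26T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-10-26T09:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2021-10-26T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# CloudTrail API calls that weaken the audit trail itself; each deserves an alert.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(identity):
    # IAM users carry userName; the root identity only carries its ARN.
    return identity.get("userName") or identity.get("arn", "unknown")


def detect_trail_findings(trail_json):
    """Return (eventTime, finding, detail) tuples for root use, no-MFA logins and tampering."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        identity = rec.get("userIdentity", {})
        name = rec.get("eventName")
        if identity.get("type") == "Root":
            alerts.append((rec["eventTime"], "root account activity", name))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append((rec["eventTime"], "console login without MFA", _actor(identity)))
        if name in TRAIL_TAMPERING:
            alerts.append((rec["eventTime"], "CloudTrail logging modified", _actor(identity)))
    return alerts
```

In production the same function would run over the gzipped files CloudTrail delivers to S3 or over events forwarded to CloudWatch Logs, rather than an inline sample.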

There are many third-party assessments, monitoring services, firewall managers, and more that can help keep your organization secure from one end to the other. If you need guidance monitoring and auditing the security of your infrastructure, you can enlist the help of a third-party service partner to help.

Your AWS Security Partner

You need an experienced provider to help navigate the intricacies of security for your cloud infrastructure and coding, to review code, train your team on proper security practices, and safeguard your infrastructure.

Engine Room Tech is passionate about cloud security and well-versed in the extensive requirements for establishing a secure cloud infrastructure and shared security responsibility in Amazon Web Services. We’ll guide you through it. Download our AWS security checklist today.
