You’ve likely considered hosting your website in the cloud, on a platform like Amazon Web Services (AWS). AWS has a shared responsibility model, which means you’re still responsible for securing your website. AWS handles the security of the hardware and data centers, but you’re responsible for securing your code and user data.
Since using AWS doesn’t mean automatic security, we’ve put together a five-step AWS security checklist. Use this as a quick audit and ask yourself if you’re doing these essential security practices. We’ll also link out to helpful resources along the way.
Use the Principle of Least Privilege - AWS Identity and Access Management
AWS Identity and Access Management (IAM) is a service that allows you to securely control access to AWS resources. The foundation of secure cloud infrastructure is your IAM implementation.
AWS has plenty of guides on how to use IAM effectively. So here are some tips for a quick audit to make sure you’ve got yours set up correctly.
- Use the principle of least privilege for users and EC2 instances. Give users and groups the minimum permissions they need to do their job, and nothing more.
- Use AWS managed policies to assign permissions. Amazon provides a predefined set of policies that are completely managed by AWS. These policies serve common use cases while making it easier to enforce access policies than creating policies from scratch.
- Assign permissions at the IAM group or role level, rather than to individual IAM users. For example, create groups such as administrators and developers, and assign permissions to the groups.
- PRO TIP: All applications running on the same EC2 instance run with the privileges of the EC2 instance. Don’t mix applications that require different levels of permissions on the same server.
- Create individual IAM users to serve as administrators. Give them only the access they need. Don’t use the Root user account for basic admin functionality and delete the root account access keys.
Protect Your Secrets
Moving your infrastructure to the cloud gives you a host of secrets to keep. You can’t hide behind your physical data center.
Here are the checks you should make to ensure you’re protecting your secrets. There are two ways of accessing AWS that you need to protect: console access and programmatic access.
Secure your root account password
- Make it strong
- Don’t write it down (use a password manager)
- Use multi-factor authentication
- Create an administrative group and add individual users to the group.
Don’t give out the root password. Don’t use the root account for everyday administrative tasks.
AWS uses an access key ID and a secret access key to provide programmatic access to the AWS API. The AWS Security Token Service (STS), which issues temporary credentials, can also be used.
- Delete access and secret keys for the root account if they exist. If an attacker is able to grab these, they’ll have full control of your environment.
- If you have to use keys, assign them to individual users (not the root account)
- Rotate keys regularly
- Password-protect the PEM (private key) files used for SSH access to EC2 instances
- Don’t store access or secret keys in a code repository
- Use STS for programmatic access
- Use IAM Role Delegation to give access to compute resources
Make Wise Use of Encryption
Solid encryption is table stakes for cloud deployments. Use this checklist to make sure your data is safe from theft.
Use AWS Key Management Service (KMS) to encrypt data. It’s easy, but AWS controls the keys. If you’re not okay with that, a solution such as StrongKey or Vault could be a better choice.
Enable encryption wherever it’s an option. AWS makes it easy, so there’s no reason to leave data unencrypted.
- S3 buckets
- RDS and Aurora databases
- EC2 EBS Volumes
Use HTTPS everywhere
If you’re using CloudFront, you’ll need certificates to set up HTTPS connections. Use the AWS Certificate Manager to create them.
Configure your databases to accept secure connections
Monitor Your Infrastructure
AWS has no shortage of logging options. Make sure you’ve configured the following logging services to best effect.
- CloudTrail Logs
- VPC Flow Logs
- S3 Access Logging
- Billing Logs
AWS has published a Centralized Logging Implementation Guide. Check it out to get the most out of your monitoring capabilities.
Keep Checking Yourself
We’re programmers at heart here, so we can’t leave this list without a bit of recursion. Check back to this list every once in a while to make sure everything’s still in top shape in your cloud environment.
There are a few options from AWS to help you audit your configuration as well.
- Trusted Advisor - AWS audits your resources for you
- AWS Config - You can use this to audit your configurations yourself with customizable templates
- You can write custom scripts using AWS CLI and Bash
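As an added example of the custom-script option (not code from the original post), the Bash script below audits an IAM credential report for several items from the "Protect Your Secrets" checklist: root access keys that still exist, root or console users without MFA, and active keys that have not been rotated since a cutoff date. It assumes the standard credential-report CSV layout and uses a constructed sample report in place of a real one.

```shell
#!/usr/bin/env bash
# Added example: audit an IAM credential report for checklist items
# (root access keys, MFA, key rotation). Not from the original post.
# Fetch the real report (needs iam:GenerateCredentialReport and iam:GetCredentialReport):
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d > report.csv

# Print one finding per line: active root keys, root without MFA, console users
# without MFA, and active keys last rotated before the ISO 8601 cutoff in $2.
audit_credential_report() {
  awk -F, -v cutoff="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header names -> column numbers
    {
      u = col["user"]; user = $u; root = (user == "<root_account>")
      for (k = 1; k <= 2; k++) {
        a = col["access_key_" k "_active"]; r = col["access_key_" k "_last_rotated"]
        active = $a; rotated = $r
        if (active != "true") continue
        if (root) print "ROOT_ACCESS_KEY " user " key" k
        # report timestamps are UTC; the first 19 chars (YYYY-MM-DDThh:mm:ss) compare as strings
        if (substr(rotated, 1, 19) < substr(cutoff, 1, 19)) print "STALE_KEY " user " key" k " rotated " rotated
      }
      m = col["mfa_active"]; p = col["password_enabled"]
      if (root && $m != "true") print "ROOT_NO_MFA " user
      if (!root && $p == "true" && $m != "true") print "USER_NO_MFA " user
    }' "$1"
}

# Constructed sample in the credential-report CSV layout (not real account data).
write_sample_report() {
  cat > "$1" <<'EOF'
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,not_supported,2024-02-01T09:00:00+00:00,not_supported,not_supported,false,true,2022-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T00:00:00+00:00,true,2024-02-10T12:00:00+00:00,2024-01-20T00:00:00+00:00,N/A,true,true,2024-01-20T00:00:00+00:00,2024-02-10T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T00:00:00+00:00,true,2024-02-10T12:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,2024-02-01T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
EOF
}

# Demo against the sample; for a real run use report.csv and a cutoff such as
# "$(date -u -d '90 days ago' +%FT%TZ)" (GNU date).
tmp=$(mktemp); write_sample_report "$tmp"
audit_credential_report "$tmp" "2023-11-01T00:00:00Z"
rm -f "$tmp"
```

Run it on a schedule and treat any output line as an item to fix; an empty run means every check above passed.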
Need some help with your AWS environment? Did we miss an important item? Get in touch with us and let us know!