AWS Cloud Security Best Practices
In this article, we will take a look at the AWS Cloud security best practices.
1. Introduction
Amazon Web Services (AWS) is a popular cloud platform that offers services such as compute power, content delivery, database storage, and other features to help businesses globally.
2. AWS Cloud Security Best Practices
2.1 Authentication
In AWS, the root account username and password give access to every resource, which creates vulnerabilities from a security point of view. IAM (Identity and Access Management) users are created so that the root account does not have to be used. IAM users are granted access permissions, and IAM roles are created for different system users. MFA adds a further security layer to the system. Password policies are standardized in the AWS security framework to secure the system, and IAM users need a complex password policy set. These practices help prevent password cracking, brute-force attacks, and credential stuffing.
Some of the best practices that are followed are:
- Root API access keys and secret keys are disabled
- Access to AWS EC2 instances is restricted to specific IP ranges
- Security groups are used to restrict access to AWS instances
- The .pem key file is created with password protection
- The authorized keys file is permanently removed and deleted from the AWS instances
- AWS access keys and database credentials are rotated
- Security privilege checks are executed regularly using IAM
- Bastion hosts are used to provide visibility and control
2.2 Authorization
In AWS, access control lists are managed in the security framework to control access to applications and databases. Access control lists hold the permissions for roles and user groups. Resource policies are used to grant users access to resources; a policy consists of access control lists. The root user is the owner of all the policies. The other option is to grant granular permissions on the resource itself.
Capability policies provide access permissions to the IAM groups of an organization. The policy states which actions can be performed and which are denied. Capability policies take precedence over resource policies.
2.3 Data Security
Data is encrypted to secure the information. Sensitive data such as protected health data and personally identifiable data is encrypted. The native encryption in the Amazon Web Services cloud includes HTTPS and SSL/TLS for AWS services and APIs. Data is archived and backed up on AWS using a backup strategy.
Amazon Relational Database Service can be provided with data protection features such as encryption, authentication, integrity, compliance, and cryptographic functions. Application-level protection can be provided by encrypting application data before it is persisted into the datastore. The application can manage its own encryption keys, which can be based on symmetric or asymmetric techniques.
2.4 Network Security
The AWS security framework has features to manage network latency and region-wise regulatory compliance. The network security framework includes features such as firewall ports and access control lists. Network latency and regulatory compliance can be managed based on the geographic region.
The best practices related to AWS cloud network security are:
- Security groups need to be used.
- ACLs are used because they are stateless; they provide another layer of control.
- ACLs and security groups need to be separated based on the type of control and access.
- AWS Direct Connect needs to be used for trusted connections.
- VPC-based resources need to be protected by a virtual gateway.
- Data in transit needs to be protected to provide data integrity and confidentiality.
- Network security layers are designed for large-scale deployments.
- External, demilitarized zone, and internal layers are designed using the network security layer.
- Virtual Private Cloud Flow Logs store the IP traffic moving in and out of the VPC network.
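The authentication list above says EC2 access is restricted to IP ranges through security groups, and the network list says security groups must be used; the following added example (not code from the original article or from AWS) shows one way to audit for the common mistake of leaving an administrative port open to the whole Internet. It walks a constructed list shaped like the EC2 DescribeSecurityGroups response; the group ids, names, and CIDRs are placeholders, and the admin port list is an assumption.

```python
import ipaddress

# Constructed sample, shaped like the EC2 DescribeSecurityGroups response
# (trimmed); group ids and CIDRs are placeholders, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-placeholder", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bastion-placeholder", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},  # office range
        {"IpProtocol": "-1", "IpRanges": [],            # "-1" = all protocols and ports
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Assumed list of ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}

def is_world_open(cidr):
    """True when the CIDR covers every address of its family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_admin_ports(rule):
    """Admin ports covered by one IpPermissions entry (TCP only; '-1' means all)."""
    if rule.get("IpProtocol") == "-1":
        return set(ADMIN_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}

def audit_security_groups(groups):
    """Return (group_id, port_name, cidr) for every admin port open to the world."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            ports = exposed_admin_ports(rule)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings += [(group["GroupId"], ADMIN_PORTS[p], cidr) for p in sorted(ports)]
    return findings

if __name__ == "__main__":
    for gid, port, cidr in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {port} reachable from {cidr}")
```

The web tier's HTTPS rule and the bastion's office-range SSH rule pass; the world-open SSH rule and the all-traffic IPv6 rule are reported.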
2.5 Additional Best Practices
The other best practices used for AWS Cloud Security are listed below:
- Vendor supplied defaults need to be changed while deploying applications on newly created AMIs
- Unnecessary user accounts need to be deleted
- A primary function needs to be assigned to every AWS EC2 instance so that different server types, such as web servers, database servers, and others, are kept at separate security levels.
- The system will run only secured services, protocols, and daemons; other services that are not essential will be disabled.
- Scripts, drivers, subsystems, EBS volumes, features, and other functional code that are not necessary are deleted.
3. Summary
Overall, the AWS Cloud security framework has features to provide authentication, authorization, data security, network security, and functionality for application and server protection.