Amazon AWS

AWS Cloud Security Best Practices

In this article, we will take a look at the AWS Cloud security best practices.

1. Introduction

Amazon web services is a popular cloud platform that has services like compute power, content delivery, database storage, and other features to help businesses globally.

2. AWS Cloud Security Best Practices

2.1 Authentication

In AWS, root account username & password are used for accessing resources. This also creates vulnerabilities from a security point of view. IAM based users are created to avoid root account issues. IAM (Identity & Access Mgmt) users can have access permissions. IAM Roles are created for different system users. MFA helps in adding a security layer to the system. Password policies are standardized in the AWS security framework for securing the system. IAM users need to have a complex password policy set. These practices help in avoiding security issues such as password cracking, brute force attacks, and credentials stuffing.

Some of the best practices which are followed are :

  • Root API access and secret keys are disabled
  • Access to AWS EC2 instances are restricted for IP ranges
  • Security Groups are used for restricting access to AWS instances
  • .pem file is created with password protection
  • Authorized keys file is permanently removed and deleted from the AWS instances
  • AWS access and database credentials are rotated
  • Security privilege checks are executed regularly using IAM
  • Bastion hosts are used to provide visibility and control

2.2 Authorization

In AWS, Access control lists are managed in the security framework for accessing the applications and databases. Access control lists have permissions for the roles and user groups. Resource policies are used to provide user access to resources. The policy consists of the access control lists. The owner of all the policies is the root user. The other option is to provide granular permissions to the resource.

Capability policies help in providing access permissions to the IAM groups for an organization. The policy has information related to actions that can be performed and which are denied. Capability policies have higher precedence to resource policies.

2.3 Data Security

Data is encrypted for securing the information. Sensitive data like protected health data and personal identifiable data are encrypted. The native encryption in the Amazon Web Services cloud has features such as HTTPS and SSL/TLS for AWS services and APIs. Data is archived and backed up on AWS using a backup strategy.

Amazon Relational Database service can be provided with data protection features such as encryption, authentication, integrity, compliance, and cryptographic functions. Application-level protection can be provided using encryption functions to protect the application data before persisting into the datastore. The application has the capability to manage encryption keys which can be based on symmetric and asymmetric techniques.

2.4 Network Security

AWS security framework has features to manage network latency and region-wise regulatory compliance. The network security framework has features like firewall ports and access control lists. Network latency and regulatory compliance can be managed based on the geographic region.

The best practices related to AWS cloud network security are :

  • Security groups need to be used.
  • ACLs are used as they are stateless. They help to provide another layer of control.
  • ACL and security groups need to be separated based on the type of control and access.
  • AWS Direct Connect needs to be used for trusted connections.
  • VPC based resources need to be protected by Virtual Gateway.
  • Data in Transit need to be protected to provide data integrity and confidentiality.
  • Network security layers are designed for large scale deployments.
  • External, Demilitarized Zone and internal layers are designed using the network security layer.
  • Virtual Private Cloud Flow logs help in storing the IP Traffic moving in and out from the VPC network instance.

2.5 Additional Best Practices

The other best practices used for AWS Cloud Security are listed below:

  • Vendor supplied defaults need to be changed while deploying applications on newly created AMIs
  • Unnecessary user accounts need to be deleted
  • A primary function needs to be created for every AWS EC2 instance to provide multiple security levels for different servers such as web servers, database servers, and other types of servers.
  • The system will have secured services, protocols, and daemons. The other services will be disabled which are not essentials.
  • The scripts, drivers, subsystems, EBS volumes, features and other functional code which is not necessary are deleted.

3. Summary

Overall, the AWS Cloud security framework has features to provide authentication, authorization, data security, network security, and functionality for application and server protection.

You can find more articles about AWS here.

Bhagvan Kommadi

Bhagvan Kommadi is the Founder of Architect Corner & has around 20 years’ experience in the industry, ranging from large scale enterprise development to helping incubate software product start-ups. He has done Masters in Industrial Systems Engineering at Georgia Institute of Technology (1997) and Bachelors in Aerospace Engineering from Indian Institute of Technology, Madras (1993). He is member of IFX forum,Oracle JCP and participant in Java Community Process. He founded Quantica Computacao, the first quantum computing startup in India. Markets and Markets have positioned Quantica Computacao in ‘Emerging Companies’ section of Quantum Computing quadrants. Bhagvan has engineered and developed simulators and tools in the area of quantum technology using IBM Q, Microsoft Q# and Google QScript. He has reviewed the Manning book titled : "Machine Learning with TensorFlow”. He is also the author of Packt Publishing book - "Hands-On Data Structures and Algorithms with Go".He is member of IFX forum,Oracle JCP and participant in Java Community Process. He is member of the MIT Technology Review Global Panel.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Back to top button