AWS security is a set of practices you can use to secure your data and resources in AWS. These practices are based on a model of shared responsibility in which AWS secures infrastructure and you secure data, applications, and connections. You can manage this security through a combination of your own tools and configurations and those provided by AWS.
In this article, you will learn:
- AWS Security Services
- Design Principles for Security in AWS
- 6 Critical AWS Security Best Practices
- AWS Security with NetApp Cloud Insights
AWS Security Services
Within AWS, there are many native security services and tools that you can apply to secure your assets. Some services are included in your account or service costs and others are elective services.
Learn more in our in-depth guides: AWS security services (coming soon) and AWS security as a service (coming soon)
AWS data protection services focus on protecting workloads, accounts, and data from illegitimate access. These services can provide continuous monitoring, threat detection, encryption, and encryption key management capabilities.
Services for data protection include:
- AWS Key Management Service (KMS)
- AWS Secrets Manager
- AWS CloudHSM (hardware security module)
- AWS Certificate Manager
- Amazon Macie
AWS network protection services focus on filtering traffic according to security policies. You can use these services to protect your endpoints and web applications with filtering based on HTTP request content, IP addresses, and URI strings. This can help you block a range of web application threats, including cross-site scripting and denial of service attacks.
Services for network protection include:
- AWS Web Application Firewall (WAF)
- AWS Firewall Manager
- AWS Shield
Identity and Access Management
AWS identity and access management (IAM) services focus on managing user permissions and identities, and controlling access to resources. You can use these services to secure workloads, internal resources, and applications.
Services for IAM include:
- AWS Identity and Access Management (IAM)
- AWS Resource Access Manager
- AWS Single Sign-On
- AWS Directory Service
- Amazon Cognito
Continuous Monitoring and Threat Detection
AWS provides multiple services for continuously monitoring network and account activity and identifying threats. These services enable you to collect log and metrics data to track events in your systems and alert to potential threats.
Services for monitoring and detection include:
- AWS Security Hub
- AWS CloudTrail
- Amazon GuardDuty
- AWS Config
- Amazon Inspector
- AWS IoT Device Defender
Data Privacy and Compliance
AWS can provide compliant environments for the most common regulations, including PCI and GDPR. It also offers services to help you audit compliance and evaluate your current configurations.
Services for data privacy and compliance include:
- AWS Artifact
Design Principles for Security in AWS
When configuring your AWS resources, following these principles can help you ensure greater security:
- Implement strong identity controls—base access and permissions on the principle of least privilege. You should also use role-based controls to separate permissions and enable the layering of authorization. Additionally, centrally managing identities makes maintenance easier and decreases the chance that permissions are distributed inconsistently.
- Enable traceability—configure monitoring services to integrate log and metrics data from across your resources. These services should enable you to track a chain of events or requests across your assets and provide alerts when activity is suspicious.
- Layer your security—apply multiple security controls to each layer of your operations with your highest priority or most sensitive services and data at the bottom. Proper layering and access restrictions can prevent lateral movement through your system and help you isolate threats.
- Automate security best practices—automation can help you ensure that resources and users are created with the proper security controls from the start. You can also use automation to routinely audit your system activity to detect threats that may have bypassed your controls.
- Secure your data—this involves encrypting data in-transit and at-rest. It is also helpful to classify your data according to privacy or sensitivity to ensure that controls are appropriately applied.
- Prepare for security events—create an incident response plan ahead of time and proactively audit your security configurations. This includes testing systems to ensure they work correctly and practicing response procedures.
6 Critical AWS Security Best Practices
In addition to the above design principles, these best practices can help you increase your security posture.
Learn more in our in-depth guide to aws security best practices (coming soon)
The dynamic and distributed nature of cloud resources can make it challenging to maintain consistent visibility of your assets. However, this visibility is essential to ensuring your data and applications are protected and that no resources are being abused.
To ensure visibility, you need to adopt services and solutions that can centralize your monitoring and alerting. These solutions should enable you to correlate activity across your resources regardless of host or location. Additionally, services should integrate service discovery capabilities. These capabilities help ensure that no resources are overlooked.
Eliminate Unnecessary Privileges
While you cannot entirely prevent abuse of privileges, you can significantly reduce the damage that attackers can cause. Make sure to limit the privileges given to users or roles and separate high level privileges.
When privileges are distributed across users, each individual identity is less powerful. This makes it harder for users to intentionally or accidentally harm systems or data. It also makes it more difficult for attackers to increase their own privileges if they gain compromised credentials.
Enforce Strong Authentication
Compromised credentials are a huge liability that can be minimized with strict authentication measures. This means enforcing strong password policies with password rotation and complexity limits. You should also consider adopting multi-factor authentication (MFA). MFA requires multiple proofs of identity before access is granted, making credentials harder to steal.
Additionally, you should make sure to educate staff and users about the importance of secure authentication. This includes training them to spot authentication vulnerabilities, such as phishing attempts, writing down passwords, or sharing credentials.
Limit Your Network Access
Cloud environments are naturally more vulnerable to attacks due to their connectedness to the Internet. Every resource, port, and interface you have is a gateway to your systems; known as an endpoint. To prevent breaches, you need to secure these endpoints with monitoring, traffic filtering, and intrusion detection and prevention measures.
One way to limit this access is by disabling any endpoints that you are not actively using, such as unnecessary ports. Another is to create policies limiting which IP addresses or IP ranges are allowed. Ideally, you should only allow addresses you know are safe in a process known as whitelisting.
Comply With Regulations
Depending on your operations and your data, there are multiple regulations that you may need to comply with. In addition to helping you avoid fines for failing to secure data properly, these regulations can help you protect your broader assets.
To ensure that you are following compliance guidelines and best practices, you should periodically audit your systems. Depending on the regulations that apply to use, tools may be available to automate this process. You also have the option of hiring compliance experts to periodically audit and verify your compliance. For compliance measures specific to AWS, including built-in practices, you can visit the AWS Compliance Center.
Because no security measures are 100% effective at all times, you need to have a recovery plan in place. This means creating and maintaining active backups of your data and configurations. Although AWS services automatically duplicate data for availability, this data does not help recover lost or corrupted data.
Depending on your services, there may be built-in mechanisms for snapshot backups. Alternatively, you can use the AWS Backup, which enables you to create, automate, monitor, and manage backups. Whichever method you choose, make sure that you are taking frequent backups and storing those backups in one or more separate locations.
AWS Monitoring and Visibility with NetApp Cloud Insights
NetApp Cloud Insights is an infrastructure monitoring tool that gives you visibility into your complete infrastructure. With Cloud Insights, you can monitor, identify security issues, troubleshoot and optimize both public clouds and private data centers.
Cloud Insights helps organizations reduce mean time to resolution by 90%, prevent 80% of cloud issues from impacting end users, and reduce cloud infrastructure costs by an average of 33%. It can even reduce your exposure to insider threats by identifying risks to sensitive data.
In particular, NetApp Cloud Insights protects organizational data from being misused by malicious or compromised users, through advanced machine learning and anomaly detection.
Learn More About AWS Security
AWS Security Best Practices: How to Protect Your Cloud
When setting up your resources and data in AWS, it can take a few tries to get your security configurations right. This may be okay if you test your deployment with dummy data but if you have live data in AWS, you need to get security right from the start. Discover 9 AWS security best practices you can adopt to ensure your AWS resources and any connected environments remain safe from critical risks.
Read more: AWS Security Best Practices: How to Protect Your Cloud (coming soon)
Types of AWS Security Services: How to Choose?
Amazon Web Services (AWS) provides a host of dedicated security services that you can use across your environments. Many AWS security services integrate with resources across AWS and some also support on-premises resources. Explore different types of AWS security services for data protection, IAM, infrastructure protection, threat management, and data compliance.
Read more: Types of AWS Security Services: How to Choose? (coming soon)