AWS Security Best Practices and MTP
Who is liable for cloud security: you or the cloud provider?
While most companies have many security issues, every business must be able to answer these three key questions:
- Who has access to which applications and when?
- How can we monitor for key file changes?
- Will we be notified promptly when something anomalous occurs?
AWS enables your organization to host and manage its entire workload in the cloud. Along with the advantages of leveraging infrastructure in the cloud, your organization’s most critical assets may be exposed to threats.
Exposed assets include storage instances with potentially sensitive information, compute resources that run some of your most critical applications, open ports, and virtual private networks that enable access to your organization.
Many of these incidents on AWS involve publicly accessible S3 buckets. In the last year alone there were highly publicized incidents, for example the Capital One data breach.
Top Security Issues on AWS
But considering the growing complexity of today’s data, use cases, compliance mandates, and so on, companies often struggle to understand how they can protect and secure their data, their customers, and their very existence before moving to (or while expanding on) AWS.
We’ve spoken to many of our Threat Stack customers as well as associates across the security industry to identify the most common challenges when it comes to AWS security, as well as some of the ways they are rising to meet them.
For more information, see the AWS Cloud Security Report.
IAM
- Avoid using the AWS root account’s access keys, as they give full access to all resources
- Enable MFA on the root account to provide two-factor authentication
- Create individual IAM users with only the permissions they need to log in and do their job
- Ensure User Accounts also have MFA authentication
- IAM Access Keys must be rotated at periodic intervals
- Ensure a strong password policy for users
- If required, conditions can be defined for Policies under which access is granted to a resource
- Get rid of unnecessary IAM credentials, that is, those that are inactive or unused
- Use IAM Roles to grant access to applications on EC2 Instances
- Assign permissions to users based on User Groups, instead of individual IAM users
- Provide access to a resource through IAM Roles
- Grant least privilege when creating IAM policies: only the permissions needed to perform the necessary actions
- Attach IAM Policies to Groups or Roles on creation
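As an added example (not part of the original post), the following Python script applies the root-key, MFA, key-rotation and unused-credential checks above to an IAM credential report. The report is a constructed sample using a subset of the columns of the real `aws iam get-credential-report` output; the account id, user names, dates, and the 90-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report (subset of the columns returned by
# `aws iam get-credential-report` after base64 decoding; all values are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2020-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2020-04-30T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-01T00:00:00+00:00,true,2020-05-10T08:00:00+00:00,2020-03-01T00:00:00+00:00,2020-06-01T00:00:00+00:00,true,true,2020-04-01T00:00:00+00:00,2020-05-10T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-02-01T00:00:00+00:00,true,2019-11-01T08:00:00+00:00,2018-02-01T00:00:00+00:00,N/A,false,true,2018-02-01T00:00:00+00:00,2019-11-01T08:00:00+00:00,false,N/A,N/A
"""

NOW = datetime(2020, 5, 15, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation interval
MAX_IDLE = timedelta(days=90)     # assumed threshold for "unused" credentials

def _parse(ts):
    """Return a datetime for an ISO timestamp, or None for N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=NOW):
    """Return a list of (user, finding) tuples for the IAM checks in the list above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root must have no active access keys and must have MFA; console users need MFA too.
        if is_root and (row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"):
            findings.append((user, "root account has an active access key"))
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            last_used = _parse(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            if last_used is None or now - last_used > MAX_IDLE:
                findings.append((user, f"access key {n} unused for {MAX_IDLE.days}+ days"))
    return findings
```

Run against a real report, the same function lists the root keys to delete, the users who still need MFA, and the keys to rotate or deactivate.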
S3
- Ensure S3 buckets are not publicly accessible (no public read or write permissions); users can enable ‘Amazon S3 block public access’
- Make use of object-level or bucket-level permissions in addition to IAM Policies to grant access to resources
- Enable MFA Delete to prevent accidental deletion of buckets
- Consider encryption of stored data, which can be done in two ways: server-side and client-side encryption
- Configure S3 lifecycle management through rule-based actions and use versioning to store and retrieve multiple versions of an object in a bucket, to deal with accidental deletions
- Ensure S3 access logging is enabled
- Constantly audit and monitor S3 buckets using CloudWatch metrics
- Encrypt inbound and outbound data traffic by using SSL/TLS endpoints
EC2, VPC & EBS
- Ensure data and disk volumes in EBS are encrypted with AES-256, the industry-standard algorithm
- Restrict access to instances from limited IP ranges using Security Groups
- Limit the range of open ports on EC2 security groups, to prevent exposure to vulnerabilities
- Ensure ELBs have a valid security group attached to them
- Monitor and optimize default security groups, as they allow unrestricted access for inbound and outbound traffic
- Restrict inbound access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS, etc., to the required entities only
- Use IAM roles, rather than access keys, to grant EC2 instances the temporary access they need
- If you’re using IAM user access keys for long-term permissions, ensure that you don’t embed the keys directly in code, generate different keys for different applications, rotate your access keys, use MFA authentication, and decommission unused key pairs
- Delete unused Virtual Private Gateways and VPC Internet Gateways
- Enable and activate your VPC flow logs to record inbound and outbound traffic in your VPC for better monitoring and early diagnosis
- Make sure that no VPC endpoints are exposed, by checking the principal value in the policy
- Ensure no ACLs allow unrestricted inbound or outbound access
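As an added example (not from the original post), the following Python check walks a constructed sample shaped like `aws ec2 describe-security-groups` output and reports every service from the list above that is reachable from any IPv4 or IPv6 address, plus any default group that permits inbound traffic at all. The group ids, names and rules are made up, and the port-to-service mapping is an assumption for the services the list names.

```python
import ipaddress

# Ports of the services the list above says must not be open to the world (assumed mapping).
SENSITIVE_PORTS = {22: "SSH", 21: "FTP", 25: "SMTP", 3306: "MySQL", 5432: "PostgreSQL",
                   27017: "MongoDB", 1433: "MSSQL", 445: "CIFS"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (values made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0002", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0003", "GroupName": "default",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def _is_world(cidr):
    """True when a CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def _ports(rule):
    """Sensitive ports a rule opens: a port range, or every port for protocol -1 / no FromPort."""
    if rule.get("IpProtocol") == "-1" or rule.get("FromPort") is None:
        return set(SENSITIVE_PORTS)
    return {p for p in SENSITIVE_PORTS if rule["FromPort"] <= p <= rule["ToPort"]}

def find_exposed_services(groups):
    """Return (group id, service, cidr) for every sensitive port reachable from anywhere,
    plus one finding for each default group that permits inbound traffic."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world(cidr):
                    continue
                for port in sorted(_ports(rule)):
                    findings.append((g["GroupId"], SENSITIVE_PORTS[port], cidr))
        if g["GroupName"] == "default" and g.get("IpPermissions"):
            findings.append((g["GroupId"], "default group allows inbound traffic", "*"))
    return findings
```

Note that the web group's HTTPS rule is not reported and its SSH rule is limited to an internal range, so only the database group and the default group produce findings.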
CloudTrail
- Make sure both CloudTrail itself and CloudTrail logging are enabled for all regions
- Ensure CloudTrail log file integrity validation is enabled
- Ensure CloudTrail is activated across all regions, and for global services like IAM, STS, etc.
- It is recommended to log to a centralized S3 bucket
- Ensure CloudTrail log files are encrypted
RDS
- Ensure RDS security groups do not allow unrestricted access
- Ensure encryption of the RDS instances and snapshots, using AES-256 level encryption
- Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS
- Ensure RDS database instances and snapshots are not publicly accessible
- Enable automatic minor version upgrades for RDS
- Control and monitor RDS encryption using AWS KMS with customer-managed keys
- Protect data in transit to RDS through SSL endpoints
Redshift
- Enable the require_ssl parameter on all Redshift clusters so that SQL clients must connect to the cluster over SSL, protecting data in transit
- Make sure Redshift user activity logging is enabled
- Enable Redshift Cluster encryption
- Launch Redshift clusters within a VPC for better control
- Ensure Redshift encryption with KMS Customer-Managed Keys
- Ensure that the Redshift clusters are not publicly accessible
AWS and Microsoft Threat Protection (Intro)
Microsoft security platforms provide many security layers, such as identity protection with Azure AD, shadow IT discovery with Microsoft Cloud App Security, unified infrastructure security management with Azure Security Center, and others.
About Microsoft Cloud App Security: connecting AWS to Microsoft Cloud App Security helps you secure your assets and detect potential threats by monitoring administrative and sign-in activities, and by notifying you of possible brute-force attacks, malicious use of a privileged user account, unusual deletions of VMs, and publicly exposed storage buckets. The risks it covers include:
- Abuse of cloud resources
- Compromised accounts and insider threats
- Data leakage
- Resource misconfiguration and insufficient access control
Microsoft Cloud App Security helps protect your environment by letting you:
- Detect cloud threats, compromised accounts, and malicious insiders
- Limit exposure of shared data and enforce collaboration policies
- Stay up to date with the latest security configuration recommendations
- Use the audit trail of activities for forensic investigations
Microsoft Cloud App Security with AWS provides the following security connections:
- Security auditing: This connection gives you visibility into and control over AWS app use.
- Security configuration: This connection gives you fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for AWS.
Cloud security is your responsibility, so you should know each weakness, how to handle it, and which security layers protect against it.
The next article will focus on how to protect AWS and how to configure Microsoft security with AWS.