As more enterprise organisations move workloads onto AWS, whose infrastructure is shared with other tenants, it is important that they follow security best practice from the outset.
AWS recommends Security by Design (SbD), a systematic approach which:
- Formalises AWS account design
- Automates security controls and streamlines auditing
- Provides control insights throughout the IT management process
- Supports the creation of IAM roles for the enterprise and the implementation of tag-based access control
There is a range of native and third-party tools that can be used to automate security in AWS.
AWS Identity and Access Management (IAM) provides central management of users, groups, roles and their permissions within AWS. It also supports federated access and can be integrated with corporate identity providers such as Microsoft Active Directory or an LDAP directory. IAM is default-deny: a request is refused unless a policy explicitly allows it and no policy explicitly denies it. Teams should build on this by writing least-privilege policies that grant only the actions and resources each workload needs, attaching them to groups and roles rather than to individual users, and managing the policies as code through the same automated pipeline as the rest of the infrastructure. Tag-based (attribute-based) access control, in which a policy condition compares a tag on the principal with a tag on the resource, keeps such policies small as the number of resources grows.
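An added example of the least-privilege, default-deny model and tag-based access control described above (this is not code from the original article or from AWS): TEAM_SCOPED_POLICY is an IAM policy document in real policy syntax, and is_allowed() is a deliberately small, hypothetical model of how IAM evaluates it, enough to check the behaviour offline. The account ID, instance ID and tag values are made up.

```python
"""Least-privilege, default-deny IAM policy with tag-based access control.

Added example, not code from the original article. TEAM_SCOPED_POLICY uses
real IAM policy syntax; is_allowed() is a deliberately small model of how IAM
evaluates it (default deny, explicit Deny beats Allow, StringEquals / Bool /
BoolIfExists conditions, ${...} policy variables). It is NOT the real IAM
engine and ignores resource policies, permission boundaries and SCPs.
"""
import fnmatch

# Constructed policy: a team may stop/start only EC2 instances whose "team" tag
# equals the caller's own "team" principal tag (attribute-based access control),
# and nothing at all unless MFA was used. Every other action is denied simply
# because no statement allows it.
TEAM_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnTeamsInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
            },
        },
        {
            # BoolIfExists (not Bool) so that requests signed with long-term
            # access keys, which carry no MFA context key at all, are also denied.
            "Sid": "DenyEverythingWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match of an action or ARN against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _substitute(value, context):
    """Expand ${key} policy variables from the request context."""
    for key, ctx_value in context.items():
        value = value.replace("${" + key + "}", ctx_value)
    return value


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual != _substitute(expected, context):
                    return False
            elif operator == "Bool":
                # A missing context key never satisfies Bool.
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                # A missing context key satisfies BoolIfExists; a present key must match.
                if actual is not None and actual.lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policy, action, resource, context):
    """Evaluate one request: default deny, explicit Deny wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    instance = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"
    mfa_session = {"aws:PrincipalTag/team": "payments",
                   "aws:ResourceTag/team": "payments",
                   "aws:MultiFactorAuthPresent": "true"}
    print(is_allowed(TEAM_SCOPED_POLICY, "ec2:StopInstances", instance, mfa_session))       # True
    print(is_allowed(TEAM_SCOPED_POLICY, "ec2:TerminateInstances", instance, mfa_session))  # False
```

The point worth checking is the MFA statement: with plain Bool, a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key, the condition does not match, and the Deny silently never applies; BoolIfExists closes that gap.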
AWS Config is a fully managed service that provides a resource inventory, a configuration history for each resource, and notifications when a configuration changes, to support security and governance. With AWS Config Rules you define checks, either AWS-managed or custom Lambda-backed, that are evaluated automatically whenever a resource changes or on a schedule, and each resource is marked compliant or non-compliant against them. This continuous assessment lets teams detect and correct deviations from their security baseline as they happen rather than at the next audit. AWS Config is particularly helpful for compliance regimes such as PCI DSS and HIPAA, where an auditor may ask for the configuration state of a system at an arbitrary point in time.
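As an added example of a custom Config rule (not code from the original article), the Lambda below marks a security group NON_COMPLIANT when SSH is open to the world. The event shape and the put_evaluations call are the ones AWS Config uses for custom rules; the security group configuration item, its IDs, the timestamp and the RecordingConfigClient stand-in are constructed so the rule can be exercised offline.

```python
"""Custom AWS Config rule: a security group is NON_COMPLIANT if it allows
inbound SSH (TCP/22) from 0.0.0.0/0 or ::/0.

Added example, not code from the original article. lambda_handler() follows
the event AWS Config passes to custom rule Lambdas (invokingEvent JSON holding
the configurationItem, plus resultToken) and reports back with
config.put_evaluations(). The configuration item below is constructed; the
client is injectable so the handler can run without AWS credentials.
"""
import json


def _covers_port(permission, port):
    """True when an ipPermissions entry includes the given TCP port."""
    protocol = permission.get("ipProtocol")
    if protocol == "-1":                       # all protocols and all ports
        return True
    if protocol not in ("tcp", "6"):
        return False
    return permission.get("fromPort", 0) <= port <= permission.get("toPort", 65535)


def _open_to_world(permission):
    v4 = any(r.get("cidrIp") == "0.0.0.0/0" for r in permission.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") == "::/0" for r in permission.get("ipv6Ranges", []))
    return v4 or v6


def evaluate_compliance(configuration_item, port=22):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource has been deleted"
    for permission in configuration_item.get("configuration", {}).get("ipPermissions", []):
        if _covers_port(permission, port) and _open_to_world(permission):
            return "NON_COMPLIANT", f"inbound port {port} is open to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"inbound port {port} is not open to the world"


def lambda_handler(event, context, config_client=None):
    """Entry point invoked by AWS Config on each configuration change."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:                  # real Lambda path
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_configuration_item(cidr="0.0.0.0/0"):
    """Constructed configuration item: one security group with a single SSH rule."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2017-06-01T12:00:00.000Z",
        "configuration": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": cidr}], "ipv6Ranges": []}
            ],
        },
    }


def make_event(cidr="0.0.0.0/0"):
    """Constructed invocation event in the shape AWS Config sends."""
    return {"invokingEvent": json.dumps({"configurationItem": sample_configuration_item(cidr)}),
            "resultToken": "constructed-token"}


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client; records what was reported."""
    def __init__(self):
        self.evaluations = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.evaluations.extend(Evaluations)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(make_event(), None, client)["ComplianceType"])              # NON_COMPLIANT
    print(lambda_handler(make_event("10.0.0.0/8"), None, client)["ComplianceType"])  # COMPLIANT
```

Keep the compliance logic in a pure function as here, so the rule can be unit-tested against captured configuration items before it is deployed, and so a non-compliant result can drive an automated fix (for example a second Lambda that revokes the offending ingress rule) rather than only a report.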
Amazon Inspector is an automated security assessment service that checks the EC2 instances your applications run on against rules packages such as known vulnerabilities (CVEs), CIS operating system benchmarks and AWS security best practices, and produces a findings report prioritised by severity. Running an assessment as part of the build and deployment pipeline means that issues are found and fixed before an image is rolled out to production; Inspector is equally useful for on-demand evaluations of what is already running.
AWS Trusted Advisor identifies gaps against best practice in cost optimisation, security, fault tolerance and performance. Its security category covers over a dozen checks, such as security groups with unrestricted access, IAM use and MFA on the root account, and it serves as a baseline recommendation tool for periodic reviews. Note that only a core subset of the checks is available to every account; the full set requires a Business or Enterprise support plan.
AWS CloudTrail records the API calls made in an AWS account (management events by default, with S3 object-level and Lambda data events available on request) and delivers the log files to an S3 bucket, and optionally to CloudWatch Logs, for compliance auditing and security analysis. Once the logs are in CloudWatch Logs you can create metric filters that raise alarms when a pattern appears, for example a console login without AWS Multi-Factor Authentication, and you can mine the same records forensically to establish who invoked a particular API action, from which IP address and when. Enable the trail in all regions and turn on log file validation so that the record itself can be shown to be complete and untampered.
Amazon CloudWatch Events lets you react to changes in your AWS resources as they take place, including the API calls that CloudTrail records. Combined with AWS Lambda and Amazon Simple Notification Service (SNS), it can notify teams and trigger automated countermeasures. For example, a CloudWatch Events rule can match suspicious activity and invoke a Lambda function that disables the access keys of the IAM user involved, or adds the offending source IP address to a deny rule, while SNS raises the alert to the on-call engineer.
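As an added example covering both the CloudTrail analysis and the CloudWatch Events response described in the last two paragraphs (not code from the original article): find_logins_without_mfa() applies the same predicate as the CloudWatch Logs metric filter quoted in its docstring, and lambda_handler() is a Lambda that disables an IAM user's access keys when invoked with such a sign-in event. The CloudTrail records, user names, IP addresses and key IDs are constructed, and FakeIAMClient stands in for boto3's IAM client so the whole thing runs offline.

```python
"""Detect console logins made without MFA in CloudTrail, and respond from
Lambda by disabling the offending IAM user's access keys.

Added example, not code from the original article. find_logins_without_mfa()
applies the predicate of the CloudWatch Logs metric filter
  { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
to CloudTrail records; lambda_handler() is the target of a CloudWatch Events
rule for "AWS Console Sign In via CloudTrail". Records and key IDs are
constructed and the IAM client is injectable so everything runs offline.
"""

# Constructed CloudTrail records in the shape of a log file's "Records" array.
SAMPLE_RECORDS = [
    {"eventTime": "2017-06-01T08:14:22Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "LoginTo": "https://console.aws.amazon.com/"}},
    {"eventTime": "2017-06-01T09:02:51Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}},
    {"eventTime": "2017-06-01T09:05:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]


def find_logins_without_mfa(records):
    """Return who/where/when for every ConsoleLogin that was not protected by MFA."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "type": identity.get("type"),                   # IAMUser, Root, AssumedRole, ...
            "user": identity.get("userName") or identity.get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "eventTime": rec.get("eventTime"),
            "outcome": rec.get("responseElements", {}).get("ConsoleLogin"),
        })
    return hits


def disable_access_keys(iam, user_name):
    """Set every Active access key of the user to Inactive; return the key IDs touched."""
    disabled = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
            disabled.append(key["AccessKeyId"])
    return disabled


def lambda_handler(event, context, iam=None):
    """CloudWatch Events delivers the CloudTrail record under event["detail"]."""
    hits = find_logins_without_mfa([event["detail"]])
    if not hits or hits[0]["type"] != "IAMUser":
        # Root and federated sign-ins have no IAM access keys; leave those to a human.
        return {"action": "none", "hits": hits}
    if iam is None:                                         # real Lambda path
        import boto3
        iam = boto3.client("iam")
    user = hits[0]["user"]
    return {"action": "keys_disabled", "user": user, "keys": disable_access_keys(iam, user)}


class FakeIAMClient:
    """Offline stand-in for boto3's IAM client holding two constructed keys."""
    def __init__(self):
        self.keys = {"AKIAIOSFODNN7EXAMPLE": "Active", "AKIAI44QH8DHBEXAMPLE": "Inactive"}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status


if __name__ == "__main__":
    for hit in find_logins_without_mfa(SAMPLE_RECORDS):
        print(hit)                                            # bob from 198.51.100.7
    print(lambda_handler({"detail": SAMPLE_RECORDS[1]}, None, FakeIAMClient()))
```

Keys are set to Inactive rather than deleted so the action is reversible once the sign-in has been investigated, and the response is deliberately limited to IAM users: a root or federated login without MFA still appears in the hits and should be escalated through SNS, but there is no key for the function to disable.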
It is important to understand that no native or third-party security tool will be fully effective unless the organisation has a well-defined cloud security strategy. The security boundaries in public cloud shift as organisations adopt IaaS, PaaS and SaaS offerings, because the share of the stack that the provider secures on your behalf differs for each.
Designing a comprehensive cloud security strategy within AWS means adapting controls and risk management methodologies to an agile operations model, as well as understanding how to utilise the resources available to maintain visibility.
At SystemsUp we have a well-defined cloud assessment framework to help organisations define their strategy and their approach to security as part of our cloud engagements.
By AbdulKhader AbdulHanif, Cloud Solutions Consultant, SystemsUp
SystemsUp is an AWS Advanced Consulting Partner and an Authorised Public Sector Partner. We have proven expertise in helping organisations successfully migrate to AWS within a formulated public cloud adoption framework and strategy. Please get in touch to find out more.