11 Simple Yet Important Tips to Secure AWS Deployments

With cloud security constantly improving and the volume of data growing exponentially, companies of all sizes are increasingly migrating applications and workloads to the cloud. In fact, Gartner Research recently predicted that the worldwide public cloud services market will grow from $209 billion in 2016 to $247 billion in 2017. As cloud computing continues to gain traction in the enterprise, it’s important to be aware of the security challenges associated with cloud environments, in particular, Amazon Web Services. AWS currently owns about 31 percent of the overall global cloud services market. In this eWEEK slide show, using industry information from Jaime Blasco, VP and chief scientist at AlienVault, we present 11 simple yet important tips to help organizations secure their AWS environments.

Root account credentials provide users with full access to the resources in the account. As a best practice, delete the root account access keys and create an Identity and Access Management (IAM) admin user instead. In addition, enable multifactor authentication (MFA) for another layer of protection.

Use AWS Security Groups to limit access to databases and administrative services, as well as to restrict the network ranges able to access services when possible. Be sure to also monitor and delete security groups that are inactive, and to audit them regularly.

AWS CloudTrail is an effective way to monitor your AWS environment as it logs every event related to your AWS infrastructure, including Application Program Interface (API) calls and changes made from the AWS Console, SDKs or command line tools. This level of detail related to your AWS account activity can be overwhelming from a security perspective, so it’s beneficial to leverage a security solution that has out-of-the-box correlation and alerting capabilities for CloudTrail events.

Identity and Access Management (IAM) roles can be very granular, e.g., you can use IAM roles to define permission levels for different resources and applications that run on Elastic Compute Cloud (EC2) instances. Assigning an IAM role to an EC2 instance eliminates the need for your applications to use AWS credentials to make API requests.

An Amazon VPC is a virtual network that runs in your AWS account. It is isolated from other resources and does not route you to the internet by default, which presents key advantages from a security perspective. You can also apply security groups and access control lists to reduce the attack surface.

A bastion host provides access to Linux instances deployed in a private subnet of your Virtual Private Cloud, removing the need to expose the Secure Shell (SSH) service of your Linux instances and centralizing SSH access to every system. This reduces your attack surface and simplifies access control, auditing and monitoring of SSH access.

In order to launch network scans or perform penetration tests in AWS, you must get permission from Amazon first. That being said, you can scan your EC2 instances for vulnerabilities as long as your vulnerability scanner can launch authenticated scans after logging into the system.

New EC2 instances can be terminated by default upon deployment via the console or the API. By enabling “Termination Protection,” you can prevent accidental terminations that have been known to happen.

Always remember to check the “Enable Encryption” checkbox when deploying your databases into Amazon RDS. This can be done without customization and adds another layer of security to your relational database workloads by encrypting data on the server that hosts your RDS instance.

When deploying web workloads, remember to use Elastic Load Balancers. This helps with auto-scaling, traffic encryption and access logs storage.

VPC Flow Logs can be created from a network interface, a subnet or the VPC itself, providing visibility into network traffic going through your VPCs, including the source and destination address, source and destination port, number of packets, bytes, duration and whether or not the traffic was accepted or rejected. This information can be used to detect suspicious traffic, check for Indicators of Compromise (IOCs) and help during an incident response or a forensic analysis after an incident.