7 Most Important AWS Security Tools
Amazon Web Services (AWS) is revolutionary in its ability to let companies dynamically scale their applications and infrastructure, and it has done a good job of baking security features into its offerings. Under the shared responsibility model, AWS secures the underlying infrastructure, but AWS makes it clear that it is up to customers to configure the services they use according to best practices. AWS provides many offerings to make this possible.
AWS takes layered security seriously and gives administrators tools to ensure their deployments are as secure as possible. One of the greatest advantages of the AWS security stack is the ease of deployment: in many instances, enabling a service is a matter of a few clicks or a single API call, with nothing to install or patch.
Here are some of the tools available, both AWS-native and third party.
AWS Shield is a managed DDoS protection service. Shield can protect EC2 instances, Elastic Load Balancing, CloudFront distributions, Global Accelerator, and Route 53 resources. Shield Standard is on by default for every account at no charge; Shield Advanced is a paid tier that adds attack visibility, cost protection for scaling caused by an attack, and access to the AWS DDoS Response Team. While DDoS protection may not sound revolutionary, consider that AWS claims 99 percent of the infrastructure-layer (layer 3/4) flood attacks Shield detects are mitigated automatically in less than one second for resources on CloudFront.
Sometimes attacks are designed simply to prevent a company from doing business. A tool that keeps you up without engaging your security team is a significant competitive advantage. Shield can even protect web applications whose origin is not hosted inside AWS, as long as traffic enters through CloudFront or Global Accelerator, because that edge is where the mitigation happens.
The bottom line: AWS Shield keeps your services reachable during volumetric attacks, with little or no work on your side.
GuardDuty is the “watcher on the wall”. It is a managed threat detection service that is simple to enable and scales with your infrastructure. It continuously analyzes CloudTrail management events, VPC Flow Logs and Route 53 DNS query logs (and, optionally, S3 data events) without you having to ship or store those logs yourself, and with a delegated administrator account it covers every account in your AWS Organization. AWS boasts that GuardDuty analyzes tens of billions of events across AWS and leverages machine learning and threat intelligence feeds to produce accurate and actionable alerts. Very few other companies can claim that kind of data set.
GuardDuty detects activity related to reconnaissance, instance compromise and account compromise. This encompasses port scanning, data exfiltration, communication with known malware and command-and-control infrastructure, unusual API calls, and attempts to disable logging, such as stopping or deleting a CloudTrail trail.
It is not possible to write your own detection rules for GuardDuty, because AWS intends it to be a “hands off” tool. What you can do is feed it your own threat intelligence lists and trusted IP lists, and define suppression rules to auto-archive findings you have confirmed are noise in your environment.
It can, however, drive automated remediation: every finding is published to Amazon EventBridge (formerly CloudWatch Events), where a rule can invoke an AWS Lambda function or notify an SNS topic, and the same findings flow into CloudWatch so administrators have a single pane of glass. Isolating a compromised EC2 instance is the classic case; locking out an IAM principal or a bucket is better left to a human, since those actions are harder to reverse safely.
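The remediation path just described, as an added example (not AWS's or the article's code): a Lambda handler invoked by an EventBridge rule for GuardDuty findings that quarantines the instance named in a High-severity instance finding. The quarantine security group ID, the severity threshold, the `FakeEC2` client and the sample finding are all assumptions so the module runs offline; the EC2 client method names are the real boto3 ones.

```python
"""Added example (not AWS's or the article's code): Lambda handler that
quarantines the EC2 instance named in a high-severity GuardDuty finding.

Wiring assumed: an EventBridge rule matching source "aws.guardduty" and
detail-type "GuardDuty Finding" invokes this function. QUARANTINE_SG is a
security group you created with no inbound or outbound rules; FakeEC2 and
SAMPLE_EVENT are constructed so the module runs offline.
"""

QUARANTINE_SG = "sg-0000000000quarantine"   # assumption: deny-all group in the VPC
SEVERITY_THRESHOLD = 7.0                    # GuardDuty scores >= 7.0 as High


def parse_finding(event):
    """Extract what the decision needs from an EventBridge event.
    Returns None if the event is not a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    resource = detail.get("resource", {})
    instance = resource.get("instanceDetails", {}) if resource.get("resourceType") == "Instance" else {}
    return {
        "id": detail["id"],
        "type": detail["type"],
        "severity": float(detail["severity"]),
        "instance_id": instance.get("instanceId"),
    }


def plan_remediation(finding):
    """Only instance findings at High or above are isolated automatically;
    IAM/S3 findings and lower severities are routed to a human instead."""
    if finding is None:
        return "ignore"
    if finding["instance_id"] and finding["severity"] >= SEVERITY_THRESHOLD:
        return "isolate"
    return "notify"


def isolate_instance(ec2, instance_id):
    """Swap every security group on every ENI of the instance for the quarantine
    group (the instance stays running for forensics) and tag it so nobody
    undoes the quarantine by accident."""
    reply = ec2.describe_instances(InstanceIds=[instance_id])
    enis = [ni["NetworkInterfaceId"]
            for reservation in reply["Reservations"]
            for inst in reservation["Instances"]
            for ni in inst["NetworkInterfaces"]]
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[QUARANTINE_SG])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "GuardDutyQuarantine", "Value": "true"}])
    return enis


def lambda_handler(event, context=None, ec2=None):
    finding = parse_finding(event)
    action = plan_remediation(finding)
    isolated = []
    if action == "isolate":
        if ec2 is None:  # inside Lambda: real client; role needs ec2:Describe*, ec2:ModifyNetworkInterfaceAttribute, ec2:CreateTags
            import boto3
            ec2 = boto3.client("ec2")
        isolated = isolate_instance(ec2, finding["instance_id"])
    return {"action": action, "finding": finding["id"] if finding else None, "enis": isolated}


class FakeEC2:
    """Stand-in for boto3's EC2 client so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa"}, {"NetworkInterfaceId": "eni-0bbb"}]}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append(("modify_network_interface_attribute", NetworkInterfaceId, tuple(Groups)))
        return {}

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", tuple(Resources)))
        return {}


# Constructed finding in the shape GuardDuty publishes to EventBridge.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "1ab2c3d4e5f6",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    client = FakeEC2()
    print(lambda_handler(SAMPLE_EVENT, ec2=client))
    for call in client.calls:
        print(call)
```

The handler keeps the instance running rather than terminating it, so memory and disk are still available to the incident responders, and it leaves non-instance findings to a notification path on purpose.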
The bottom line: GuardDuty analyzes your logs so that you don’t have to.
CloudWatch is the AWS monitoring tool for, well, everything. CloudWatch ingests logs, events, and metrics from across your AWS infrastructure (CloudTrail, VPC Flow Logs, and application logs shipped by the CloudWatch agent) so you have visibility into what is going on in your environment.
As anyone who has operated a SIEM knows, a tool that aggregates a ton of data and makes it searchable for engineers is crucial. Because CloudWatch integrates with GuardDuty and holds the surrounding log and metric context, it makes security incidents easier to investigate: a GuardDuty finding about an instance can be lined up with that instance’s flow logs and CPU metrics in one place. Metric filters over CloudTrail logs, such as an alarm on console logins without MFA or on any use of the root account, also give you the custom alerting that GuardDuty deliberately does not offer.
Aside from its security applications, CloudWatch also collects performance and resource utilization data. Its alarms can drive EC2 Auto Scaling to add or remove compute, so organizations get the best value out of their AWS spend.
The bottom line: CloudWatch provides a single pane of glass for log events and the output of the other security services.
Macie is all about protecting data. It is a machine learning service that watches data access trends and finds anomalies to spot data leaks and unauthorized data access, and it classifies the data it finds, flagging personally identifiable information, credentials and other sensitive content. It publishes its findings as events, so the same CloudWatch automation and custom alerting apply to them. It is a fully managed service, and it is always nice to add visibility and alerting without any additional work. It currently only supports monitoring S3 buckets.
It seems like a simple service, but quickly identifying unusual data access or data exfiltration can be critical to containing a breach.
In 2017, Uber disclosed a 2016 breach that exposed the personal information of 57 million riders and drivers. The breach was not the result of a misconfiguration or a failure of AWS security, but of attackers finding AWS credentials in a private GitHub repository and using them to pull the data out of Uber’s S3 storage. Uber paid the attackers $100,000 to delete the data and keep the breach quiet, until Uber itself ultimately revealed it to the public about a year later. The point for Macie is this: a credential that does not normally touch a bucket full of personal data suddenly reading all of it is exactly the access anomaly that should raise an alert at the time, rather than being pieced together after the fact.
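The access anomaly from the Uber case, as an added example rather than Macie's own logic: a detector over S3 server access logs that flags a principal whose successful object reads in one hour jump far above that principal's own hourly baseline. The log lines, bucket, principals, IP addresses and the 10x threshold are all constructed for the example; the field order follows the S3 server access log format.

```python
"""Added example (not Macie's code): flag a principal whose successful S3 object
reads jump far above its own hourly baseline, using S3 server access logs.
The log lines, principals, IPs and the 10x threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Leading fields of the S3 server access log format (space separated, time in
# brackets, request line quoted). Later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\S+) (?P<err>\S+) '
    r'(?P<bytes>\S+) (?P<size>\S+)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def hourly_read_bytes(records):
    """{requester: {hour: bytes served}} over successful object GETs only."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["op"] == "REST.GET.OBJECT" and r["status"] == "200":
            hour = r["ts"].replace(minute=0, second=0, microsecond=0)
            out[r["requester"]][hour] += r["bytes"]
    return out


def find_spikes(hourly, factor=10.0, min_baseline_hours=3):
    """Alert when an hour's volume exceeds factor x the mean of that requester's
    earlier hours. Per-principal baselines stop a noisy ETL role from masking a
    normally quiet credential that suddenly pulls everything."""
    alerts = []
    for requester, hours in hourly.items():
        ordered = sorted(hours.items())
        for i, (hour, served) in enumerate(ordered):
            prior = [b for _, b in ordered[:i]]
            if len(prior) < min_baseline_hours:
                continue  # not enough history to judge
            baseline = mean(prior)
            if baseline > 0 and served > factor * baseline:
                alerts.append({"requester": requester, "hour": hour.isoformat(),
                               "bytes": served, "baseline": baseline})
    return alerts


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return find_spikes(hourly_read_bytes(records))


MB = 1024 * 1024
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"   # constructed
CI_USER = "arn:aws:iam::123456789012:user/ci-deployer"                 # constructed; rarely reads this bucket


def _line(requester, hour, nbytes, ip="10.0.1.5", minute=0):
    # Builder for constructed log lines; owner ID, key and request ID are placeholders.
    return (f'79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be customer-exports '
            f'[06/Feb/2019:{hour:02d}:{minute:02d}:38 +0000] {ip} {requester} 3E57427F3EXAMPLE '
            f'REST.GET.OBJECT exports/daily.csv "GET /exports/daily.csv HTTP/1.1" 200 - {nbytes} '
            f'{nbytes} 17 16 "-" "aws-sdk-go/1.19" -')


SAMPLE_LOG = (
    [_line(APP_ROLE, h, m * MB) for h, m in enumerate([1, 2, 1, 3, 1, 2])]             # steady app traffic
    + [_line(CI_USER, h, 512 * 1024, ip="10.0.3.9") for h in range(5)]                # small config reads
    + [_line(CI_USER, 5, 400 * MB, ip="203.0.113.77", minute=m) for m in (3, 4, 5)]   # bulk pull from outside
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data only the `ci-deployer` user trips the detector: its 1200 MB hour against a half-megabyte baseline is the shape of an exfiltration, while the application role's normal variation stays well under the threshold.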
The bottom line: Macie lets you know if your data is compromised.
It is always nice to be proactive. Amazon Inspector is a security assessment service that does vulnerability and best-practice scanning of your EC2 instances: it checks installed packages against known CVEs, benchmarks hosts against the CIS and AWS security best-practice rules packages, and analyzes network reachability to find ports exposed further than intended. The best part is that administrators get continuous improvement for free, as the AWS security team keeps the rules packages current. Building security compliance and standards into infrastructure and application deployment gives organizations a massive head start on staying secure.
The bottom line: Amazon Inspector’s checks are always up to date.
Compliance and Configuration Scanners
Because AWS is a haven for DevOps engineers, it is no surprise that some of the best security tools are third party. Prowler and Scout Suite are two of the best compliance and configuration scanners to come out of the open source community.
Prowler describes itself as an AWS security best practices assessment, auditing, hardening, and forensics readiness tool. It ships with 89 checks spanning configuration areas like identity management, logging and networking, as well as checks mapped to GDPR and HIPAA, and it runs from the command line with the AWS CLI credentials you already have, which makes it easy to schedule or drop into a pipeline.
The bottom line: Prowler covers a lot of ground in a single run.
Scout Suite is also an auditing tool. The major differentiator between the two is that Scout Suite is multi-cloud: it supports AWS, Microsoft Azure, and Google Cloud Platform, and it renders its findings as an HTML report you can hand to the team that owns the account.
While auditing tools may not be as exciting as the others on the list, their importance cannot be overstated. Some of the worst data breaches on AWS have been the result of simple misconfigurations. Allowing public read or write access to S3 buckets has been responsible for data breaches of epic scale, and it takes only one ACL grant to the AllUsers group or one bucket policy with Principal “*” to cause it.
In 2017, Accenture, a corporate consulting firm, mistakenly left four S3 buckets publicly accessible. A security researcher discovered the buckets and alerted the company. In a display of just how easy this would have been to prevent, the buckets were secured the next day. It is reported that there was 137 GB of data in the buckets, including plaintext client passwords, credentials for AWS and other cloud platforms, decryption keys, and certificates. If a malicious attacker had accessed the data, the damage to Accenture and its clients could have been catastrophic.
Also in 2017, NICE Systems, a third-party partner of Verizon, left an S3 bucket publicly accessible that contained the names, addresses, account details, and account PINs of as many as 14 million Verizon customers.
The scale of these breaches illustrates how important an auditing tool can be to keeping your data safe, particularly since both would have been caught by the same public-bucket check that every scanner on this list performs. AWS has since added S3 Block Public Access, an account- or bucket-level setting that overrides public ACLs and policies; turning it on everywhere, and auditing for the buckets where it is off, is the cheapest fix available.
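The public-exposure check that Prowler and Scout Suite run against every bucket, as an added example (not either project's code). It evaluates the ACL grants, the bucket policy and the Block Public Access settings in the dict shapes boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, and rates each bucket; the bucket names, ACLs and policy documents below are constructed, with the first one mirroring the Accenture pattern.

```python
"""Added example (not Prowler's or Scout Suite's code): the public-exposure
check those scanners run against every S3 bucket. Inputs use the dict shapes
boto3 returns; bucket names, ACLs and policies are constructed."""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
WRITE_MARKERS = ("WRITE", "FULL_CONTROL", "s3:Put", "s3:Delete", "s3:*")

def acl_findings(acl):
    """Grants to the two predefined public groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            out.append(f"ACL grants {grant['Permission']} to {who}")
    return out

def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_findings(policy_json):
    """Allow statements with a wildcard principal; a Condition is reported, not excused (aws:Referer is spoofable)."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    out = []
    for s in statements:
        if s.get("Effect") != "Allow" or not _principal_is_everyone(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        keys = [k for operator in s.get("Condition", {}).values() for k in operator]
        scope = "conditional on " + ", ".join(keys) if keys else "unconditional"
        out.append(f"policy allows {', '.join(actions)} to everyone ({scope})")
    return out

def audit_bucket(name, acl, policy_json=None, public_access_block=None):
    findings = acl_findings(acl) + policy_findings(policy_json)
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    blocked = all(pab.get(flag) for flag in PAB_FLAGS)
    if not findings:
        severity = "OK"
    elif blocked:
        severity = "LOW"        # grants exist but S3 Block Public Access neutralises them
    elif any(marker in f for f in findings for marker in WRITE_MARKERS):
        severity = "CRITICAL"   # world-writable: data can be planted, altered or destroyed
    else:
        severity = "HIGH"       # world-readable
    return {"bucket": name, "severity": severity, "findings": findings}

def audit_account(s3):
    """Same check over a live account with a boto3 S3 client (network; not exercised here)."""
    from botocore.exceptions import ClientError
    results = []
    for b in s3.list_buckets()["Buckets"]:
        name, policy, pab = b["Name"], None, None
        try:
            policy = s3.get_bucket_policy(Bucket=name)["Policy"]
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
        try:
            pab = s3.get_public_access_block(Bucket=name)
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
        results.append(audit_bucket(name, s3.get_bucket_acl(Bucket=name), policy, pab))
    return results

# Constructed inputs; OWNER uses a placeholder canonical user ID.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERCANONICALID"}, "Permission": "FULL_CONTROL"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_READ_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PUBLIC_WRITE_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-reports/*"}]})
PAB_ALL_ON = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}
SAMPLE_BUCKETS = [
    ("client-reports", PUBLIC_READ_ACL, PUBLIC_GET_POLICY, None),   # the Accenture pattern
    ("uploads", PUBLIC_WRITE_ACL, None, None),
    ("backups", PUBLIC_READ_ACL, None, PAB_ALL_ON),                  # latent grant, blocked
    ("private-logs", {"Grants": [OWNER]}, None, PAB_ALL_ON),
]

def run_samples():
    return [audit_bucket(*args) for args in SAMPLE_BUCKETS]
```

Run `run_samples()` to see the four ratings. The severity order matters when you have hundreds of buckets: a world-writable bucket outranks a world-readable one because an attacker can plant malware or ransom the contents, and a public grant that Block Public Access already neutralises is still worth cleaning up before someone relaxes the block.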
The bottom line: Start with a solid security foundation.
Security at Scale
AWS is all about scale; growing quickly has never been easier. Many organizations host their entire application in AWS, from the web front end to backend databases, compute resources, and massive amounts of data. The ease of this scaling also means it is easy to build large, poorly configured and insecure deployments just as quickly.
Following the AWS published best practices and taking advantage of the available security services should allow companies to grow both quickly and securely.