9 Ways to Protect Your Cloud with AWS
Cloud computing may be the best thing since sliced bread, but it also comes with its fair share of risks. Putting your IT resources on the cloud can expose your sensitive data and applications to a broad array of attacks and vulnerabilities.
So, before you get gung ho about creating servers and migrating databases, it's best to secure your new infrastructure using effective cloud security practices. Here are some best practices you should implement at the beginning of your AWS cloud journey.
1. Enforce Least Privileges
Our first recommendation is both a well-known principle of network security and good practice for limiting cloud access: least privilege.
Suppose you have decided to put some important data on the cloud so that key people across your global organization can log in and review it when necessary. Just as the military protects its intelligence information on a need-to-know basis, your company's cloud privileges should be limited to only those personnel who have a significant reason to access the cloud resource.
2. Delete Root Account Access Keys
Along these lines, AWS recommends getting rid of the access keys associated with your AWS root account. AWS documentation puts this in no uncertain terms:
"We strongly recommend that you do not use the AWS account root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user."
Once you have set up your IAM user account, make sure to give yourself administrative privileges. Then as you create new IAM accounts for other users, you will be able to set their privileges accordingly.
3. Manage Access with Security Groups
This one is pretty important. In fact, Becky Weiss, Senior Principal Engineer at AWS, made this statement in a presentation recorded on YouTube: "If you get your security groups right, your network is secure."
Rather than managing individual access rights for each person in your organization, simply put everyone into particular groups that correspond to their required access privilege level. These may be organized by department, job role, or special teams.
To change privileges for everyone in a group, simply change the permissions for the security group.
4. Require Strong Passwords
You would think this would go without saying, but it's important enough to state here. Make sure you have clear policies about creating passwords, whether you're a network administrator or a user.
You've probably heard this many times before, but the use of strong passwords is an essential part of network security. For more on this, have a look at the AWS documentation on Setting an Account Password Policy for IAM Users.
5. Set Up Multi-factor Authentication (MFA)
You can create an extra layer of protection for your AWS cloud environment by establishing multi-factor authentication (MFA) for all your access accounts. Network administrators have learned that MFA makes it much more difficult to hack someone's password and use it to access sensitive data.
Along with what you know, such as a user name and password, MFA takes advantage of something that you have, like a token device or your mobile phone.
6. Encrypt Everything
You can protect Amazon S3 data with either server-side or client-side encryption. Using the proper tools, you can encrypt all data while in transit as well as while stored on the cloud.
AWS Key Management Service (AWS KMS) for instance, uses the AES algorithm with 256-bit secret keys. AWS encryption uses public and private keys to keep data from the prying eyes of hackers.
7. Enable CloudTrail
AWS recommends that you turn on CloudTrail as soon as possible — even if you're not really sure what it is or how to use it yet. While you're working on figuring it out, AWS CloudTrail will already be busy tracking user activity and API usage.
With CloudTrail, you'll be able to "automatically identify and respond to anomalous API activity across your account". The service is effective for:
- Operational auditing
- Risk auditing
Similar to server logs in traditional data centers, CloudTrail logs events and activities all through your cloud infrastructure. It can also alert you to unusual activity so that you can take quick action to deal with possible malicious intrusions.
8. Backup All Data
A proper backup system is a good idea for any IT environment, whether conventional or in the cloud. The same principles apply to the cloud that IT managers have always used. Backup often and use resources in another geographical location. Make backup as automated as possible, and be sure that you can quickly restore data if needed.
AWS offers a centralized backup service that is robust and automatic. You will need to set up policies and processes and verify their effectiveness with proper testing. Whatever you do, don't forget to back up your data!
9. Implement Web Application Firewalls
Your AWS security strategy is incomplete without a web application firewall (WAF). Amazon offers its own Managed Rules for AWS WAF, but you can tinker to customize them to your infrastructure.
The default rules address issues raised in OWASP Top 10 list, among other things.
As much as you might want to blame AWS for any security issues you may encounter, the cloud provider may counter with some objections. That's because they adhere to something called the Shared Responsibility Model.
Both AWS and the customer work together to secure the entire environment, but there are some divisions. AWS may be responsible for the security of the cloud, but the customer is responsible for security in the cloud. You can't just set it up and forget it. The customer has to do their part to secure his cloud implementations. And we hope that this article will give you a good head start to do just that.