AWS Security - Best Practices
- Salil Natoo
- Dec 24, 2024
- 3 min read

Introduction
Amazon Web Services (AWS) is the leader of the public cloud service market with up to 32% global share. It offers a broad variety of services such as compute, database, analytics, application, storage and deployment services. These services help an organization lower its IT cost, scale applications according to requirements and migrate easily. AWS operates under a shared responsibility model, which means that both AWS and its customers are responsible for security and compliance. AWS takes care of the infrastructure that runs all of the services offered in the AWS Cloud, while customers are responsible for configuring their infrastructure and applications: access rules, security group firewalls, guest OS updates and much more.
Security Challenges
There are multiple threats to applications running on AWS:
AWS Platform Compromise
Amazon has taken substantial care to protect its infrastructure from intrusion. Nonetheless, there is a small chance that an attacker could compromise a component of the AWS platform and gain access to private data, shut down an application running on the platform or destroy data permanently.
Exposed Keys or Weak Passwords - AWS Account Compromise
It is the customer's responsibility to use strong passwords and protect keys. If keys are exposed in a public environment, an attacker can use those credentials to access or delete resources, data or applications. For example, if a user has been granted access to AWS SageMaker and that user's keys are compromised, the attacker can use those credentials to mine data or perform invalid transactions.
Denial of Service attack
Although AWS provides DoS protection through AWS Shield, a large enough attack could take down an application running on the platform until the attack is mitigated.
Sensitive Data Upload - Policy Violation
Data may be uploaded in violation of the policies or regulations of an organisation or country. If an attacker uploads data that violates those policies, the AWS customer may be held responsible for it.
Privileged/Negligent Users
Many organisations do not scope user access to actual requirements, creating unnecessarily privileged members with access to multiple AWS services. Their malicious or negligent behaviour can then cause harm.
Checklist for AWS Security
The following is a checklist to follow for AWS security:
IAM
Multifactor Authentication for root account
Multifactor Authentication for IAM Users
Enable multimode Access for IAM Users
Attach IAM Policies to group and users
Rotate IAM Keys and Credentials every 90 days or less
Set up strict password policies
Set up password expiration to 90 days or less
Give minimum permissions to services while creating policies/role
Rotate SSH Keys periodically
Delete unused SSH Public Keys
Deactivate inactive users and their credentials
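The IAM items above (MFA on the root account, MFA for IAM users, 90-day key rotation, deactivating inactive users) can be checked against the account's IAM credential report. The following is an added example, not code from the original post: it audits the CSV that `aws iam get-credential-report` returns (after base64 decoding). The sample report is constructed and contains only the columns the checks read; a full real report has more columns but the same names and ISO 8601 timestamps.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)          # rotation / inactivity threshold from the checklist
AS_OF = datetime(2024, 12, 24, tzinfo=timezone.utc)  # evaluation date (post date, assumed)

# Constructed sample report: root without MFA, one healthy user, one stale user.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-12-20T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,true,2024-12-23T09:00:00+00:00,true,true,2024-11-15T00:00:00+00:00,2024-12-23T09:00:00+00:00,false,N/A,N/A
bob,true,2024-05-01T08:00:00+00:00,false,true,2024-01-10T00:00:00+00:00,2024-05-01T08:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """ISO timestamp -> datetime; N/A, no_information and not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=AS_OF):
    """Return a sorted list of (user, finding) tuples for the IAM checklist items."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == "<root_account>":            # root is reported under this fixed name
            if not has_mfa:
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password without MFA"))
        last_activity = [parse_ts(row["password_last_used"])]
        for n in ("1", "2"):                     # each user can hold two access keys
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_AGE:
                findings.append((user, f"access key {n} older than 90 days"))
            last_activity.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
        seen = [t for t in last_activity if t]
        if not seen or now - max(seen) > MAX_AGE:
            findings.append((user, "no activity in 90 days; deactivate"))
    return sorted(findings)

def run_sample():
    return audit_credential_report(SAMPLE_REPORT)

if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Pipe a real report into `audit_credential_report` to get the same findings for your own account; users that trigger no check produce no output.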
CloudTrail & Logs
Enable CloudTrail Logging across all AWS
Enable CloudTrail Log Validation
Enable CloudTrail Multi-Region Logging
Incorporate CloudTrail with CloudWatch
Enable logging for CloudTrail S3 buckets
Enable Logging for ELBs (Elastic Load Balancers)
Enable RedShift Logging
Enable Virtual Private Cloud (VPC) logging
Restrict Access to CloudTrail Buckets
SSL & Encryption
Use HTTPS for CloudFront Distributions
Don't use expired TLS/SSL Certificate
Encrypt CloudTrail Log Files
Encrypt ELB Database
Encrypt Amazon Relational Databases
Firewalls & Access Restrictions
Configure security groups and reduce inbound traffic to a limited amount
Configure bastion host - to ensure all other servers aren't open to the public network
Do not provide public write access to S3 buckets; use IAM roles instead
Backups
Perform periodic Backups for databases, storage, media files to Amazon S3
Perform periodic Archiving using S3 Glacier