Safeguarding Your AWS Environment: Important Security Considerations
Subash S
Posted: Nov 15, 2022
We adopt the practices and procedures to ensure that software is developed, deployed and maintained securely. This includes identifying and mitigating security risks, such as vulnerabilities or threats to the software, and ensuring that the software complies with relevant security standards and regulations. Security operations may involve activities such as threat modeling, security testing, vulnerability scanning, security incident response, and compliance auditing. By prioritizing security throughout the software development lifecycle, security operations help to protect the software and its users from potential security breaches and data loss and maintain the integrity of the software and the organization.
As a leading cloud provider in the region, AWS offers security features and services to host and deploy your applications. The platform-as-a-service model of AWS comes with built-in security and scalability features, enabling customers to effortlessly deploy applications with minimal concerns about the underlying infrastructure. In the AWS cloud environment, securing our resources is of utmost importance. AWS emphasizes that security and compliance are a joint responsibility shared between AWS and its customers: AWS is responsible for “Security of the Cloud”, and the customer is responsible for “Security in the Cloud”. This shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. For details, see the Shared Responsibility Model. Security is the primary concern at AWS, but all developers and operations staff have a role to play in developing and deploying secure applications. This covers the shared responsibility model; applying the principles of least privilege; handling sensitive data; IAM roles and resource policies; authorization and authentication; code signing; protecting applications with public endpoints.
Securing Infrastructure
Ensuring the security of the application component during the design phase of infrastructure is of utmost importance. Making changes to the existing infrastructure later can be challenging and time-consuming, akin to removing bricks from the foundation, potentially compromising its stability and reliability. Let’s now explore the security features, best practices, and recommendations provided by AWS for both the underlying infrastructure and the application. During this discussion, we’ll focus on maximizing security by thoroughly examining the various components offered by AWS.
IAM
The principle of least privilege is a powerful part of your security posture. If someone doesn’t need access to your AWS resources, they shouldn’t have access. AWS Identity and Access Management (IAM) enables us to manage access to AWS services and resources securely. Using IAM, we can create and manage AWS users and groups, and use permissions to allow and deny their access to resources.
First, ensure that the root user is not used for everyday tasks, even administrative ones. Anyone who has root user credentials for the AWS account has unrestricted access to all the resources in your account, including billing information. Instead, create IAM users and grant them access with least privilege, that is, only the permissions required to perform the required task. For best practices, refer to IAM Best Practices. Root user credentials are only used to perform a few account and service management tasks. To view the tasks that require you to sign in as the root user, see Root User Tasks.
Enhancing the security of IAM user logins is possible through the implementation of two-factor authentication. Additionally, for third-party applications that require access to perform specific tasks in AWS, it is crucial to restrict the permissions of the AWS Access Key/Secret Key combinations to only what is necessary. To achieve this, an IAM policy should be applied based on the precise requirements of the third-party application. Always implement IAM role-based authentication if the third party permits it. You can refer here to one of the use cases (AWS + GitHub IDP auth) I wrote on Medium. Make use of the temporary credentials provided by IAM roles and federated users instead of the long-term credentials provided by IAM users and access keys. As a security best practice, it is recommended to regularly rotate (change) IAM user access keys.
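The checks described in this section (root user credentials, two-factor authentication, access key rotation) can be run against the IAM credential report. The following is an added example, not code from the original article: the report rows are constructed, only a subset of the report's columns is used, and the 90-day rotation threshold is an assumption since the article names no number.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation threshold; the article names no number

# Constructed sample with a subset of the IAM credential report columns.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,true,2021-03-01T00:00:00+00:00,false,N/A
alice,true,true,true,2022-10-01T00:00:00+00:00,false,N/A
ci-deploy,false,false,true,2022-02-01T00:00:00+00:00,true,2022-11-01T00:00:00+00:00
bob,true,false,false,N/A,false,N/A
"""


def audit_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs, in report order, for the practices above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as "not_supported" but can always sign in.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} is active"))
            rotated = row[f"access_key_{n}_last_rotated"]
            if rotated == "N/A":
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old"))
    return findings


if __name__ == "__main__":
    today = datetime(2022, 11, 15, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for user, finding in audit_credential_report(SAMPLE_REPORT, today):
        print(f"{user}: {finding}")
```

In a real account the CSV comes from the IAM credential report download; pass the current UTC time as `now`.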
AWS Security Groups, Network ACLs, and Web ACLs:
AWS Security Groups, Network ACLs, and Web ACLs play a pivotal role in AWS cloud security operations. Here we look at the distinctions among these tools and how they collectively contribute to establishing a strong and reliable cloud security framework.
AWS Security Groups: Security Groups act as virtual firewalls that control inbound and outbound traffic at the resource level. They allow you to define granular rules, permitting specific traffic based on IP addresses, ports, or protocols. By configuring Security Groups correctly, you can restrict access to only necessary services and applications, reducing the attack surface and minimizing potential security risks.
Network ACLs: Network ACLs operate at the subnet level and control traffic between subnets in your VPC. Unlike Security Groups, Network ACLs are stateless, meaning you must define rules for both inbound and outbound traffic separately. These network ACLs provide individual controls that we can customize as a second layer of defense. Properly configuring Network ACLs helps prevent unauthorized access and helps protect sensitive data as it moves across subnets within your VPC.
Route Tables: Subnet-specific route tables contain a set of rules, called routes, that are used to determine where network traffic from the subnet or gateway is directed. Route tables are configured so as to eliminate, as far as possible, unauthorized access to both private and public subnets in the AWS VPC.
Web ACLs: Web ACLs are specific to Amazon WAF and protect your web applications from common web exploits and attacks, such as cross-site scripting (XSS) and SQL injection. By configuring Web ACLs, you can set up rules to allow or block traffic based on request attributes, IP addresses, or geographic locations. This adds an extra layer of security to your web applications, safeguarding them from malicious activities.
When it comes to cloud security, remember that a layered defense is the key to a strong security posture. Understanding the differences between these tools is crucial for implementing a comprehensive security strategy in your AWS environment. Developing a comprehensive security strategy within your AWS environment involves adeptly configuring AWS Security Groups, Network ACLs, and Web ACLs. By doing so, you gain the ability to control access, monitor traffic, and fortify your valuable resources against unauthorized access and potential cyber threats.
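The difference between a stateful Security Group and a stateless Network ACL is easiest to see by tracing one connection through both. The following is an added example, not code from the original article: it is a simplified TCP-only model with constructed rule sets, and the 1024-65535 ephemeral port range and all function names are assumptions made for the illustration.

```python
import ipaddress


def rule_hit(cidr, lo, hi, peer_ip, port):
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr) and lo <= port <= hi


def nacl_allows(rules, peer_ip, port):
    """Stateless NACL: rules are (number, cidr, port_lo, port_hi, action); the
    lowest-numbered matching rule decides, and no match means deny."""
    for _num, cidr, lo, hi, action in sorted(rules):
        if rule_hit(cidr, lo, hi, peer_ip, port):
            return action == "allow"
    return False


def sg_allows(rules, peer_ip, port):
    """Security group: (cidr, port_lo, port_hi) allow rules only; any match permits."""
    return any(rule_hit(cidr, lo, hi, peer_ip, port) for cidr, lo, hi in rules)


def https_round_trip(nacl_in, nacl_out, sg_in, client_ip, client_port=50000):
    """Trace one HTTPS request to a server in the subnet and the reply to the client."""
    if not nacl_allows(nacl_in, client_ip, 443):
        return "request dropped by NACL inbound"
    if not sg_allows(sg_in, client_ip, 443):
        return "request dropped by security group"
    # The security group is stateful, so the reply to an allowed request needs no
    # egress rule. The NACL is stateless, so the reply must match an outbound rule
    # covering the client's ephemeral port.
    if not nacl_allows(nacl_out, client_ip, client_port):
        return "reply dropped by NACL outbound"
    return "ok"


# Constructed rule sets (documentation IP ranges).
SG_IN = [("0.0.0.0/0", 443, 443)]
NACL_IN = [(90, "203.0.113.0/24", 0, 65535, "deny"),   # evaluated before rule 100
           (100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_MISSING = []                                    # inbound allowed, replies forgotten
NACL_OUT_FIXED = [(100, "0.0.0.0/0", 1024, 65535, "allow")]

if __name__ == "__main__":
    print(https_round_trip(NACL_IN, NACL_OUT_MISSING, SG_IN, "198.51.100.7"))
    print(https_round_trip(NACL_IN, NACL_OUT_FIXED, SG_IN, "198.51.100.7"))
    print(https_round_trip(NACL_IN, NACL_OUT_FIXED, SG_IN, "203.0.113.9"))
```

The first trace shows the common misconfiguration (inbound rule only), the second the corrected NACL, and the third the NACL acting as a second layer that denies a range the Security Group would have allowed.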
ACM
As a managed service, AWS Certificate Manager is protected by AWS global network security. It handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. ACM also simplifies security management by automating the renewal of expiring certificates.
AWS offers two options to customers deploying managed X.509 certificates. Choose the best one for your needs.
1. AWS Certificate Manager (ACM) — This service is for enterprise customers who need a secure web presence using TLS. ACM certificates are deployed through Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, and other integrated AWS services. The most common application of this kind is a secure public website with significant traffic requirements.
2. AWS Private CA — This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and is intended for private use within an organization. With AWS Private CA, you can create your own certificate authority (CA) hierarchy and issue certificates with it for authenticating users, computers, applications, services, servers, and other devices. Certificates issued by a private CA cannot be used on the Internet.
Network Intrusion Detection
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect the AWS accounts, workloads, and data stored in Amazon S3. With the cloud, the collection and aggregation of account and network activities are simplified, but it can be time-consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, we have an intelligent solution for continuous threat detection in AWS. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. Email alerts have been configured to be sent when GuardDuty detects any malicious activity in AWS resources.
Data Security
A key security consideration that can be implemented, depending on your application use case, is network layering. Layered networks help logically group similar networking components. They also shrink the potential scope of impact of unauthorized network access. A properly layered network makes it harder for unauthorized users to pivot to additional resources within your AWS environment. Allowing direct access to data stores such as databases is not recommended. Instead, isolate sensitive data through network isolation of the database subnet. Network isolation makes the database accessible only on a private IP address range and to only those components that require access to it. The data subnet for each environment can be isolated from the public subnet at the network level in AWS. Only components from the private subnet can access the data subnet. The public subnet is ideal for hosting VPN and other public-facing components.
Encryption:
Enabling encryption at rest and in transit is important. Encryption at rest ensures that the volumes underpinning the database and snapshots (if encrypted) can be read outside of the AWS account only with AWS KMS encryption key permissions explicitly granted. Encryption with customer-managed KMS keys is enabled for databases and snapshots that deal with sensitive data. Encryption can be enabled for databases, passwords/secret keys, EBS volumes, etc., which deal with sensitive data.
Secret Management:
Secret management is the practice of securely storing, distributing and managing sensitive information, such as passwords, API keys, certificates, and other credentials. Proper secret management is essential for ensuring the security of applications and infrastructure, as sensitive information can be a valuable target for attackers.
AWS SSM Parameter Store and Secrets Manager:
AWS SSM Parameter Store and Secrets Manager are used to store sensitive values. Sensitive data is encrypted with KMS and decrypted within applications whenever it is needed.
Secrets Manager and password rotation schedule
AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. Secrets Manager helps you improve your security posture because you no longer need hard-coded credentials in the application source code. Storing the credentials in Secrets Manager helps avoid possible compromise by anyone who can inspect your application or the components. You replace hard-coded credentials with a runtime call to the Secrets Manager service to retrieve credentials dynamically when you need them. With Secrets Manager, you can configure an automatic rotation schedule for your secrets. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. Since the credentials are no longer stored with the application, rotating credentials no longer requires updating your applications and deploying changes to application clients. The diagram below shows the setup of the Postgres database with secrets rotation scheduled for 30 days.
Vulnerability Management
Vulnerability management tools help to detect and mitigate vulnerabilities earlier in the SDLC, improve security posture, ensure compliance, and reduce costs.
Vulnerability Management Tools in AWS
Amazon Inspector: Amazon Inspector is an automated and continuous vulnerability management tool. Amazon Inspector automatically discovers workloads hosted in AWS, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure. Below is a sample image listing vulnerabilities in the Inspector AWS console.
Sensitive Data Discovery
Identifying sensitive data in the application infrastructure environment is essential for ensuring compliance, effective risk management, data protection, and reputation management. By implementing appropriate security controls, organizations can ensure that sensitive data is protected from unauthorized access, misuse, and breaches. Below is an example of a sensitive data discovery dashboard in AWS for data stored in S3 with Amazon Macie.
Monitoring and Alerts
AWS provides a wide array of monitoring tools, such as Amazon CloudWatch, AWS Config, AWS CloudTrail, and AWS Security Hub, which offer comprehensive insights into the infrastructure, applications, and user activities within the AWS ecosystem. These tools enable security teams to track resource usage, detect configuration changes, monitor API activity, and analyze logs to identify security events and potential risks.
Enable CloudTrail: CloudTrail enables you to monitor your AWS deployments by retrieving a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the AWS Command Line Interface, and higher-level Amazon Web Services. You can also identify which users and accounts called the ACM APIs, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off. For more information, see Creating a Trail.
To enhance security, AWS monitoring and alerting allow organizations to set up custom alarms based on predefined thresholds and security rules. These alarms trigger real-time alerts whenever suspicious activities, unauthorized access attempts, or unusual patterns are detected, empowering security personnel to respond swiftly to potential security breaches.
One scenario is using AWS EventBridge for login alerts. EventBridge enables you to capture and process events from various AWS services and integrate them with other AWS resources. Additionally, AWS Simple Notification Service (SNS) allows you to send notifications to different endpoints, such as email, SMS, or mobile push notifications. Once the setup is complete, AWS EventBridge will capture login events from AWS CloudTrail and send them to the SNS topic. Subscribers of the SNS topic will then receive notifications in real-time whenever a login event occurs in their AWS account.
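The login alert rule comes down to an event pattern that selects console sign-in events, plus a short message for the SNS subscribers. The following is an added example, not code from the original article: the matcher implements only the exact-value subset of EventBridge pattern matching, the events are constructed, and the message format and function names are assumptions (for instance, a formatting step placed between the rule and the topic).

```python
# Event pattern for the rule: console sign-in events recorded by CloudTrail.
LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"]},
}

def matches(pattern, event):
    """Subset of EventBridge matching: a list matches if it contains the event's
    value, a nested dict is matched recursively, a missing key never matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def login_alert(event):
    """Return the notification text for a sign-in event, or None if the rule does not match."""
    if not matches(LOGIN_PATTERN, event):
        return None
    detail = event["detail"]
    identity = detail["userIdentity"]
    result = (detail.get("responseElements") or {}).get("ConsoleLogin", "Unknown")
    mfa = (detail.get("additionalEventData") or {}).get("MFAUsed", "Unknown")
    flags = []
    if identity["type"] == "Root":
        flags.append("ROOT")
    if mfa != "Yes":
        flags.append("NO-MFA")
    if result != "Success":
        flags.append("FAILED")
    return (f"[{','.join(flags) or 'INFO'}] ConsoleLogin {result} by "
            f"{identity.get('arn', identity['type'])} from {detail['sourceIPAddress']} at {event['time']}")

def sample_event(identity_type, arn, result, mfa, source="aws.signin"):
    """Constructed event in the shape EventBridge delivers (fields trimmed)."""
    return {
        "source": source,
        "detail-type": "AWS Console Sign In via CloudTrail",
        "time": "2022-11-15T10:00:00Z",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type, "arn": arn},
            "sourceIPAddress": "198.51.100.7",
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa},
        },
    }

if __name__ == "__main__":
    print(login_alert(sample_event("Root", "arn:aws:iam::111122223333:root", "Success", "No")))
```

`LOGIN_PATTERN` serialized as JSON is what the rule itself would carry; the flags in the message let subscribers triage root, no-MFA and failed sign-ins without opening the raw event.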
AWS Security Hub
AWS Security Hub is a cloud security posture management tool designed to enhance the security of your AWS environment. It provides a comprehensive view of your security, operations, and compliance data, offering a unified perspective of security alerts and posture across all AWS accounts. This enables easy tracking, prioritization, and identification of trends and patterns in security issues. By correlating security findings with operational data like AWS CloudTrail logs and customer logs, Security Hub facilitates a deeper understanding of the root cause of security problems, allowing for quicker corrective action.
Moreover, it incorporates automated security checks based on AWS best practices and industry standards, aiding in the swift identification and remediation of security vulnerabilities. The platform generates findings from various AWS services and partner products, allowing users to filter, aggregate, and visualize these insights. AWS Security Hub’s benefits include a single view of security posture, root cause identification of security issues, automated security checks for AWS resources, and an easy-to-use console for streamlined management. If you’re seeking to improve your AWS environment’s security, AWS Security Hub is an excellent choice, providing a user-friendly and efficient solution to identify and resolve security concerns promptly.
Conclusion
By leveraging AWS security standards, monitoring and alerting services, organizations can strengthen their security posture, effectively detect and respond to security incidents, and maintain compliance with industry regulations. As cloud environments become increasingly complex, having robust monitoring and alerting mechanisms is essential to safeguarding sensitive data and maintaining a resilient security infrastructure in the cloud.