An article to help you understand the basics of AWS security
AWS security basics include using a documented plan, preparing and rehearsing for security threats, securing all layers of your infrastructure, using an identity system and enforcing permission levels, monitoring the cloud environment, using automated tools when possible, and protecting Data at rest and in transit.
Using AWS does not mean that the organization is not responsible for securing the entire cloud infrastructure, but rather that the responsibility is shared with AWS.
In short, AWS secures its cloud infrastructure as a whole, the hardware, software, network, and facilities that create AWS and provide AWS cloud services to customers. Customers are responsible for protecting the infrastructure they create on AWS: their data, operating systems, networks, applications, and other resources. This may be different for each cloud provider.
Be Prepared: Develop a Plan and Strategy for Security Threats
Before starting to use any security service, an organization must develop a plan and strategy for how to deal with security threats. Being prepared is one of the most important AWS security basics. AWS recommends that organizations develop a process for incident management based on their security requirements, such as regulations.
According to AWS, organizations should run incident drills to ensure teams are prepared. Exercises can also identify organizational weaknesses, inefficiencies in detecting threats, improve methods of security incident investigation, and how to recover from security incidents.
Protect all infrastructure layers
All layers of cloud infrastructure need to be protected. In a shared responsibility model, AWS is responsible for the base layer that runs AWS, and customers are responsible for the environments they run on AWS. It is best practice for organizations to understand what they are responsible for and what security tools are available to them.
AWS recommends using its Virtual Private Cloud (VPC) to create an isolated, private virtual network environment in AWS. Additionally, adding a firewall such as AWS WAF (Web Application Firewall) can prevent unauthorized access to critical applications and data.
AWS WAF is the foundation of AWS security, protecting web applications and APIs from typical web vulnerabilities. Organizations can create security rules to block common attack traffic patterns while allowing other traffic to pass to applications.
AWS Firewall Manager enables organizations to have consistent firewall rules across all of their AWS accounts and applications. Organizations using AWS Firewall Manager can configure and manage all firewall rules and policies from a central location. In this way, AWS Firewall Manager is able to protect an organization's entire cloud infrastructure.
Be Prepared: Develop a Plan and Strategy for Security Threats
Before starting to use any security service, an organization must develop a plan and strategy for how to deal with security threats. Being prepared is one of the most important AWS security basics. AWS recommends that organizations develop an incident management process based on their security requirements (such as regulations).
According to AWS, organizations should run event simulations to ensure teams are prepared. Simulations can also identify organizational weaknesses, inefficiencies in detecting threats, improve methods of security incident investigation, and how to recover from security incidents.
Protect all infrastructure layers
All layers of cloud infrastructure need to be protected. In a shared responsibility model, AWS is responsible for the base layer that runs AWS, and customers are responsible for the environments they run on AWS. It is best practice for organizations to understand what they are responsible for and what security tools are available to them.
AWS recommends using its Virtual Private Cloud (VPC) to create an isolated, private virtual network environment in AWS. Additionally, adding a firewall such as AWS WAF (Web Application Firewall) can prevent unauthorized access to critical applications and data.
AWS WAF is the foundation of AWS security, protecting web applications and APIs from typical web vulnerabilities. Organizations can create security rules to block common attack traffic patterns while allowing other traffic to pass to applications.
AWS Firewall Manager enables organizations to have consistent firewall rules across all of their AWS accounts and applications. Organizations using AWS Firewall Manager can configure and manage all firewall rules and policies from a central location. In this way, AWS Firewall Manager is able to protect an organization's entire cloud infrastructure.
Use an identity system and enforce permission levels
Identity systems such as Identity Access Management (IAM) go a long way in protecting cloud resources from inappropriate use. Such systems are fundamental to AWS security and overall security. IAM enables organizations to follow the principle of least privilege, where users are only granted access to the data they need to do their jobs.
With AWS IAM, organizations can use the service as a way to grant different levels of access and influence users' impact on cloud resources. Account administrators can use identity-based policies to grant permissions to users. This policy affects different users and groups differently.
An identity can be bound to a user or a group of users. This identification informs the security policy whether the user is allowed to perform certain actions or access certain resources. The degree to which operations and resources a user is allowed to perform is a sign of how much privilege has been granted to them.
In addition to AWS IAM, other AWS services that control user access include Amazon Cognito and AWS Single Sign-On (SSO).
Cognito grants authorized users access to an organization's applications. Users can be employees who have authorized access to the backend of the application, or they can be everyday users who only need access to the frontend.
AWS SSO allows an organization's employees to access multiple AWS accounts using a single set of credentials. Applications, accounts and associated permissions can all be managed centrally.
Monitor cloud environments
Organizations cannot protect themselves from undetectable threats. This is why monitoring your cloud environment is critical to security. With adequate monitoring, organizations are quickly alerted when a security incident occurs.
After a security incident, it's a good idea to have logs that provide a history of the actions performed leading up to the security incident and by whom. Various Amazon security services have such monitoring and logging capabilities.
Amazon Detective automatically collects log data from all your organization's cloud resources and uses that information to determine the source of possible security issues.
Amazon GuardDuty also continuously monitors cloud environments and analyzes log data for threats, anomalous activity, and anomalous behavior.
Amazon Macie is a machine learning-based service that automatically finds, classifies, and protects sensitive data. For example, personally identifiable information (PII) or intellectual property can be found and protected by Amazon Macie.
AWS Security Center is a control panel that compiles notifications and alerts from various AWS security services. The center aggregates, organizes and prioritizes monitoring information for administrators who view it.
Automated security features
Many of the services mentioned in the previous section are automation tools. This is important for administrators because it removes many tedious and time-consuming tasks from their plate and makes unnecessary tasks the responsibility of various services.
By letting software take over tasks such as data analysis or monitoring activities, administrators have more time to devote to projects that directly impact their organization's business needs. Additionally, processes such as automated policy deployment and enforcement make it easier for cloud instances to scale quickly.
Protect data at rest and in transit
Another AWS security foundation is protecting data while it's not being accessed or moved, as well as protecting data while it's in transit across an organization's network.
Data at rest can be protected through encryption and the use of access controls as described above. Data in transit can be protected through encryption, secure key and certificate management, security protocols such as Transport Layer Security (TLS), VPNs, and tools that can detect attempts to move data outside specific boundaries. Likewise, there are several AWS services can perform these tasks.
AWS has two security services that provide encryption: AWS CloudHSM and AWS Key Management Service (KMS).
AWS CloudHSM is a cloud-based Hardware Security Module (HSM) service that organizations can use to create their own encryption keys in the cloud. These modules are FIPS 140-2 Level 3 validated, which means they comply with U.S. federal information processing regulations.
AWS KMS is a managed way to create and control encryption keys. This service allows organizations to control the use of keys across multiple AWS services and within their own applications. AWS KMS also uses HSM. Both provide the encryption needed to prevent data from being accessed by attackers while it's at rest.
Security protocols for data transmission are key to ensuring the security of data during transmission. Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates can be provisioned, managed, and deployed through AWS Certificate Manager. With these security protocols, data is encrypted as it is transmitted over the network.
AWS Key Manager keeps secrets such as database credentials or API keys safe. Storing and controlling secrets is done centrally via the console, CLI, or API. With this service, secrets are not hardcoded into the application. Instead, an API call to AWS Key Manager retrieves the key.
Doing so means that someone examining the application code cannot find secrets that would grant them further access. This protects data within the application in any state.
Summary: Key takeaways from AWS security basics:
1. Every organization should have a plan on how to secure its cloud environment and execute it effectively.
2. Firewalls are a great way to protect different layers of your cloud infrastructure.
3. Identity access management and the principle of least privilege are fundamental elements of cloud security.
4. By monitoring and logging cloud activity, it becomes easier to identify who or what caused the security incident.
5. Automation makes the lives of IT administrators easier as they no longer need to focus on monotonous and demanding tasks.
6. Encryption is a common and effective method of protecting data at rest and in transit.
Original link: https://www.sdxcentral.com/cloud/definitions/aws-security-fundamentals/