AWS Cloud Security
Most readers already know what AWS is and the services it offers its customers. In this post we discuss how AWS addresses the concern that matters most to its customers: information security. AWS treats customer data as a top priority for its public cloud, and as an AWS customer you can take advantage of a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Protection in the AWS public cloud is comparable to the security of an on-premises (brick and mortar) data center, without the cost of managing the facilities and hardware yourself. In an AWS cloud environment you do not manage physical servers or storage devices; software-based security tools are used to monitor and protect the data flowing in and out of your cloud environment.
Benefits of AWS Security
AWS provides many benefits in the form of security and here are some of them:
- Keep Your Data Secure: AWS stores all data in highly secure AWS data centers across the globe and has strong mechanisms to protect customer data and privacy.
- Fulfill Compliance Requirements: AWS maintains many compliance programs for its cloud infrastructure, which means that parts of your own compliance work have already been done.
- Saving Money: You can maintain the highest level of security without the cost of managing your own on-premises environment.
- Scale-out Quickly: Whatever the size of your business, the AWS infrastructure is designed so that you can not only protect your data but also scale easily while keeping that data safe.
AWS Security Threats and their Mitigation:
Even in a secure cloud environment, customers still face security threats, many of which can be mitigated within AWS. Some of these threats and their mitigations follow:
User/Group Access & Security Policies
For an AWS customer, the biggest threat is users' access to and control over the network and systems. Privileged accounts can mistakenly be granted to the wrong people in your company, and when that access is given to a person who does not actually need it, things can go horribly downhill. This is what happened at GitLab when their production database was partially deleted by mistake.
With security group policies, system administrators sometimes configure weak policies that leave loopholes for attackers, since group policies are simpler to configure than granular per-user permissions. Anybody with basic knowledge of security policies can take advantage of lax group policy settings to exploit an infrastructure. Such settings leave your systems and data at high risk of exploitation by a disgruntled employee or by a bot: unattended scripts that run on or against your network looking for simple vulnerabilities, weak or misconfigured security groups on servers, and much more.
Fortunately AWS provides Identity and Access Management (IAM), including role-based access control (RBAC), with which these user access threats can be controlled and mitigated without too much effort. Examples are creating new accounts and access permissions according to the principle of least privilege (PoLP: only the privileges essential to perform the intended function), implementing access control lists (ACLs) on traffic in and out of your environment (by IP address, protocol and port), and using VPC features such as isolated networks that connect only to selected business deployment or critical instances and systems. When using IAM controls, employee education is key: everyone should know what controls are in place and how they work.
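As an added example (not code from the original post), the following audit flags the lax security group settings described above: ingress rules that open administrative or database ports to 0.0.0.0/0 or ::/0. It assumes the dict shape that the EC2 DescribeSecurityGroups API returns; the two sample groups and the port list are constructed for the illustration.

```python
import ipaddress

# Ports whose exposure to the whole Internet is almost never intended.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def _sensitive_ports(rule):
    """Sensitive ports covered by one IpPermissions entry."""
    if rule.get("IpProtocol") == "-1":      # "-1" means every protocol and port
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def lax_ingress_rules(group):
    """Findings (port, service, cidr) for ingress rules open to 0.0.0.0/0 or ::/0.

    `group` uses the dict shape that EC2 DescribeSecurityGroups returns."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                for port in sorted(_sensitive_ports(rule)):
                    findings.append((port, SENSITIVE_PORTS[port], cidr))
    return findings


# Constructed samples (not real groups): a lax group and its least-privilege replacement.
LAX_GROUP = {
    "GroupId": "sg-0example0lax", "GroupName": "web-lax",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ],
}
TIGHT_GROUP = {
    "GroupId": "sg-0example0tight", "GroupName": "web-tight",
    "IpPermissions": [
        # SSH only from the (hypothetical) corporate office range.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # PostgreSQL only from instances in the application tier's own security group.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0example0app"}]},
    ],
}
```

Running `lax_ingress_rules` over each group reports every world-open sensitive port for `LAX_GROUP` and nothing for `TIGHT_GROUP`, whose rules reference a specific office range and a source security group instead of the whole Internet.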
Protecting Your S3 Data (object storage)
A Detectify report described a vulnerability in AWS servers that allowed attackers to discover the names of S3 buckets. Using this information, the attackers could talk directly to Amazon's API and were able to read, write and update S3 buckets without the bucket owner noticing.
According to Amazon, this is not an actual S3 bug; it was an unexpected result of misconfigured S3 access policies. Educating yourself about S3 access configuration is therefore crucial.
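The misconfiguration Amazon refers to is usually a bucket policy whose Principal is the anonymous "*". As an added example (not from the original post or from AWS), the checker below parses a bucket policy document in the standard IAM policy JSON grammar and reports public Allow statements, classifying them as read, write, or conditional; the two policies are constructed, and the account id in the role ARN is a placeholder.

```python
import fnmatch
import json

# Actions that let a caller change data or the policy itself.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutBucketAcl")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_public(principal):
    """True for the anonymous principal, written as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_grants(policy_json):
    """Return [(Sid, kind)] for Allow statements usable by any unauthenticated caller.

    kind is "write", "read", or "conditional" (a Condition exists; review it by hand)."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or not _is_public(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        if "Condition" in st:
            findings.append((sid, "conditional"))
            continue
        patterns = _as_list(st["Action"])
        writes = any(fnmatch.fnmatchcase(a, p) for a in WRITE_ACTIONS for p in patterns)
        findings.append((sid, "write" if writes else "read"))
    return findings


# Constructed policies (not real buckets). LAX_POLICY is the misconfiguration
# described above: anyone on the Internet may read, write and delete objects.
LAX_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToWorld", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# TIGHT_POLICY grants only a named role (placeholder account id) and refuses
# any request that does not use TLS.
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

`public_grants(LAX_POLICY)` reports the single world-writable statement, while the corrected policy produces no findings because its only public statement is a Deny.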
Additional AWS Security Tools
AWS places a very high priority on protecting customer data and applications inside its cloud infrastructure. To that end, AWS has introduced many security tools that protect user data and applications from DDoS attacks, application latency and downtime, and that analyze the behavior of AWS resources. The following additional security services and tools are used to protect AWS cloud infrastructure.
AWS Web Application Firewall (WAF)
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF lets you allow or block traffic to your web applications by defining customized web security rules.
Amazon Inspector
Amazon Inspector allows you to analyze the behavior of AWS assets and helps identify possible security problems. Using Amazon Inspector, the security assessment service in your AWS cloud, you define a pool of AWS resources that make up an assessment target. After this, an assessment template is created and launched for a security assessment run against that target.
During the assessment run, the file system, network and process activity within the specified target are monitored and configuration data is collected. This data includes communication with AWS services, use of secure channels, details of running processes and their network traffic, and more. The collected data is then analyzed, correlated and compared against the set of security rules defined in the assessment template.
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that protects applications running on AWS infrastructure. It delivers always-on detection and automatic inline mitigations that help minimize application downtime and latency. AWS Shield has two tiers: Standard and Advanced.
With the Standard tier, AWS resources are automatically protected from common DDoS attacks. A higher level of defense can be achieved by enabling AWS Shield Advanced protection for Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53 resources using the management console or APIs.
With the Advanced tier, you can write customized rules to counter the most sophisticated application layer attacks, and these rules can be deployed quickly to mitigate DDoS attacks.
The AWS cloud allows customers to scale and innovate while maintaining a secure environment. Customers pay only for the services they use, while keeping the security they need at lower infrastructure and maintenance cost than an on-premises environment.
AWS offers many security services and capabilities that improve privacy and control over network access, including but not limited to:
- Network firewalls built into Amazon VPC and web application firewall capabilities in AWS WAF, which let you create private networks and control access to your applications and instances
- Encryption with protocols that provide confidentiality, integrity and availability for communications across all services
- Secure connectivity options that enable private or dedicated connections from your office or on-premises environment to the AWS Cloud