AWS Security Best Practices


My Experience with AWS Security:

Working at AWS over the past year, I’ve had the opportunity to see the most common cloud security vulnerabilities firsthand in the wild. Surprisingly, many of the issues that needed mitigation were largely trivial. Below is a security best-practice checklist every cloud admin should cover to verify that their AWS cloud environment is secure.

Securing IAM:

Enable multi-factor authentication (MFA): requiring MFA for all IAM users protects against unauthorized access. Many accounts fail to do so, even for the root account. This is one of the many checks Prowler performs.

Set a strong password policy: not only should the policy be enforced, it should also require passwords to be rotated regularly. For example:

{
    "PasswordPolicy": {
        "MinimumPasswordLength": 12,
        "RequireSymbols": true,
        "RequireNumbers": true,
        "RequireUppercaseCharacters": true,
        "RequireLowercaseCharacters": true,
        "AllowUsersToChangePassword": true,
        "ExpirePasswords": true,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 3,
        "HardExpiry": false
    }
}

Check the status of IAM user credentials: use the IAM credential report, which lists every user in the account along with the status of their passwords, access keys, and MFA devices. Review it for anything suspicious and take action.
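The three checks above (MFA on every user and on root, rotation within the 90-day window of the password policy, and a review of the credential report) can be automated against the report itself. The script below is an added example and not code from the original post: the CSV rows are constructed in the column layout that `aws iam get-credential-report` returns (a subset of its columns), and `fetch_credential_report` shows the boto3 calls needed to pull the live report, which is an assumption about your tooling rather than something the post prescribes.

```python
"""Audit an IAM credential report for MFA and access-key hygiene.

Added example, not code from the original post. The CSV layout follows the
report returned by `aws iam get-credential-report` (a subset of its columns);
the rows are constructed so every finding below fires at least once.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # same rotation window as MaxPasswordAge in the policy above
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "today" for the sample

# Constructed sample report (columns are a subset of the real report's header).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-01T12:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T09:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-03-01T09:00:00+00:00,2024-05-30T09:00:00+00:00,true,true,2024-04-01T09:00:00+00:00,2024-05-02T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-02-01T09:00:00+00:00,true,no_information,2023-02-01T09:00:00+00:00,2023-05-02T09:00:00+00:00,false,true,2023-02-01T09:00:00+00:00,N/A,false,N/A,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,2023-06-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-06-01T09:00:00+00:00,2024-05-01T00:00:00+00:00,true,2023-06-01T09:00:00+00:00,N/A
"""

NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_report_time(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in NOT_A_DATE:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=None):
    """Return (user, code, detail) findings for root MFA, user MFA and access-key age/use."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "ROOT_NO_MFA", "root account has no MFA device"))
        elif row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "USER_NO_MFA", "console password enabled without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "ROOT_ACCESS_KEY", f"{slot} is active on the root account"))
            rotated = parse_report_time(row[f"{slot}_last_rotated"])
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, "KEY_STALE", f"{slot} last rotated {(now - rotated).days} days ago"))
            if parse_report_time(row[f"{slot}_last_used_date"]) is None:
                findings.append((user, "KEY_UNUSED", f"{slot} is active but has never been used"))
    return findings


def fetch_credential_report():
    """Download the live report with boto3 (assumes boto3 and IAM read credentials)."""
    import time
    import boto3  # imported here so the offline audit above runs without it

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Swap SAMPLE_REPORT/SAMPLE_NOW for fetch_credential_report() to audit a real account.
    for user, code, detail in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{code:16} {user:14} {detail}")
```

On the sample, root is flagged for missing MFA, bob for a console password without MFA and a stale, never-used key, and the service user for two keys that have not been rotated in over 90 days; alice produces no findings. The placeholder values (N/A, no_information, not_supported) are the ones the real report uses, so the parser does not choke on them.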

Use IAM roles, policies, and groups to delegate access to AWS resources. IAM policies control what actions users, groups, or roles can take on resources and services. Apply the principle of least privilege and grant only the permissions required for the specific task. Make sure to avoid wildcard * permissions!
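A quick way to catch wildcard grants before they reach an account is to lint the policy document. The linter below is an added example, not code from the original post; the two policy documents are constructed, and `lint_customer_managed_policies` assumes boto3 and IAM read access in order to run the same check over an account's own policies.

```python
"""Lint IAM policy documents for wildcard grants.

Added example, not code from the original post. OVERLY_BROAD and
LEAST_PRIVILEGE are constructed policies; the boto3 helper at the bottom is an
assumption about how you would scan a real account.
"""
import json

# Constructed: what an over-broad policy typically looks like.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed: the least-privilege equivalent for a read-only consumer of one bucket.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ReadOneBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    },
}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return (sid, code, detail) findings for every Allow statement that over-grants."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "ACTION_ALL", "Action '*' grants every API in every service"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, "ACTION_SERVICE_ALL", f"{action} grants every API in that service"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((sid, "RESOURCE_ALL", "Resource '*' with no Condition applies to every resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NEGATED_MATCH", "NotAction/NotResource on an Allow grants everything not listed"))
    return findings


def lint_policy_json(text):
    """Same check over the JSON text stored in a file or returned by the API."""
    return lint_policy(json.loads(text))


def lint_customer_managed_policies():
    """Run lint_policy over every customer-managed policy (assumes boto3 and IAM read access)."""
    import boto3  # imported here so the offline checks above run without it

    iam = boto3.client("iam")
    results = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for policy in page["Policies"]:
            version = iam.get_policy_version(PolicyArn=policy["Arn"], VersionId=policy["DefaultVersionId"])
            findings = lint_policy(version["PolicyVersion"]["Document"])
            if findings:
                results[policy["Arn"]] = findings
    return results


if __name__ == "__main__":
    for name, doc in (("OVERLY_BROAD", OVERLY_BROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name, lint_policy(doc) or "no findings")
```

Treat RESOURCE_ALL as a prompt for review rather than an automatic failure: some read-only actions (many ec2:Describe* calls, for instance) only accept a Resource of *, which is why the linter lets a Condition block suppress it.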


Avoid committing access keys and credentials into source code: source code is not a secret store. Keep them out of code and instead store them in AWS Secrets Manager or AWS Systems Manager Parameter Store.

Use a central identity provider: this reduces operational overhead and simplifies the management of multiple AWS accounts. You don’t need to create IAM users, and authentication is consistent across the organization.


Securing Data

Server-Side Encryption: SSE provides encryption at rest within services such as S3, EBS, and RDS.

Client-Side Encryption: client-side encryption encrypts data before it’s uploaded to AWS. You manage the encryption keys yourself, making it ideal when you need full control over your data.

Use SSL/TLS: Secure Sockets Layer and its successor Transport Layer Security are protocols that provide encryption and authentication for data in transit. Use TLS to encrypt data transmitted over the network.

Use private connections: such as AWS Direct Connect to transmit data between your on-premises data center and AWS. It bypasses the public internet and establishes a dedicated connection from your infrastructure into AWS. Note that the link itself is private, not encrypted, so still use TLS (or a VPN over the connection) for the data that crosses it.

Use AWS VPN to create a secure, encrypted connection between your on-premises network and your AWS resources.

Secure Network:

Limit inbound traffic to only necessary ports: Open only the ports and protocols required for the resource to function.

Use security groups to control inbound and outbound network traffic to and from AWS resources.

Separate security groups for different resource types: Use different groups for resources that require different levels of access.
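Checking the three points above (only necessary ports, security groups as the control, separate groups per tier) comes down to scanning every group's ingress rules for anything reachable from the whole internet. The audit below is an added example, not code from the original post: the four groups are constructed in the shape boto3's describe_security_groups returns, and the allow-list of public ports and the `fetch_security_groups` helper are assumptions about your environment.

```python
"""Audit security group ingress rules for internet-exposed ports.

Added example, not code from the original post. SAMPLE_GROUPS is constructed
in describe_security_groups() shape with only the fields used here; the
allow-listed public ports (80/443) are an assumption for a web tier.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: one acceptable web group, one exposed bastion, one
# tier-to-tier database group and one legacy group that allows everything.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-sg", "IpPermissions": [
        # Reachable only from the app tier's security group, never from a CIDR.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60004"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60005", "GroupName": "legacy-sg", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all traffic, anywhere
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]


def _open_to_internet(perm):
    """True when any IPv4 or IPv6 source range of the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def audit_security_groups(groups, public_ports=frozenset({80, 443})):
    """Return (group id, code, detail) for internet-reachable ingress other than
    TCP on the allow-listed public_ports."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            if not _open_to_internet(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append((gid, "ALL_TRAFFIC_PUBLIC", "every protocol and port open to the internet"))
            elif proto in ("tcp", "udp"):
                low, high = perm["FromPort"], perm["ToPort"]
                if proto == "tcp" and set(range(low, high + 1)) <= public_ports:
                    continue  # intended public service port(s)
                findings.append((gid, "PORT_PUBLIC", f"{proto} {low}-{high} open to the internet"))
            else:
                # e.g. ICMP, where FromPort/ToPort hold type/code rather than ports
                findings.append((gid, "PROTOCOL_PUBLIC", f"protocol {proto} open to the internet"))
    return findings


def fetch_security_groups():
    """Pull every group in the region (assumes boto3 and ec2:DescribeSecurityGroups)."""
    import boto3  # imported here so the offline audit above runs without it

    ec2 = boto3.client("ec2")
    pages = ec2.get_paginator("describe_security_groups").paginate()
    return [g for page in pages for g in page["SecurityGroups"]]


if __name__ == "__main__":
    # Replace SAMPLE_GROUPS with fetch_security_groups() to audit a live region.
    for gid, code, detail in audit_security_groups(SAMPLE_GROUPS):
        print(f"{code:20} {gid} {detail}")
```

The web group passes because 80 and 443 are the ports it exists to serve; the bastion's SSH rule and the legacy group's allow-all rule are reported, and the database group passes because its only source is another security group, which is the pattern the "separate groups per tier" advice leads to.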

AWS WAF: to protect from common web exploits such as SQL injection and cross-site scripting (XSS).

AWS Shield: to protect from DDoS attacks. Use Shield Advanced if the extra bells and whistles are necessary.

GuardDuty: for threat detection. It continuously monitors accounts for malicious activity and can detect and alert you to potential threats.

Monitoring

AWS CloudTrail/AWS CloudWatch: CloudTrail provides a detailed record of all account activity, including API calls. CloudWatch tracks metrics, collects and monitors log files, and notifies you when security thresholds are met.
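CloudTrail is only useful if something reads it, and the thresholds CloudWatch alarms on are just rules evaluated over the records. The detector below is an added example, not code from the original post: it runs a few of the usual rules (console login without MFA, any root activity, API calls that disable the trail or GuardDuty, repeated failed console logins) over constructed records in the shape of a CloudTrail log file. The failed-login threshold and the tamper list are assumptions, not AWS defaults.

```python
"""Detection rules over CloudTrail records.

Added example, not code from the original post. SAMPLE_RECORDS are constructed
in the shape of a CloudTrail log file's "Records" entries (only the fields the
rules read are filled in); FAILED_LOGIN_THRESHOLD and LOGGING_TAMPER are
assumptions to tune for your own environment.
"""
import json
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3  # assumption for the demo; tune to your environment

# API calls that weaken the audit trail itself (CloudTrail and GuardDuty).
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors", "DeleteDetector"}


def _record(name, source, identity, ip, **extra):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventVersion": "1.08", "eventTime": "2024-05-03T10:00:00Z", "eventName": name,
           "eventSource": source, "userIdentity": identity, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


IAM_USER = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice"}

SAMPLE_RECORDS = [
    _record("ConsoleLogin", "signin.amazonaws.com", IAM_USER, "198.51.100.7",
            additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _record("ConsoleLogin", "signin.amazonaws.com", ROLE, "203.0.113.9",
            additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
    _record("DescribeInstances", "ec2.amazonaws.com", ROOT, "203.0.113.10"),
    _record("StopLogging", "cloudtrail.amazonaws.com", ROLE, "203.0.113.9",
            requestParameters={"name": "management-trail"}),
] + [
    _record("ConsoleLogin", "signin.amazonaws.com", {"type": "IAMUser", "userName": "carol"},
            "192.0.2.44", additionalEventData={"MFAUsed": "No"},
            responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
    for _ in range(3)
]


def _actor(rec):
    """Root records carry no userName, so fall back to the ARN."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def detect(records):
    """Return (code, actor, detail) alerts for the rules described above."""
    alerts = []
    failed_by_ip = Counter()
    for rec in records:
        name, actor = rec.get("eventName"), _actor(rec)
        identity_type = rec.get("userIdentity", {}).get("type")
        if name == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Success" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(("CONSOLE_LOGIN_NO_MFA", actor, f"from {rec.get('sourceIPAddress')}"))
            elif outcome == "Failure":
                failed_by_ip[rec.get("sourceIPAddress")] += 1
        if identity_type == "Root":
            alerts.append(("ROOT_ACTIVITY", actor, f"{name} via {rec.get('eventSource')}"))
        if name in LOGGING_TAMPER:
            alerts.append(("LOGGING_TAMPER", actor, f"{name} on {rec.get('eventSource')}"))
    for ip, count in failed_by_ip.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("CONSOLE_LOGIN_FAILURES", ip, f"{count} failed console logins"))
    return alerts


def detect_in_log_file(text):
    """CloudTrail delivers JSON files to S3 whose top-level key is "Records"."""
    return detect(json.loads(text)["Records"])


if __name__ == "__main__":
    for code, actor, detail in detect(SAMPLE_RECORDS):
        print(f"{code:24} {actor:48} {detail}")
```

In production the same rules live as CloudWatch Logs metric filters on the trail's log group, for example { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") } for the first rule, with an alarm on the metric; running the logic offline like this is a convenient way to validate a rule against captured records before deploying it.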

AWS Inspector: runs security assessments using configured templates that include various targets and rules packages.

AWS Systems Manager: use it to monitor for updates, and schedule patching to run during non-business hours to minimize the impact on users.

Conclusion:

Taking special measures is necessary to protect sensitive data. Today, many security best practices are not being met. Proactive steps must be taken to prioritize security so we can reduce the risk of breaches and ensure the confidentiality, integrity, and availability of data.