The shared responsibility model of public cloud can be confusing, and requires vigilance, especially as security teams learn how to manage multiple cloud environments in hybrid cloud settings.
Given the enormous popularity of Amazon Web Services (AWS), this article takes a deep dive into the methods of securing your data and applications in that environment, and offers ten top tips for IT managers looking to secure their AWS accounts and infrastructure.
1. Lock down your root account credentials
One of the biggest security concerns in public cloud environments is the safety of access keys and root credentials, because an attacker who compromises them can take control of your entire cloud account: read and exfiltrate your data, run malicious software on your resources, and create new resources in your account at your expense.
To minimise these risks, AlienVault recommends deleting the root account's access keys altogether (nothing in day-to-day operation should need them) and creating identity and access management (IAM) users or roles with only the privileges each administrator actually needs. Enable multi-factor authentication (MFA) on the root user and on every IAM user that has a console password, and check the account regularly (the IAM credential report is the quickest way) for root keys that have reappeared, users without MFA, and access keys that have not been rotated.
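The checks above can be automated against the IAM credential report. The following is an added example, not code from the article or from AlienVault: it parses the CSV that `aws iam get-credential-report` returns (after base64 decoding) and flags root access keys, missing MFA and stale keys. The report embedded below is constructed sample data and keeps only the columns the checks read (a real report has more; `csv.DictReader` selects columns by name, so a full report works unchanged), and the 90-day rotation limit is an assumed policy, not an AWS default.

```python
"""Flag root-account and MFA hygiene problems in an IAM credential report."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: a root user that still has an active access key
# and no MFA, an IAM admin that looks right, and a service user with a stale key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
admin,arn:aws:iam::111122223333:user/admin,2020-01-02T00:00:00+00:00,true,2024-03-02T09:00:00+00:00,2024-01-15T00:00:00+00:00,N/A,true,false,N/A,false,N/A
deploy,arn:aws:iam::111122223333:user/deploy,2021-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-06-01T00:00:00+00:00,false,N/A
"""

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy, not an AWS default


def _parse_time(value: str):
    """Report timestamps are ISO 8601; placeholders ('N/A', 'not_supported') -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, as_of: datetime) -> list[str]:
    """Return one finding per problem, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Tip 1: the root user should have no access keys and must have MFA.
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append(f"root: access key {slot} is active; delete it")
            if not mfa:
                findings.append("root: MFA is not enabled")
            continue
        # IAM users: a console password without MFA is the same exposure in miniature.
        if row["password_enabled"] == "true" and not mfa:
            findings.append(f"{user}: console password without MFA")
        # Active keys older than the rotation policy.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and as_of - rotated > MAX_KEY_AGE:
                age = (as_of - rotated).days
                findings.append(f"{user}: access key {slot} is {age} days old; rotate it")
    return findings


def audit_sample() -> list[str]:
    """Run the audit over the constructed report at a fixed date (for reproducibility)."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 3, 10, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Against the sample this reports the root key, the missing root MFA and the stale `deploy` key, and nothing for `admin`. On a live account, feed it the decoded `Content` field of the credential report and the current time.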
2. Use security groups
AWS Security Groups act as a stateful virtual firewall at the instance (network interface) level, controlling inbound and outbound traffic. Use them to limit access to administrative services (SSH, RDP, etc.) and to databases.
Restrict sources to specific network ranges wherever possible, and inside the VPC prefer referencing another security group as the source (for instance, a database group that admits connections only from the web tier's group) over IP ranges, so the rule follows the instances rather than their addresses. A rule that opens an administrative or database port to 0.0.0.0/0 or ::/0 should be treated as a finding. It is also important to monitor for and delete security groups that are no longer in use, and to audit the remaining rules periodically.
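The audit described above can be run over the output of `aws ec2 describe-security-groups`. This is an added example, not code from the article: it walks the `SecurityGroups` JSON structure and reports every administrative or database port that is reachable from 0.0.0.0/0 or ::/0, handling the `IpProtocol: "-1"` (all traffic) case and port ranges. The four groups below are constructed sample data, and the list of ports treated as administrative is the author's choice for this example.

```python
"""Find security groups that expose administrative or database ports to the world."""
import ipaddress

# Ports that should never be open to arbitrary source ranges (assumed list for this example).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # Problem: SSH open to the whole Internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db", "IpPermissions": [
        # Correct pattern: the database admits MySQL only from the web tier's group.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy", "IpPermissions": [
        # IpProtocol "-1" means all protocols and ports; the rule has no FromPort/ToPort keys.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "office", "IpPermissions": [
        # RDP restricted to one office range: not world-open, so not reported here.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]}


def _rule_covers(rule: dict, port: int) -> bool:
    """True if an ingress rule applies to TCP `port` (or to all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def _is_world_open(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only prefix-length-0 networks."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_admin_ports(describe_output: dict) -> list[tuple[str, str, str]]:
    """Return (group id, service, source cidr) for every admin port open to the world."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not _is_world_open(cidr):
                    continue
                for port, name in ADMIN_PORTS.items():
                    if _rule_covers(rule, port):
                        findings.append((group["GroupId"], name, cidr))
    return findings


if __name__ == "__main__":
    for group_id, service, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} open to {cidr}")
```

The `db` group is the pattern to copy: its source is the web tier's group ID rather than a CIDR, so it never shows up in a world-open audit. Detecting unused groups needs a second data set (the network interfaces that reference each group), which is why it is left out here.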
3. Enable and monitor AWS CloudTrail
As with all security operations, it is vital to collect and analyse all threat indicators across your environment so that you can successfully detect and respond to intrusions.
AWS CloudTrail is a critical resource for monitoring your AWS environment. CloudTrail records the API calls made in your account, whether they originate from the AWS Console, the SDKs, the command line tools or other AWS services, including who made each call, from which IP address, when, and with what parameters. Management events (changes to the account and its resources) are recorded by default; data events such as S3 object-level access must be enabled explicitly. Enable a trail for all regions, deliver it to a dedicated S3 bucket that the workloads themselves cannot write to, and turn on log file validation so that tampering with the delivered logs is detectable.
The sheer volume of CloudTrail data can be hard to evaluate from a security point of view, so we recommend using a unified solution with out-of-the-box correlation and alerting capabilities for CloudTrail events.
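To show what "correlation and alerting" on CloudTrail looks like in practice, here is an added example that is not code from the article or from AlienVault. It runs a handful of rules over a batch of CloudTrail records: root account usage, successful console logins without MFA, CloudTrail tampering, unauthorised API calls and security group changes, which mirror the well-known CIS AWS Foundations monitoring checks. The records are constructed and carry only the fields the rules read; in a delivered log file they sit under a top-level `Records` list.

```python
"""Run a small set of CloudTrail detections over a batch of records."""

# Constructed sample records with only the fields the rules below read.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-03-01T11:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-03-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "arn": "arn:aws:iam::111122223333:user/admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
              "CreateSecurityGroup", "DeleteSecurityGroup"}


def _actor(record: dict) -> str:
    """Best available name for who made the call."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def detect(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, actor, eventName) for every rule each record matches.

    One record can match several rules, e.g. a root console login without MFA.
    """
    hits = []
    for r in records:
        name = r.get("eventName", "")
        who = _actor(r)
        identity = r.get("userIdentity", {})
        # Any call made with root credentials, excluding calls an AWS service made on root's behalf.
        if identity.get("type") == "Root" and "invokedBy" not in identity:
            hits.append(("root_account_usage", who, name))
        # Successful console login where MFA was not used.
        if (name == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            hits.append(("console_login_without_mfa", who, name))
        # Someone turning off or altering the trail itself.
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            hits.append(("cloudtrail_tampering", who, name))
        # Denied calls: a burst of these usually means enumeration with stolen credentials.
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            hits.append(("unauthorized_api_call", who, name))
        # Firewall changes (tip 2) should always be reviewed.
        if r.get("eventSource") == "ec2.amazonaws.com" and name in SG_CHANGES:
            hits.append(("security_group_change", who, name))
    return hits


if __name__ == "__main__":
    for rule, who, event in detect(SAMPLE_RECORDS):
        print(f"{rule:28} {who:12} {event}")
```

The same conditions can be expressed as CloudWatch Logs metric filters on a trail delivered to CloudWatch, which is how the CIS benchmark specifies them; running them in code as above is useful when investigating a batch of historical log files from S3.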
4. Use virtual private cloud (VPC)
An Amazon virtual private cloud (or VPC) is a logically isolated virtual network that runs in your AWS account. It presents some key advantages from a security point of view: the network is isolated from other accounts' resources, nothing in it is reachable from the Internet unless you attach an internet gateway and add a route to it (note that the default VPC AWS creates for you already has one, with public subnets), and you can layer security groups at the instance level and network access control lists at the subnet level to reduce the attack surface. Put anything that does not need to be reached from the Internet (databases, application servers) in private subnets with no route to the internet gateway.
5. Implement a bastion host
A bastion host is a hardened instance in a public subnet that is the single point of SSH entry to the Linux instances deployed in the private subnets of your VPCs. The instances themselves accept SSH only from the bastion's security group, so their SSH service is never exposed to the Internet, and all administrative access is centralised on one system.
This reduces your attack surface and simplifies access control, auditing and monitoring of SSH access. Lock the bastion down accordingly: restrict its own SSH rule to known source ranges, enable MFA or key-based authentication only, log every session, and have administrators use SSH agent forwarding or ProxyJump rather than storing private keys on the bastion itself.
6. Scan for vulnerabilities
It's important to know that AWS restricts network scanning and penetration testing against its infrastructure: check the current AWS penetration testing policy before you start, and request authorisation where it requires one (at the time of writing, permission had to be requested from Amazon for all such testing).
That being said, you can scan your EC2 instances for vulnerabilities if your vulnerability scanner supports authenticated scans, which log into the system and check the installed packages and configuration rather than probing it over the network. Authenticated scans also give far fewer false positives than unauthenticated ones, so they are the better option regardless of the policy.
7. Protect EC2 instances against accidental termination
By default, a new EC2 instance can be terminated by anyone with the ec2:TerminateInstances permission, via the console or the API. A good practice is to enable "Termination Protection" (the DisableApiTermination instance attribute) on instances you cannot afford to lose: termination requests are then refused until the attribute is cleared, which prevents the accidental terminations that have been known to happen. Be aware of its limits: it does not stop an Auto Scaling group from terminating the instance, does not apply to Spot Instance interruptions, does not prevent termination when the instance's shutdown behaviour is set to terminate, and is no substitute for backups.
8. Activate RDS encryption
When deploying your databases into AWS RDS (Amazon relational database service), remember to check the "Enable Encryption" checkbox. Encryption at rest uses an AWS KMS key and covers the underlying storage, automated backups, read replicas and snapshots; it adds another layer of security to your RDS workloads with no change to the application. The catch is that it must be chosen when the instance is created: it cannot be switched on for an existing unencrypted instance. To encrypt an existing database, take a snapshot, copy the snapshot with encryption enabled, and restore from the encrypted copy. Encryption in transit is separate: require TLS for client connections as well.
9. Use load balancers
When deploying web workloads, it is a good practice to put them behind Elastic Load Balancers. This not only helps with auto-scaling but also lets you terminate TLS at the load balancer with centrally managed certificates, store access logs in S3, and, for Application Load Balancers, attach AWS's web application firewall (WAF) rules out of the box. Keep the instances behind the balancer in private subnets with a security group that admits traffic only from the load balancer's group, so that the balancer is the only Internet-facing component.
10. Activate VPC flow logs
VPC Flow Logs record metadata about the IP traffic going to and from the network interfaces in your VPCs. You can create a flow log for a single network interface, a subnet, or the VPC itself, and deliver it to CloudWatch Logs or S3.
Each record describes one flow over a capture window: the source and destination address, source and destination port, protocol, number of packets and bytes, the start and end time of the window, and whether the traffic was accepted or rejected by the security groups and network ACLs. Payloads are not captured, so flow logs tell you who talked to whom and on which port, not what was said.
VPC Flow Logs can be used to detect suspicious traffic such as port scans or connections to administrative ports from unexpected sources, to check traffic against Indicators of Compromise (IOCs), and to support incident response or forensic analysis after an incident.
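As an added example (not code from the article or from AlienVault), the following parses flow log records in the default version-2 format and applies two of the detections mentioned above: a single source being rejected on many different ports of one host (a port scan) and accepted connections to administrative ports from outside the VPC's private address space. The log lines are constructed, the port list and the five-port scan threshold are the author's assumptions, and the internal ranges are checked against an explicit RFC 1918 list because Python's `ip_address(...).is_private` also treats the documentation ranges used in the sample (such as 203.0.113.0/24) as private, which would hide the hits.

```python
"""Triage VPC Flow Log records for port scans and exposed administrative services.

Default version-2 record format (space separated):
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
import ipaddress
from collections import defaultdict

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}  # assumed list for this example
SCAN_PORT_THRESHOLD = 5  # assumed: distinct rejected ports from one source to one host

# RFC 1918 ranges only; VPC CIDRs are normally drawn from these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a scan from 203.0.113.12, an accepted SSH session from the
# Internet, legitimate internal MySQL traffic, and a window with no data.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51234 22 6 5 360 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51235 23 6 1 44 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51236 80 6 1 44 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51237 443 6 1 44 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51238 3389 6 1 44 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51239 3306 6 1 44 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 172.31.16.139 51240 8080 6 1 44 1709290800 1709290860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 172.31.16.139 49761 22 6 20 4249 1709290800 1709290860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 172.31.20.5 172.31.16.139 40000 3306 6 30 9000 1709290800 1709290860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 - - - - - - - 1709290800 1709290860 - NODATA
"""


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_log(text: str) -> tuple[list[dict], int]:
    """Return usable records and the number of NODATA/SKIPDATA records skipped."""
    records, unusable = [], 0
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14:
            continue  # not a version-2 default-format record
        if fields[13] != "OK":
            unusable += 1  # no fields to parse; worth counting, since SKIPDATA means lost visibility
            continue
        records.append({"src": fields[3], "dst": fields[4], "srcport": int(fields[5]),
                        "dstport": int(fields[6]), "proto": int(fields[7]),
                        "packets": int(fields[8]), "bytes": int(fields[9]),
                        "action": fields[12]})
    return records, unusable


def triage(text: str) -> tuple[list[tuple], int]:
    """Return (findings, unusable_record_count); each finding is a tuple starting with its rule name."""
    records, unusable = parse_flow_log(text)
    rejected_ports = defaultdict(set)
    findings = []
    for r in records:
        if r["action"] == "REJECT":
            rejected_ports[(r["src"], r["dst"])].add(r["dstport"])
        elif (r["action"] == "ACCEPT" and r["proto"] == 6  # 6 = TCP
              and r["dstport"] in ADMIN_PORTS and not _is_internal(r["src"])):
            findings.append(("admin_port_from_internet", r["src"], r["dst"], r["dstport"]))
    for (src, dst), ports in rejected_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port_scan", src, dst, len(ports)))
    return findings, unusable


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(f"{skipped} record(s) carried no data")
```

The accepted SSH session from 198.51.100.7 is exactly the kind of event that a bastion host design (tip 5) and a security group audit (tip 2) are meant to make impossible; seeing it in the flow logs means one of those controls has a gap.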
In conclusion, for today’s resource-strained IT teams, the explosion of public cloud services has only increased the complexity of securing critical infrastructure.
While AWS remains one of the dominant players in the market, many organisations choose to use a variety of different public cloud providers as well as on-premises infrastructure.
While this can bring benefits in terms of business continuity, it can also create substantial difficulties for those responsible for monitoring their IT infrastructure for potential threats. The only way to do this effectively is to use a unified security solution that offers centralised security visibility into all environments.
Centralising your public cloud, private cloud, virtual and on-premises security monitoring through a single security solution can save on operational costs without sacrificing reliability, and scale security monitoring as business requirements change.
Sourced by Jaime Blasco, chief scientist at AlienVault