AWS Security Management and Best Practices

By Danny Murphy | Published on 10.09.2020 | Data Security

Amazon Web Services (AWS) has become one of the most popular cloud service providers on the market. As with most reputable cloud providers, AWS is relatively easy to use, scalable, affordable and flexible.

They typically provide reliable encryption and security features, and various collaboration services that can help organizations streamline their business operations. However, when using any cloud service provider, there are a number of security and privacy issues, primarily relating to the loss of visibility and control over their critical assets.

Below are some basic tips that can help organizations mitigate the inherent privacy and security risks associated with AWS.

1. Configure AWS network security features

Even though Amazon is chiefly responsible for maintaining its servers and protecting them from intruders, organizations still have a responsibility to ensure that the services they use have been correctly configured.

This includes checking both the firewall and web application firewall settings, and ensuring that all sensitive data is encrypted, both at rest and in transit. Using the AWS Firewall Manager and Amazon WAF, you can manage the rules which are used to block suspicious network traffic.

Additionally, you can use AWS Key Management Services to manage the encryption keys used to secure your encrypted data.

2. Monitor suspicious activity

It is imperative that user activities, such as changes to privileged accounts and to files and folders containing sensitive data, failed logon attempts, API calls, and so on, are carefully monitored, both to protect your network and data from internal and external threats and to satisfy the regulatory compliance requirements that are relevant to your industry.

Amazon provides a number of services that enable you to detect and respond to such threats. The first is Amazon CloudWatch, which aggregates event data across over 70 AWS services, and the second is AWS CloudTrail, which monitors AWS account activity and API usage. However, if you want to audit a dedicated EC2 server, or aggregate data from multiple cloud service providers, you will need to use a dedicated change auditing solution.

Amazon GuardDuty is another feature that will monitor all AWS accounts for suspicious activity. GuardDuty uses machine learning and threat intelligence feeds to detect anomalous activity.

Additionally, Amazon Lambda can be used to provide an automated response and/or to communicate with third-party auditing solutions.

It should be noted that third-party Data Security Platforms provide a number of additional features to help audit AWS security states and changes, such as automated inactive user account management, password rotation, and threshold alerting.

Threshold alerting allows organizations to detect and respond to events that match a pre-defined threshold condition, such as multiple failed login attempts, or when multiple files are encrypted within a given timeframe.
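The two detection patterns described above, a per-user threshold on failed console logins and an alert on every privileged account change, can be run over CloudTrail records directly. The following is an added example and not Lepide's or AWS's code; the event records are constructed to mimic the shape of CloudTrail entries (`eventName`, `eventTime`, `userIdentity`, `responseElements`), and the list of events treated as privileged is an assumption, not an AWS-defined set.

```python
"""Threshold alerting over CloudTrail-style events (added example).

The records in SAMPLE_EVENTS are constructed; in a real deployment they would
be read from CloudTrail log files in S3 or from CloudWatch Logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IAM / CloudTrail changes that deserve an alert on their own (assumed list).
PRIVILEGED_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
    "CreateAccessKey", "CreateUser", "DeleteTrail", "StopLogging",
    "UpdateAssumeRolePolicy",
}

# Constructed sample: five failed console logins by "alice" inside four
# minutes, then a success; one privileged change by "bob"; two isolated
# failures by "dave" twenty minutes apart.
SAMPLE_EVENTS = [
    {"eventTime": "2020-09-10T08:00:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-09-10T08:01:10Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-09-10T08:02:20Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-09-10T08:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-09-10T08:03:45Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-09-10T08:04:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-09-10T08:10:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "carol",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2020-09-10T08:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "dave"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-09-10T08:40:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "dave"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one user accumulates `threshold` failed console logins
    inside a sliding `window`. The user's history is cleared after an alert,
    so a sustained burst yields one alert per `threshold` failures rather
    than one alert per event."""
    history = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        user = ev["userIdentity"].get("userName", "<unknown>")
        now = parse_time(ev["eventTime"])
        times = history[user]
        times.append(now)
        while times and now - times[0] > window:   # drop failures outside the window
            times.popleft()
        if len(times) >= threshold:
            alerts.append({"user": user, "count": len(times),
                           "first": times[0], "last": now})
            times.clear()
    return alerts


def detect_privileged_changes(events):
    """Every privileged IAM or CloudTrail change is reported individually."""
    return [{"user": ev["userIdentity"].get("userName", "<unknown>"),
             "event": ev["eventName"],
             "params": ev.get("requestParameters", {})}
            for ev in events if ev["eventName"] in PRIVILEGED_EVENTS]


def analyze(events):
    return {"failed_login_bursts": detect_failed_logins(events),
            "privileged_changes": detect_privileged_changes(events)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The same two functions would apply unchanged to records pulled from CloudTrail, and the `analyze` result is the kind of payload a Lambda function could hand to a ticketing or auditing system as the automated response mentioned above.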

3. Check for holes in your S3 buckets

Data leakage caused by misconfigured AWS S3 storage buckets is a common problem for AWS users. In simple terms, the problem is that S3 buckets are configured to be open to the public by default.

Many users are not aware of this, and thus fail to change the settings accordingly. Users will need to ensure that write access is disabled for the “any authenticated AWS user” group.

As always, it’s a good idea to monitor access to the buckets for anomalous activity.
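To turn the bucket check above into something repeatable, the example below audits each bucket's ACL for grants to the two public groups (AllUsers and AuthenticatedUsers) and reads the bucket's Block Public Access settings, since a public grant is only effective when `IgnorePublicAcls` is off. This is an added example, not Lepide's or AWS's code; the input dicts are constructed in the shape that boto3's `get_bucket_acl()` and `get_public_access_block()` return, and the severity labels are this example's own convention.

```python
"""Audit S3 bucket ACLs against the public groups and Block Public Access
settings (added example, constructed input)."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTHENTICATED_USERS: "Any AWS account"}

# ACL permissions that let the grantee change the bucket or its contents.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# The four Block Public Access settings, in the order the console shows them.
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample buckets; "pab" is None where no public access block exists.
SAMPLE_BUCKETS = {
    "uploads-prod": {
        "acl": {"Owner": {"ID": "owner-id"},
                "Grants": [
                    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                     "Permission": "FULL_CONTROL"},
                    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
                     "Permission": "WRITE"},
                ]},
        "pab": None,
    },
    "reports-archive": {
        "acl": {"Owner": {"ID": "owner-id"},
                "Grants": [
                    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                     "Permission": "FULL_CONTROL"},
                    {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                     "Permission": "READ"},
                ]},
        "pab": {"PublicAccessBlockConfiguration":
                {k: True for k in BLOCK_SETTINGS}},
    },
    "logs-private": {
        "acl": {"Owner": {"ID": "owner-id"},
                "Grants": [
                    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                     "Permission": "FULL_CONTROL"},
                ]},
        "pab": {"PublicAccessBlockConfiguration":
                {k: True for k in BLOCK_SETTINGS}},
    },
}


def public_grants(acl):
    """Return (grantee label, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def public_access_block_gaps(pab):
    """Names of the Block Public Access settings that are not enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {}) if pab else {}
    return [k for k in BLOCK_SETTINGS if not cfg.get(k, False)]


def audit_bucket(name, acl, pab):
    """Combine both views: an ACL grant to a public group only takes effect
    when IgnorePublicAcls is off. Public write is rated critical, public read
    high; a neutralised grant or a missing block setting alone is low."""
    grants = public_grants(acl)
    gaps = public_access_block_gaps(pab)
    effective = grants if "IgnorePublicAcls" in gaps else []
    if any(perm in WRITE_PERMISSIONS for _, perm in effective):
        severity = "critical"
    elif effective:
        severity = "high"
    elif grants or gaps:
        severity = "low"
    else:
        severity = "none"
    return {"bucket": name, "grants": grants, "effective_grants": effective,
            "missing_block_settings": gaps, "severity": severity}


def audit_all(buckets=SAMPLE_BUCKETS):
    return {name: audit_bucket(name, b["acl"], b["pab"])
            for name, b in buckets.items()}


if __name__ == "__main__":
    for result in audit_all().values():
        print(result["severity"].upper(), result["bucket"], result)
```

Bucket policies with a `"Principal": "*"` statement are the other way a bucket becomes public and are not covered by the ACL check; the `BlockPublicPolicy` and `RestrictPublicBuckets` gaps reported here are the settings that govern that case.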

4. Mitigate Distributed Denial of Service (DDoS) attacks

All public-facing applications are prone to DDoS attacks, which need to be promptly identified and shut down to minimize disruption. Amazon provides a service called AWS Shield, which can be used to automatically detect and respond to DDoS attacks. The standard service is free, although you will need to pay if you want to protect a dedicated EC2 server or if you are using Elastic Load Balancing (ELB).

5. Discover and classify sensitive data

In order to protect your sensitive data you first need to know exactly what data you have, where it is located, and how sensitive the data is.

Amazon Macie is a security and privacy service that provides more visibility into the location and type of data that is being stored. Using Macie you can automatically discover and classify data based on its content, although it is limited to data residing in S3 buckets.

If you wish to discover and classify data across multiple platforms, you will need to use a dedicated data classification solution. A dedicated solution will also classify the types of data that are relevant to your industry, including PII, PHI, PCI, and IP.

6. Manage identities via a centralized console

For maximum visibility and control, all AWS resources should be accessed via single sign-on (SSO). AWS Identity and Access Management (IAM) provides granular Role-Based Access Control (RBAC) to ensure that users are granted only the least privilege they need to carry out their role.

AWS IAM also has the ability to integrate with on-premises solutions such as Microsoft Active Directory, and with third-party IAM solutions that manage identities across multiple platforms. AWS IAM can be used in conjunction with AWS Directory Service to provide secure access to AWS resources.

7. Enable Multi-Factor Authentication (MFA)

AWS Multi-Factor Authentication provides a more robust layer of protection than the traditional username and password. With MFA enabled, users will not only be asked to enter their username and password, but will need to enter an authentication code, which they can get from their AWS MFA device.

The MFA device could be a smartphone or tablet running the MFA software, or some other device, such as a hardware key fob or display card, which they will need to purchase from Amazon. MFA can be enabled for your AWS account, individual users and API calls.
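Sections 6 and 7 meet in the IAM policy document: least privilege means no wildcard grants, and MFA for API calls is enforced by conditioning privileged statements on the `aws:MultiFactorAuthPresent` key. The linter below, an added example and not Lepide's or AWS's code, checks both for a policy document in standard IAM JSON. The two policies are constructed (the account id `111122223333` is a placeholder), and the list of action prefixes treated as privileged is an assumption of this example, not an AWS definition.

```python
"""Lint IAM policy documents for wildcard grants and for privileged actions
that are allowed without an MFA condition (added example, constructed input)."""
import json

# Action prefixes treated as privileged for the MFA check (assumed list).
PRIVILEGED_PREFIXES = ("iam:", "kms:", "s3:DeleteBucket",
                       "s3:PutBucketAcl", "s3:PutBucketPolicy")

# Constructed: the kind of policy that hands out everything to everyone.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllTheThings", "Effect": "Allow",
         "Action": "*", "Resource": "*"}
    ],
}

# Constructed: the same user's real needs, scoped and MFA-gated.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::reports-archive",
                      "arn:aws:s3:::reports-archive/*"]},
        {"Sid": "RotateOwnKey", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "ListInstances", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True when the statement is conditioned on aws:MultiFactorAuthPresent
    being true with the strict Bool operator (BoolIfExists would also allow
    callers whose credentials carry no MFA context, so it is not accepted)."""
    cond = statement.get("Condition", {}).get("Bool", {})
    values = _as_list(cond.get("aws:MultiFactorAuthPresent", []))
    return any(str(v).lower() == "true" for v in values)


def is_wildcard(values):
    """'*' or 'service:*' grants every operation; flag both."""
    return any(v == "*" or v.endswith(":*") for v in _as_list(values))


def is_read_only(action):
    """Describe/List/Get actions are the ones where Resource '*' is often
    unavoidable, so they are excluded from the resource-wildcard finding."""
    name = action.split(":", 1)[-1]
    return name.startswith(("Describe", "List", "Get"))


def lint_policy(policy):
    """Return (Sid, issue) tuples for every Allow statement that violates
    least privilege or allows privileged actions without MFA."""
    issues = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement{i}")
        actions = _as_list(st.get("Action", []))
        if is_wildcard(actions):
            issues.append((sid, "wildcard Action grants every operation"))
        mutating = [a for a in actions if not is_read_only(a)]
        if "*" in _as_list(st.get("Resource", "*")) and mutating:
            issues.append((sid, f"Resource '*' with mutating actions {mutating}"))
        privileged = [a for a in actions
                      if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not requires_mfa(st):
            issues.append((sid, f"privileged actions {privileged} allowed "
                                "without aws:MultiFactorAuthPresent"))
    return issues


def lint_json(text):
    """Entry point for a policy document fetched as a JSON string."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, lint_json(json.dumps(policy)) or "no issues")
```

The MFA condition only works for callers whose session actually carries MFA context, which is why the same `aws:MultiFactorAuthPresent` key is what makes the "MFA for API calls" in the text enforceable: a user with an MFA device must call `sts:GetSessionToken` with their code before the `RotateOwnKey` statement above will match.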

8. Scan for vulnerabilities

While it is not your responsibility to scan for vulnerabilities and install patches for regular AWS services, you will need to use AWS Inspector to scan for vulnerabilities if you are using an EC2 instance or some other dedicated virtual resource provided by AWS.

9. Perform penetration tests

Naturally, AWS carries out penetration tests against its own infrastructure. Customers using AWS EC2 and AWS RDS services, however, have access to additional tools which they can use to perform their own independent security assessments and penetration tests. That said, activities such as DNS zone walking and DoS tests are prohibited.

If you would like to see how Lepide can help you ensure the security of your AWS environment, schedule a demo with one of our engineers today.