There are a lot of benefits that come with having AWS services as your cloud platform, alone or as part of a hybrid or multicloud environment. The agility and flexibility of AWS’s platform as a service and infrastructure as a service can make it possible for your organization’s network to be responsive, innovative, and ready for change.
But there are special challenges that come with having AWS as your cloud platform. Amazon makes a lot of excellent security features available, but organizations frequently don’t use them properly. Cloud security can seem overwhelming. But it’s possible to have excellent cybersecurity, as long as you’re mindful of these mistakes and best practices.
Cloud resources are ephemeral, which makes it difficult to keep track of assets. According to RedLock’s research, the average lifespan of a cloud resource is two hours and seven minutes. There are movies you can’t finish watching in that time! In addition, many companies have environments that span multiple cloud accounts and regions. This decentralizes visibility and makes risks harder to detect. Clearly, you can’t secure what you can’t see.
Best Practice: Use a cloud security solution that provides visibility into the volume and types of resources (virtual machines, load balancers, security groups, users, etc.) across multiple cloud accounts and regions in a single pane of glass. Having an understanding of your environment enables you to implement more granular policies and reduce risk.
Your root account can do the most harm when an unauthorized party gains access to it. Administrators often forget to disable root API access.
Best Practice: No one should have access to your AWS root account the vast majority of the time, not even your top admins. Never share root credentials across users and applications. The root account absolutely must be protected by multi-factor authentication and used as sparingly as possible.
IAM access keys are often not rotated. That weakens IAM’s ability to secure your user accounts and groups, because it gives cyber attackers a longer time window in which to acquire and use them. Regular rotation also ensures that old keys aren’t still being used to access critical services.
Best Practice: Rotate or change your access keys at least once every 90 days. If users have been granted the necessary IAM permissions, they can rotate their own access keys.
Lost or stolen credentials are a leading cause of cloud security incidents. It is not uncommon to find access credentials to public cloud environments exposed on the Internet, as was the case in the Uber breach. Organizations need a way to detect account compromises.
Best Practice: Strong password policies and multi-factor authentication (MFA) should be enforced in AWS environments. Amazon recommends enabling MFA for all accounts that have console passwords. First determine which accounts already have MFA enabled. Then go into IAM and checkmark “MFA device” for each user. Smartphones and other devices can be used for an extra factor of authentication.
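The three checks just described (no root access keys and MFA on root, access keys rotated within 90 days, and MFA for every user with a console password) can all be run against one IAM credential report. The following is an added example, not code from this article or from RedLock; the report text is constructed in the report's real column layout, and the clock is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report
# (the real report is a CSV obtained with the GetCredentialReport API).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2017-01-05T10:00:00+00:00,not_supported,2018-03-01T09:12:00+00:00,not_supported,not_supported,false,true,2017-01-05T10:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-06-01T08:00:00+00:00,true,2018-03-02T11:00:00+00:00,2018-01-10T08:00:00+00:00,N/A,true,true,2018-02-20T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-02-01T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2017-02-01T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2017-09-01T08:00:00+00:00,true,no_information,2017-09-01T08:00:00+00:00,N/A,false,false,N/A,false,N/A
"""

NOW = datetime(2018, 3, 5, 12, 0, tzinfo=timezone.utc)  # fixed clock (assumption) for reproducible output
MAX_KEY_AGE = timedelta(days=90)                        # rotation window from the text

def parse_ts(value):
    """Report timestamps are ISO 8601; non-dates read N/A, not_supported or no_information."""
    return datetime.fromisoformat(value) if value.endswith("+00:00") else None

def audit(report_csv, now=NOW):
    """Return sorted (user, finding) pairs for root hygiene, console MFA and key age."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Root must have MFA and should not hold access keys at all.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active"))
            continue
        # Every user with a console password must have MFA.
        if row["password_enabled"] == "true" and not mfa:
            findings.append((user, "console password without MFA"))
        # Active access keys older than the rotation window.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                age = (now - rotated).days if rotated else "unknown"
                findings.append((user, f"access key {slot} not rotated for {age} days"))
    return sorted(findings)
```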
Lost or stolen credentials are a leading cause of security incidents. AWS IAM can manage all of your user accounts and groups, with policies and detailed permission options. Unfortunately, admins often assign overly permissive access to AWS resources. Not only does that let users make changes and reach resources they shouldn’t be able to, but if a cyber attacker acquires such an account, far more harm can be done.
Best Practice: Your configuration of IAM, like any user permission system, should comply with the principle of least privilege. That means any user and group should only have the permissions that are required to perform their jobs, and no more.
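The difference between an overly permissive grant and a least-privilege one is easiest to see side by side. The following is an added example, not code from this article or from RedLock: two constructed IAM policy documents (the bucket name is made up) and a small check that flags Allow statements using wildcard actions or resources.

```python
# Constructed policies: an allow-everything grant beside a least-privilege
# equivalent for a job that only needs to read one S3 bucket (bucket name is made up).
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}

def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def find_broad_grants(policy):
    """Return (statement index, reasons) for Allow statements that grant more than a job needs."""
    hits = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            reasons.append("wildcard action")        # "*" or a whole service such as "s3:*"
        if "NotAction" in stmt:
            reasons.append("NotAction grant")        # allows everything except the listed actions
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" for r in resources):
            reasons.append("wildcard resource")
        if "NotResource" in stmt:
            reasons.append("NotResource grant")
        if reasons:
            hits.append((i, reasons))
    return hits
```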
Security groups act like a firewall that controls traffic to and from resources in the AWS environment. Unfortunately, admins often assign security groups IP ranges that are broader than necessary.
An even greater concern is that RedLock’s research shows 85% of resources associated with security groups don’t restrict outbound traffic at all. The research found an increasing number of organizations not following network security best practices and running misconfigured or risky configurations. Industry best practices mandate that outbound access be restricted to prevent accidental data loss or data exfiltration in the event of a breach.
Best Practice: Limit the IP ranges that you assign to each security group so that the traffic you need still flows but you aren’t leaving far more open than you’ll ever use.
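The two security group mistakes above (overly broad ingress ranges and the unrestricted outbound rule) can be found by walking the rules of each group. The following is an added example, not code from this article or from RedLock; the groups are constructed in the shape EC2 DescribeSecurityGroups returns, with made-up group ids, and the choice of 22 and 3389 as the admin ports to flag is an assumption.

```python
# Constructed security groups in the shape returned by EC2 DescribeSecurityGroups
# (abridged to the fields the checks use; group ids are made up).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        # The default egress rule: all protocols, all ports, anywhere.
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {
        "GroupId": "sg-0f1e2d3c4b5a69788", "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
        ],
    },
]

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = (22, 3389)  # SSH and RDP (assumption): never expose these to the whole Internet

def _open_to_world(rule):
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in (ANY_V4, ANY_V6) for c in cidrs)

def _covers_port(rule, port):
    if rule.get("IpProtocol") == "-1":  # -1 means every protocol and every port
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_security_groups(groups):
    """Return (group id, finding) pairs for world-open admin ingress and unrestricted egress."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            if _open_to_world(rule):
                for port in ADMIN_PORTS:
                    if _covers_port(rule, port):
                        findings.append((g["GroupId"], f"ingress to port {port} open to the world"))
        if any(_open_to_world(r) for r in g.get("IpPermissionsEgress", [])):
            findings.append((g["GroupId"], "egress unrestricted"))
    return findings
```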
Organizations need oversight into user activities which can reveal account compromises, insider threats, and other risks.
The virtualization that underpins cloud networks, together with the ability to use the infrastructure of a very large and experienced third-party vendor, affords agility: privileged users can change the environment as needed.
The downside is the potential for insufficient security oversight. But that’s a risk that can be avoided. User activities must be tracked in order to identify account compromises and insider threats, and to confirm that a malicious outsider hasn’t hijacked user accounts. Fortunately, businesses can effectively monitor users when the right technologies are deployed.
Best Practice: AWS CloudTrail is a web service that provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It absolutely should be used. Enabling CloudTrail simplifies security analysis, resource change tracking, and troubleshooting.
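Once CloudTrail is on, the event history can be searched for exactly the things this article warns about: the root account being used, console sign-ins without MFA, and API calls that switch off logging or widen network exposure. The following is an added example, not code from this article or from RedLock; the records are constructed in CloudTrail's real field layout, the user names and IP addresses are made up, and the set of event names treated as high risk is an assumption.

```python
import json

# Constructed CloudTrail records, abridged to the fields the detections read.
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2018-03-05T09:00:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"},
                "sourceIPAddress": "198.51.100.10"}),
    json.dumps({"eventTime": "2018-03-05T09:05:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
                "sourceIPAddress": "203.0.113.7"}),
    json.dumps({"eventTime": "2018-03-05T09:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
                "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "sourceIPAddress": "203.0.113.7"}),
    json.dumps({"eventTime": "2018-03-05T09:12:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "10.0.0.5"}),
]

# API calls that weaken the audit trail or widen network exposure (assumed list): alert on every one.
HIGH_RISK_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "AuthorizeSecurityGroupIngress"}

def detect(event_lines):
    """Return (eventTime, rule, detail) for each record that matches a detection."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        who = ident.get("userName", ident.get("type"))
        when, name, src = ev["eventTime"], ev["eventName"], ev.get("sourceIPAddress")
        # Any use of root is noteworthy: the text says it should almost never be used.
        if ident.get("type") == "Root":
            alerts.append((when, "root-activity", f"{name} from {src}"))
        # Successful console sign-in without a second factor.
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Success":
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append((when, "console-login-no-mfa", who))
        if name in HIGH_RISK_EVENTS:
            alerts.append((when, "high-risk-api-call", f"{name} by {who}"))
    return alerts
```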
Under the AWS shared responsibility model, it is your responsibility to ensure the latest security patches have been applied to hosts within your environment.
The latest RedLock research report provides insight into a related problem. Traditional network vulnerability scanners are most effective for on-premises networks, but miss an awful lot of crucial vulnerabilities when they’re used to test cloud networks.
Best Practice: Make sure hosts are patched frequently, and apply any necessary hotfixes released by your OEM vendors. To do so effectively, you need third-party tools that can map the data from host vulnerability feeds such as Amazon Inspector onto your cloud environment to gain cloud-specific context.
Keeping your AWS cloud secure can seem like a daunting task. Lots of organizations make mistakes which can put their data and network uptime at risk due to poor configuration, bad planning, and inadequate vulnerability scanning and detection.
Amazon has developed some very useful security measures and controls which organizations should take full advantage of, but often don’t. They include AWS CloudTrail, IAM, and permissions on cloud resources which can be configured in a very specific way. Get to know how to use them so you can implement them effectively.
RedLock is an industry leader in AWS security. As an AWS Advanced Technology Partner, RedLock is also a launch partner for Amazon GuardDuty. To optimize your AWS security as the cyber threat landscape evolves and your network changes over time, RedLock’s Security & Compliance Platform for AWS is the clear choice to maintain visibility of your entire cloud and effectively monitor its security dynamically.