As cloud computing becomes more popular, cloud security becomes the most important concern for businesses. Attackers try to steal sensitive information, distribute malware or disrupt computing processes by targeting cloud environments.

According to Security Magazine, 80% of companies have experienced at least one cloud data breach in the last two years. The risk is significant.

However, AWS security services help customers secure their cloud infrastructure. In this post, we provide an overview of AWS security services and how they can help you secure your cloud environment.

Let’s dive in!

AWS Security Services

AWS Security: Strengthen your security posture

Amazon Web Services (AWS) is one of the most flexible and secure cloud computing environments today. Millions of customers trust and use AWS infrastructure and services for their systems, applications, and development processes. AWS security starts with the AWS core infrastructure, which is designed to meet all security requirements. AWS builds its infrastructure to satisfy the requirements of global banks, the military, and other high-sensitivity organizations.

In addition, AWS monitors its own infrastructure 24/7 to help ensure the confidentiality, integrity, and availability of customers’ data.

Beyond this, security is not a topic that only AWS has to fix, implement, or consider. Security is a shared responsibility between AWS and its customers. AWS's responsibility is the security of the cloud: AWS must protect the infrastructure and software underlying storage, database, compute, and networking, and it must manage security consistently across regions, availability zones, and edge locations.

Secondly, the customer's responsibility is security in the cloud. Customers' security responsibilities vary depending on the AWS resources they use.

For example, if customers use S3 buckets for storage, they must handle access management, encryption, and the storage security standards and rules for AWS S3. For its part, AWS offers many security-related services to its customers. Using these AWS security services, evaluating their results, and taking remediation steps for configuration are the customers' responsibilities.

To provide an AWS security perspective for customers, let’s overview these AWS security services together:

Identity and Access Management

AWS Identity and Access Management Services:

  1. Identity and Access Management
  2. AWS Single Sign-On
  3. Amazon Cognito
  4. AWS Directory Service
  5. AWS Resource Access Manager
  6. AWS Organizations

AWS Identity and Access Management (IAM)

AWS IAM provides management of all IAM users and their access to resources. All IAM users, roles, and policies should be managed according to the principle of least privilege. A misconfiguration in users, roles, or policies can lead to unauthorized access to your resources, which is critical. To audit your IAM environment, you can use IAM Access Analyzer and open-source tools such as Cloudsplaining.

AWS Single Sign-On

AWS Single Sign-On is a very popular phrase nowadays. It means that with one login, users can access all of their accounts and applications. In AWS, SSO is a cloud-based service for managing access to all of the accounts in your AWS Organization. It can also integrate with third-party applications.

It is a very useful solution, especially for enterprise customers.

Amazon Cognito

Amazon Cognito is an authentication and authorization service for your client applications. It has two concepts:

a. User Pools: User pools provide user management, OAuth 2.0 authorization and token issuance, identity provider support (Google, Facebook, etc.), advanced security options such as MFA and compromised-credential detection, ease of use, and broad SDK and API support.

b. Identity Pools: Identity pools provide temporary AWS security credentials (access key, secret key) so that the client side can access other AWS services.

AWS Directory Service

AWS Directory Service allows you to connect your AWS resources to an existing on-premises Active Directory or to set up a new stand-alone directory in the AWS cloud. With AWS Directory Service, all of your users can easily access AWS resources and applications from the on-premises directory.

AWS Resource Access Manager

AWS Resource Access Manager (RAM) allows you to securely share AWS resources with other AWS accounts or within an AWS organization. RAM records usage details for shared resources through CloudWatch and CloudTrail. It also provides centralized security controls together with AWS Organizations.

AWS Organizations

AWS Organizations is designed for making central account management simple. You can create groups of accounts and then apply policies to those groups that centrally control the use of AWS services down to the API level across multiple accounts.

Additionally, AWS Organizations offers you billing management with a consolidated billing option.

AWS Detection Services

  1. AWS Security Hub
  2. Amazon GuardDuty
  3. AWS Inspector
  4. AWS Config
  5. AWS CloudTrail
  6. AWS IoT Device Defender

AWS Security Hub

AWS Security Hub provides a centralized view of security alerts from related services such as AWS GuardDuty, AWS Macie, AWS Inspector, and third-party security tools. Security Hub checks against the CIS Benchmarks automatically and sends notifications for alerts. It is useful for companies that have many AWS accounts and want to monitor detection results in one place. You can review all the results and findings for your AWS accounts in Security Hub.

Amazon GuardDuty

AWS GuardDuty performs intelligent threat detection and can alert us when things go wrong. It uses machine learning algorithms and threat intelligence to analyze groups of events. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

AWS GuardDuty detects many threat patterns, such as compromised EC2 instances, stolen credentials, and mining operations on EC2 instances, and prioritizes them with ‘HIGH’, ‘MEDIUM’, and ‘LOW’ severity tags.

AWS Inspector

AWS Inspector tests the network accessibility of your Amazon EC2 instances and the security status of your applications. It assesses the target EC2 instances and checks for vulnerabilities and potential security threats related to CVEs and CIS benchmarks. It integrates security testing into your development process.

Additionally, it recommends corrective actions for your vulnerabilities. It can be used with AWS CloudWatch and CloudTrail for monitoring and alerting.

AWS Config

AWS Config ensures that your AWS accounts follow security configuration standards. AWS Config uses rules to define those standards and finds non-compliant resources and configuration changes. It can also remediate problems automatically. With AWS Config, you achieve “Compliance as Code” and continuous compliance.
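To make “Compliance as Code” concrete, here is an added example (written for this post, not AWS-provided code) of the evaluation logic inside a custom AWS Config rule Lambda for S3 buckets: it checks that the public access block is fully enabled and that default encryption is set, and produces the evaluation dict that `config.put_evaluations()` accepts. The event and `configurationItem` fields follow the documented custom-rule event shape; the `supplementaryConfiguration` key names and the sample bucket are assumptions constructed for the example.

```python
import json

# Constructed AWS Config custom-rule event for one S3 bucket (not real data).
# Top-level event and configurationItem fields follow the documented custom
# rule Lambda event; the supplementaryConfiguration keys are assumed.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2023-05-01T10:00:00.000Z",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": json.dumps({
                "blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": False, "restrictPublicBuckets": False}),
            # no ServerSideEncryptionConfiguration: default encryption is unset
        }}}),
    "resultToken": "constructed-token",
}
PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
             "blockPublicPolicy", "restrictPublicBuckets")


def _supp(ci, key):
    """Supplementary config values may arrive as JSON strings; decode them."""
    value = ci.get("supplementaryConfiguration", {}).get(key)
    return json.loads(value) if isinstance(value, str) else value


def evaluate_bucket(ci):
    """Return (ComplianceType, Annotation) for one S3 bucket configuration item."""
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    problems = []
    pab = _supp(ci, "PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        problems.append("public access block incomplete: " + ", ".join(missing))
    if not _supp(ci, "ServerSideEncryptionConfiguration"):
        problems.append("no default encryption")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "bucket meets baseline"


def build_evaluation(event):
    """Build the dict a rule Lambda passes to config.put_evaluations()."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_bucket(ci)
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}
```

In the real Lambda handler, pass the returned dict as `Evaluations=[...]` together with `ResultToken=event["resultToken"]` to a boto3 `config` client.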

AWS CloudTrail

AWS CloudTrail records all activity in your accounts. It logs API events such as logging in to an AWS account, deleting an S3 bucket, or launching an EC2 instance, and stores the historical logs for all of them. It can be integrated with other AWS services such as CloudWatch and GuardDuty. CloudTrail helps us answer these questions:

  • Who made the change?
  • When did these changes happen?

Enabling AWS CloudTrail is recommended by the AWS CIS Benchmarks; it should be enabled for all regions in your account.
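The two questions above, answered over CloudTrail records, as an added example (written for this post, not AWS tooling): the script walks a log file, keeps only state-changing API calls, resolves the actor from the `userIdentity` block (IAM user, assumed role, or root), and separately flags any root-account activity, which the CIS Benchmark asks you to alert on. The records are constructed for the example.

```python
import json

# Constructed CloudTrail records (not real log data): an IAM user deleting a
# bucket, an assumed role launching an instance, and a root console login.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2023-05-01T10:16:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"}},
    {"eventTime": "2023-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]})

# Verbs whose API calls change state; read-only Describe*/Get*/List* are skipped.
CHANGE_PREFIXES = ("Create", "Put", "Delete", "Run", "Terminate",
                   "Update", "Modify", "Attach", "Detach")

def actor(identity):
    """Readable 'who' from a userIdentity block, covering the common types."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return "user:" + identity.get("userName", "?")
    if kind == "AssumedRole":
        # the ARN ends with assumed-role/<RoleName>/<SessionName>
        return "role:" + identity.get("arn", "").split("assumed-role/")[-1]
    if kind == "Root":
        return "root"
    return kind or "unknown"

def who_changed_what(log_json):
    """Answer 'who made the change, and when?' for state-changing API calls."""
    changes = []
    for rec in json.loads(log_json)["Records"]:
        if rec["eventName"].startswith(CHANGE_PREFIXES):
            changes.append({"when": rec["eventTime"], "who": actor(rec["userIdentity"]),
                            "what": rec["eventName"], "region": rec["awsRegion"],
                            "params": rec.get("requestParameters", {})})
    return sorted(changes, key=lambda c: c["when"])

def root_activity(log_json):
    """Any use of the root account is worth an alert (a CIS Benchmark check)."""
    return [rec["eventTime"] for rec in json.loads(log_json)["Records"]
            if rec["userIdentity"].get("type") == "Root"]
```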

AWS IoT Device Defender

AWS IoT Device Defender is an audit service for the IoT world. It audits IoT configurations, such as IoT policies and client certificates, to make sure they do not deviate from security best practices. It also monitors security metrics from IoT devices and compares the results with expected device behavior.

AWS Infrastructure Protection Services:

  1. AWS Firewall Manager
  2. AWS Shield
  3. AWS WAF
  4. AWS Network Firewall

AWS Firewall Manager

AWS Firewall Manager configures and manages firewall rules across an AWS organization. With AWS Firewall Manager, you can easily manage your WAF Rules, AWS Shield Advanced Protections, VPC security, and DNS Firewall rules.

AWS Shield

AWS Shield protects your environment against DDoS attacks. It has two different types:

Standard: The Standard tier is enabled by default at no additional cost. It protects against SYN/UDP floods, reflection attacks, etc. AWS Shield Standard stopped DDoS attacks on AWS environments in February 2020.

Advanced: AWS Shield Advanced costs $3000 per month per organization. It provides enhanced protection for EC2, CloudFront, Global Accelerator, Route53, etc. Also, it has business and enterprise support.

AWS WAF

AWS WAF is a web application firewall that helps protect your web applications and APIs against common attacks such as XSS, SQL injection, etc. It can also rate-limit calls and restrict request sizes for your APIs. WAF detects and blocks malicious traffic that could affect your AWS resources. To do this, WAF uses web access control lists (web ACLs) that consist of rules and actions. API Gateway, CloudFront, and load balancers can be integrated with WAF.

Nowadays, when web applications are a frequent target, the use of a WAF can be life-saving.

AWS Network Firewall

AWS Network Firewall is a managed firewall service for your AWS VPCs. Network Firewall is one of the powerful services introduced at the AWS re:Invent 2020 event. It provides intrusion prevention and detection and web filtering to protect your virtual networks on AWS.

AWS Data Protection:

  1. AWS Macie
  2. AWS Key Management Service (KMS)
  3. AWS CloudHSM
  4. AWS Certificate Manager (ACM)
  5. AWS Secrets Manager

AWS Macie

AWS Macie is an intelligent threat detection service for AWS S3. As we all know, S3 security is one of the main concerns in an AWS environment. Macie gives you an overview of your S3 bucket security posture, monitors API calls related to S3, and raises alarms for potential threats. It can find API keys uploaded to S3 buckets by mistake during development, detect personally identifiable information (credit card numbers, addresses, etc.), and detect your data being stolen.

AWS Key Management Service (KMS)

AWS KMS is a service that lets you easily create and manage the keys used for cryptographic operations. It supports symmetric and asymmetric encryption. KMS has FIPS 140-2 Level 3 compliance. Many AWS services (EC2, RDS, S3, etc.) can be integrated with KMS. It provides data integrity and confidentiality in the AWS environment, backed by CloudHSM components.

AWS CloudHSM

AWS CloudHSM is a cloud-based dedicated hardware security module for your encryption key management. Companies with regulatory compliance requirements should use CloudHSM. CloudHSM meets the FIPS 140-2 Level 3 security requirements. It is more expensive than other AWS security services, so you need to weigh it against the needs of your environment.

AWS Certificate Manager (ACM)

AWS ACM manages your SSL/TLS certificates in the AWS environment. It handles validating and configuring SSL/TLS certificates. Server certificates (EC2, ECS, CloudFront), client certificates (API Gateway client certificates), and IoT device certificates (for mutual authentication) are all managed by AWS Certificate Manager.

AWS Secrets Manager

AWS Secrets Manager provides a secure store for secrets such as passwords, user credentials, third-party keys, or any other sensitive information. In this store, secrets can be kept, managed, and rotated regularly.

The most common scenario for AWS Secrets Manager is creating a secret and using it for RDS connections.

CloudEndure Disaster Recovery

CloudEndure Disaster Recovery enables customers to shift their disaster recovery strategy to AWS from existing physical or virtual data centers, private clouds, or other public clouds. It also supports cross-region and cross-AZ disaster recovery within AWS.

AWS Detective

At the AWS re:Invent 2019 event, AWS announced a preview of Amazon Detective. When there is a security finding whose root cause you want to find so you can take action, AWS Detective is the service to reach for. AWS Detective uses machine learning, statistical analysis, and threat intelligence to make sense of potential security issues.

To conclude, businesses can confidently move their operations to the cloud with a strengthened security posture by understanding the shared responsibility model and utilizing the AWS security services available. As cloud computing continues to grow and evolve, it is essential that security stays at the forefront of every business’s cloud strategy.

In the next weeks, we will talk about these AWS security services deeply one by one. We will do some basic PoC designs on different user scenarios. Until then, please stay safe in the cloud!

If you want to learn about our cloud security services, visit our Cloud Security page.