Cloud security is the most critical topic for customers that are already using cloud computing in one form or another. As the technology world's interest in cloud computing increased, it has become the focus of attackers. The scenarios of hacking the cloud are endless. To name a few, attackers could steal sensitive information, deliver malware to a server or prevent computing processes to just damage in the cloud environments. According to Security Magazine, 80% of the companies have experienced at least one cloud data breach in the last two years. The risk is crucial. Let's see how we deal with it!
Amazon Web Services (AWS) is one of the most flexible and secure cloud computing environments today. Millions of customers trust and use AWS infrastructure and services for their systems, applications, and development processes. AWS security starts on AWS core infrastructure that is designed to meet all security requirements. AWS builds its infrastructure to satisfy requirements for global banks, the military and other high sensitivity organizations. In addition, AWS monitors its own infrastructure 24/7 to help ensure the confidentiality, integrity, and availability of customer’s data.
Besides these, security considerations are not a related topic that only AWS should fix, implement or consider. Security is a shared responsibility between AWS and its customers. AWS’s ultimate responsibility is the security of the cloud. AWS must protect the infrastructure and software related to storage, database, computing, or networking. AWS should manage security issues between regions, availability zones, and edge locations synchronously. Secondly, customer responsibility is the security in the cloud. Customers’ security responsibilities will vary depending on the AWS resources that they use. For example, if customers use s3 buckets as a storage area, they should consider all access management, encryption, and storage security standards and rules for AWS S3. As a responsibility, AWS offers many security-related services for its customers. Usage of these AWS security services, evaluating security results, and taking remediation steps for configuration are customers’ responsibilities. To provide an AWS security perspective for customers, let's overview these AWS security services together:
AWS IAM provides management of all IAM users and resource access. All IAM users, roles, and policies should be managed with at least privilege principle. If there is a misconfiguration related to users, roles, and policies, there could be unauthorized access to your resources which is too critical. To audit your IAM environment, you could use IAM Access Analyzer and open-source tools such as Cloudsplaining.
AWS Single Sign-on is a very popular phrase nowadays. It means with one login, users can access all accounts, applications. In AWS, SSO is a cloud-based solution to manage access to all of the accounts configured in your AWS Organization. It can also integrate with other third-party applications. It is a very useful solution, especially for enterprise customers.
Amazon Cognito is an authentication and authorization server for your clients. It has two concepts:
a. User Pools: User pools provide user management, Oauth2.0 Authorization for tokens, identity provider (Google, Facebook, etc.) support, advanced security options such as MFA, compromised credentials detection, ease of use, lots of SDK and API support.
b. Identity Pools: Identity Pools provides temporary AWS Security credentials (access key, secret key) to access other AWS services for the client side.
AWS Directory Service allows you to connect your AWS resources with an existing on-premises Active Directory or set up a new stand-alone directory in the AWS cloud. All of your users can access AWS resources and applications with AWS Directory Service easily from on-premises directory.
AWS Resource Manager (RAM) allows you to securely share AWS resources between a single AWS account or within an AWS organization. RAM audits usage details for shared resources using CloudWatch and CloudTrail. It also provides centralized security controls with AWS Organizations.
AWS Organizations is designed for making central account management simple. You can create groups of accounts and then apply policies to those groups that centrally control the use of AWS services down to the API level across multiple accounts. Additionally, AWS Organizations offers you billing management with a consolidated billing option.
AWS Security Hub provides a centralized structure for security alerts related services such as AWS GuardDuty, AWS Macie, AWS Inspector, or other 3rd party security tools. Security Hub monitors all CIS Benchmarks automatically and send notification for alerts. It’s useful for companies that have lots of AWS accounts and want to monitor detection results. You could review all your results and findings related to your AWS accounts on Security Hub.
AWS GuardDuty performs intelligent threat detection and can alert us when things go wrong. It uses machine learning algorithms and threat intelligence to analyze groups of events. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. AWS GuardDuty finds lots of threat patterns such as compromised EC2 instances, stolen credentials, mining operations on EC2 instances, and prioritizes them with 'HIGH', 'LOW', 'MEDIUM' tags.
AWS Inspector tests the network accessibility of your Amazon EC2 instances and the security states of your applications. It performs an assessment on the target EC2 instances and checks for any vulnerabilities and potential security threats related to CVEs and CIS benchmarks. It integrates your security testing as a part of your development. Additionally, it recommends corrective actions for your vulnerabilities. It could be used with AWS CloudWatch and CloudTrail for monitoring and alerting.
AWS Config ensures AWS accounts have security configuration standards. AWS Config uses rules to define security standards and finds non-compliant resources and configuration changes. It also automatically remediates problems. With AWS Config, you achieve “Compliance as Code” and continuous compliance.
AWS CloudTrail monitors all activities in your accounts. It records all API events such as login into an AWS account, deleting an S3 bucket, launching an EC2 instance, and store historical logs related to all of them. It could be integrated with other AWS services such as CloudWatch, GuardDuty, etc. CloudTrail helps us answer these questions: “Who made the change?” “When did these changes happen?” All AWS CloudTrail usage is recommended for all AWS CIS benchmarks, it should be enabled for all regions in your account.
AWS IoT Device Defender is an audit service that could be useful for the IoT world. It audits IoT configurations such as IoT policy and client certificate misconfigurations to make sure that they aren’t deviating from security best practices. It also monitors security metrics from IoT devices and compares results with expected device behaviors.
AWS Firewall Manager configures and manages firewall rules across an AWS organization. With AWS Firewall Manager, you can easily manage your WAF Rules, AWS Shield Advanced Protections, VPC security, DNS Firewall rules.
AWS Shield protects your environment against DDoS attacks. It has two different types:
Standard: The standard type is enabled by default and no additional cost is charged. It protects against SYN/UDP floods, reflection attacks, etc. AWS Shield Standard stopped DDoS attacks to AWS environments in February 2020.
Advanced: AWS Shield Advanced costs $3000 per month per organization. It provides enhanced protection for EC2, CloudFront, Global Accelerator, Route53, etc. Also, it has business and enterprise support.
AWS WAF is a web application firewall that helps protect your web applications or APIs against common attacks such as XSS, SQL injection, etc. It also limits the number of calls, limits request size for your APIs. WAF detects and prevents malicious traffic that could affect your AWS resources. To do these, WAF uses access control lists (ACLs) that consist of rules and action sets. API Gateway, CloudFront, or Load Balancers could be integrated with WAF. Nowadays, when web applications are becoming a target, therefore the use of WAF can be life-saving.
AWS Network Firewall is a managed firewall service that works for your AWS VPC. Network Firewall is one of the powerful services introduced in AWS 2020 re:Invent event. It provides intrusion prevention and detection, and web filtering to protect your virtual networks on AWS.
AWS Macie is an intelligent threat detection service for AWS S3. As we all know, S3 security is one of the main points of the AWS environment. Macie gives us an overview of the S3 bucket security posture, monitors API calls related to S3, and raises alarms for potential threats. It could find your API keys uploaded to S3 buckets by mistake on the development process, it could detect personally identifiable info (credit card number, addresses, etc.) and it can detect your data being stolen.
AWS KMS is a service that enables you to easily create and manage the keys used for cryptographic operations. It supports symmetric and asymmetric encryption. KMS has FIPS 140-2 Level 3 compliance. Lots of AWS services (EC2, RDS, S3, etc.) could be integrated with KMS. It provides data integrity and confidentiality in the AWS environment with CloudHSM components.
AWS CloudHSM is a cloud-based dedicated hardware module for your encryption key management. Companies that have regulatory compliance requirements should use CloudHSM. CloudHSM meets FIPS 140-2 Level 3 security requirement standards. It is more expensive than other AWS security services, so you need to determine your needs for your environments.
AWS ACM is a manager for your SSL/TLS certificates in the AWS environment. It manages to validate and configure SSL/TLS certificates. Server certificates (EC2, ECS, CloudFront), client certificates (API GW client certificates), IoT device certificates (for mutual authentication) are managed by the AWS certificate manager.
AWS Secrets Manager provides a secure area for storing secrets such as passwords, user credentials, third-party keys, or any sensitive information. In this secure area, all secrets could be stored, managed, and rotated regularly. The most common scenario for the AWS Secrets Manager usage is creating a secret and using this for the RDS connections.
CloudEndure Disaster Recovery provides customers to shift their disaster recovery strategy to AWS from existing physical or virtual data centers, private clouds, or other public clouds. It also supports cross-region / cross-AZ disaster recovery in AWS.
At AWS re:invent 2019 event, AWS announced a preview of Amazon Detective. When there is a security finding that you want to find the root cause and take action, AWS Detective comes to mind. AWS Detective uses machine learning, statistical analysis, threat intelligence tools to make sense of potential security issues.
In the next weeks, we will talk about these AWS security services deeply one by one. We will do some basic PoC designs on different user scenarios. Until then, please stay safe in the cloud!
If you would like to learn about our Cloud Security services, please click here.