AWS Security and Compliance
AWS Security is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networks, and facilities that operate AWS services, and protecting it is AWS's number one priority.
One in four organizations (28%) confirmed they experienced a cloud security incident in the past 12 months
Source: Cloud Security Report 2019
Benefits of AWS Security
- Keep Data Safe: The AWS infrastructure incorporates strong safeguards to help protect privacy. All data is stored and processed in highly protected AWS data centres.
- Meet Compliance Requirements: AWS manages dozens of compliance programs in its infrastructure, so organizations building on AWS inherit those controls for the parts of the stack that AWS operates.
- Save Operational Cost: Operational costs fall because organizations no longer have to maintain on-premises facilities.
- Scale Quickly: Security scales with the organization's usage of the AWS Cloud. The AWS architecture is built to keep data secure regardless of the size of the enterprise.
AWS Cloud Compliance helps you understand the robust controls AWS has in place to maintain security and data protection in the cloud. AWS compliance enablers build on traditional programs by combining governance-focused, audit-friendly features with the applicable compliance and audit standards, which helps clients establish and operate within an environment of AWS security controls.
The IT infrastructure that AWS provides to an organization is designed and managed in alignment with security best practices and a variety of IT security standards. A partial list of the assurance programs AWS complies with:
- SOC 1/ISAE 3402, SOC 2, SOC 3
- PCI DSS Level 1
- FISMA, DIACAP, and FedRAMP
- ISO 9001, ISO 27001, ISO 27017, ISO 27018
AWS Shared Security Responsibility Model
Before discussing the specifics of how AWS security works, it is essential to consider how security in the cloud differs subtly from security in an on-premises data centre. As organizations move their operating systems and data to the cloud, security obligations become shared between the organization and its cloud service provider. AWS is responsible for securing the underlying infrastructure that supports the cloud, and the organization is responsible for anything it puts into the cloud or connects to the cloud. This shared security responsibility model can reduce your operational burden in many ways and, in some cases, may even improve your default security posture without additional action on your part.
The amount of security configuration work that you need to do depends on which services you choose and how sensitive your data is.
Inspired by The Shared Responsibility Model – Amazon Web Services (AWS)
AWS Service-Specific Security
Amazon Web Services offers a range of cloud-based computing services, providing a broad array of compute instances that can scale up and down dynamically to meet application or business needs.
Amazon Elastic Compute Cloud (Amazon EC2) Security
Amazon EC2 is a critical component of Amazon's Infrastructure-as-a-Service (IaaS) offering, providing resizable computing capacity through server instances in AWS data centres.
Auto Scaling Security
Auto Scaling lets you automatically scale your Amazon EC2 capacity up or down according to conditions you define, so the number of Amazon EC2 instances an organization uses changes automatically to reduce cost while maintaining performance.
Elastic Load Balancing
Elastic Load Balancing manages traffic to an Amazon EC2 fleet, distributing it across instances in all available Availability Zones within a region.
Amazon Virtual Private Cloud (Amazon VPC) Security
Amazon VPC enables organizations to create an isolated portion of the AWS cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses.
Amazon Web Services provides low-cost data storage with high reliability and availability. AWS provides backup, archiving, and disaster recovery management services, as well as block and object storage.
Amazon Simple Storage Service (Amazon S3) Security
Amazon Simple Storage Service (Amazon S3) lets organizations upload and retrieve data from anywhere on the web, at any time. Amazon S3 stores data as objects inside buckets. An object may be a file of any kind: a text file, an image, a video, etc.
Amazon S3 Glacier Security
Like Amazon S3, Amazon S3 Glacier provides low-cost, secure, and durable storage. But where Amazon S3 is built for fast retrieval, Amazon S3 Glacier is intended as an archival service for data that is not regularly accessed and for which a retrieval time of multiple hours is acceptable.
AWS Storage Gateway Security
The AWS Storage Gateway service connects an on-premises software appliance to cloud-based storage, providing seamless and secure integration between your IT environment and the AWS storage infrastructure.
AWS Snowball Security
AWS Snowball is a simple, secure method for physically transferring large amounts of data to Amazon S3, EBS, or Amazon S3 Glacier storage. The AWS Snowball service is typically used by organizations that have over 100 GB of data and slow connection speeds, which would result in prolonged transfer times over the Internet.
Amazon Web Services provides developers and companies with a range of database options, from managed relational and NoSQL database services to in-memory caching as a service and petabyte-scale data-warehouse infrastructure.
Amazon DynamoDB Security
Amazon DynamoDB is a managed NoSQL database service with seamless scalability, delivering fast and reliable performance. Amazon DynamoDB lets you offload the administrative workload of operating and scaling distributed databases to AWS.
Amazon Relational Database Service (Amazon RDS) Security
Amazon RDS lets you create a relational database (DB) instance quickly and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the database instance on the organization's behalf by performing backups, handling failover, and maintaining the database software. Amazon RDS is available for the MySQL, Oracle, Microsoft SQL Server, and PostgreSQL database engines.
Amazon Redshift Security
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service was architected not only to scale up or down rapidly but also to significantly improve query speeds for enormous datasets.
Deployment and Management Services
Amazon Web Services offers a variety of tools to help with application deployment and management.
AWS Identity and Access Management (IAM)
IAM lets you create multiple users within an AWS account and manage the permissions of each. A user is an identity (within an AWS account) with unique security credentials that are used to access AWS services.
Amazon CloudWatch Security
Amazon CloudWatch is a web service for monitoring AWS cloud resources, starting with Amazon EC2. It gives customers visibility into resource utilization, operational performance, and overall demand patterns.
AWS Security Checklist
- Enable CloudTrail logging across all AWS services.
- Turn on CloudTrail log file validation.
- Enable CloudTrail multi-region logging.
- Integrate CloudTrail with CloudWatch.
- Enable access logging for the S3 buckets that store CloudTrail logs.
- Enable access logging for Elastic Load Balancer (ELB).
- Enable Redshift audit logging.
- Enable Virtual Private Cloud (VPC) flow logging.
- Require multi-factor authentication (MFA) to delete CloudTrail buckets.
- Turn on multi-factor authentication for the "root" account.
- Turn on multi-factor authentication for IAM users.
- Enable multi-mode access for IAM users.
- Attach IAM policies to groups or roles.
- Rotate IAM access keys regularly, and standardize on a chosen rotation period in days.
- Set up a strict password policy.
- Set password expiration to 90 days.
- Do not use expired SSL/TLS certificates.
- Use HTTPS for CloudFront distributions.
- Restrict access to the CloudTrail bucket.
- Encrypt CloudTrail log files at rest.
- Encrypt Elastic Block Store (EBS) volumes that hold database data.
- Provision access to resources using IAM roles.
- Avoid using the root user account.
- Use secure SSL/TLS ciphers for connections between clients and the ELB.
- Use secure SSL/TLS protocol versions for connections between the ELB and clients.
- Use a standard naming (tagging) convention for EC2.
- Encrypt Amazon Relational Database Service (RDS) instances.
- Do not use access keys with the root account.
- Use secure CloudFront SSL/TLS versions.
- Enable the require_ssl parameter on all Redshift clusters.
- Rotate SSH keys periodically.
- Minimize the number of discrete security groups.
- Reduce the number of IAM groups.
- Deactivate access keys that are not in use.
- Disable access for unused or inactive IAM users.
- Remove unused IAM access keys.
- Delete unused SSH public keys.
- Restrict access to Amazon Machine Images (AMIs).
- Restrict access to EC2 security groups.
- Restrict access to RDS instances.
- Restrict access to Redshift clusters.
- Restrict outbound access.
- Disallow unrestricted ingress access on any port.
- Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, and Remote Desktop.
- Involve IT security throughout the development process.
- Grant application users the least privilege possible.
- Encrypt highly sensitive data such as personally identifiable information (PII) or protected health information (PHI).
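As an added example (not part of the original article or any AWS tooling), the following Python audit applies a few of the checklist items above to constructed sample data: root access keys, MFA on every IAM user, 90-day access-key rotation, and unrestricted ingress on well-known ports. The samples are shaped like the output of `aws iam get-credential-report` and `aws ec2 describe-security-groups`, and the account id, user names and group ids are placeholders.

```python
import csv
import io
from datetime import datetime

# Constructed sample shaped like `aws iam get-credential-report` CSV (unused columns dropped; account id is a placeholder).
CREDENTIAL_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,false,true,2019-01-01T00:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,true,2020-04-15T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,false,true,2019-06-01T00:00:00+00:00
"""

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e4f5a6b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]}

WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 445: "CIFS", 3389: "Remote Desktop"}
KEY_MAX_AGE_DAYS = 90  # rotation window from the checklist

def audit_credentials(report_csv, now_iso):
    # Checklist items: no root access keys, MFA on every user, keys rotated within 90 days.
    now, findings = datetime.fromisoformat(now_iso), []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, key_active = row["user"], row["access_key_1_active"] == "true"
        if user == "<root_account>" and key_active:
            findings.append((user, "root account has an active access key"))
        if row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        if key_active:
            age = (now - datetime.fromisoformat(row["access_key_1_last_rotated"])).days
            if age > KEY_MAX_AGE_DAYS:
                findings.append((user, f"access key not rotated for {age} days"))
    return findings

def audit_security_groups(describe_output):
    # Checklist item: no unrestricted (0.0.0.0/0) ingress on well-known ports.
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent for IpProtocol "-1" (all ports)
            for port, name in WELL_KNOWN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], f"{name} (tcp/{port}) open to 0.0.0.0/0"))
    return findings
```

Call `audit_credentials(CREDENTIAL_REPORT, "<current time in ISO 8601>")` and `audit_security_groups(SECURITY_GROUPS)` to get lists of (subject, finding) pairs; on a real account you would feed in the decoded credential report and the describe-security-groups JSON instead of the samples.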