Introduction to AWS Security Features

Zachary Hill
Published in Think|Stack, Feb 25, 2020

I’m often asked questions like:

  • How secure is AWS?
  • What settings should we use to make sure our environment is secure?
  • Is using AWS more or less secure than my on-prem datacenter?

There are many ways to answer those questions, but my go-to response is to walk through the security gains that take almost no effort to switch on. Here are some of my favorites:

Encryption with a checkbox

In most AWS services that store data, among them EBS, S3 and RDS, encryption at rest is as quick to enable as ticking a checkbox when you create the resource. You choose whether AWS manages the KMS key for you or you manage it yourself in KMS, which matters if you need control over key rotation, a CloudTrail record of every use of the key, or the ability to revoke it. Two caveats are worth knowing. First, the checkbox has to be ticked at creation time: an existing unencrypted EBS volume is not converted in place, you snapshot it and copy the snapshot with encryption enabled, and EBS also offers an account-level, per-region "encryption by default" setting (aws ec2 enable-ebs-encryption-by-default) so that new volumes are encrypted even when nobody ticks the box. Second, encryption at rest protects you against lost disks and leaked snapshots, not against a principal whose IAM permissions already allow it to read the data.

EBS Volume Encryption

Audit Trail

Nearly every API call made in your account, whether it comes from the console, the CLI, an SDK or an AWS service acting on your behalf, is recorded by CloudTrail. Each record names the principal, its source IP address, the time, the action, the request parameters and whether the call was denied. Management events (creating, changing and deleting resources, sign-ins, IAM changes) show up in the 90-day event history without any setup; creating a trail keeps them in S3 for as long as you like and lets you add data-plane events such as S3 object reads, which are not logged by default. A few services are not covered at all, so check the CloudTrail service coverage list before assuming an activity will appear. Having this trail in place before an incident is what lets your team uncover compromised credentials, bad internal actors and misconfigurations after the fact; to make it stand up to forensic use, deliver it to an S3 bucket in a separate logging account and turn on log file validation.

These logs include things such as:

  • Administrative changes (security group edits, IAM policy attachments, new access keys)
  • Systems Manager (SSM) running scans or patches on your behalf
  • Console sign-ins, including whether MFA was used and whether the attempt failed
  • Access requests, including API calls that were denied
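To show what "uncovering a compromised account" looks like in practice, here is detection logic run over a handful of CloudTrail records. This is an added example, not code from the original post: the records are constructed (placeholder account ID and IP addresses) but follow the CloudTrail record schema, and the threshold of ten denied calls is an assumed tuning value. It flags root console sign-ins, successful console sign-ins without MFA, and a burst of AccessDenied errors from one principal, which is what a stolen access key being probed for permissions looks like.

```python
import json
from collections import Counter

# Constructed sample trail (not real account data). Field names follow the
# CloudTrail record schema; account IDs and IP addresses are placeholders.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2020-02-25T14:01:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-02-25T14:05:42Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-02-25T14:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
] + [
    # A burst of AccessDenied errors from one principal: a stolen key being
    # probed for what it can do.
    {"eventTime": f"2020-02-25T14:10:{s:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"}}
    for s in range(12)
]}

DENIED_THRESHOLD = 10  # assumed tuning value; alert once a principal reaches it


def load_records(text):
    """Parse the JSON document CloudTrail writes to S3: {"Records": [...]}."""
    return json.loads(text)["Records"]


def find_findings(records):
    """Return (finding, principal_arn, detail) tuples for records worth a look."""
    findings = []
    denied = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        arn = ident.get("arn", "unknown")
        if r.get("eventName") == "ConsoleLogin":
            succeeded = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if ident.get("type") == "Root":
                findings.append(("root_console_login", arn, r.get("sourceIPAddress")))
            if succeeded and r.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append(("console_login_without_mfa", arn, r.get("sourceIPAddress")))
        if r.get("errorCode") == "AccessDenied":
            denied[arn] += 1
    for arn, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("excessive_access_denied", arn, n))
    return findings


if __name__ == "__main__":
    for finding in find_findings(load_records(json.dumps(SAMPLE_TRAIL))):
        print(*finding)
```

In production the same logic would run on the objects CloudTrail delivers to S3 (they are gzipped, one JSON document per file) or as a CloudWatch Logs metric filter; the point is that every one of these signals is already in the trail the moment you enable it.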

Easy Access to Network Traffic

In a traditional datacenter, getting a copy of the traffic crossing your network typically means a capable switch with a SPAN port mirroring your key choke points, such as the firewall, to a capture appliance. In AWS it is a few clicks, and it covers the east-west traffic between your own instances, which a perimeter tap never sees. Two features do this, and they are not interchangeable. VPC Flow Logs record metadata for the flows that touch a VPC, subnet or network interface: source and destination addresses and ports, protocol, packet and byte counts, and whether the security groups and network ACLs accepted or rejected the flow. They carry no payload and are delivered to CloudWatch Logs or S3 in batches rather than in real time. VPC Traffic Mirroring copies the actual packets from an instance's network interface to a target such as an IDS appliance, which is what you need for payload inspection. Both are useful for troubleshooting, but their real value is feeding security tooling: GuardDuty reads flow logs, DNS logs and CloudTrail on its own without you forwarding anything, while a SIEM or UEBA product such as Securonix consumes the flow logs you deliver to S3 or CloudWatch Logs.
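As an added example (not from the original post), here is a parser for the default VPC Flow Log record format and one detection built on it: a single source that is rejected on many distinct ports of one host, the signature of a port scan. The sample lines are constructed, with placeholder account and interface IDs; rejected flows only appear in the log if the flow log was created with the REJECT or ALL traffic filter.

```python
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default VPC Flow Log record format (version 2).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample lines (not captured from a real VPC).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.1.5 50022 443 6 12 4096 "
    "1582639200 1582639260 ACCEPT OK",
    # NODATA record: no traffic in the window, traffic fields are '-' placeholders
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1582639200 1582639260 - NODATA",
] + [
    # one external host walking consecutive ports on an instance and being rejected
    f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.5 41{p:03d} {p} 6 1 44 "
    f"1582639200 1582639260 REJECT OK"
    for p in range(20, 36)
]


@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_flow_line(line):
    """Parse one default-format record. Returns None for NODATA / SKIPDATA
    records, which carry no traffic fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
                int(rec["protocol"]), int(rec["packets"]), int(rec["bytes"]),
                int(rec["start"]), int(rec["end"]), rec["action"])


def find_port_scans(lines, min_ports=10):
    """Return (src, dst, distinct_ports) for each source that was REJECTed on at
    least min_ports distinct destination ports of one host. min_ports is an
    assumed threshold; tune it to your environment."""
    rejected = defaultdict(set)
    for line in lines:
        flow = parse_flow_line(line)
        if flow is not None and flow.action == "REJECT":
            rejected[(flow.srcaddr, flow.dstaddr)].add(flow.dstport)
    return sorted((src, dst, len(ports))
                  for (src, dst), ports in rejected.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for src, dst, n in find_port_scans(SAMPLE_LINES):
        print(f"possible port scan: {src} -> {dst}, {n} rejected ports")
```

If you publish flow logs with a custom format the field list changes, so treat FIELDS as the thing to edit; the record's own version field tells you which format you are reading.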

Least Privileged Access

One of the most important practices for securing any environment is to operate with least privilege: a user, application or server gets only the permissions it needs to do its job and nothing more. IAM makes this easier than it is on-prem because permissions can be attached to the workload itself rather than to a human. An EC2 instance, a Lambda function or an ECS task assumes an IAM role, and the SDK fetches short-lived credentials for that role automatically (on EC2, from the instance metadata service). That removes the need to hard-code access keys into applications, configuration files or AMIs, and because the temporary credentials rotate on their own, the long-lived keys that usually leak through source control and backups never have to exist.

For example, you can assign a role to one specific server that lets that server, and only that server, upload objects to a single S3 bucket, with no permission to read, list or delete anything.
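As an added illustration (not code from the original post), here are the two policy documents that role needs, and a small evaluator for checking that the permissions policy really is upload-only before it ships. The bucket name and role name are assumptions; the evaluator is a deliberately simplified model of IAM (explicit Deny beats Allow, everything else is implicitly denied, wildcards in actions and resources), and it does not model condition keys, NotAction, service control policies, permission boundaries or bucket policies.

```python
import fnmatch
import json

BUCKET = "example-upload-bucket"      # assumed bucket name, replace with your own
ROLE_NAME = "uploader-instance-role"  # assumed role name

# Trust policy: only the EC2 service may assume the role, which is what lets an
# instance carrying this role in its instance profile obtain temporary credentials.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: write objects into one bucket and nothing else. No
# ListBucket, no GetObject, no DeleteObject, and no other bucket.
UPLOAD_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploadToOneBucket",
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# The shortcut people reach for instead; kept here only for comparison.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation of one identity policy: an explicit Deny on a
    matching statement wins, an Allow on a matching statement grants, and
    anything unmatched is implicitly denied. Action names are case-insensitive
    and '*' / '?' wildcards apply, as in IAM. Conditions, NotAction/NotResource,
    SCPs, permission boundaries and resource-based policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def excess_permissions(policy, needed, probes):
    """Which probe (action, resource) pairs does the policy allow that the
    workload does not need? An empty list means least privilege for this probe set."""
    return [p for p in probes if p not in needed and is_allowed(policy, *p)]


def policy_files():
    """The documents to hand to `aws iam create-role` and `aws iam put-role-policy`."""
    return {"trust.json": json.dumps(TRUST_POLICY, indent=2),
            "upload-only.json": json.dumps(UPLOAD_ONLY_POLICY, indent=2)}


if __name__ == "__main__":
    key = f"arn:aws:s3:::{BUCKET}/reports/2020-02.csv"
    needed = {("s3:PutObject", key)}
    probes = needed | {("s3:GetObject", key), ("s3:DeleteObject", key),
                       ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
                       ("s3:PutObject", "arn:aws:s3:::other-bucket/x")}
    print("upload-only policy grants beyond need:",
          excess_permissions(UPLOAD_ONLY_POLICY, needed, probes))
    print("broad policy grants beyond need:",
          excess_permissions(BROAD_POLICY, needed, probes))
```

To wire it up: create the role with `aws iam create-role --assume-role-policy-document file://trust.json`, attach the permissions with `aws iam put-role-policy --policy-document file://upload-only.json`, put the role in an instance profile (`aws iam create-instance-profile`, `aws iam add-role-to-instance-profile`) and launch the instance with that profile. For the authoritative answer on what the real policy allows, including the parts this evaluator skips, use `aws iam simulate-principal-policy` against the role's ARN with the same action and resource pairs.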

Compliance

AWS Config is a powerful tool that records the configuration of your AWS resources over time and lets you define rules those resources must satisfy. A rule can express almost any check against a resource's recorded configuration, but in practice rules are either security rules or resource-efficiency rules. Examples include:

  • Requiring all volumes to be encrypted
  • Requiring all S3 buckets to be encrypted
  • Requiring a strong password policy
  • Requiring rotation of access keys

Setting up these rules within AWS Config allows a quick and easy audit of all your AWS resources and whether or not they are compliant with your rules.

AWS Config — Rule set to check whether or not all elastic IP addresses are attached
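The four checks listed above all exist as AWS managed rules (ENCRYPTED_VOLUMES, S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, IAM_PASSWORD_POLICY and ACCESS_KEYS_ROTATED), so for those you only name the rule. When you need a check AWS does not ship, you write a custom rule backed by a Lambda function, and the mechanics are the same for every resource type. As an added example, not code from the original post, here is the "all volumes must be encrypted" rule written that way, with a constructed Config event (placeholder volume ID and result token) and a recording stand-in for the Config client so the logic runs locally without credentials.

```python
import json

VOLUME_ID = "vol-0123456789abcdef0"  # assumed volume ID used by the constructed event


def sample_event(encrypted):
    """Constructed stand-in for the event AWS Config sends a custom rule's Lambda
    on a configuration change. As in the real event, invokingEvent is a JSON string."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": VOLUME_ID,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2020-02-25T14:00:00.000Z",
        "configuration": {"volumeId": VOLUME_ID, "encrypted": encrypted},
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "resultToken": "example-result-token",
    }


def evaluate_volume(item):
    """Compliance verdict for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"  # a deleted volume should not count against you
    configuration = item.get("configuration") or {}
    return "COMPLIANT" if configuration.get("encrypted") is True else "NON_COMPLIANT"


def build_evaluation(item):
    """The shape the Config PutEvaluations API expects for one resource."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_volume(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


class RecordingConfigClient:
    """Dry-run stand-in for boto3's Config client: records what would be sent
    instead of calling AWS, so the rule can be exercised locally."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. In Lambda, config_client defaults to a real boto3 client."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event.get("configurationItem")
    if item is None:
        # Oversized change notifications arrive without the item inline; it has to be
        # fetched with the Config API (get_resource_config_history). Not handled here.
        return None
    evaluation = build_evaluation(item)
    if config_client is None:
        import boto3  # present in the Lambda runtime; imported lazily for local runs
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    client = RecordingConfigClient()
    for flag in (True, False):
        verdict = lambda_handler(sample_event(flag), None, config_client=client)
        print(VOLUME_ID, "encrypted" if flag else "unencrypted", "->", verdict["ComplianceType"])
```

The Lambda's execution role needs config:PutEvaluations, and the rule is registered with `aws configservice put-config-rule` pointing at the function's ARN with a CUSTOM_LAMBDA source; for the managed version of this same check the source is simply Owner AWS, SourceIdentifier ENCRYPTED_VOLUMES.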

Closing Remarks

AWS gives you security capabilities that in a traditional datacenter would require dedicated appliances and budget, and many of them are built into the services you already use. Together they provide visibility into your environment that used to cost a great deal of time and money to achieve. What remains on your side is to turn them on, send their output somewhere it will actually be looked at, and act on what it tells you.
