AWS security best practices are one of the main concerns for anyone who manages cloud infrastructure or is considering a move into the cloud computing world. These concerns are completely legitimate: new threats are launched onto the internet every day, threats that can compromise a business's sensitive data or even bring down the whole infrastructure on which its websites and web apps run. That is why it is so important to implement best practices for adding security to your cloud infrastructure.
In this blog, we will provide an overview of AWS security best practices that you can implement on your AWS cloud infrastructure to ensure its integrity and full availability, while at the same time complying with the HIPAA and PCI international standards.
Best Practice 1: Identify, define and categorize your information assets.
The first step when implementing AWS security best practices is to identify all the information assets that you need to protect (application data, user data, code, applications) and then define an efficient and cost-effective approach for securing them against internal and external threats.
After that, it is recommended to categorize all the information assets into:
- Essential information assets, such as business-related information, internal processes and other data from strategic activities.
- Components/elements that support the essential information assets, such as hardware infrastructure, software packages, personnel roster and partnerships.
Once information assets have been identified and categorized, we can move into designing our Information Security Management System (ISMS).
Best Practice 2: Design an effective Information Security Management System (ISMS) to protect your assets.
An ISMS is a security assurance entity defined in the ISO 27001 standard, which establishes the set of processes that should be followed to:
- Define information security objectives, rules, policies and data control techniques.
- Identify the main internal and external risks to your information assets. These risks can come from business personnel, infrastructure, customers, etc.
- Select the risk management strategy/plan that best prepares you for any emergency or contingency. It is recommended to have two strategies: one for reducing the likelihood of a risk materializing, and another for taking immediate action once a risk does materialize.
- Analyze and evaluate the impact on the business if a risk materializes.
Best Practice 3: Implement a secure and efficient strategy for AWS accounts, IAM users, groups and roles management.
When granting user permissions and privileges, the most important consideration is to ensure that every user has access only to the resources they actually need. You can use AWS Identity and Access Management (IAM) to help perform this function.
What security strategies can I follow when managing my AWS accounts?
- If you manage production, development and testing environments separately, then it is highly recommended to create one AWS account for production services, one for development, and one for testing. Since users in these environments perform different activities, they should not hold the same level of permissions.
- If your organization is divided into multiple autonomous departments, then it is recommended to create a separate AWS account for each independent department. You can assign permissions and policies under each account.
- If you wish to keep a centralized security management function across multiple independent projects, then you can create a single AWS account for common project resources (such as DNS services, Active Directory, CMS, etc.). Then create separate AWS accounts per project. You can assign permissions and policies under each project account and grant access to resources across accounts.
And, what about my IAM users and groups?
When we want to implement a secure IAM user management, we need to:
- Create a separate IAM user for each team member added to an AWS account.
- Never let different team members share the same credentials.
When we want to implement AWS security best practices on IAM groups, we need to:
- Separate groups according to the specific function or role shared by their members (Project Managers, Developers, DevOps, etc.), taking into account that members of a group perform similar activities and need the same type of permissions and privileges.
- Assign IAM policies to each group according to its access level and general activities.
- Continuously monitor for users who no longer require access to a group and remove them promptly, so that stale access does not become a source of uncertainty or risk for your infrastructure.
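To make the "assign policies according to access level" step concrete, here is an added example (not ClickIT's code) that lints an IAM group policy document for statements wider than least privilege. Both policy documents are constructed samples; the bucket name and the read-only verb prefixes are assumptions.

```python
"""Least-privilege lint for an IAM group policy document."""
import json

# Constructed sample: an over-broad policy of the kind often attached to a Developers group.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Constructed sample: the same needs scoped to one bucket plus read-only EC2 access.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})

READ_ONLY_PREFIXES = ("Describe", "List", "Get")   # assumed read-only verb prefixes

def _as_list(value):
    """IAM allows either a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return (statement_index, reason) for every Allow statement wider than it needs to be."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        # Read-only verbs on Resource "*" are usually acceptable; write verbs are not.
        writes = [a for a in actions if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
        if writes and "*" in resources:
            findings.append((i, f"write actions {writes} on Resource *"))
    return findings
```

Run `lint_policy` over each group's policy as part of the periodic access review; an empty result for the scoped policy and four findings for the broad one show the difference between the two.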
Best Practice 4: Secure your EC2 instances.
EC2 instances can be considered the most critical component of your AWS infrastructure, since they provide the resources that keep your apps and sites running with good performance. This is why it is so important for them to have the proper level of security in place.
Here are some good principles that can be applied on EC2 instances for adding security:
- Least access/least privilege principle: restrict access and privileges on EC2 instances to the specific resources each IAM group or user needs, and no more.
- Implement an effective configuration management strategy for your EC2 instances: define a baseline configuration (resources, access, connected AWS services, external connections, etc.) for all your EC2 instances, and track them continuously to ensure that they still match the initial baseline over time. If an EC2 instance deviates from the baseline, you must address and communicate it.
- Establish a permanent log auditing capacity: set aside one day per week or month to review the access, process, security and change logs on each of your EC2 instances, to confirm that everything is working as expected and no threats are present.
Now, regarding the network security for EC2 instances, the next practices are recommended:
- Configure your security groups to allow the minimum required network traffic for the EC2 instance.
- Make Security Groups your primary mechanism for controlling network access to EC2 instances.
- Define VPC subnet route tables with the minimally required network routes.
Other recommended practices:
- Implement IAM roles for granting permissions to applications, because this eliminates the need to distribute and rotate long-term credentials on EC2 instances.
- Encrypt sensitive data that is transmitted or stored, and review this periodically.
- Configure AWS CloudTrail, AWS Config, and AWS Config Rules as they provide audit and change tracking features for auditing AWS resource changes. Configure instances to send important local log files to a centralized log management system for analysis. To effectively analyze the logs of a significant number of distributed servers, aggregate them into a common repository that includes features for searching and reporting.
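The security group recommendations above are easy to state and easy to drift from, so here is an added example (not from the post or from AWS) that audits ingress rules for world-open access. `SAMPLE_GROUPS` is a constructed sample in the shape of `aws ec2 describe-security-groups` output; the group IDs and the set of "public web ports" are assumptions.

```python
"""Flag security group ingress rules that are open to the internet."""
PUBLIC_WEB_PORTS = {80, 443}          # assumed: the only ports a public web tier should expose
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        # "-1" means all protocols and all ports; such rules carry no FromPort/ToPort.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

def _sources(rule):
    """All IPv4 and IPv6 CIDRs a rule accepts traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def audit_groups(groups):
    """Return (GroupId, description) for each rule reachable from anywhere on a non-web port."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            if not WORLD & set(_sources(rule)):
                continue                      # only private/peer CIDRs: fine
            if rule["IpProtocol"] == "-1":
                findings.append((group["GroupId"], "all traffic open to the world"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if set(range(lo, hi + 1)) - PUBLIC_WEB_PORTS:
                findings.append((group["GroupId"], f"{rule['IpProtocol']}/{lo}-{hi} open to the world"))
    return findings
```

Running `audit_groups(SAMPLE_GROUPS)` reports the SSH rule on the web group and the all-traffic IPv6 rule on the database group, while the HTTPS rule and the subnet-scoped MySQL rule pass.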
Best Practice 5: Secure your data at rest.
It is recommended that you secure the data at rest on your AWS infrastructure to protect it against leakage or loss. To protect your data at rest, the following best practices are recommended:
- Configure access permissions on your S3 buckets.
- Implement versioning for all objects.
- Backup all your data at rest.
- Use server-side encryption for your data.
Best practice 6: Secure your Infrastructure.
1. Use Amazon Virtual Private Cloud (VPC)
In short, a private cloud consists of several private networks that use private IP addresses which are not routable on the internet. This kind of infrastructure only allows access and traffic from a defined set of users, which protects the data and other resources.
2. Use Security Zoning and Network Segmentation
It is a security best practice to segment infrastructure into zones that impose similar security controls.
Some recommendations when opting to build network segments are:
- Use Amazon VPC.
- Use security groups to manage access to instances that have similar functions and security requirements.
- Use Network Access Control Lists.
- Use host-based firewalls to control access to each instance.
3. Strengthen Network Security
Best practices for network security in the AWS cloud include the following:
- Always use security groups.
- Enhance security groups with Network Access Control Lists.
- Use IPsec or AWS Direct Connect to establish trusted connections to other sites.
- Protect data in transit to ensure the confidentiality and integrity of data.
- Enable VPC Flow Logs to keep full visibility into the traffic flowing through your private environment.
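VPC Flow Logs are only useful if someone reads them, so here is an added example (not from the post) of what that reading can look like: it parses the default version 2 record format and reports source addresses whose rejected connections touched many distinct ports on an instance, which is what a port sweep against a private subnet looks like. The log lines are constructed, not captured, and the threshold of three ports is an assumption.

```python
"""Spot port sweeps in VPC Flow Logs (default version 2 record format)."""
from collections import defaultdict

# Field order of the default VPC Flow Logs format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one external host probing four ports, one internal client, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0abc 198.51.100.7 10.0.1.12 40001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.12 40002 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.12 40003 3306 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.12 40004 8080 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 10.0.1.5 10.0.1.12 51000 443 6 10 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.5 10.0.1.12 51001 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Yield one dict per well-formed record; skip NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue
        yield record

def rejected_ports_by_source(text):
    """Map srcaddr -> set of destination ports on which its traffic was REJECTed."""
    ports = defaultdict(set)
    for record in parse_records(text):
        if record["action"] == "REJECT":
            ports[record["srcaddr"]].add(int(record["dstport"]))
    return ports

def suspected_scanners(text, min_ports=3):
    """Sources rejected on at least min_ports distinct ports (assumed threshold)."""
    return sorted(src for src, p in rejected_ports_by_source(text).items()
                  if len(p) >= min_ports)
```

The internal client with a single rejected port is ordinary noise and is not reported; the external host probing four ports is.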
AWS security best practices for HIPAA and PCI compliance
1. It is recommended to encrypt and protect your data in transit and storage through:
- Integrating the AWS Key Management Service (KMS) SDKs with your applications to simplify key management and storage.
- Using file-level or full-disk encryption for your data at rest in third-party software.
- Using transport encryption mechanisms such as SSL/TLS or VPNs.
- Implementing AWS Virtual Private Cloud features such as Access Control Lists and VPC Flow Logs.
- Using server-side and client-side encryption for data at rest on S3, Glacier and DynamoDB.
- Implementing encrypted transport (HTTPS) on all connections to your S3, Glacier and DynamoDB data.
- Implementing encrypted protocols such as SSL/TLS or HTTPS for load balancer connections.
- Encrypt front-end and back-end listeners for sessions.
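Two of the items above, server-side encryption for data at rest on S3 (Best Practice 5) and HTTPS on every connection to S3, can both be enforced by the bucket itself. Here is an added example (not ClickIT's code) that builds such a bucket policy and includes a small stand-in evaluator so you can see which requests it denies. The bucket name is an assumption, and the choice to require SSE-KMS specifically (rather than any server-side encryption) is mine, since the post recommends KMS for key management.

```python
"""S3 bucket policy that denies plaintext transport and non-KMS uploads."""
import json

def bucket_policy(bucket):
    """Two Deny statements: no HTTP at all, and PutObject only with SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             # StringNotEquals also matches when the header is absent, so plain PUTs are denied.
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ],
    }

def _action_matches(pattern, action):
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def denied_by(policy, action, secure_transport, sse_header=None):
    """Return the Sid of the first Deny that fires, or None.

    Constructed stand-in for the real S3 evaluator: it only understands the two
    condition operators this policy uses (Bool on aws:SecureTransport and
    StringNotEquals on the s3:x-amz-server-side-encryption request header).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        cond = stmt["Condition"]
        if "Bool" in cond:
            want = cond["Bool"]["aws:SecureTransport"] == "true"
            if secure_transport == want:
                return stmt["Sid"]
        if "StringNotEquals" in cond:
            for value in cond["StringNotEquals"].values():
                if sse_header != value:        # absent header also counts as "not equal"
                    return stmt["Sid"]
    return None

if __name__ == "__main__":
    print(json.dumps(bucket_policy("example-app-bucket"), indent=2))
```

Apply the printed document with `aws s3api put-bucket-policy`; a PUT over HTTPS that sets `x-amz-server-side-encryption: aws:kms` is the only upload path left open.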
2. It is very important to run audits, configure backups and implement disaster recovery strategies, so:
- Continuously audit server accesses, IP address entries, data access, etc. Track, log and store all this information so that it can be accessed whenever it is required.
- Use backup EC2 instances for failover recovery, and assign an Elastic IP to each one of them.
- Launch your EC2 instances in multiple Availability Zones to create fault tolerant systems.
Now you have learned about some of the AWS security best practices for adding and ensuring security on your AWS infrastructure, as well as for ensuring compliance with the HIPAA and PCI standards. If you still have doubts, or you are thinking of applying some of these practices, we can help you.
Here at ClickIT Smart Technologies, we are committed to offering our customers the best security solutions to protect their AWS assets, which guarantees that their websites and applications will have high availability and performance. We worked with Curacao, which had a portal with poor security, and we improved it. So, feel free to contact us, and we will design the best security approach for your AWS infrastructure to help you meet your business expectations and goals.