It wasn’t all that long ago that ‘security’ was considered a major impediment to the adoption of cloud computing services. Happily, the theoretical problems of having your data on someone else’s computer have largely not materialised in the way the sceptics predicted: the cloud breaches that do make the news are overwhelmingly the result of customer-side misconfiguration rather than a failure of the provider’s platform. That’s why cloud computing, including infrastructure and platform services from Amazon Web Services and many other providers, has become the de facto way of resourcing companies from the smallest to the biggest.
But that doesn’t mean you should take security for granted. Far from it: under AWS’s shared responsibility model the provider secures the underlying infrastructure, while everything you put on it (your identities, network configuration, data and patching) is yours to protect. The risks of cyber attack or data compromise are very real, and there are very definite measures you (and your trusted IT service provider) must take.
Check out these six Security Best Practices which should be an absolute minimum to keep your data and services safe.
1. Learn and understand the AWS Security Basics
‘Back to basics’ is always good advice when it comes to security (it is widely recognised that many security breaches happen because the fundamentals were ignored or overlooked). No matter what your proficiency in information security, it’s an excellent idea to start with the basics as they apply to AWS. And of course, AWS makes it easy for you to do so. Check out the Security Best Practices white paper. It provides a thorough overview of the concepts, structures and methods you’ll need to know to establish a sound security posture for your AWS environment.
Some of the advice will sound familiar; for example, changing all vendor-supplied defaults (default passwords, Simple Network Management Protocol (SNMP) community strings and the like) and hardening the baseline configuration before an instance goes into service. Other recommendations include:
- Disabling all unnecessary or redundant user accounts.
- Implementing a “single primary function” model for each Amazon Elastic Compute Cloud (EC2) instance (keeping web servers, databases and DNS on separate instances, so that a compromise of one does not hand over the others).
- Disabling all unnecessary functions such as scripts, drivers, features and subsystems.
Note that the AWS Security Best Practices white paper is dated August 2016; don’t let that put you off. The principles are not bound by time, and AWS’s newer Well-Architected Framework Security Pillar covers the same ground with current service names.
2. Target the Roots
Root user permissions are both powerful and dangerous, and for the same reason: they allow unfettered access to every resource in your AWS account, and that access cannot be restricted by an IAM policy. The advice here is as simple as it is effective: don’t use the root user for day-to-day work. Create IAM users or, better, roles with only the permissions each job needs, protect the root credentials with MFA and lock them away, and delete any access keys that belong to the root user.
Put the “principle of least privilege” in place, cut the total number of permissions granted, and this one measure delivers a substantial boost to overall security. Couple it with monitoring of API calls: turn on CloudTrail in every region, deliver the trail to a CloudWatch Logs log group, and create a metric filter and alarm there that fires on any use of the root user, console sign-ins included. With that, your AWS implementation has most of the heavy lifting sorted.
Configuring these options can be mildly complex or challenging, so be sure to discuss it with one of our Amazon Certified Solution Architects to get it done right (and in such a manner that it doesn’t inhibit the performance or convenience of your AWS instances).
3. Multi-Factor is a must
The easy days of ‘username and password’ were also easy for cyber attackers. More simple advice, and the sort that routinely falls on deaf ears: always use multi-factor authentication (MFA).
Amazon recommends enabling MFA on the root user and on every IAM user that has a console password. With MFA, a sign-in needs the username and password plus a second factor: a time-based one-time code from a virtual MFA app or a hardware token, or a tap on a FIDO security key or passkey. The code is generated on the device from a shared secret and the current time; it is not sent to you by email or text message, so a phished password on its own no longer gets an attacker in.
Again, putting MFA into place isn’t particularly difficult, time consuming or complicated, but doing it right does depend on some knowledge of the intricacies involved. As your AWS partner, we’re always happy to assist if you need some help.
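The two alarms that sections 2 and 3 ask for, root-user activity and console sign-ins without MFA, come down to two simple predicates over CloudTrail records. The Python below is an added example, not code from the original article or from AWS: it reproduces the CIS AWS Foundations Benchmark metric-filter patterns (quoted in the docstrings) so the same logic can be run over CloudTrail files delivered to S3. The records, account number and user names are constructed.

```python
"""Flag CloudTrail events that a root-usage / MFA baseline should alarm on.

Added example, not code from the original article or from AWS. The two
predicates reproduce the CloudWatch Logs metric-filter patterns from the
CIS AWS Foundations Benchmark ("root account usage" and "console sign-in
without MFA") as plain Python. All records below are constructed.
"""
import gzip
import json

ACCOUNT = "111122223333"  # placeholder account id

# Constructed CloudTrail records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {   # root signing in to the console, with MFA: still a root-usage hit
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # root making an API call: the classic finding
        "eventName": "CreateUser", "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
    },
    {   # IAM user signing in with a password only
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an AWS service acting under the root identity: excluded, not a human
        "eventName": "PutObject", "eventType": "AwsServiceEvent",
        "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"},
    },
    {   # ordinary role-based API call: nothing to report
        "eventName": "DescribeInstances", "eventType": "AwsApiCall",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Ops/bob"},
    },
]


def is_root_usage(event):
    """CIS filter: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }. Service-initiated events are dropped so the
    alarm fires only when a person (or a leaked root key) is using the root user."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(event):
    """CIS filter: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def actor_of(event):
    """Best available label for who performed the action."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def triage(events):
    """Return (reason, actor, eventName) for every event that trips a check."""
    findings = []
    for ev in events:
        if is_root_usage(ev):
            findings.append(("root-usage", actor_of(ev), ev["eventName"]))
        if is_console_login_without_mfa(ev):
            findings.append(("console-login-no-mfa", actor_of(ev), ev["eventName"]))
    return findings


def load_cloudtrail_file(path):
    """Read one gzipped CloudTrail delivery file ({"Records": [...]}) downloaded from S3."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for reason, actor, name in triage(SAMPLE_EVENTS):
        print(f"{reason:22} {name:16} {actor}")
```

For the real-time alert the section describes, put the same two patterns into CloudWatch Logs metric filters on the CloudTrail log group and alarm when the sum is at least 1 over five minutes. One caveat: federated sign-ins through an identity provider report MFAUsed as “No” because the second factor happens at the IdP, so if you federate, add a `$.userIdentity.type = "IAMUser"` condition to the second filter or it will page you constantly.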
4. Secure the Virtual Private Cloud
With your root access permissions sorted and MFA in place, the identities in your AWS account are in good shape. But there are a few more steps to go, and the next important one is the network layer. Doing this means securing every virtual private cloud (VPC) you run, and again, this isn’t as complicated as it sounds.
Rather than using the default VPC as it ships, build one with a public and a private subnet in each availability zone. The public subnets get a route table whose default route (0.0.0.0/0) points at an internet gateway, so the load balancers and bastion hosts placed there are reachable from the internet. The private subnets hold the application servers and databases; their default route points at a NAT gateway that sits in the public subnet of the same availability zone, so they can reach out for updates while nothing on the internet can open a connection to them. Do not give a private subnet a route to the internet gateway, and do not put a NAT gateway in a private subnet; either mistake defeats the design. You can build the routing by hand, or let the VPC creation wizard in the console generate the subnets, one NAT gateway per availability zone with its Elastic IP, and the matching route tables for you.
And if all that sounds a little on the ‘techie’ side, you know what to do.
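To make the routing rules concrete, here is an added Python example (not code from the original article or an AWS tool) that classifies subnets as public, private or isolated from route-table data in the shape `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` return, and flags the two mistakes described above. The IDs, tables and function names are constructed placeholders.

```python
"""Classify each subnet from its route table and catch the two mistakes that
silently undo a public/private VPC design.

Added example, not code from the original article or from an AWS tool. The
input mirrors `aws ec2 describe-route-tables` (RouteTables[].Routes and
.Associations) and `aws ec2 describe-nat-gateways` (NatGateways[].SubnetId);
every ID below is constructed. Subnets that fall back to the VPC's main
route table (no explicit association) are not covered here.
"""

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
    # Mistake 1: a subnet meant to be private has its default route on the IGW.
    {"RouteTableId": "rtb-private-b",
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    # An isolated subnet with no default route at all, e.g. for a database tier.
    {"RouteTableId": "rtb-db",
     "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub-a"},
    # Mistake 2: a NAT gateway in a private subnet has no path to the IGW, so every
    # private subnet routing through it silently loses outbound connectivity.
    {"NatGatewayId": "nat-0bbb", "SubnetId": "subnet-priv-a"},
]

# Which subnets the design says must not be reachable from the internet.
INTENDED_PRIVATE = {"subnet-priv-a", "subnet-priv-b", "subnet-db-a"}


def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if there isn't one."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("NetworkInterfaceId") or route.get("TransitGatewayId"))
    return None


def classify_subnets(route_tables):
    """Map SubnetId -> 'public' (default route to igw-*), 'private' (any other
    default route, typically a NAT gateway) or 'isolated' (no default route)."""
    kinds = {}
    for rt in route_tables:
        target = default_route_target(rt)
        if target is None:
            kind = "isolated"
        elif target.startswith("igw-"):
            kind = "public"
        else:
            kind = "private"
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = kind
    return kinds


def audit_vpc(route_tables, nat_gateways, intended_private):
    """Human-readable findings for the two design mistakes, subnets first."""
    kinds = classify_subnets(route_tables)
    findings = []
    for subnet in sorted(intended_private):
        if kinds.get(subnet) == "public":
            findings.append(f"{subnet}: intended private but its default route points at an internet gateway")
    for ngw in nat_gateways:
        if kinds.get(ngw["SubnetId"]) != "public":
            findings.append(f"{ngw['NatGatewayId']}: NAT gateway is in {ngw['SubnetId']}, which is not a public subnet")
    return findings


if __name__ == "__main__":
    for subnet, kind in sorted(classify_subnets(ROUTE_TABLES).items()):
        print(f"{subnet:14} {kind}")
    for finding in audit_vpc(ROUTE_TABLES, NAT_GATEWAYS, INTENDED_PRIVATE):
        print("FINDING:", finding)
```

Run against a live account, the only change is to feed `classify_subnets` the `RouteTables` list from the API and `audit_vpc` the `NatGateways` list, with the private subnet IDs taken from whatever tagging scheme your design uses.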
5. Encrypt and comply
Encryption of data at rest and in transit is considered essential in this day and age, and of course that applies to your AWS workloads too. Make sure your Amazon Relational Database Service (RDS) instances are encrypted at the storage level with a KMS key. Note that this has to be chosen when the instance is created: an existing unencrypted instance cannot simply be switched over, you snapshot it, copy the snapshot with encryption enabled and restore from the copy. Require TLS on client connections as well (each database engine has a parameter-group setting for this), so the data is protected on the way in and out.
Taking this step doesn’t only protect your data, a handy benefit in the first instance. It also satisfies a control that compliance regimes such as the payment card standard PCI DSS and the EU’s GDPR expect to see, though it is one control among many, not compliance in itself.
Security is never static and nor should your approach to it ever come to a standstill. Identity and Access Management (IAM) access keys, like passwords, shouldn’t be ‘carved in stone’. Rotate them regularly (90 days is the commonly used benchmark), delete any that belong to the root user, and wherever a workload runs on AWS prefer an IAM role, whose temporary credentials expire on their own, over a long-lived key. The IAM credential report lists every user’s keys with the date each was last rotated, which makes the stale ones easy to find.
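As an added illustration of the rotation check (not code from the original article or from AWS), the Python below parses an IAM credential report, the CSV that `aws iam get-credential-report` returns once base64-decoded, and lists access keys older than 90 days, console users without MFA, and any active root access keys. The column names are the report’s real ones; the rows, account number and reference date are constructed.

```python
"""Find stale access keys, console users without MFA and root access keys in an
IAM credential report.

Added example, not code from the original article or from AWS. The input is the
CSV returned by `aws iam get-credential-report` (after base64 decoding). The
column names are the real ones; the rows below are constructed, and `now` is
passed in explicitly so the checks are reproducible.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed report: a root user that still has an access key, a console user
# without MFA, and a service user whose key has never been rotated.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-30T07:12:00+00:00,not_supported,not_supported,true,true,2021-03-02T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T10:00:00+00:00,true,2024-05-31T16:40:00+00:00,2024-04-01T10:00:00+00:00,N/A,false,true,2024-05-10T00:00:00+00:00,2024-05-31T16:45:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-10-15T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-01T00:00:00+00:00,2024-05-31T23:10:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time for the sample


def parse_report(csv_text):
    """One dict per user, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def stale_access_keys(rows, now, max_age_days=90):
    """(user, key slot, age in days) for every active key older than max_age_days."""
    findings = []
    for row in rows:
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # inactive slots report N/A for the rotation date
            rotated = datetime.fromisoformat(row[f"{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def console_users_without_mfa(rows):
    """Users who can sign in to the console but have no MFA device enabled."""
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def root_access_keys(rows):
    """True if the root user has any active access key; AWS says to delete them."""
    return any(r["user"] == "<root_account>"
               and (r["access_key_1_active"] == "true" or r["access_key_2_active"] == "true")
               for r in rows)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for user, slot, age in stale_access_keys(rows, NOW):
        print(f"rotate {slot} of {user}: {age} days old")
    for user in console_users_without_mfa(rows):
        print(f"enable MFA for {user}")
    if root_access_keys(rows):
        print("delete the root user's access keys")
```

The report is generated on demand (`generate-credential-report`, then `get-credential-report`), so the same three functions can run from a scheduled job and feed a ticket or an alert; the root user is deliberately excluded from the console check, since its `password_enabled` column is reported as `not_supported` and root MFA is enforced separately.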
6. Create a separate account for auditing and logging
There’s one last Security Best Practice for AWS, and that’s separating your ‘day to day’ business accounts and logins from those used for overview and review. Send CloudTrail, VPC flow logs and similar records to an S3 bucket in a dedicated logging account that the workload accounts can deliver to but not read from or delete, and give auditors their own identities in that account. This allows for unimpeded operations while also providing the necessary access for oversight; it also means that anyone who compromises a workload account cannot quietly alter or erase the evidence. Keeping the accounts separate means there is never any ‘muddying of the waters’, and it maintains the separation of duties one expects between auditors and those doing the work.