What is AWS Security? Risks, Best Practices, and More

Learn about Amazon Web Services (AWS) security in Data Protection 101, our series on the fundamentals of information security.

INTRODUCTION TO AMAZON WEB SERVICES

Amazon Web Services (AWS) is the leading provider of on-demand cloud services with more than a million customers.

When the cloud was still new, the perceived lack of security hindered people from adopting it. While cloud security has come a long way, there are still many risks associated with it. Following recommended best practices can help mitigate those risks as you build your infrastructure and store and transmit your data with AWS.

AWS SECURITY RISKS

AWS security is not fail-safe and operates on a Shared Security Responsibility model. This means that Amazon secures its infrastructure while you have your own security controls in place for the data and applications you deploy and store in the cloud.

Unlike your on-site systems, which have a hierarchical structure and a peripheral network that scrubs and analyzes data being transmitted, AWS makes it possible for every instance to communicate with the Internet. The exposed applications structure requires you to strengthen existing security controls. This includes continuously updating your security configurations with sufficient patching, strong firewall configurations, and proper network security implementations.

Furthermore, you should constantly manage your users, including third party vendors and suppliers, and limit privileges. Be sure to delete unused accounts with old credentials as they can easily be targets for breaches.

BEST PRACTICES FOR AWS SECURITY
In August 2016, Amazon released a 74-page document detailing the best practices for AWS users. Some of the biggest takeaways are:

Think of security at every layer. Instead of using just one firewall to secure all of your virtual networks, be sure to use virtual firewalls on every network that you create.
Make sure that every activity is traceable and that you manage privileges meticulously. You should be able to see which users did what on your systems. Be strict with access controls and have authentication. Only a few trusted people should be able to access the root and modify settings at that level.
Keep track of all actions, modifications, and points of exit and entry in your AWS deployments. Not only should you be able to tell who did what on your cloud platform, but you should also create alerts to warn you of unusual activities.

Have customized image templates of all of your virtual servers. You can use these images when you launch a new server. The Amazon Machine Image service can create these reusable templates every time you spin up an EC2 instance. These images will already include your security settings.

Be sure to encrypt every piece of sensitive data that you store in or transmit over your AWS environment. You can opt to encrypt your data on-site and then send it to your AWS deployment. You can also store the encryption keys behind your own firewall and just use Amazons hardware security module to make sure that they work properly. Data key caching is a recent introduction from AWS which offers benefits such as reduced latency, but there are some security tradeoffs to consider.

Perform regular audits to ensure regulatory compliance. AWS offers a robust suite of Compliance Resources, including an auditing security checklist which helps businesses perform self-audits to ensure that regulatory requirements are met.
GO DEEPER

Cloud Data Protection

AWS SECURITY TOOLS
Amazon has a variety of security tools available to help implement the aforementioned AWS security best practices. Here are the top AWS security tools:

CloudTrail allows you to monitor your systems by recording the API requests used to manage SDK deployments, management consoles, accounts, services, and command lines. With these event logs, you can troubleshoot incidents and simplify compliance auditing.
AWS WAF (Web Application Firewall) allows you to create custom rules to keep your agile developments secure from common attacks such as SQL injections and XSS.
Amazon Inspector gives you security evaluations for your applications and looks for vulnerabilities.

Amazon Cognito is used for identity management. It can detect brute force authentication, as well as fraudulent login attempts. Amazon Cognito works with third party services such as Microsoft Active Directory, Google and Facebook, allowing you to specify additional validation methods.
CloudHSM helps you generate encryption keys using managed hardware security modules, or HSMs, stored on your AWS deployments.

CloudFront is Amazons content delivery network. It protects your applications from DDoS attacks and allows you to transfer data securely at high speeds.

BEST PRACTICES FOR CHOOSING AN AWS SECURITY SOLUTION
With the help of a cloud security solution, businesses can easily manage their responsibilities for securing their sensitive data and applications in the cloud. Here are some best practices to help you choose the right solution:

Easy integration. Choose a security solution that integrates with AWS to make the process painless.
Maintain visibility and control. To be able to effectively audit and control compliance, choose a solution that allows total visibility and control. Ideally, a security solution will provide the visibility necessary for identifying sensitive data in the cloud and then implement automated, immediate responses to keep your organization in compliance.

Context, system, and user awareness. A security solution should be context-, system-, and user-aware to more effectively identify and block suspicious behavior and protect your data without interrupting the flow of operations.
Automatic response to user activity. Choose a cloud security solution that automatically prompts or blocks user activity based on context, logs the event, and audits the activity for forensic analysis.

Detailed logging and reporting. A good cloud security solution offers detailed logging and reporting for analysis, allowing you to identify patterns and trends and adjust data protection programs accordingly.

Unified cloud and on-premise security. Some solutions work in tandem with on-premise data protection solutions, allowing for more comprehensive security and consistent policies. By simplifying policy management, you will cut down on costs and eliminate policy gaps that can lead to vulnerabilities.
While Amazon has helped lower security risks by publishing best practices and developing a suite of tools, you must also enforce the proper controls and protocols and manage your users to secure your data and applications. In addition, implementing a third-party cloud security solution will help ensure compliance and unify your cloud and on-premise policies and initiatives to achieve maximum security for your organization.