The global information technology industry is worth around $5 trillion. To put that in perspective, the global oil and gas market is worth $5.8 trillion. IT is an enormous industry because every business depends on IT infrastructure. That makes infrastructure security a priority for organizations, from sole proprietorships to multinational corporations and governments.

As a business owner or executive, you are responsible for creating and managing a secure infrastructure platform. But how can you build secure IT infrastructure when your business lacks infrastructure security expertise and experience?

Every business is unique, and there is no one-size-fits-all security solution. However, we can explore five strategies that help companies protect their data while complying with security and privacy regulations.

Why IT Infrastructure Security Is Important

We all understand why IT infrastructure security matters. Leaked private data may have catastrophic legal and financial consequences. Ransomware infections force businesses to choose between losing a valuable asset and handing money to criminals. Cybercrime can take down critical systems, disrupting business operations and damaging reputations.

But few are aware of cybercrime’s true scale, prevalence, and cost.

  • The average cost of a data breach in the U.S. is $8.64 million.
  • The global cost of cybercrime is an estimated $6 trillion and is expected to grow to $10 trillion by 2025.
  • There were 304 million ransomware attacks in 2020, double the previous year.
  • The average ransomware payout grew from less than $10,000 in 2018 to more than $233,000 by the end of 2020.
  • In 2020, 300 million people were impacted by data breaches.

Cybercrime is a risk every business faces. Asking whether criminals will attack your IT infrastructure is the wrong question. Your infrastructure will be attacked; it’s just a matter of time. The real question is what you can do to make sure that the attackers fail.

5 Steps to Outstanding IT Infrastructure Security

The specifics of IT infrastructure security depend on your business’s infrastructure needs and regulatory environment. An SME storing customer relationship management records in the cloud has different security and privacy requirements from a healthcare provider storing private healthcare information or a payment processor who must comply with PCI DSS.

However, the following high-level guidelines will help any business to build a more secure IT infrastructure.

Build on Secure Cloud Platforms

Cloud platforms are a more secure option than colocated or managed servers hosted in a data center. The self-managed non-cloud option may be suitable for companies with infrastructure security expertise and resources. But for the average business, cloud platforms offer a superior balance of control, cost, and security.

Businesses hosting code on infrastructure they own and operate are entirely responsible for securing that infrastructure. That includes the servers, their operating systems and library code, services such as databases and web servers, application code, networks, and more.

In contrast, the cloud vendor takes care of the low-level security details on a cloud platform, including physical security. That doesn’t mean cloud platforms are intrinsically secure. They are not, but they help businesses with limited security resources to achieve better security outcomes than they otherwise could. They provide a solid foundation on which companies can build secure infrastructure.

Building in the cloud doesn’t absolve businesses of security obligations. Cloud security is a shared responsibility. Companies that don’t follow cloud security best practices put their data at risk, which brings us to our next infrastructure security strategy.

Create and Enforce IT Security Policies

IT infrastructure security starts at the top of the org chart. As KirkpatrickPrice Information Security Auditor Shannon Lane points out, “When building a foundation for a culture of compliance, you must start from the top.” The leadership team and senior executives must craft policies and implement organizational structures that support infrastructure security and compliance.

We explored this concept in more detail in How to Design Effective Security Compliance Programs. In essence, businesses who want to improve IT infrastructure security should:

  • Create policies that set minimum security standards for IT infrastructure.
  • Make executives, managers, and team members responsible for implementing those policies.
  • Monitor and audit infrastructure security to ensure that policies are complied with.

The last of these points is particularly important. Without a feedback structure, an organization’s leadership is likely unaware of how security policies are implemented or if they are implemented at all.

Employ Cloud Security Experts to Verify Your Cloud Configurations

As we mentioned in this article’s introduction, cloud platforms like AWS and Microsoft Azure operate a shared responsibility model for security. They provide secure foundations but don’t prevent misconfigurations that may lead to security vulnerabilities.

For example, businesses can store sensitive data securely in AWS S3 buckets if access permissions are correctly configured. However, S3 users often accidentally expose sensitive data with permissive access permissions. We explored several AWS security vulnerabilities caused by human error in Do These 8 Vulnerabilities Affect Your Infrastructure’s AWS Security?

We recommend hiring a third-party cloud expert to verify your cloud configurations. A Remote Cloud Security Assessment reviews AWS, Azure, and Google Cloud configurations to identify potential vulnerabilities and provide actionable guidance to help businesses mitigate cloud infrastructure security risks.

Invest in Security Awareness Training for Employees

A lack of security awareness is often the root cause of cloud security vulnerabilities and data breaches. Managers and employees make mistakes when they are not aware of the risks and how to deploy and configure cloud infrastructure securely.

Security firm Kaspersky Lab recently revealed that most cloud security breaches are a consequence of social engineering, not technology failures. Bad actors use phishing attacks, executive impersonation techniques, and other forms of social engineering to gain access. These attacks target senior executives (whaling) and other employees with access to sensitive data.

Correct cloud security configurations and access controls are of limited help. Bad actors manipulate insiders with legitimate access to bypass security controls. Security awareness training helps employees to understand security risks and comply with security and privacy best practices.

Conduct Regular Cloud Security Audits

A cloud security audit is a comprehensive review of a business’s cloud security controls. Cloud security auditors analyze and report on controls for data, operating systems, networks, and access controls, among other relevant factors. An audit helps businesses to verify that their cloud security policies, configurations, and training are effective.

Audits have two primary benefits:

  • An independent expert verifies cloud infrastructure security and highlights failings that may expose businesses to security and compliance risks.
  • The business can demonstrate to customers and clients that it takes security seriously and complies with recognized industry standards.

Cloud security audits are based on the CIS benchmarks for AWS, Azure, and GCP. Businesses required to comply with other information security frameworks such as PCI DSS, HIPAA, and SOC 2 benefit from audits tailored to those frameworks.

KirkpatrickPrice is a licensed CPA firm that specializes in information security audits for regulatory frameworks and industry standards that include:

To learn more about AWS security, visit our AWS Cybersecurity Services, which offers an extensive library of actionable cloud security guidance.

A Guessing Game

Picture this – Halloween in the ’80s. A classroom full of students at their desks, staring at a large object hidden under a blanket. The guessing game had only just begun. Gasps filled the room as our teacher revealed a gigantic pumpkin. “If you guess how much it weighs, it’s yours!” Our teacher was encouraging a creative lesson on estimation.

The only thing keeping that pumpkin from being carved and glowing on my front porch was my correct estimation of its weight. Some of my peers jotted down their answers without a second thought, and others stared at the ceiling in boredom, but those who were crafty compared it with objects of a similar size. So that is just what I did.

Comparing Vulnerabilities from Past Projects

The process of penetration testing is often the same.

Penetration testers are expected to find the unseen cracks in an organization’s security. Just as the pumpkin from the story had an unknown weight, client environments have undiscovered vulnerabilities. When an organization undergoes a penetration test, they expect the hired tester to discover all their neglected vulnerabilities within the limited amount of time in the engagement. Because of this, penetration testers can often compare tests to those they have done in the past. If they have observed one organization make a mistake, they will see a similar vulnerability hidden in another.

For example, when I examine a web application and find an area for file uploads, I immediately reference past projects where I succeeded in compromising a similar vulnerability. In a recent penetration test, I noticed that the web application contained an area in a note for embedding HTML code. Referencing a previous test, I began writing a new note with HTML tags and JavaScript code to test for Cross-Site Scripting. Sure enough, the application was vulnerable to Stored Cross-Site Scripting.

You Need Experienced Penetration Testers

Experience is what makes penetration testers experts who can make educated comparisons and conduct advanced testing. Without past projects to reference, inexperienced penetration testers are just playing a guessing game. At KirkpatrickPrice, our team has an average of fifteen years in the industry. You can count on our penetration testers to make the most of the time constraints and discover your most vulnerable gaps.

As for the pumpkin contest, I did win. The correct guess was 75.5 pounds, and I put down 75. When my teacher asked how I came to that estimation, I merely answered: “The pumpkin looked about the size of my sister.”

Who knew that I would spend the rest of my life playing a similar game of comparison?

Cloud platforms make it easier for businesses to leverage complex technologies. Instead of buying, configuring, and managing a physical server, you deploy an instance of a server in the cloud. Instead of licensing, installing, and updating enterprise software, you deploy software for the time and purpose that you need through your provider. Cloud platforms provide many technical intricacies through a user interface, but sometimes how and what you should configure securely is not obvious. You may not be responsible for physical servers and networks, but you are responsible for the security configuration and privacy of business and customer data in the cloud.

That’s why it’s vital your company chooses the right cloud security provider or managed cloud security service to support you in your objectives. In this article, we will explore what a cloud security provider is and help you choose the right provider for your business. We’ll also take a look at some of the limitations of cloud security providers and what they can’t do. 

What is a Cloud Security Provider?

Cloud security providers offer services that help businesses to use cloud environments securely. Companies in this space range from managed security service providers (MSSPs) who offer outsourced cloud monitoring and management to SaaS and cloud software vendors with products that help businesses to avoid common cloud security issues. Cloud security software typically leverages platform APIs, adding enhanced security functionality that is not available on the platform itself. 

Among the services a cloud security provider may offer are:

  • Security hardening, including configuration analysis to identify and mitigate vulnerable security and privacy configurations. 
  • Log analysis to identify security events and threats.
  • Exploit prevention through patching or firewall configuration. 
  • Network intrusion and threat detection. 
  • Malware scanning and ransomware protection. 

Cloud security providers typically have expertise in a specific cloud platform, although some offer solutions targeting multiple cloud platforms or hybrid clouds with cloud and on-premises infrastructure. 

Does Your Business Need a Cloud Security Service?

Cloud platforms, including Amazon Web Services (AWS), operate a shared responsibility model for security. The vendor takes care of some aspects of security, leaving others to the customer. Where exactly the line is drawn depends on the service: IaaS leaves more to the user than SaaS, but the user always retains some responsibility. 

For example, AWS provides secure data storage, but if the user uploads unencrypted data to an S3 bucket with misconfigured access permissions, the platform will do nothing to stop them. 

That’s where cloud security providers come in. Cloud security providers help cloud users with their share of the cloud security and privacy burden. They offer services that enable businesses to avoid the type of mistake just described. However, the ultimate responsibility for information security and privacy always rests with your company. If private customer data leaks or your business fails to comply with HIPAA or PCI DSS, you will suffer the consequences, not the cloud security provider. 

5 Questions to Ask Cloud Security Service Providers

Businesses should assess cloud security providers before engaging them, but information asymmetry can make this difficult. You may need help precisely because your organization lacks internal cloud security expertise. But without that expertise, how can you adequately assess the services on offer? A vendor compliance assessment can help, and in the initial stages of vendor research, asking the following questions will give you an idea of a prospective vendor’s capabilities. Ultimately, communication and clear expectations are key.

Is Cloud Security Your Core Competency?

Many MSSPs and cloud outsourcing service providers offer security-related services. However, “cloud security” is a broad area. A service provider may advertise their ability to make your cloud environment more secure. But their security efforts may be limited to deploying an off-the-shelf monitoring solution that will bombard your internal team with alerts. Also, the default services may not be as comprehensive as you need. For example, they may monitor Windows systems but not Linux. 

That may be all you’re looking for, but an expert cloud security provider can go much further. They will employ a technical team with expertise in IT and cloud security. Their technicians will have hands-on experience with real-world cloud environments and understand how to mitigate potential security issues. Just as important, they will understand the regulatory environment your company operates in and how to leverage cloud technologies to maintain compliance. 

Before engaging a cloud security vendor, ask about their experience, qualifications, certifications, and tools. 

What Will You Do to Keep Our Data Secure?

This question elicits information about the vendor’s products and processes. As we said earlier, businesses need to know what cloud vendors mean by “cloud security.” You may want to ask the following questions:

  • Will you assess our cloud environment’s configuration for mistakes that may cause security vulnerabilities?
  • Will you monitor our environment for potential intrusions and malware?
  • When you find a problem, will you help mitigate the risk, and what form will that help take?
  • Do your services include asset discovery, threat intelligence, and behavioral monitoring?
  • How do you document actions taken and assigned tasks? 

If possible, you should have a clear idea of your cloud security issues before beginning the vendor selection process. If you know what you are trying to achieve, you can ask focused questions about how the vendor can help you meet those objectives. Businesses lacking internal cloud security expertise should consider hiring an independent third party to assess cloud security risks and develop a mitigation plan. 

Does Your Infrastructure Comply with Information Security Standards?

Consider the following scenario. A company contracts with a cloud security provider to reduce risk and ensure sensitive data storage and processing complies with information security and privacy standards. The company gives the provider access to its cloud environment. Later, the provider’s network is hacked, and bad actors gain access to the data the company hired the vendor to protect. 

This is not an unusual outcome, so it’s essential to verify prospective cloud security vendors follow best practices for their own infrastructure and software. Third-party security audits are helpful here. Ask prospective vendors to demonstrate they are compliant with relevant industry standards, such as SOC 2 and ISO 27001. Also, be sure to inspect their penetration testing results.

Do You Understand the Security and Privacy Concerns of My Industry?

Ensure that cloud security vendors understand your industry’s legal and regulatory requirements. The specifics vary, and a vendor focused on general cloud security concerns may not have the experience or expertise to help you comply with HIPAA, PCI DSS, FISMA, and other standards. 

Do You Offer Security Awareness Training?

Cloud security concerns more than just technology. Many data breaches result from human error and inadequate awareness of security risks. Security awareness training tailored to your company’s security and compliance needs can reduce security risk while improving compliance. 

The Limitations of Cloud Security Providers

A cloud security provider or managed security service provider can reduce security risks, but they can’t objectively verify that your cloud environment is secure or compliant. The optimal approach combines cloud security best practices with cloud security assessments and audits by a qualified independent auditor with cloud and information security expertise. 

KirkpatrickPrice is a licensed CPA firm specializing in information security compliance. Contact a cloud security expert to learn how we can help your business improve cloud security and comply with relevant regulations and industry standards.

Security compliance is a primary concern for data-driven, technology-empowered businesses. On the one hand, they face internal and external security threats ranging from ransomware and phishing attacks to malicious insiders and human error. On the other hand, regulatory frameworks such as HIPAA and the GDPR impose stringent security and privacy standards with legal and financial penalties for non-compliance. 

A security compliance program helps a business to own its compliance risks. However, there are numerous challenges along the path to a security compliance program that supports long-term compliance goals. This article explores security compliance programs and suggests strategies to help businesses manage security compliance risks.

What Is a Security Compliance Management Program?

A security compliance program is the policies, procedures, and processes an organization creates to maintain security standards, typically based on regulatory frameworks such as HIPAA or recognized industry standards such as SOC 2. 

Security compliance programs also encompass the mechanisms by which the organization reviews and assesses information management practices. Without ongoing monitoring and auditing, it’s impossible to verify the organization is complying with its own policies.

Perhaps most important, security compliance programs are people-focused; they aim to create a management framework with resources and incentives that encourage employees to follow security best practices. 

An organization without a security compliance program may follow security best practices in an ad-hoc manner, but then again, they may not. Information security and privacy concerns are often deprioritized relative to other business goals. A security management program supported by an organization’s leadership helps align business practices with security compliance objectives. 

A security compliance management program enables organizations to:

  • Comply with regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standards (PCI DSS), among many others. 
  • Protect data assets and reduce the legal, financial, and reputational risk of regulatory compliance failures. 
  • Design policies and implement processes that allow executives to exercise control over the organization’s security posture.
  • Monitor and verify security compliance.

Those interested in building a security compliance program may find it instructive to read the U.S. Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs. Although broader in scope than information security, it explains the factors that prosecutors look for when evaluating compliance. These include the presence of risk assessments and risk management processes, well-designed and comprehensive policies, risk-based training, properly scoped investigations by qualified personnel, internal and external audits, and more.

The Components of Effective Security Compliance Management 

A security compliance management plan is tailored to the business’s needs and the environment in which it operates, but effective security compliance programs are built on the following components. 

Security Compliance Policies

Policies are the key documents in a security compliance management program. Security compliance policies describe the minimum security standards with which the organization intends to comply. Policies should be informed by a variety of factors, including:

  • The organization’s business objectives,
  • The regulatory environment in which the business operates, and
  • The specific risks the organization faces. 

Policies are long-lasting, high-level documents, but they are not permanent. A company must be prepared to evolve policies in response to changes in the organization, its operating environment, and the technology on which it relies. 

Structures to Implement Security Compliance Policies

Policies are only useful insofar as they are implemented, but this is often the biggest challenge. Security compliance impacts almost all aspects of modern business: data is a key asset, and information technology is ubiquitous. 

There are two possible approaches. The first is to “bolt” security compliance onto existing business processes. However, as Gartner’s research makes clear, this is unsustainable and unscalable. It makes security a potential hindrance to normal operations, creating the risk that compliance processes are bypassed as managers and employees prioritize efficiency. 

The second approach is to make security compliance an integral part of business processes. As workflows are designed, compliance is “baked in,” informing organizational structures, processes, relationships with business partners, and technology choices. 

Learn more about building compliant business processes in Auditor Insights: Compliance from the Start.

Whichever approach is chosen, security compliance management requires leadership and clear communication with stakeholders throughout the organization. A typical security compliance management structure includes:

  • A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. 
  • Participation from relevant stakeholders within the organization. This might include stakeholders from IT, information security, sales, finance, and other business units. The IT department plays a critical role in security compliance. Still, other stakeholders should also be involved to reduce the risk of security compliance procedures failing to align with broader business objectives. 
  • A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business. For example, the compliance manager may work with IT to implement encryption policies for sensitive data. The compliance manager also gathers evidence to assess compliance efforts’ effectiveness and inform future policy and process changes. 

Additionally, it is usually necessary to offer information security training. Any employee who has access to potentially sensitive data should receive security awareness training that prepares them to comply with information security policies. 

Security Compliance Evaluation and Auditing

Compliance monitoring and internal audits are essential. Security compliance is a continuous process of implementation and evaluation. Policies evolve as regulatory standards change, and procedures and outcomes must be re-evaluated to ensure they meet security compliance objectives. Internal monitoring and evaluation should be augmented by external audits conducted by experienced auditors with information security expertise.

Implementing a Security Compliance Management Program for Your Business

There is no universally applicable template for building a compliance management program. Every company is different, and so are its compliance requirements. However, most businesses benefit from a plan that follows these steps.

  • Conduct a risk assessment to establish which risks the company faces, including compliance risks. 
  • Develop policies and standards to mitigate those risks. 
  • Appoint a compliance leader to oversee implementation and communication with stakeholders. 
  • Implement processes, procedures, and tools that support compliance policies. 
  • Train and educate employees to understand your compliance objectives and the role they play in achieving them. 
  • Monitor compliance and conduct internal and external audits to measure how effective your compliance efforts are. 
  • Act to correct risks and compliance failings identified by monitoring and audits. 

As we mentioned earlier, security compliance management is an ongoing process. The steps outlined above should be thought of as a cycle rather than a linear process that will be complete at a point in the future. 

To learn more about how audits can help your business achieve its security compliance objectives, visit KirkpatrickPrice’s Compliance Audit Services or contact a security and compliance expert today.

Containers are used to host code without the complexity and resource demands of virtual machines. They allow developers to combine code and dependencies into a standardized package that runs anywhere, making them the ideal foundation for cloud-native applications and microservices.

But containers pose a problem. How do developers and DevOps professionals manage container creation, hosting, networking, and security? A business may deploy dozens of containers to host its apps and services. It’s challenging to manage all of them individually, so, ideally, container management should be automated.

That’s the role of container orchestration software. Container orchestration tools manage the container lifecycle: provisioning, deployment, scaling, networking, and more. Kubernetes—originally developed by Google—is one of the most widely used container orchestration tools.

Amazon Web Services offers a number of container and container orchestration services, including Amazon Fargate, Amazon Elastic Container Service (ECS), and Amazon Elastic Kubernetes Service (EKS). Although all play a role in container hosting and orchestration, they are not identical, and it can be a challenge to understand which is the right orchestration tool for your AWS environment.

This article focuses on the differences between the main AWS container orchestration services: ECS and EKS, and on container security more generally. But to understand those, we have to start with Amazon Fargate.

What is Amazon Fargate?

Amazon Fargate is a serverless infrastructure platform for containers. In this context, “serverless” doesn’t mean containers don’t run on servers. It means the user doesn’t have to concern themselves with managing and paying for servers. Instead, they pay for just the compute resources their containers consume.

It’s useful to contrast Amazon Fargate to EC2, Amazon’s virtual server platform. To host containers on EC2, you have to provision EC2 instances with specific storage, compute, and memory capacities; configure them to run containers securely, and then manage both the containers and the EC2 instances. You pay the full cost of the instances while they’re running.

In contrast, Amazon Fargate allows you to build container images, specify memory and compute resources, and deploy. You don’t have to manage, configure, or scale servers, and you only pay for the compute resources your containers consume.

You’ll note that we’ve not mentioned container orchestration yet. That’s because Amazon Fargate is not a container orchestration service. It’s a serverless container platform on which you can deploy containers managed by a container orchestration service. On AWS, you have two main orchestration options to manage containers running on Fargate: ECS and EKS.

What is Amazon ECS?

Amazon ECS is a managed container orchestration service that runs Docker and Windows containers. It offers a complete orchestration solution with support for Docker image repositories, versatile container deployment and management tools, networking services including service discovery, and container monitoring and logging via Amazon CloudWatch and CloudTrail.

By default, ECS deploys containers to Fargate, although it can manage containers hosted on EC2 or on-premises infrastructure with ECS Anywhere or AWS Outposts. That makes it an excellent choice for businesses that want a fully managed solution and that don’t need Kubernetes compatibility.

It’s important to note that Amazon ECS is based on proprietary Amazon technology. It is not fully portable between cloud platforms.

What is Amazon EKS?

Amazon EKS is a managed Kubernetes service to orchestrate containers hosted in AWS and on-premises. Like ECS, it can orchestrate containers running on AWS Fargate and on EC2 instances. The key benefit of EKS is that it is fully compatible with Kubernetes—it’s based on upstream Kubernetes, so clusters that run on-premises or on other cloud vendor platforms can be moved to EKS with no modification.

Amazon EKS vs Amazon ECS: Choosing A Container Service

The most important distinction between ECS and EKS is that EKS runs Kubernetes. If your business relies on the tooling and architecture provided by Kubernetes, then EKS is probably the best choice. EKS also provides more granular control over how containers are managed, but more control leads to greater complexity.

In contrast, ECS is a simpler container orchestration system. It is intended for businesses that don’t want or need granular control over every aspect of container deployment and management. ECS also integrates tightly with other AWS services, such as CloudWatch and Route 53. That’s a benefit if you want to use those tools, but a drawback if you’d prefer to use different tooling.

AWS Container Security Best Practices

Whichever AWS container orchestration tool you select, your organization is responsible for securing containers and the code and data they contain. As with servers, container misconfiguration is a significant risk vector. Amazon Fargate helps to reduce risk because users don’t manage the underlying server and network infrastructure. However, businesses must nevertheless follow container security best practices.

Use Minimal Images

Containers should run as little code as is practical. Each additional library or service increases the attack surface area. Ideally, containers include only your code and its essential runtime dependencies, excluding development dependencies and other redundant code. If possible, use distroless images or a security-focused lightweight distribution such as Alpine.

Minimal images are also significantly smaller, which means they consume fewer resources and are easier to audit and scan for security purposes.

Use Curated Images from a Secure Container Repository

Image repositories are a potential source of malicious code. It’s estimated that 20% of the most popular images in major public repositories contain vulnerable or malicious code.

Bad actors seeking to infiltrate malware may target insecure public and private repositories in so-called supply-chain attacks. If they can get malicious code into an image hosted in a container repository, that code may find its way inside your networks.

To combat this risk, businesses should create a set of curated images free of known security vulnerabilities. They should store images in a secure repository service, such as Amazon Elastic Container Registry. ECR integrates securely with Amazon ECS and Amazon EKS, and it allows users to create repositories with access permissions managed by AWS Identity and Access Management (IAM).

Don’t Run Containers or Processes Within Containers as Root

Containers should not run as the root user, and neither should the processes inside them.

  • If a process running as root is compromised, the attacker may use root privileges to modify the container’s contents.
  • If the container itself runs as root, a bad actor may be able to escalate their privileges on the container’s host operating system in the unlikely event of a container breakout.

Unfortunately, containers often run as the root user by default, so Dockerfiles should be modified to use the USER directive to specify a non-root user.

Don’t Hardcode Credentials

Avoid hardcoding credentials such as passwords or API keys in code that will run in a container, including AWS credentials. If systems that store or process the code are compromised, an attacker will gain access to the credentials.

AWS provides several methods for storing secrets and securely injecting them into containers, including the AWS Secrets Manager. Secrets Manager also enables users to easily rotate secrets, which may not be possible when they are included in production code.
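As an added example (not code from this page or from KirkpatrickPrice), the following hypothetical Python checker applies the three best practices above (a minimal, pinned base image; a non-root USER; no hard-coded credentials) to two constructed Dockerfiles, one weak and one hardened. The secret-name patterns and the list of "minimal" base-image hints are heuristics assumed here, and the weak sample uses the placeholder key ID from the AWS documentation rather than any real credential.

```python
"""Lint a Dockerfile for the container hygiene points discussed above.

Hypothetical checker for illustration; it is not an AWS or Docker tool.
"""
import re

# Heuristics assumed for this example: variable names that usually carry
# secrets, and the AKIA prefix of long-term AWS access key IDs.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.I)
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
MINIMAL_HINTS = ("alpine", "distroless", "-slim", "scratch")


def parse_instructions(text):
    """Join backslash-continued lines, drop comments and blanks, and
    return a list of (INSTRUCTION, arguments) tuples."""
    joined = re.sub(r"\\\r?\n", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def env_pairs(args):
    """Return (name, value) pairs from 'ENV K=v K2=v2' or legacy 'ENV K value'."""
    if not args:
        return []
    if "=" in args.split(None, 1)[0]:
        return re.findall(r'(\w+)=("[^"]*"|\S*)', args)
    parts = args.split(None, 1)
    return [(parts[0], parts[1] if len(parts) > 1 else "")]


def image_tag(ref):
    """Tag or digest of an image reference, or '' when it is unpinned."""
    name = ref.split("/")[-1]  # drop registry/namespace (a registry may carry ':port')
    if "@" in name:
        return name.split("@", 1)[1]
    return name.split(":", 1)[1] if ":" in name else ""


def lint_dockerfile(text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    instrs = parse_instructions(text)

    # 1. Non-root: the last USER in the file decides who the container runs as.
    users = [args for instr, args in instrs if instr == "USER"]
    if not users:
        findings.append("no USER directive: container runs as root by default")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append(f"final USER is {users[-1]}: container runs as root")

    # 2. Hard-coded credentials: ENV/ARG values are baked into image layers and
    #    history, so anyone able to pull the image can read them.
    for instr, args in instrs:
        if instr in ("ENV", "ARG"):
            for name, value in env_pairs(args):
                if value and SECRET_NAME_RE.search(name):
                    findings.append(f"{instr} {name} hard-codes a credential")
        if AWS_KEY_ID_RE.search(args):
            findings.append(f"{instr} line embeds an AWS access key ID")

    # 3. Base image: in a multi-stage build only the final FROM is the runtime
    #    image; it should be pinned (tag or digest) and minimal.
    froms = [args.split()[0] for instr, args in instrs if instr == "FROM"]
    if froms:
        ref = froms[-1]
        if image_tag(ref) in ("", "latest"):
            findings.append(f"base image {ref} is not pinned to a version")
        if not any(h in ref.lower() for h in MINIMAL_HINTS):
            findings.append(f"base image {ref} is not a minimal image (heuristic)")
    return findings


# Constructed sample: unpinned full-size base, root by default, secrets in ENV.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in the AWS documentation.
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE \\
    DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y python3 build-essential curl
COPY . /app
CMD ["python3", "/app/main.py"]
"""

# Constructed sample: build tooling stays in the first stage, the runtime image is
# distroless and pinned, it runs as the image's non-root user, and credentials
# arrive at run time (for example from Secrets Manager via the ECS task definition).
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim AS build
WORKDIR /src
COPY requirements.txt .
RUN pip install --no-cache-dir --target /deps -r requirements.txt

FROM gcr.io/distroless/python3-debian12:nonroot
COPY --from=build /deps /app/deps
COPY main.py /app/
ENV PYTHONPATH=/app/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {lint_dockerfile(df) or ['no findings']}")
```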

To learn more about container security and all aspects of AWS security, visit our extensive library of AWS security resources.