In 2020, security breaches cost businesses an average of $3.86 million, but the cost of individual incidents varied significantly. The main factor in the cost variance was cybersecurity policies and how well they were implemented. Cost mitigating factors include security best practices such as encryption and vulnerability testing, but board involvement in creating and enforcing security policies also had a substantial impact. 

Organizational security starts at the top, with clearly defined information security policies that influence how the organization as a whole prioritizes security, implements security best practices, and responds to threats. 

Business risks are inevitable: some are chosen deliberately, and others are inherent. Starting a business involves selling products, hiring employees, gathering information, and creating systems. While these steps are crucial for success, they also carry risks.

How can a business thrive if it fails to balance risk-taking with risk mitigation? Below, we define and explore the role and steps of risk management.

As an AWS user, you share responsibility for AWS security with Amazon. Amazon provides infrastructure and services, but businesses must ensure they use those tools in line with AWS security best practices. Businesses that fail to do so make it easier for bad actors to infiltrate their networks and exfiltrate their data.

AWS security is a complex subject, but there are many straightforward security enhancements with minimal cost to the user. This article explores ten high-impact security improvements that every AWS user should implement.

Disable Unused Credentials

AWS Identity and Access Management (IAM) allows users to manage access to AWS resources. It’s an essential tool that provides fine-grained controls and insight into who has access to your cloud infrastructure and services.

As your company builds on AWS, you will create a variety of IAM users and groups to permit or restrict access as required. 

However, usage patterns evolve, employees leave the business, and authentication requirements change. It’s common for companies to fail to update their IAM users and permissions. The result is often a mixture of new and old accounts, groups, and permissions that are no longer relevant. 

Stale accounts and permissions create a security risk. Consider what could happen if a disgruntled ex-employee used an old account to shut down your cloud servers. AWS users should regularly assess IAM users, groups, and permissions, removing stale accounts to maintain access security.

Turn on Multi-Factor Authentication for IAM Users

AWS allows users to authenticate with a username and password. Together these are assumed to be information only the user knows. But there are many circumstances in which that assumption doesn’t hold. Users may share their passwords, they may choose easily guessed passwords, and passwords can be stolen.

Multi-factor authentication adds another layer of protection. In addition to a username and password, the user must enter a one-time code sent to a mobile device or prove that they possess a dedicated hardware key such as a YubiKey. This second authentication factor prevents bad actors from gaining access even if they possess a correct username and password.
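The two IAM tips above (removing stale credentials, requiring MFA) can both be checked from one data source: the IAM credential report. The script below is an added example, not code from the original article or from KirkpatrickPrice. It parses a constructed report in the column layout that `aws iam get-credential-report` returns (the account id, user names and dates are made up, and the reference date is fixed so the run is reproducible) and flags console passwords without MFA, passwords and access keys idle for longer than a 90-day window, and any MFA-less or recently used root account.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report, the CSV
# that `aws iam get-credential-report` returns (base64-encoded) after
# `aws iam generate-credential-report`. Account id, user names and dates are
# made up; "N/A" and "no_information" are the placeholders the real report uses.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2021-05-20T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-02-01T09:00:00+00:00,true,2021-05-30T08:15:00+00:00,2021-01-04T09:00:00+00:00,2021-04-04T09:00:00+00:00,true,true,2021-01-04T09:00:00+00:00,2021-05-29T17:40:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-02-01T09:00:00+00:00,true,2020-07-14T10:00:00+00:00,2020-01-04T09:00:00+00:00,N/A,false,true,2020-01-04T09:00:00+00:00,2020-08-01T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-11-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-11-01T09:00:00+00:00,no_information,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """Return an aware datetime, or None for the report's 'never' placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_idle_days=90):
    """Flag stale or MFA-less credentials. Returns (user, code, detail) tuples."""
    idle_limit = timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root has no password_enabled flag; its MFA and last sign-in still show up.
            if row["mfa_active"] != "true":
                findings.append((user, "root_no_mfa", "root account has no MFA device"))
            last_login = _parse_time(row["password_last_used"])
            if last_login and now - last_login <= idle_limit:
                findings.append((user, "root_used_recently",
                                 f"root console sign-in {(now - last_login).days} days ago"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "no_mfa", "console password enabled without MFA"))
            last = (_parse_time(row["password_last_used"])
                    or _parse_time(row["password_last_changed"])
                    or _parse_time(row["user_creation_time"]))
            idle = now - last
            if idle > idle_limit:
                findings.append((user, "stale_password", f"password unused for {idle.days} days"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            used = _parse_time(row[f"access_key_{k}_last_used_date"])
            since = (used or _parse_time(row[f"access_key_{k}_last_rotated"])
                     or _parse_time(row["user_creation_time"]))
            idle = now - since
            if idle > idle_limit:
                what = "unused" if used else "never used"
                findings.append((user, f"stale_access_key_{k}",
                                 f"access key {k} {what} for {idle.days} days"))
    return findings


def run_audit():
    return audit_credential_report(SAMPLE_REPORT, REFERENCE_NOW)


if __name__ == "__main__":
    for user, code, detail in run_audit():
        print(f"{user:16} {code:20} {detail}")
```

Against the sample, alice is clean, bob is flagged three times (no MFA, stale password, stale key), deploy-bot's key has never been used since it was issued, and the root account both lacks MFA and signed in twelve days ago. The 90-day window is a policy choice; pick the one your access review cycle actually enforces.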

Enable Amazon CloudTrail

Amazon CloudTrail allows users to log and monitor events that occur across their cloud infrastructure. A comprehensive log enhances users’ ability to discover and remediate security threats. CloudTrail logs can also be used by Amazon CloudWatch to alert employees and trigger pre-configured actions when insecure events are logged.

We recommend that CloudTrail be activated for all regions and configured to store its logs in an S3 bucket that is not publicly accessible.

Do Not Use or Share the Root Account

The AWS root account has complete access to every aspect of your AWS infrastructure. The root user is created when you first set up your AWS account, and it’s helpful when initially configuring IAM users and permissions. However, if a bad actor gets hold of the root user’s credentials, they have unlimited access to your infrastructure.

To be safe, do not use the root user for day-to-day operations. Create new IAM users with only the necessary permissions. Keep the root user’s credentials safe and private. Do not share them with other employees unless strictly necessary. It is also advisable to activate MFA for the root account to protect it even if the password leaks.
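The CloudTrail and root-account tips above meet in the log: root API activity, console sign-ins without MFA, and calls that switch the trail off are exactly the "insecure events" you would want an alert on. The detector below is an added example, not code from the original article or from KirkpatrickPrice. It reads a constructed log file in the {"Records": [...]} layout that CloudTrail delivers to S3 (the account id, event IDs and 203.0.113.x addresses are placeholders) and returns the events that merit an alert.

```python
import json

# Constructed CloudTrail log file in the {"Records": [...]} layout CloudTrail
# delivers to S3. Account id, event IDs and IPs (203.0.113.0/24 documentation
# range) are placeholders, not real values.
SAMPLE_LOG = """
{"Records": [
  {"eventVersion": "1.08", "eventID": "evt-0001", "eventTime": "2021-05-20T08:01:12Z",
   "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "Root", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/console/home"}},
  {"eventVersion": "1.08", "eventID": "evt-0002", "eventTime": "2021-05-20T09:15:44Z",
   "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.22",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:user/alice"}},
  {"eventVersion": "1.08", "eventID": "evt-0003", "eventTime": "2021-05-20T09:40:03Z",
   "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.22",
   "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:user/bob"},
   "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events"}},
  {"eventVersion": "1.08", "eventID": "evt-0004", "eventTime": "2021-05-20T10:02:51Z",
   "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.31",
   "userIdentity": {"type": "IAMUser", "userName": "carol", "accountId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:user/carol"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "Yes"}}
]}
"""

# CloudTrail management calls that weaken or silence the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect_insecure_events(records):
    """Return (eventID, code, who) tuples for events worth an alert."""
    findings = []
    for ev in records:
        ident = ev.get("userIdentity") or {}
        who = ident.get("userName") or ident.get("arn", "unknown")
        event_id = ev.get("eventID", "?")
        name = ev.get("eventName")
        # Any root activity: root should not be used for day-to-day work.
        if ident.get("type") == "Root":
            findings.append((event_id, "root_activity", who))
        if name == "ConsoleLogin":
            # Fail closed: a sign-in that does not record MFAUsed=Yes is treated as no MFA.
            if (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
                findings.append((event_id, "console_login_without_mfa", who))
            if (ev.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
                findings.append((event_id, "console_login_failure", who))
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append((event_id, "cloudtrail_tampering", who))
    return findings


def run_detection(log_text=SAMPLE_LOG):
    return detect_insecure_events(json.loads(log_text)["Records"])


if __name__ == "__main__":
    for event_id, code, who in run_detection():
        print(f"{event_id}: {code} by {who}")
```

On the sample, evt-0001 is flagged twice (root signed into the console, and did so without MFA), evt-0003 is flagged because a user stopped the trail, and the two routine events pass. In production the same logic would sit behind a CloudWatch metric filter or a small Lambda subscribed to the log group rather than a script over a file.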

Check and Restrict S3 Bucket Permissions

Insecure S3 buckets are a common cause of data leaks. S3 offers granular access controls, but they are often incorrectly configured. In recent years, many large data leaks were attributed to S3 buckets configured for public access, allowing anyone on the internet to access and steal the data. S3 bucket permissions should be regularly checked to ensure only authorized accounts and IP addresses have access.
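The check described above, written out as an added example (it is not code from the original article or from KirkpatrickPrice): given each bucket's policy document, in the JSON form that `aws s3api get-bucket-policy` returns, and its ACL grants, in the form `aws s3api get-bucket-acl` returns, it reports any Allow statement whose principal is a wildcard and is not tied to a network source, and any ACL grant to the AllUsers or AuthenticatedUsers groups. The bucket names, account id, owner id and address range are constructed.

```python
import json

# ACL grantee groups that mean "everyone" and "anyone with an AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Condition keys that tie a wildcard principal to a specific network source.
NETWORK_CONDITION_KEYS = {"aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce"}

# Constructed buckets: policy documents as returned by get-bucket-policy
# (a JSON string), ACLs as returned by get-bucket-acl. Names and ids are made up.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERCANONICALID"}
SAMPLE_BUCKETS = [
    {"name": "marketing-assets",
     "policy": json.loads("""{"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]}"""),
     "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}},
    {"name": "cloudtrail-logs",
     "policy": json.loads("""{"Version": "2012-10-17", "Statement": [
        {"Sid": "TrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cloudtrail-logs/AWSLogs/123456789012/*"},
        {"Sid": "OfficeRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cloudtrail-logs/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}}]}"""),
     "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}},
    {"name": "legacy-exports", "policy": None,
     "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}},
]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (in string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _has_network_restriction(condition):
    """True if any condition operator keys on the caller's network location."""
    return any(set(keys) & NETWORK_CONDITION_KEYS for keys in (condition or {}).values())


def public_policy_statements(policy):
    """Sids of Allow statements granting a wildcard principal with no network condition."""
    if not policy:
        return []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    sids = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if _has_network_restriction(st.get("Condition")):
            continue  # open principal, but pinned to an IP range or VPC endpoint
        sids.append(st.get("Sid", f"statement[{i}]"))
    return sids


def public_acl_grants(acl):
    """(group, permission) pairs granted to everyone / any AWS account holder."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def assess_buckets(buckets):
    """Return {bucket_name: [finding, ...]} for buckets exposed to the public."""
    report = {}
    for b in buckets:
        findings = [f"policy statement '{sid}' allows any principal"
                    for sid in public_policy_statements(b.get("policy"))]
        findings += [f"ACL grants {perm} to {group}"
                     for group, perm in public_acl_grants(b.get("acl") or {})]
        if findings:
            report[b["name"]] = findings
    return report


if __name__ == "__main__":
    for name, issues in assess_buckets(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(issues))
```

The cloudtrail-logs bucket passes on purpose: its wildcard statement is restricted to an office address range, which is the "authorized IP addresses" case from the text, while marketing-assets (open policy) and legacy-exports (open ACL) are reported. Note that a policy can also be opened through a Deny/Allow interplay the check does not model; treat it as a first pass, not a proof of safety.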

Ensure Sensitive Resources Are Only Accessible From Internal IPs

Most AWS resources should not be accessible to connections from IP addresses outside of your private network. As we’ve already mentioned, this includes S3 buckets, but also EC2 instances, databases, and any other asset where external access is not required. Amazon provides firewall services that allow users to control traffic to sensitive resources, including AWS Security Groups and Network Access Control Lists.

Restrict Traffic for the Default Security Group

A security group is a virtual firewall that controls traffic to and from EC2 instances. Every EC2 instance has a security group. Users can create custom security groups, but AWS provides a default that is applied to new EC2 instances when a custom group isn’t selected.

It is likely that the default security group will be used with many EC2 instances throughout the life of your AWS environment, either deliberately or because the person deploying the instance neglects to select a different group. It is, therefore, essential that the default firewall rules are secure within the context of your environment.

Ensure Security Group Rules Block External Access to Vulnerable Ports

To expand on the previous tip, the default security group—and all other security groups—should block access to ports used by potentially vulnerable services such as FTP (21) and Telnet (23), as well as the default ports of services that should not be reachable from external IPs, such as MySQL (3306), PostgreSQL (5432), and MongoDB (27017).
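The three network tips above (internal-only access, a locked-down default group, no external reach to the ports just listed) reduce to one rule audit. The script below is an added example, not code from the original article or from KirkpatrickPrice. It walks security groups in the shape `aws ec2 describe-security-groups` returns and reports every inbound rule that exposes one of the article's ports, or all traffic, to a source outside the private address space. The group ids and the choice of RFC 1918 ranges as "internal" are constructed assumptions; substitute your own VPC and office ranges.

```python
import ipaddress

# Ports the article calls out: legacy clear-text services and database defaults.
SENSITIVE_PORTS = {21: "FTP", 23: "Telnet", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}

# Assumed internal address space (RFC 1918); anything outside it counts as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed groups in the describe-security-groups layout; ids are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web-servers",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-servers",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 23,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "mongo",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002", "UserId": "123456789012"}]}]},
]


def _is_external(cidr):
    """True unless the CIDR lies entirely inside one of the internal networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(n) for n in INTERNAL_NETWORKS if n.version == net.version)


def exposed_sensitive_ports(rule):
    """Sensitive ports this rule opens; every one of them when the protocol is -1 (all)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()  # ICMP and friends carry no port
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_security_groups(groups):
    """(group id, group name, issue) for each inbound rule reaching a sensitive port from outside."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            external = [s for s in sources if _is_external(s)]
            if not external:
                continue  # only private ranges or references to other security groups
            src = ", ".join(external)
            if rule.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], sg["GroupName"], f"all traffic from {src}"))
                continue
            for port in sorted(exposed_sensitive_ports(rule)):
                findings.append((sg["GroupId"], sg["GroupName"],
                                 f"{SENSITIVE_PORTS[port]} ({port}) from {src}"))
    return findings


if __name__ == "__main__":
    for group_id, name, issue in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id} ({name}): {issue}")
```

The default group is reported because it admits all traffic from anywhere; db-servers is reported once for MySQL from a public range and twice for a 20-23 port range open to all of IPv6 (the range covers both FTP and Telnet); web-servers and mongo pass, the latter because its only source is another security group. The port list is deliberately the article's; extend SENSITIVE_PORTS with whatever else your environment should never expose.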

Remove Hardcoded API Keys and Database Passwords

It’s often convenient to hardcode API keys, passwords, and other secrets in the code that you run on AWS. For example, if you need to make an API call, it’s natural to put the authentication key in the code. However, this can create a significant security vulnerability if the code becomes accessible to bad actors, which can happen on your servers or in version control.

Avoiding hardcoded keys is particularly urgent when your code accesses services using AWS credentials. Instead, use environment variables or the AWS credentials file, as described in AWS’s Best practices for managing AWS access keys.
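The problem and the fix, side by side, as an added example (not code from the original article or from KirkpatrickPrice): a small scanner that finds AWS access key ids, AWS secret keys and password literals in source text, run over a constructed "before" snippet, followed by the credential loader the snippet should have used. The key values in the sample are the example credentials from AWS's own documentation, not real ones; the snippet, file layout and the `load_aws_credentials` helper are this example's assumptions.

```python
import os
import re

# Constructed "before" snippet of the kind the text warns about. The key values
# are the example credentials from AWS's documentation, not real ones.
SAMPLE_SOURCE = '''
import boto3

# Long-term keys pasted straight into the code and committed to version control.
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2"

s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Access key ids are 20 characters: AKIA (long-term) or ASIA (temporary) plus 16.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret assigned to something named like aws_secret_access_key.
SECRET_KEY_RE = re.compile(
    r"""(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key['"]?\s*[:=]\s*['"]([A-Za-z0-9/+=]{40})['"]""")
# Any quoted literal assigned to a password-like name.
PASSWORD_RE = re.compile(r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*['"]([^'"]{4,})['"]""")


def _redact(value):
    """Keep a short prefix so the finding can be matched to the real key, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def find_hardcoded_secrets(source):
    """Return (line number, kind, redacted value) for each secret literal found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", _redact(m.group(0))))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append((lineno, "aws_secret_access_key", _redact(m.group(1))))
        m = PASSWORD_RE.search(line)
        if m:
            findings.append((lineno, "password", _redact(m.group(1))))
    return findings


def load_aws_credentials(env=os.environ):
    """The fix: take credentials from the environment (hypothetical helper).
    Returns None when nothing is set so the caller fails closed instead of
    falling back to a baked-in key. In real code you would normally pass no
    keys at all and let the SDK's default chain read the environment, the
    ~/.aws/credentials file or an instance role."""
    key_id, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if not key_id or not secret:
        return None
    return {"aws_access_key_id": key_id, "aws_secret_access_key": secret}


if __name__ == "__main__":
    for lineno, kind, shown in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} = {shown}")
    print("env credentials present:", load_aws_credentials() is not None)
```

Run this in a pre-commit hook or CI job over the repository, not only over the deployed tree: the text's point is that the key leaks through version control as easily as through the server, and a key that was ever committed must be rotated, not merely deleted from the current revision.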

Enable Amazon GuardDuty for Automated Threat Detection

Amazon GuardDuty is a threat detection service that monitors accounts, resources, and data for suspicious activity, alerting users when it finds a potential issue. It uses machine learning algorithms and other techniques to analyze log data from AWS CloudTrail for patterns that match known threats. GuardDuty is a valuable tool for discovering malicious activity that might otherwise go unnoticed.

Bonus Tip: Automate Security Checks With KirkpatrickPrice

Throughout this article, you may have been thinking that complying with cloud security best practices is time-consuming and complex. That’s why we created our AWS Security Scanner, which scans for and reports on over 50 common AWS security vulnerabilities, including many of those we looked at in this article.

Visit KirkpatrickPrice’s AWS Cybersecurity Services to learn more about our AWS Security Scanner and to access an extensive library of AWS security educational content.

It’s almost a cliché to point out that data is an asset and should be managed accordingly. We all know data has value and that, when correctly leveraged, it helps businesses to optimize operations ranging from human resources to manufacturing to marketing. Recent advances in data science and machine learning have made data even more valuable. But the phrase “data is an asset” misses a vital detail. Data is an asset only if it’s accurate, securely stored in compliance with relevant regulations, and available to those who can use it. 

Data systems that fail to fulfill these criteria may be a potential asset, but at best, they are less valuable than they might be, and at worst, they are a liability. 

Data governance aims to put data on the same footing as other business assets, including financial assets. Any effective business creates, documents, and enforces policies and procedures for managing financial assets. Policies originate at the top of the organization, are implemented by managers and employees, and influence many business operations. 

Data governance follows a similar pattern, but here the goal is to ensure that data assets are managed in such a way as to support data-powered business capabilities while ensuring that it doesn’t become a technological or legal liability. 

This article explores data governance, its key components, and the relationship between data governance and compliance.  

What is Data Governance?

Data governance is the policies, practices, and procedures that allow a business to realize the full benefits of data. Data governance aims to formalize control of data assets. In doing so, it empowers organizations and their leadership to exercise authority and guide decisions about data and its collection, storage, and processing.

Businesses without a data governance strategy manage data to some degree, but usually in an ad-hoc, informal manner, with managers and departments responsible for the data that falls within their area of responsibility. The organization as a whole has little insight into or formal control over its data assets.

Fundamentally, data governance is about empowering businesses to make the most of their data. In more concrete terms, the benefits of implementing a data governance strategy include:

  • The ability to meet regulatory requirements around data security and privacy.
  • The ability to leverage data to increase revenue and profits. 
  • Comprehensive, coherent, and standardized data collection, processing, and access workflows.
  • A cross-organizational framework that limits rework, eliminates siloes, and ensures data can be leveraged across the business. 
  • Employees and managers who are empowered to use data in the service of business objectives. 
  • Data management systems with accountability and transparency. 

Data Management vs. Data Governance

Data management and data governance are closely related, but they are not identical. Data management focuses on logistics, whereas data governance focuses on policy and strategy. 

Data management is primarily concerned with the logistics of implementing procedures and technologies that allow an organization to use data effectively: how data is stored, how it’s prepared for use, how it’s accessed, how it’s secured, and how the flow of data through an organization is managed.  

In contrast, data governance focuses on the strategic level. It aims to create a documented formal structure. Data governance addresses issues related to data quality, the rules governing data collection and use, compliance with relevant regulations, and accountability. You can think of data governance as one component of data management, just as financial governance is one component of an enterprise financial management system.

What Are the Key Components of Data Governance?

Data governance is a cross-organizational effort that may involve employees at all levels. However, a data governance strategy is usually framed by executives with guidance from subject matter experts and stakeholders from within the company. There are many approaches to designing a data governance strategy, but most include the following components. 

  • The data governance leadership—often a committee—is responsible for devising data governance policies that align with the business’s objectives. Larger companies may also have a separate team to measure and verify the effectiveness of data governance policies.
  • Policies outline the purpose, scope, rules, and responsibilities related to a specific data governance concern. Policies should be guided by both the needs of the business and relevant regulatory standards around accuracy, access, privacy, and information security.
  • Data owners or stewards are the individuals within an organization responsible for overseeing the implementation of policies. They are accountable for ensuring that data governance policies are implemented and maintaining the quality of data assets. Ownership may start at the top with a Chief Data Officer and move down through the organization into individual teams and departments. 
  • Documented processes describe specific implementations of policies. Policies rarely mandate the tooling and day-to-day operations involved in achieving a data governance objective. Instead, stakeholders with relevant expertise create, implement, and document processes and procedures which support those policies. 
  • Tooling is the equipment and software that supports data governance processes. 
  • Internal and external audits enable an organization to verify how effective its data governance strategy is. 

It’s essential to recognize that data governance strategies impact regulatory compliance in several ways. Data governance policies affect operations relevant to SOC 2, HIPAA, PCI DSS, and other regulatory standards and legal obligations. When shaping a data governance policy, businesses should take their regulatory environment into account. 

A Data Governance Framework for Building Your Strategy

An organization’s particular requirements shape its data governance strategy, and there is no one-size-fits-all solution. Business leaders should recognize the challenge of implementing data governance best practices throughout their organization. That’s why change management is a key aspect of data governance implementation. Data governance often leads to changes in job roles, creates new roles, changes employee responsibilities and accountability, introduces new tools and software, and more.

Nevertheless, it is possible to outline a general framework to guide your data governance strategy. At a high level, implementing data governance is a four-step process.

  1. Survey your data. Before developing policies to oversee data systems, it’s helpful to understand how well they align with business objectives for quality, security, privacy, and availability. Data classification can also help reduce data risk; many frameworks and legal regulations have specific requirements for data classification, including SOC 2, HIPAA, GDPR, and PCI DSS. 
  2. Create a granular set of policies that take into account business objectives, regulatory compliance needs, and data governance best practices. 
  3. Enforce data governance policies and create data accountability through the implementation of relevant procedures and processes.
  4. Create and measure key metrics to track the success of data governance efforts. Be prepared to modify policies and their implementations to improve data governance outcomes. 

As a business works to implement data governance, it’s often useful to track progress with a framework. One commonly used data governance framework was developed by John Ladley, author of Data Governance: How to Design, Deploy, and Sustain an Effective Data Governance Policy. Ladley proposes a 5-stage framework:

  • Engagement — establish a clear vision of why data governance matters to your organization, ensuring that key stakeholders support and are engaged with data governance efforts. 
  • Strategy — deliver a plan and a set of requirements that supports the organization’s data governance objectives.  
  • Architecture and design — design organizational capabilities and operational frameworks that support data governance initiatives. 
  • Implementation — roll out data governance processes and capabilities throughout the organization, including monitoring systems to track the implementation effectiveness. 
  • Operate and sustain — continue to enforce data governance policies, extend capabilities, and monitor effectiveness as the business and data landscape evolves. 

Regulatory compliance and auditing are part of an effective data governance strategy. For innovative data security guidance and a comprehensive range of information security auditing services, contact KirkpatrickPrice today. To learn more about AWS data governance and security, visit our AWS Cybersecurity Services to access our extensive resource library and AWS Scanner.

What is the PCI DSS?

The PCI Security Standards Council was jointly developed by the payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It ensures that all data that lives within the Cardholder Data Environment (CDE) is protected and secured from theft or unauthorized use. Any merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data, or has cardholder data, must adhere to the Payment Card Industry Data Security Standard (PCI DSS).

The current version of the data security standard is PCI v3.2, which has approximately 394 controls, six control objectives, and 12 major subject areas.

What Do You Need to Know Before Your PCI DSS Audit?

We understand that preparing for a PCI DSS audit can be daunting. However, when it comes to preparing for your PCI DSS audit and securing your CDE, it’s important that you begin by understanding where all of your sensitive assets lie. Unfortunately, data can leak out of known storage locations, and cardholder data often ends up being stored in both known and unknown locations on most networks. It’s important to have a good inventory as a starting point to identify any and all locations with stored cardholder data, and a thorough search of all systems should be performed to identify cardholder and track data.

You’ll also need to select a QSA, or Qualified Security Assessor. QSAs are independent, third-party assessors that have been qualified by the PCI SSC to validate an organization’s compliance with the PCI Data Security Standard. If you are required to obtain a PCI Report on Compliance (PCI RoC), you must engage a QSA to audit your environment against the PCI DSS requirements, validating your controls. Since the PCI DSS is such a comprehensive standard, it’s always a good idea to go with an experienced auditor when choosing your QSA.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.