Best Practices for AWS Security
AWS brings new opportunities for businesses to innovate, build, and grow – but what about the data in the cloud? Is it protected? How likely is it to be compromised? The 2019 Cloud Adoption and Risk Report from McAfee reports that the sharing of sensitive data in the cloud is increasing 53% year-over-year. The average enterprise generates over 3 billion events every month in the cloud and uses 1,935 different cloud services, giving malicious attackers ample opportunity to find, steal, and sell the data you are responsible for. This means that organizations must do everything in their power to implement AWS security and safeguard personal information. Where should you begin? Let’s discuss some of the basic security practices for S3 and EC2. These are extremely complicated subjects, but let’s make a starting point for your AWS security strategy with the following best practices.
Protecting S3 Buckets
S3 buckets are a major component of using AWS, but they’re also a major security concern. McAfee reports that 5.5% of all AWS S3 buckets that are in use are misconfigured and publicly readable. Why? S3 buckets are extremely complex, and anything that is complex is harder to secure. Randy Bartels, Vice President of Security Services at KirkpatrickPrice, comments, “AWS has an obligation to make it less complex, and users have an obligation to understand the complexity and make sane choices in setting up policies.” How can you be sure your S3 buckets align with best practices for AWS security?
- Does your organization have IAM policies? This will give you a way to manage permissions for digital identities. IAM best practices include policies that outline strong password requirements, key rotation every 90 days or less, role-based access controls, and MFA.
- Are permissions based on a least privileges principle? Users should only be allowed to access data that is necessary to perform their job duties.
- Does your organization have S3 bucket policies? These will define access or grant access to specific buckets and objects.
- Do any of your S3 policies allow a wildcard identity or action?
- Does your organization use block public access properly?
- Are access control lists made? Make sure that you’re aware if they have the capability to provide any type access to “Everyone” or “Any authenticated AWS user.”
- Does your organization use S3 access logs? Do you analyze user behavior based on logs?
- Is sensitive data in S3 encrypted at rest?
- Is inbound and outbound data traffic encrypted?
- How to you implement SSE? Does your S3 encryption strategy utilize SSE-S3, SSE-KMS, or SSE-C?
- Are the responsible personnel knowledgeable about S3 versioning and S3 lifecycle policies?
- Does your organization monitoring actions taken on buckets and objects? Making your monitoring program a priority will help solve small problems or risks before they become a much larger incident.
Protecting EC2 Instances
AWS outlines 5 key areas for baseline configuration that will secure EC2 instances, which include:
- Least access
- Least privilege
- Configuration management
- Change management
- Audit logs
These aren’t new security concepts by any means, but they are ones that are incredibly important in AWS security. In addition to those baseline areas, you must consider the following questions when protecting EC2 instances:
- Do your encryption strategy address protecting your data in EC2? It should address when, how, where, and what data is encrypted.
- Do you collect IP traffic from VPC flow logs?
- What do you do to manage access keys and key pairs?
- Do IAM policies related to EC2 follow a “need to know” basis?
- Is inbound and outbound traffic controlled through Security Groups?
Who Should Perform Your Cloud Audit?
Just like any type of technology or IT operation, the security of your service needs to be validated by a third party, whether that is through a SOC 2 attestation, penetration testing, consulting, or another form of security testing.
When choosing who should perform an audit of your AWS environment and controls, you need to focus on finding an auditor who is also a cloud expert. Because cloud technology is new and evolving, the industry lacks best practices that are known and understood. AWS does a good job at distributing best practices for security, but you want to hire an auditing firm that does thorough testing and has auditors that understand how AWS works.
If you don’t feel ready for an audit but want to begin your own AWS security practices, AWS has developed many security tools to help you achieve secure environments. AWS security is just as important to AWS as it is to customers. These tools can help you achieve best practices for cloud security, automate security assessments, give alerts for security incidents, and assess data security requirements to verify the security and compliance of cloud solutions. Amazon CloudWatch, Amazon Inspector, and AWS CloudTrail are a few examples.
At KirkpatrickPrice, we hire technologists, then train them to be auditors – and this increases the value and quality of our AWS audits. Any auditor from KirkpatrickPrice who’s performing a cloud audit understands cloud computing and technology and proves it through certifications like CCSK or CCSP. Contact us today to begin security testing for your AWS environment.