Securing AWS Infrastructure: 10 Must-Follow Best Practices
By Sekhar Sarukkai, Co-founder and Chief Scientist at Skyhigh Networks
Amazon Web Services provides a vital service that many modern businesses rely on. However, following the recent Deep Root Analytics leak, which exposed sensitive voter information on 198 million Americans, many organizations are concerned about the security risks that Infrastructure-as-a-Service (IaaS) systems like AWS could present.
Almost three quarters of enterprises have business critical applications running in AWS. If these applications went down, the business' ability to operate would be seriously compromised, leading to a significant loss of revenue and reputation. There are many threats that could affect AWS's ability to offer a continuous, reliable, and secure service to its enterprise customers including DoS attacks, insider threats, compromised accounts, and breaches of compliance regulations.
Amazon has invested in upgrading its AWS security capabilities to counter these risks, but there is only so much a cloud provider can do to safeguard consumer data. According to Gartner, 95% of security failures by 2020 will be the customer's fault.
To encourage customers to adopt effective security practices for their data, AWS operates under a shared responsibility model. This places an obligation on customers to ensure they configure and operate their AWS environments securely. In combination with the work Amazon does to protect the platform against attacks, this should shelter sensitive information from being stolen or leaked.
AWS Security Best Practices
- Enable CloudTrail: CloudTrail is a powerful security and audit tool. Customers should enable global CloudTrail logging to monitor all their access to and activity within all AWS services.
- Enable CloudTrail Log File Validation: A determined attacker can cover their tracks by changing the CloudTrail log files. Turning on log file validation flags these changes, making it much more difficult for a security breach to go unnoticed.
- Integrate CloudTrail With CloudWatch: CloudWatch facilitates the management of, storage of, and access to CloudTrail log files. Customers can use this powerful tool to alert them to suspicious user account activity.
- Use Multi-Factor Authentication: Relying on a single password to secure an AWS account creates a weak link in a business' security system. For root and IAM user accounts, it is safer to use multi-factor authentication. To log on, users must provide both their password and an access code sent to their email account or phone, which makes these accounts much harder to break into.
- Set Strict Password Policies: Strong passwords are at least 14 characters long and contain upper and lower case letters, numbers, and symbols. These passwords are much harder to crack using a brute-force approach. To protect their AWS user accounts, businesses should force users to choose a new strong password every 90 days.
- Avoid Using the Root User Account: When a customer creates an AWS account for the first time, the system automatically creates a root user who has access to all services and resources. The only thing this root account should be used for is to create the first IAM user. Avoid using the root user account to administer any aspect of AWS services, as the consequences of this privileged account being hacked are too high to risk.
- Use HTTPS for CloudFront Distributions: Encrypting traffic reduces the risk of man-in-the-middle attacks. Enable SSL/TLS to encrypt all traffic to and from CloudFront.
- Restrict Access to CloudTrail Bucket: Giving users or admins unrestricted access to CloudTrail logs increases the risk of accounts being compromised. Users with unrestricted access could maliciously steal account data from these logs, or unintentionally reveal data during a phishing attack. Eliminate these risks by restricting unnecessary user access to logs.
- Remove Unused Groups, Accounts, and Keys: Inactive entities are an often-overlooked security threat. Lower the number of potential security flaws by removing unused access keys, IAM groups, and SSH public keys, and disable access to IAM accounts that users haven't logged into for more than 90 days.
- Restrict Access to EC2 Security Groups: Cyber criminals can exploit unrestricted access to EC2 security groups to launch brute-force, DoS, and man-in-the-middle attacks. Restrict access wherever possible to reduce the risks of one of these attacks occurring.
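The list above is easiest to keep honest when it is checked mechanically. The following Python script is an added example, not code from the article or from Skyhigh Networks: it audits a configuration snapshot against the CloudTrail, password policy, MFA, stale user, CloudFront and EC2 security group items above and returns one finding per gap. The snapshot is constructed; its field names mirror the AWS API responses they are commented with, but every value, the trail name, user names, distribution and group ids are invented for illustration, and the `mfa_active` / `last_used` fields are assumed to have been derived from the IAM credential report.

```python
"""Offline posture check for the AWS best practices above (added example).
SNAPSHOT is CONSTRUCTED: field names follow the AWS API calls noted in the
comments, but all values are invented for illustration."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
STALE_DAYS = 90
ADMIN_PORTS = {22, 3389}                        # SSH and RDP: never open to the world
ANYWHERE = "0.0.0.0/0"

SNAPSHOT = {
    # aws cloudtrail describe-trails
    "trails": [{"Name": "main", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": False, "CloudWatchLogsLogGroupArn": None}],
    # aws iam get-account-password-policy
    "password_policy": {"MinimumPasswordLength": 8, "RequireSymbols": False,
                        "RequireNumbers": True, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True, "MaxPasswordAge": 0},
    # AccountMFAEnabled from aws iam get-account-summary (1 = root user has MFA)
    "account_mfa_enabled": 0,
    # assumed to be derived from the IAM credential report (constructed values)
    "users": [{"UserName": "alice", "mfa_active": True, "last_used": NOW - timedelta(days=3)},
              {"UserName": "bob", "mfa_active": False, "last_used": NOW - timedelta(days=120)}],
    # DefaultCacheBehavior.ViewerProtocolPolicy from aws cloudfront list-distributions
    "distributions": [{"Id": "EXAMPLEDIST", "ViewerProtocolPolicy": "allow-all"}],
    # aws ec2 describe-security-groups
    "security_groups": [{"GroupId": "sg-0example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANYWHERE}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANYWHERE}]},
    ]}],
}

def check_cloudtrail(trails):
    """Global trail, log file validation, and delivery to CloudWatch Logs."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("cloudtrail: no multi-region (global) trail is configured")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"cloudtrail: trail {t['Name']} has log file validation disabled")
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append(f"cloudtrail: trail {t['Name']} is not delivered to CloudWatch Logs")
    return findings

def check_password_policy(policy):
    """14+ characters, every character class, rotation within 90 days."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append("iam: minimum password length is below 14")
    for key in ("RequireSymbols", "RequireNumbers",
                "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not policy.get(key):
            findings.append(f"iam: password policy does not set {key}")
    if not 0 < policy.get("MaxPasswordAge", 0) <= 90:   # 0 means passwords never expire
        findings.append("iam: passwords are not required to change within 90 days")
    return findings

def check_identities(account_mfa_enabled, users, now=NOW):
    """MFA on the root user and on every IAM user; no user idle beyond STALE_DAYS."""
    findings = []
    if not account_mfa_enabled:
        findings.append("iam: root account has no MFA device")
    for u in users:
        if not u["mfa_active"]:
            findings.append(f"iam: user {u['UserName']} has no MFA device")
        if now - u["last_used"] > timedelta(days=STALE_DAYS):
            findings.append(f"iam: user {u['UserName']} inactive for more than {STALE_DAYS} days")
    return findings

def check_cloudfront(distributions):
    """Viewers must use HTTPS: only allow-all permits plain HTTP."""
    return [f"cloudfront: distribution {d['Id']} allows plain HTTP viewers"
            for d in distributions if d.get("ViewerProtocolPolicy") == "allow-all"]

def check_security_groups(groups):
    """Flag administrative ports reachable from any IPv4 address."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            if not any(r.get("CidrIp") == ANYWHERE for r in rule.get("IpRanges", [])):
                continue
            if rule.get("IpProtocol") == "-1":         # "-1" means all protocols and ports
                exposed = sorted(ADMIN_PORTS)
            else:
                exposed = sorted(p for p in ADMIN_PORTS
                                 if rule.get("FromPort", 0) <= p <= rule.get("ToPort", 65535))
            if exposed:
                findings.append(f"ec2: {g['GroupId']} exposes ports {exposed} to {ANYWHERE}")
    return findings

def audit(snapshot):
    """Run every check; an empty list means the snapshot meets all checked practices."""
    return (check_cloudtrail(snapshot["trails"])
            + check_password_policy(snapshot["password_policy"])
            + check_identities(snapshot["account_mfa_enabled"], snapshot["users"])
            + check_cloudfront(snapshot["distributions"])
            + check_security_groups(snapshot["security_groups"]))

if __name__ == "__main__":
    for line in audit(SNAPSHOT):
        print(line)
```

Run against the constructed snapshot, `audit()` returns eleven findings, one per misconfiguration planted in it; a snapshot with a multi-region validated trail delivered to CloudWatch Logs, a 14-character policy with 90-day rotation, MFA everywhere, `redirect-to-https` viewers and no admin ports open to `0.0.0.0/0` returns an empty list. The security group check deliberately treats `IpProtocol` `-1` as exposing every port, since that is what an all-traffic rule does.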
The above best practices provide a stable foundation for protecting customers' AWS infrastructure from cyber attacks and data leaks. Organizations that build and deploy custom applications in AWS should also follow best practices for protecting those applications from security breaches and vulnerabilities, which usually starts with inviting IT security to the table alongside DevOps.
By taking steps to secure their AWS infrastructure and the custom applications deployed in it, enterprises can reduce their risk of becoming the latest organization to be hit by a data security scandal. Amazon does a huge amount of work to keep its AWS platform as secure as possible, but business customers must also play their part to keep their accounts and data secure.