Security Best Practices

Know the AWS Shared Responsibility Model

  1. Understanding the AWS Secure Global Infrastructure
    1. Using the IAM service – IAM best practices
      1. Lock away your AWS account (root) access keys. Do not use the root access key for programmatic access; create an IAM user and use its access keys instead.
      2. Create an individual IAM user for anyone who needs access to AWS.
      3. To assign permissions, use AWS-defined (managed) policies; they are defined, managed and updated by AWS.
      4. Use groups to assign permissions: create groups that correspond to job functions, assign the relevant permissions to each group, and add IAM users to the groups.
      5. Grant least privilege.
      6. Configure a strong password policy.
      7. Enable MFA for privileged users who access sensitive resources or APIs.
      8. Use IAM roles. Applications running on EC2 instances need credentials to access other AWS services; assigning an IAM role to the instance is the secure way to provide them.
      9. Delegate access using roles for cross-account access.
      10. Rotate credentials regularly.
      11. Remove unnecessary credentials.
      12. For extra security, define the conditions under which IAM policies allow access, e.g. allow access only from a given IP range.
      13. Monitor activity in your AWS account using the logging features available in AWS services such as S3, CloudTrail, CloudFront and AWS Config.
    2. Regions, Availability Zones and Endpoints
      1. AWS provides information about the country and state in which each region resides. It is your responsibility to select the region so as to manage network latency and regulatory compliance.
      2. Data stored in a region is not replicated outside it by AWS.
      3. The customer is responsible for selecting the availability zones in which systems will reside.
  2. Sharing security responsibility for AWS services
    1. Infrastructure services (EC2, EBS and VPC)

    2. EC2 Container Service

    3. Abstracted services (S3, Glacier, DynamoDB, SQS, SES)

  3. Using the Trusted Advisor tool
    1. Gives a one-view snapshot of your services and helps identify security misconfigurations, along with suggestions for improving system performance and for underutilized resources.
    2. Define and categorize your assets on AWS:
      1. Essential elements – such as business processes and activities
      2. Components – that support the essential elements, such as hardware, software, personnel, sites etc.
    3. Design your Information Security Management System (ISMS) to protect your assets on AWS.
  4. Manage AWS accounts, IAM users, groups and roles
    1. Strategies for managing multiple AWS accounts
      1. Centralized security management – single AWS account
      2. Separation of Prod, Dev and Test environments – three AWS accounts
      3. Multiple autonomous departments – multiple AWS accounts
      4. Centralized security management with multiple autonomous, independent projects – multiple AWS accounts

      Note: you can configure a consolidated billing relationship across multiple accounts.

    2. Managing IAM users: create a distinct IAM user for each individual.
    3. Managing IAM groups: grant permissions to resources via IAM groups.
    4. Managing AWS credentials
      1. Sign-in credentials
        1. Username/password – enforce a strong password policy
        2. Multi-factor authentication (MFA) – activate MFA for AWS accounts and IAM users
      2. Programmatic access to APIs
        1. Access keys – users should rotate their access keys on a regular basis
        2. MFA for API calls – enforce MFA for API calls
    5. Understanding delegation using IAM roles and temporary credentials
      1. IAM roles for EC2 – if an application running on an EC2 instance requires access to AWS resources, create an IAM role and attach it to the instance.
      2. Cross-account access – the trusting account creates an IAM policy that grants the trusted account access to its resources.
      3. Identity federation – create an identity broker to manage authentication and authorization.
  5. Managing OS level access to EC2 instances
    1. EC2 key pairs – an EC2 key pair controls access to a specific instance; it is not related to AWS account or IAM user credentials. You can generate your own key pair or use an EC2-generated one.
  6. Secure your own Data
    1. Resource access authorization
      1. Resource policies – a policy that describes what users can do with a resource and is attached directly to the resource.
      2. Capability policies – define which actions a user is allowed or denied to perform, and are attached to the IAM user (directly, or indirectly via a user group).
      3. A user's effective permissions are the cumulative result of the resource policies and capability policies that apply.
      4. IAM policies can be used to restrict access to a specific source IP address range, to specific days and times of day, or based on other conditions.
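How resource policies and capability policies combine, and what the source-IP and MFA conditions look like in practice, is easiest to see by evaluating a few requests. The block below is an added example and not AWS code: it is a deliberately simplified model of IAM's evaluation order (an explicit Deny wins; otherwise any matching Allow from either policy grants access; otherwise the request is implicitly denied) that ignores Principal matching, permission boundaries, service control policies and cross-account rules. The two policies, the bucket name and the request contexts are constructed; the condition keys `aws:SourceIp` and `aws:MultiFactorAuthPresent` and the operators `IpAddress` and `BoolIfExists` are real IAM names.

```python
"""Simplified model of IAM policy evaluation: explicit Deny wins, otherwise
any matching Allow (identity or resource policy) grants access, otherwise
implicit deny.  Added example, not AWS code."""
import fnmatch
import ipaddress

# Constructed capability (identity) policy: read one bucket, but only from the
# corporate address range, via the aws:SourceIp condition key.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

# Constructed resource (bucket) policy: deletes are allowed, but explicitly
# denied unless the caller authenticated with MFA.  BoolIfExists (rather than
# Bool) makes the Deny also apply when the MFA key is absent from the request,
# which is the case for calls made with plain long-term access keys.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource strings allow * and ? wildcards; fnmatch covers both.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All condition keys must hold (AND); several values for one key are OR-ed."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "IpAddress":
                if actual is None or not any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in _as_list(expected)
                ):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                # A missing key counts as a match; a present key must equal expected.
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(action, resource, context, *policies):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed request contexts (documentation IP ranges).
OFFICE_MFA = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"}
OFFICE_KEY = {"aws:SourceIp": "203.0.113.10"}   # long-term key: no MFA key at all
HOME_MFA = {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "true"}


def decisions():
    obj = "arn:aws:s3:::example-bucket/report.csv"
    run = lambda action, ctx: evaluate(action, obj, ctx, IDENTITY_POLICY, RESOURCE_POLICY)
    return {
        "read_from_office": run("s3:GetObject", OFFICE_MFA),
        "read_from_home": run("s3:GetObject", HOME_MFA),
        "delete_with_mfa": run("s3:DeleteObject", OFFICE_MFA),
        "delete_with_plain_key": run("s3:DeleteObject", OFFICE_KEY),
        "write_object": run("s3:PutObject", OFFICE_MFA),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:24} {verdict}")
```

The `delete_with_plain_key` case is the one worth remembering: with the `Bool` operator instead of `BoolIfExists`, a request that carries no `aws:MultiFactorAuthPresent` key at all would not match the Deny and the delete would go through, so "enforce MFA on API calls" needs the `IfExists` form (or an equivalent `Null` check) to cover long-term keys.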
    2. Storing and managing encryption keys in the cloud: you can use your existing process to manage keys, or use AWS CloudHSM.
    3. Protecting data at rest
      1. Concerns and strategies:
        1. Accidental information disclosure – permissions
        2. Data integrity compromise – permissions, data integrity checks, backup, versioning
        3. Accidental deletion – permissions, backup, versioning, MFA Delete
        4. Availability – backup replication
      2. S3
        1. Permissions: bucket-level permissions, object-level permissions and IAM policies
        2. Versioning: S3 supports versioning
        3. Replication – S3 replicates objects across all availability zones in the region
        4. Backup – data replication and versioning
        5. Encryption – S3 supports server-side encryption. You can also encrypt the data on the client side before uploading it to S3.
      3. EBS
        1. Replication – an EBS volume is stored as a file and AWS keeps two copies of it, but both copies reside in the same availability zone. Replicate data at the application level and/or create backups.
        2. Backup – snapshots
        3. Encryption –
          1. Windows: EFS (the Windows Encrypting File System), BitLocker
          2. Linux: dm-crypt
          3. EBS volume – third-party tools such as TrueCrypt and SafeNet ProtectV
      4. RDS
      5. Glacier: all data stored in Glacier is protected using server-side encryption
      6. DynamoDB
      7. EMR
    4. Decommission data and media securely
      1. When data is deleted in AWS, AWS uses secure mechanisms when reassigning the storage blocks elsewhere.
      2. When AWS decides to decommission media, it follows techniques as per DoD or NIST guidelines.
    5. Protect data in transit
  7. Secure your OS and Applications
    1. Create your own custom AMI, and harden it before publishing it.
    2. When an instance is launched, update its security controls using bootstrapping applications.
    3. Perform patch management for AMIs and live instances.
    4. Secure AMIs before sharing them publicly.
    5. Protect your systems from malware.
    6. Mitigating compromise and abuse: AWS works with you to detect and address malicious activity. When you receive an abuse warning from AWS, act immediately.
    7. Use additional application security practices.
  8. Secure your infrastructure

