With cloud technology gaining popularity, organizations are aggressively embracing cloud computing technologies to meet their business needs. As of Q2-2018, the total cloud infrastructure market revenues reached $20 billion. Among all the cloud providers, AWS stands tall with 31% of market share for Q2-2018 as reported by Canalys. This value shows a growth of 47%. It is followed by Microsoft Azure with 18% and Google Cloud with 8% respectively. AWS numbers are more than the next three competitors’ numbers combined. These numbers show that AWS is going to stay at the top for many more years.
As more and more businesses embrace AWS, it can also turn into a popular target for hackers. As such, Cloud Security becomes a critical requirement for businesses that move their operations to AWS cloud. Here are the top 5 AWS cloud security best practices that ensure the highest level security for your cloud resources.
Understand the AWS Shared Security Model
Before using Amazon AWS, it is essential to understand its shared responsibility model. AWS uses a shared responsibility model wherein AWS handles the security aspect of the physical infrastructure, virtualization layer, and the host operating system. On the other hand, customers should manage their AWS instances, configurations, guest operating system and applications.
Secure your User Access Controls
Securing user access controls is a key requirement for cloud security. It is always recommended not to share your root AWS account credentials. As a best practice, you should use the AWS Identity and Access Management feature offered by AWS to create and manage unique user credentials and group access controls. By creating key pairs for EC2 instances you can secure your EC2 instances. In addition, you should minimize the availability of open ports by using security groups. With role-based access, users can access only specific areas of your AWS account for enhanced security. Enabling multi-factor authentication for accounts and changing keys frequently is recommended.
Log everything for Compliance and Post-incident Investigations
Documenting every authorized and unauthorized session is important for audit and compliance purposes. Auditing can be done at a host level or at a proxy level. A host-level audit is preferred as users can bypass proxies at times. AWS offers CloudTrail that handles the logging activity of all AWS API calls. It logs all API calls and allows you to store the log files in an AWS S3 bucket. This is why CloudTrail can become the first target for hackers. So, it is recommended to turn on the S3 log validation so that you can check if the log information has been tampered with.
Secure your AWS Applications
Securing your AWS applications is another critical requirement for your cloud security. The best thing is to create an inventory of all applications along with the data and permissions associated with them so that the administrators can have a clear insight into the extent and performance of each application. It is good to involve the security team development and production so that they can run their testing systems while pushing code to production for a faster time to market. It is also important to provide the least possible user-permissions for accessing applications and AWS resources. Using a single disaster recovery policy across all applications would ensure a consistent and increased operational efficiency.
Secure your Data storage and Databases
AWS offers a wide range of database services such as Amazon RDS, Redshift, DynamoDB to name a few. Also, there are storage services such as AWS S3 services and Elastic Block Store. Misconfiguring S3 buckets can result in data leaks to the outside world exposing sensitive data. It is vital to enable audit logging for databases and use data encryption using AWS KMS (Key Management Service). It is best practice to encrypt Amazon RDS databases to minimize data being compromised. Also, make sure S3 buckets are not readable or writable and only provide access using S3 bucket policies.
While cloud migration takes you into an entirely new world, your traditional security policies and compliance requirements still apply. By extending these policies to the cloud, you can optimize your operational costs and resources. In addition, take time to explore AWS security features and tools in detail. For instance, AWS Trusted Adviser is an excellent tool that helps you in identifying misconfigurations, potential security threats and cost savings. Though it requires your time and efforts, it will significantly reward you in the long run.