AWS provides in-line security tools to kickstart the process of securing your environments. But these pre-built security tools alone are not enough to protect you from current (and future) threat landscapes. You need to implement and optimize the right components and configurations to mitigate vulnerabilities.
Consider the following best practices for maintaining security in AWS.
Two Approaches to Manage AWS Vulnerabilities
There are two different ways you can secure a cloud environment like AWS. The first is the more traditional method of scanning for common vulnerabilities and exposures (CVE) on the infrastructure level. The second works from a cloud-first angle by auditing and protecting access to the administration of the cloud environment itself.
AWS Vulnerability Assessments and Scanning
The most popular (and commonly considered) method to protect your cloud environment from internal and external threats is to run an asset scan and identify any CVEs.
AWS Marketplace offers thousands of third-party security software vendors (e.g. Checkpoint, Palo Alto, Symantec, etc.) that run on AWS and assess potential security breaches by analyzing target configuration, software installation, and behavior against predefined rules.
The scanning tool built by Amazon, Amazon Inspector, also has its benefits. This is an AWS-only tool that integrates beautifully with other AWS features you’re already using, enabling seamless automation with SES, Chime, CloudWatch, etc.
AWS Inspector is an API-driven service that can be deployed, managed, and automated programmatically or from the command line, enabling it to fit into your DevOps setup without complications. We’ve found that Inspector is superior to traditional on-premise scanning tools if, for instance, you want to run an automated scan at a certain day and time every week. You can use tagging to specify what targets you want to scan, without any stress about hostnames or IP addresses. Even if you have an environment with hundreds or thousands of hosts, Inspector analyses the behavior of all of your EC2 instances to help you gain a deeper understanding.
Account and Environmental Security Audit
Vulnerability scans deliver a vital defense against cyberattacks, but how you initially set up cloud-native security software addresses the crucial issue of access protection.
When you first spun up your cloud environment:
- Did you select the default settings for security groups and policy management?
- Did you leave your S3 buckets open so they could be easily accessible from the internet?
- Did you select a private or public setting for AWS PaaS and RDS environments?
- Is your SQS, SNS, or SES publicly accessible?
- Have you set up password policies requiring complex passwords for all accounts?
- Did you require multi-factor authentication (MFA) for all accounts?
- Did you assign a complex password to your root account?
- Did you assign MFA for your root account?
- Is your root account hardware MFA token kept in a safe location with the password in a password vault?
- Did you establish a single source of truth for Identity in your environment?
- Did you utilize continuous compliance monitoring solutions to detect security and compliance drift to ensure you are notified of any deviation?
- Did you create a 3-tier architecture (web, app, and data) when setting up your VPC, and did you use private IP address space?
Here’s why assessing your initial environment security settings matters: There are many online tools available that allow other users to browse your publicly accessible buckets and applications. When you don’t build your cloud architecture with a strong foundation that keeps these access factors in mind, you could be giving outside access to your cloud environment.
Knowing what you have open to the public is crucial to your cloud security. Thankfully, AWS has native tools that perform automated checks around your apps and buckets to audit the risks and ensure that all of your settings are properly and securely configured. You can also partner with an IT solutions provider for managed cloud, giving you peace of mind.
Security can be expensive, so get the most out the tools you have been given through your AWS platform. Adapture cloud experts can help you audit your current environments and determine the best security configurations for your vulnerabilities and concerns.
Starting with a Well-Architected Cloud
At Adapture, we believe a well-architect framework should come from an established industry standard like the Five Pillars of Cloud as established by AWS. This well-architected framework enables your cloud architects to build the most secure, high-performing, resilient, and efficient infrastructure possible.
The Adapture Cloud Solutions Architects provide you with the metrics and data you need to address security, reliability, performance efficiency, and cost optimization.
It’s time to stop building without a benchmark. Adapture partners with your IT team to audit, diagnose, and reconfigure your cloud to provide the greatest output for the lowest cost. We have the experience, technology, and the workforce to ensure your cloud is built firmly according to industry standards.
