
AWS Security Best Practices

Security Best Practices

Security is a shared responsibility in the cloud. Providers such as AWS secure the underlying infrastructure and offer industry-standard security features, but configuring and using those features correctly is the customer's job (in practice, the cloud or DevOps engineers). A breach caused by a misconfigured account, an open port or a leaked key is on you.

This post walks through how to use the security features Amazon Web Services provides for the account and infrastructure itself, EC2, VPC, S3, RDS, and identity in general.

Infrastructure

IAM Usage

  • Root account credentials, and especially root access keys, are like credit card numbers: anyone who obtains them can do anything in the account, and there is no policy that can limit root. Do not create access keys for the root user at all (delete any that exist), enable MFA on the root user, and do day-to-day work with IAM users or roles that carry only the privileges they need.
  • Enable MFA for every user with a console password, and require it for privileged users and for access to sensitive resources and programming interfaces.
  • It is more secure to start with a minimum set of permissions and grant additional permissions as necessary than to start with permissions that are too lenient and try to tighten them later.
  • Configure a strong password policy for your users (length, complexity, expiry and reuse rules).
  • Use IAM roles when one AWS resource needs to access another, for example an EC2 instance reading from S3. A role delivers short-lived credentials through the instance metadata service, so no long-lived access keys need to be stored on the instance.
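
Most of the IAM points above can be checked mechanically from the account's credential report. The following is an added example (not code from the original post) that audits a constructed report in the column layout of `aws iam get-credential-report` for active root access keys, missing MFA and stale access keys; the 90-day rotation threshold and the fixed audit time are assumptions of the example.

```python
"""Audit an IAM credential report for the IAM controls above (added example, not from the post)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (the real report has more columns; only the ones used here are included).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2016-01-15T10:00:00+00:00,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2017-06-01T08:30:00+00:00,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2015-03-20T12:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false
"""

# Fixed "as of" time so the sample gives repeatable results (assumption of this example).
AUDIT_TIME = datetime(2017, 7, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)  # rotation threshold, an assumption of this example


def audit_credential_report(report_csv, now=None):
    """Return (user, finding) tuples for every row that violates one of the controls."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key1_active = row["access_key_1_active"] == "true"
        any_key = key1_active or row["access_key_2_active"] == "true"
        if user == "<root_account>":
            # Root must have no access keys at all and must have MFA.
            if any_key:
                findings.append((user, "root access key is active: delete it and use IAM users/roles"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA device"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            # Any user who can log in to the console needs MFA.
            findings.append((user, "console password without MFA"))
        if key1_active and row["access_key_1_last_rotated"] != "N/A":
            age = now - datetime.fromisoformat(row["access_key_1_last_rotated"])
            if age > MAX_KEY_AGE:
                findings.append((user, f"access key 1 not rotated for {age.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, now=AUDIT_TIME):
        print(f"{user:15} {finding}")
```

Against a live account you would feed the function the output of `aws iam get-credential-report` (the `Content` field is base64-encoded CSV) and run it on a schedule; each finding maps directly to one of the bullets above.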
Trusted Advisor
  • Trusted Advisor gives a one-view snapshot of your account and flags common security misconfigurations (such as security groups open to the world and IAM users without MFA), along with suggestions for improving performance and a list of underutilized resources.

EC2


Key Pair

  • First and foremost, do not share your private key; store it where only you can retrieve it and protect it with a passphrase. AWS keeps only the public half of the key pair, so a lost or leaked private key cannot be recovered or revoked centrally: you have to replace the key on every instance that trusts it.

Ports

  • The basic mechanism for controlling network access to an EC2 instance is the security group, which acts as a built-in stateful firewall for the instance. Use it to limit inbound traffic to specific ports and protocols and to specify which source IP ranges may connect. To keep attackers from gaining privileged access to your virtual server and planting malware or stealing data, make sure that administrative ports and protocols (SSH, RDP, database ports) are reachable only from trusted IP addresses and networks, never from 0.0.0.0/0 or ::/0.
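
The check a practitioner wants here is "which of my security groups expose an administrative port to the whole Internet?". The following is an added example (not code from the original post) that evaluates constructed security group data in the shape of `aws ec2 describe-security-groups` output; the list of sensitive ports is an assumption of the example.

```python
"""Flag security group ingress rules that expose sensitive ports to the world (added example)."""

# Ports that should never be reachable from anywhere (assumption of this example).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 27017: "MongoDB"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        # Database port allowed only from another security group: the right pattern.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0c9d8e7f"}]},
    ]},
    {"GroupId": "sg-0deadbee", "GroupName": "legacy", "IpPermissions": [
        # "-1" means all protocols and all ports.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
    ]},
]


def exposed_ports(rule):
    """Sensitive ports covered by one ingress rule (all of them for protocol -1)."""
    if rule["IpProtocol"] == "-1":
        return set(SENSITIVE_PORTS)
    if rule["IpProtocol"] not in ("tcp", "udp"):
        return set()  # icmp and friends carry no port numbers
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def world_open(rule):
    """True if the rule's source includes the whole IPv4 or IPv6 Internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in (ANY_IPV4, ANY_IPV6) for c in cidrs)


def find_exposures(groups):
    """Return (group id, port, service) for every sensitive port open to the world."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            if world_open(rule):
                for port in sorted(exposed_ports(rule)):
                    findings.append((g["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


if __name__ == "__main__":
    for group_id, port, service in find_exposures(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({port}) open to the world")
```

The `db` group shows the pattern to aim for: the database port is allowed only from the application tier's security group, so no IP range (and no world-open rule) is involved at all.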

Patch

  • AWS refreshes the Amazon-provided Windows and Linux AMIs with patches on a regular basis, but that only affects instances launched after the refresh; instances already running are not patched for you. Both Windows and Linux have large, active communities that constantly release new versions, security patches and upgrades for many components of each platform, many of them in response to security vulnerabilities, so keep running instances current with the latest patches (AWS Systems Manager Patch Manager can automate this across a fleet).

Governance

  • Audit any proprietary applications you run on your EC2 instances; review the configuration settings of installed packages and harden them against attack; have a procedure to revoke access when it is no longer needed; and remove or disable unnecessary user accounts.

Isolated Functions

  • Implement a single primary function per Amazon EC2 instance to keep functions that require different security levels from co-existing on the same server. For example, implement web servers, database servers, and DNS on separate servers.

Anti-Virus

  • Use anti-virus and malicious-code protection on every instance that could be exposed, to detect and remove infections introduced through uploads, downloads, e-mail or other channels.

Remove Unnecessary

  • Disable or remove all unnecessary functionality, such as scripts, drivers, features, subsystems, unattached EBS volumes, and web servers that are not needed.

VPC



Security Groups

  • Always use security groups. Security groups act as a stateful firewall for associated EC2 instances, controlling both inbound and outbound traffic at the instance level; return traffic for an allowed connection is permitted automatically.

NACL

  • Use network access control lists (NACLs) where required. A NACL acts as a stateless firewall for the associated subnets, controlling inbound and outbound traffic at the subnet level. Because it is stateless, both directions of a connection (including the ephemeral return ports) must be allowed explicitly, and rules are evaluated in number order with the first match winning.

Security Layer

  • Treat these recommendations as layers of defence in your environment, each enforcing its own control: VPC > Route Table > Network ACL > Subnet > Security Group > Instance.

Isolate Deployment

  • Isolate the deployment according to the environment tier. For example, keep your web servers in a public subnet behind an ELB and put the application and database tiers in their own private subnets. Where direct administrative access is needed, use a jump box (bastion host) in the public subnet as the only way to reach servers in the private subnets.

Isolate Environments

  • Isolate production from development/test. Separate VPCs (or, better, separate AWS accounts) keep duties, processes and blast radius apart, so a mistake or compromise in test cannot reach production data.

VPC Flow Logs

  • VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC, and can be enabled for an entire VPC, a subnet or a single interface. They are useful for troubleshooting (for example, diagnosing overly restrictive security group rules) and as a security tool for monitoring the traffic reaching your instances and for auditing in the event of an attack on resources inside the VPC. Note that flow logs record headers only (addresses, ports, protocol, byte counts and accept/reject), not packet payloads.
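
To show what the flow log records actually contain and how they are used for monitoring, here is an added example (not code from the original post) that parses constructed records in the default version 2 format and pulls out two things: external sources whose traffic was rejected (port scans against the security group), and accepted connections from outside the VPC to administrative ports (which should not exist). The VPC CIDR and the list of admin ports are assumptions of the example.

```python
"""Summarise VPC Flow Log records: external rejects and admin-port accepts (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records; 10.0.0.0/16 is assumed to be the VPC CIDR.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51234 22 6 4 240 1498000000 1498000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51235 3389 6 4 240 1498000000 1498000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51236 3306 6 4 240 1498000000 1498000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44321 443 6 20 5400 1498000000 1498000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44322 22 6 10 1200 1498000000 1498000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.10 40000 22 6 10 1200 1498000000 1498000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1498000000 1498000060 - NODATA
"""

VPC_CIDR = ip_network("10.0.0.0/16")          # assumption of this example
ADMIN_PORTS = {22, 3389, 3306, 5432}          # assumption of this example


def parse_flow_log(text):
    """Turn raw flow log lines into dicts, dropping malformed and NODATA/SKIPDATA windows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA windows carry no traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def external_rejects(records):
    """Count (srcaddr, dstport) pairs rejected when the source is outside the VPC."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT" and ip_address(r["srcaddr"]) not in VPC_CIDR:
            counts[(r["srcaddr"], r["dstport"])] += 1
    return counts


def external_admin_accepts(records):
    """Accepted flows from outside the VPC to an admin port: each one is a finding."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS
            and ip_address(r["srcaddr"]) not in VPC_CIDR]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (src, port), n in external_rejects(recs).most_common():
        print(f"rejected {n}x from {src} to port {port}")
    for src, dst, port in external_admin_accepts(recs):
        print(f"ALERT: {src} reached {dst}:{port} from outside the VPC")
```

In the sample, 203.0.113.7 probing 22, 3389 and 3306 is the security group doing its job, while the accepted connection from 198.51.100.9 to port 22 is the finding: an SSH port open to the Internet that the earlier security group check would have caught.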

Cloud Trail

  • AWS CloudTrail records the AWS API calls made in your account and delivers them as log files; it is the audit trail for everything done through the API, including VPC and network policy changes. Each record includes the identity of the caller, the time of the call, the caller's source IP address, the request parameters and the response elements returned by the service. This covers calls made through the AWS Management Console, the SDKs, command-line tools and higher-level services such as AWS CloudFormation, which makes the history suitable for security analysis, resource change tracking and compliance auditing. Protect the trail itself: store the log files in a dedicated S3 bucket with tightly restricted access, enable log file integrity validation, and add a further layer by encrypting the files with an AWS Key Management Service (KMS) key you control. CloudTrail will encrypt the log files using the KMS key you specify.
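
The value of CloudTrail comes from actually reading it. The following is an added example (not code from the original post) that scans a constructed CloudTrail log file for three things worth an alert: any activity by the root user, console logins without MFA, and API calls that tamper with the trail or widen access. The set of high-risk calls is an assumption of the example.

```python
"""Scan a CloudTrail log file for events worth alerting on (added example)."""
import json

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-06-30T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.7", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-06-30T12:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2017-06-30T12:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/alice"},
     "sourceIPAddress": "10.0.1.10"},
]})

# API calls that disable the audit trail or widen access (assumption of this example).
HIGH_RISK_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"),
}


def scan_cloudtrail(log_text):
    """Return (rule, eventName, caller arn, source ip) tuples, one per matched rule."""
    alerts = []
    for ev in json.loads(log_text)["Records"]:
        identity = ev["userIdentity"]
        who = identity.get("arn", "?")
        src = ev.get("sourceIPAddress", "?")
        # Rule 1: root should never be used for day-to-day work.
        if identity.get("type") == "Root":
            alerts.append(("root-activity", ev["eventName"], who, src))
        # Rule 2: every console login must carry MFA.
        if ev["eventName"] == "ConsoleLogin" and \
                ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-no-mfa", ev["eventName"], who, src))
        # Rule 3: changes to the trail itself or to access must be reviewed.
        if (ev["eventSource"], ev["eventName"]) in HIGH_RISK_CALLS:
            alerts.append(("high-risk-call", ev["eventName"], who, src))
    return alerts


if __name__ == "__main__":
    for rule, name, who, src in scan_cloudtrail(SAMPLE_LOG):
        print(f"[{rule}] {name} by {who} from {src}")
```

Real trails are delivered as gzipped JSON objects in S3, one file per delivery; the same function applies to each decompressed file, and the `StopLogging` match is the one to page on, since it is the first thing an intruder does to go dark.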

S3



Control Access to Data

  • Four mechanisms control access to Amazon S3 resources: Identity and Access Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string authentication. With IAM policies you grant IAM users fine-grained access to your buckets or objects while retaining full control over everything the users do. With bucket policies you define rules that apply broadly across all requests to a bucket, such as granting write privileges on a subset of the bucket to a particular principal. With ACLs you grant specific permissions (READ, WRITE, FULL_CONTROL) to specific users on an individual bucket or object. With query string authentication you create a pre-signed URL to an object that is valid only for a limited time and carries the permissions of whoever signed it. Prefer IAM and bucket policies over ACLs, which are coarse and a common source of accidental public exposure, and never grant Allow to the anonymous principal (`*`) without a condition unless the content is meant to be public.

Audit Access

  • Configure server access logging on your S3 buckets so that every request made against them is recorded, with the logs delivered to a separate bucket. These access log records can be used for audit purposes and contain details such as the requester, the request type, the resources specified in the request, and the date and time the request was processed.

Use Endpoints

  • For enterprises storing database dumps and other sensitive data in S3, use a VPC endpoint for S3. It gives the VPC a private path to S3 instead of the public Internet route used in a conventional setup, and the bucket policy can then restrict access to requests that arrive through that endpoint (the aws:sourceVpce condition key).
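
The two S3 points above (access control and VPC endpoints) come together in the bucket policy. Here is an added example (not code from the original post) that contrasts a weak public-read policy with a hardened one that denies plain HTTP and denies access from outside a VPC endpoint, and a small checker that flags the weak one; the bucket name, role ARN and endpoint id are placeholders.

```python
"""Check an S3 bucket policy for anonymous grants, TLS enforcement and VPC-endpoint
restriction (added example, not from the post)."""

BUCKET = "example-db-backups"  # placeholder bucket name
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed weak policy: anyone on the Internet can read every object.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}

# Constructed hardened policy (role ARN and endpoint id are placeholders).
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "BackupRoleReadWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means everyone, authenticated or not."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def _has_deny(policy, cond_op, cond_key):
    return any(s["Effect"] == "Deny"
               and cond_key in s.get("Condition", {}).get(cond_op, {})
               for s in policy["Statement"])


def check_bucket_policy(policy):
    """Return a list of problems found in the policy (empty means it passes these checks)."""
    problems = []
    for s in policy["Statement"]:
        if s["Effect"] == "Allow" and _is_anonymous(s["Principal"]) and "Condition" not in s:
            problems.append(f"{s.get('Sid', '?')}: unconditional Allow to anonymous principal")
    if not _has_deny(policy, "Bool", "aws:SecureTransport"):
        problems.append("no Deny for aws:SecureTransport=false (plain HTTP allowed)")
    if not _has_deny(policy, "StringNotEquals", "aws:sourceVpce"):
        problems.append("no Deny for requests outside the VPC endpoint")
    return problems


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_bucket_policy(policy) or "OK")
```

An explicit Deny always wins over any Allow in IAM evaluation, which is why the hardened policy can state its two guardrails once and let the narrower Allow statements handle who may read and write.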

Route 53

  • For static websites hosted in S3, use Route 53 as your DNS and point an alias record at the S3 website endpoint rather than publishing the bucket URL directly, so the published link is your own domain and not the bucket. Note that S3 website endpoints serve HTTP only; to serve the site over HTTPS and to absorb traffic spikes, put a CloudFront distribution in front of the bucket.

Security & Identity



IAM

  • AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

Certificate Manager

  • AWS Certificate Manager (ACM) handles the complexity of provisioning, deploying, renewing and managing the certificates it issues (ACM Certificates) for your AWS-based websites and applications. You use ACM to request and manage the certificate and then attach it to other AWS services such as Elastic Load Balancing or CloudFront; the private key never leaves AWS, which removes one of the commonest ways a TLS key is leaked.

AWS Directory Service

  • If you run an on-premises Microsoft Active Directory for authentication and authorization, use the AD Connector provided by AWS Directory Service. It proxies sign-in requests to your existing directory, so no directory data or credentials are cached in the cloud, and it lets users sign in to the AWS Management Console and supported services with their corporate credentials.

Amazon Inspector

  • Amazon Inspector analyzes the behavior of your AWS resources and helps you identify potential security issues. You define a collection of resources as an assessment target, create an assessment template, and launch an assessment run against the target. During the run, the network, file system and process activity of the target are monitored and a wide set of activity and configuration data is collected: communication with AWS services, use of secure channels, details of running processes, network traffic between processes, and more. The collected data is correlated, analyzed and compared against the security rules specified in the template, and the completed run produces a list of findings, each a potential security problem with a severity. Treat the findings as input to your patching and hardening work rather than as a one-off report.

AWS KMS

  • Use AWS Key Management Service (AWS KMS) to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others, so you can encrypt data in those services with keys that you manage. Prefer customer managed keys where you need to control the key policy, rotation and which principals may use the key. AWS KMS is also integrated with AWS CloudTrail to provide key usage logs, which helps meet auditing, regulatory and compliance needs.

AWS WAF

  • AWS WAF (Web Application Firewall) is recommended for most e-commerce and financial web applications. It filters the HTTP(S) requests reaching CloudFront or an Application Load Balancer according to rules that you create, for example on source IP address, HTTP headers, HTTP body or URI strings, so you can block common attack patterns such as SQL injection and cross-site scripting and rate-limit abusive clients. Treat WAF as one layer: it reduces exposure but does not replace fixing injection flaws in the application itself.

RDS



Manage Access

  • Host RDS instances inside a VPC so that network access is governed by VPC security groups and subnets, and do not make them publicly accessible unless there is no alternative. Valid credentials only authenticate a request; without the matching IAM permissions the caller still cannot create or manage RDS resources. Use identity-based IAM policies (custom or AWS managed) to cap what each user or role may do with RDS, and keep the database credentials themselves separate from IAM.

Encrypt RDS Resources

  • You can encrypt your RDS instances and snapshots at rest by enabling the encryption option when you create the DB instance. Encrypted instances use the industry-standard AES-256 algorithm to encrypt data on the server that hosts the instance, with keys managed in AWS KMS, and RDS handles decryption transparently with minimal performance impact, so client applications need no changes. Encryption can only be chosen at creation time: to encrypt an existing unencrypted instance, take a snapshot, copy the snapshot with encryption enabled, and restore from the encrypted copy.

Encrypt Connection using SSL

  • Use SSL/TLS from your application to encrypt the connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle or PostgreSQL; each engine has its own procedure, and RDS provides the CA certificate to verify against. SSL is available in all regions, but it is optional by default, so enforce it on the server side (for example the rds.force_ssl parameter for PostgreSQL and require_secure_transport for MySQL) and have clients verify the server certificate rather than merely encrypting.

Security Groups

  • Security groups control the traffic allowed in and out of a DB instance. Three types are used with Amazon RDS: DB security groups, VPC security groups and EC2 security groups. A DB security group controls access to a DB instance that is not in a VPC (EC2-Classic), a VPC security group controls access to a DB instance (or other resources) inside a VPC, and an EC2 security group controls access to an EC2 instance. Inside a VPC, the most robust rule is to allow the database port only from the application tier's security group rather than from IP ranges.

