One of the main benefits of the AWS cloud is that it lets your business innovate at scale in a secure environment, which means that when you migrate your apps and data to the AWS cloud, security is a key consideration. AWS runs a shared responsibility model: AWS owns security *of* the cloud, and you take ownership of security for everything you run *in* the cloud. Your focus therefore needs to be on protecting applications, data and network access, which is not much different from the processes and solutions you use on-premises today.
For AWS this means the security of its global infrastructure, foundational services, operating systems and networks, whilst you are responsible for your data, your applications and your network configuration.
AWS believes security is everybody's responsibility and runs a least privilege model. This means you should grant access to your AWS platform only to those who need it. Beyond that, there are many other best practices you should consider.
At a basic architectural level there are some key design principles that have to be adopted. Security needs to be applied at every layer of the infrastructure, and practices should follow those outlined in the AWS Well-Architected Framework. You also need to enable traceability of events using services such as CloudTrail, which records who is making which API calls and requests against your services. Automation then makes sure your environment can respond in real time to security attacks rather than waiting for a person to notice.
To define this in more detail there are 4 key areas that need clear management.
- Data Protection. Organise data into segments such as public, internal only, or limited to certain teams. Put in place a least privilege access policy so people only access what they need. Encrypt everything at rest and in transit and set up regular key rotation. Use the right AWS storage services to provide resiliency, and use versioning to protect against overwrites.
- Privilege Management. Ensure only authorised users can access your resources, and only in the manner intended. Set correct Access Control Lists, Role-Based Access Control and password management.
- Infrastructure Protection. For AWS this means everything from the Virtual Private Cloud (VPC) inwards. Make sure you have highly available (HA) and fault-tolerant (FT) architectures in place.
- Detective controls. Use the tools provided by AWS to achieve this such as CloudTrail, CloudWatch and AWS Config.
Along with these 4 areas here are the key questions you must also ask yourself.
- How are you encrypting your data at rest and in transit?
- How are you protecting access to and use of AWS root credentials?
- How do you define roles and responsibilities to control human access to the AWS Console?
- How are you limiting automated access by apps, scripts or 3rd party tools to your AWS resources?
- How are you enforcing network and boundary protection?
- How are you protecting the integrity of the operating systems you run?
- How do you capture and analyse usage logs?
- Do you have a Chief Information Security Officer (CISO) and team in place to manage your strategy?
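The detective controls above and the questions about root credentials and usage logs come together in CloudTrail. As an added example (not code from the original post), here is a small detective control over CloudTrail records that flags every use of the account root identity and any console login completed without MFA. It assumes CloudTrail's standard log file shape (a JSON object with a "Records" list); the three records are constructed for the example.

```python
# Added example (not from the post): a small detective control over CloudTrail
# records that flags root-credential use and console logins without MFA.
# Assumes CloudTrail's standard log file shape, a JSON object with a "Records"
# list; the three records below are constructed for the example.
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})


def load_records(log_text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(log_text).get("Records", [])


def find_root_activity(records):
    """Events made with the root identity; each one is alert-worthy on its own."""
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append({
                "time": rec.get("eventTime"),
                "action": f"{rec.get('eventSource')}:{rec.get('eventName')}",
                "source_ip": rec.get("sourceIPAddress"),
                # Only ConsoleLogin events carry MFAUsed; API calls give None.
                "mfa_used": rec.get("additionalEventData", {}).get("MFAUsed"),
            })
    return findings


def find_console_logins_without_mfa(records):
    """Console sign-ins (root or IAM user) that completed without MFA."""
    return [rec for rec in records if rec.get("eventName") == "ConsoleLogin"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for finding in find_root_activity(recs):
        print("ROOT ACTIVITY:", finding)
    print("console logins without MFA:", len(find_console_logins_without_mfa(recs)))
```

In practice you would feed the same functions the gzipped log files CloudTrail delivers to S3, or run the equivalent match as a CloudWatch Logs metric filter so the alert fires as the event arrives.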
If you’re migrating to or already in the AWS cloud, have you asked yourself these questions? Security is the responsibility of everyone in your organisation, whatever their role. So, what does your security policy look like? If you’re not sure, or want to check your own best practice, speak with Duolc for a security assessment.