Cloud is the buzzword everywhere these days, and almost every company, whether small or big, is aiming to become cloud-enabled or cloud-driven. Amazon Web Services (AWS) is the leading cloud service provider in the market, and many companies host all or part of their IT infrastructure on AWS.
Hosting infrastructure in the cloud also requires you to implement certain security measures in order to keep it safe from cyber threats and attacks. This article lists some of the best practices that can be considered in order to implement and improve a secure AWS infrastructure.
This article assumes you have a basic understanding of AWS and the services it offers. If you are new to AWS, please see this link.
Some of the key best practices are:
Secure your AWS root account: The root account is the owner of your AWS subscription and is the account AWS uses for any communication related to your account. Access to the root account allows any change to your account: communication, billing and support settings, the environments set up inside AWS, and service configurations. Therefore, ensure you are securing the AWS root account and its access keys.
Create individual IAM users: Do not use or share root account credentials for accessing the AWS portal. Instead, create individual user accounts in IAM for accessing the AWS infrastructure. Separate IAM users give each person their own credentials and let you assign different permissions to each user as per your requirement.
Use policies to assign permissions: Create or use policies, either AWS-managed or custom written as per the requirement, to provide access to a single service or to multiple services. Policies let you grant only a certain level of access to certain service(s).
Use groups to assign permissions to IAM users: Assign permissions to IAM users through groups instead of assigning them to each user individually. Using groups helps you manage permissions in an effective and consistent manner and simplifies administration.
Grant least privilege: Create policies following the standard security principle of least privilege. Grant only the rights required to perform the required tasks and no more. You can start with the smallest set of permissions and add privileges as they become necessary.
Configure a strong password policy for your users: Implement a strong password policy for all IAM users that includes a minimum length, format requirements (alphanumeric, special characters, symbols, etc.) and password reuse restrictions, and also configure password rotation so that passwords are changed on a frequent basis. You can configure it under the Account Settings link in IAM.
Enable MFA for privileged users: Privileged users are the users who manage your infrastructure and have access to modify configuration settings for your environment, such as your AWS administrators and network administrators. For such privileged users, enable multi-factor authentication (MFA). MFA requires the user to have a device that generates a one-time password (OTP), which is entered along with the regular password as an additional layer of security. The device can be a hardware token or a virtual device such as a smartphone app.
Remove unnecessary credentials: Remove unnecessary users and their access keys. Users who no longer need access should be removed in order to reduce risk. The credential report option in IAM gives you the details of IAM users, their passwords, their access keys and when each was last used. Plan to reconcile users on a regular basis or at a defined frequency.
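The credential report is the natural input for the MFA and stale-credential checks above. The following is an added example, not the article's or AWS's code: it parses a report in the report's CSV layout and flags console users without MFA, passwords and access keys unused for more than 90 days (or never used), and active access keys on the root account. The sample rows, user names and dates are constructed; the column names are a subset of the real credential report's columns, and "today" is pinned to a fixed date so the result is reproducible offline.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed reference date so the example is reproducible; in practice use
# datetime.now(timezone.utc).
TODAY = datetime(2017, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed sample report. These are a subset of the real report's columns;
# the users and timestamps are made up for the example.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2017-05-20T08:00:00+00:00,true,true,2017-05-25T12:00:00+00:00,false,N/A
alice,true,2017-05-28T09:12:00+00:00,true,true,2017-05-30T11:00:00+00:00,false,N/A
bob,true,2017-01-10T14:00:00+00:00,false,true,2017-01-15T10:00:00+00:00,false,N/A
deploy-svc,false,not_supported,false,true,2017-05-31T03:00:00+00:00,true,2016-11-02T07:30:00+00:00
"""


def _is_stale(timestamp, today=TODAY):
    """True when a last-used value is absent (the report uses N/A,
    no_information or not_supported) or older than STALE_AFTER."""
    if timestamp in ("N/A", "no_information", "not_supported", ""):
        return True
    return today - datetime.fromisoformat(timestamp) > STALE_AFTER


def audit_credential_report(report_csv, today=TODAY):
    """Return (user, finding) tuples for credentials that should be reviewed
    or removed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"

        if is_root and not has_mfa:
            findings.append((user, "root account has no MFA"))
        if has_password and not has_mfa:
            findings.append((user, "console user without MFA"))
        if has_password and _is_stale(row["password_last_used"], today):
            findings.append((user, "console password unused for over 90 days"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key {n}"))
            if _is_stale(row[f"access_key_{n}_last_used_date"], today):
                findings.append((user, f"access key {n} unused for over 90 days or never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

The real report is produced with `aws iam generate-credential-report` and downloaded with `aws iam get-credential-report` (base64-encoded CSV); feeding the decoded text to `audit_credential_report` gives the list to reconcile at your chosen frequency.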
Monitor account activity: AWS allows you to monitor your account using services such as CloudFront, CloudTrail, CloudWatch, Config and Simple Storage Service (S3), which record or log events at different levels and in different detail. You can choose any one or all of them, as per your requirement, to have better control over your infrastructure. E.g. CloudTrail logs the events generated by AWS API calls.
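Logging is only useful if something reads it. As an added example (not the article's or AWS's code), here is a small detector that walks CloudTrail records and raises the findings the earlier points ask for: any use of the root account, a successful console login without MFA, IAM calls that create credentials or grant permissions, and calls that stop or delete the trail itself. The records follow CloudTrail's JSON layout (a `Records` array with `userIdentity`, `eventSource`, `eventName`, `additionalEventData` and `responseElements`), but the account id, user names, IP addresses and timestamps are constructed placeholders.

```python
import json

# Constructed CloudTrail-style records. The account id 123456789012, the user
# names and the IP addresses are placeholders, not data from the article.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-06-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-06-01T08:15:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-06-01T08:20:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-06-01T09:01:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "deploy-svc"}},
    {"eventTime": "2017-06-01T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2017-06-01T09:45:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# IAM calls that mint credentials or grant permissions.
PRIVILEGE_CHANGES = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                     "UpdateAssumeRolePolicy"}
# CloudTrail calls that reduce your own visibility.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect(trail_json):
    """Return (eventTime, principal, reason) tuples for events worth an alert."""
    findings = []
    for ev in json.loads(trail_json)["Records"]:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        name = ev.get("eventName", "")
        source = ev.get("eventSource", "")
        when = ev.get("eventTime", "")

        if ident.get("type") == "Root":
            findings.append((when, who, "root account used"))
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((when, who, "console login without MFA"))
        if source == "iam.amazonaws.com" and name in PRIVILEGE_CHANGES:
            findings.append((when, who, f"privilege change: {name}"))
        if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
            findings.append((when, who, f"logging tampered: {name}"))
    return findings


if __name__ == "__main__":
    for when, who, reason in detect(SAMPLE_TRAIL):
        print(when, who, reason)
```

The same rules map directly onto CloudWatch Logs metric filters if you ship the trail there; running them as code first makes it easy to tune the event lists against your own history before wiring alerts.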
Separate VPCs for different environments: It is always better to create a distinct Amazon VPC for each type of environment or requirement, to reduce the impact of any unwanted incident on the entire setup.
Security group rules: Configure EC2 security groups to allow only the required inbound and outbound traffic to/from specific ports and IP addresses. You can also place instances in different security groups if you want to separate and control communication between instances. Security groups act much like the firewalls in your traditional on-premises infrastructure.
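What "only the required traffic" means in practice is easiest to see against real rule data. The following is an added example, not code from the article or from AWS: it takes security groups in the layout returned by `describe-security-groups` (`IpPermissions` entries with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`) and flags ingress rules that expose administrative or database ports, or all traffic, to the whole internet, while leaving alone rules scoped to a corporate range or to another security group. The group ids, names and address ranges are constructed.

```python
import ipaddress
import json

# Constructed groups in describe-security-groups layout; ids and ranges are
# placeholders, not values from the article.
SAMPLE_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-1b2c3d4e", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-2c3d4e5f", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
]})

# Ports that should never be reachable from the whole internet.
RESTRICTED_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                    1433: "mssql", 27017: "mongodb", 6379: "redis"}


def _world_ranges(rule):
    """Return the CIDRs in a rule that match the entire address space."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(describe_json):
    """Return (GroupId, finding) tuples for ingress rules open to the internet
    on restricted ports or for all traffic."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            world = _world_ranges(rule)
            if not world:
                continue  # scoped to specific ranges or other groups
            proto = rule.get("IpProtocol")
            if proto == "-1":
                findings.append((sg["GroupId"], f"all traffic open to {', '.join(world)}"))
                continue
            if proto in ("icmp", "icmpv6"):
                continue  # FromPort/ToPort are ICMP type/code here, not ports
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            exposed = [svc for port, svc in RESTRICTED_PORTS.items() if lo <= port <= hi]
            if exposed:
                findings.append((sg["GroupId"],
                                 f"tcp/udp {lo}-{hi} ({', '.join(exposed)}) open to {', '.join(world)}"))
    return findings


if __name__ == "__main__":
    for group_id, finding in audit_security_groups(SAMPLE_GROUPS):
        print(group_id, finding)
```

The web group passes because HTTPS is meant to be public and SSH is limited to one corporate range; the db group's reference to `sg-0a1b2c3d` is the pattern the article recommends for controlling traffic between instances, and only its second, world-open rule is reported.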
VPN connectivity with on-premises: If you want to set up connectivity with your on-premises infrastructure, you can configure a VPN connection through a virtual private gateway to your on-premises network so that communication between your AWS resources and your on-premises resources is secured.
System updates: On a regular basis, update the operating systems and hosted applications on your EC2 instances with the security patches and hotfixes released by the respective vendors. This helps fix identified vulnerabilities and avoid issues with your systems and applications.
Hardening and protection of EC2 instances: Harden EC2 instances by disabling unnecessary services and applications, and install only the required tools and software. Deploying antivirus software in your AWS environment also helps protect it from viruses, Trojans, etc.
This is not an exhaustive list, but it includes some of the most commonly used best practices that you can adopt to secure your AWS infrastructure. In addition, as every organization's requirements differ, not all of the listed practices will apply to every organization; you will have to evaluate and select the appropriate ones to suit your requirements.
Authored By - Mahendra Joshi
TCS Cyber Security Practice