Enhancing Cloud Security with AWS Security Services

Cloud computing has become an operational pillar for businesses today. Major cloud service providers like Amazon AWS provide a wide range of cloud computing services which enable businesses to get into the bandwagon of digital transformation. AWS offers several benefits which include flexibility, scalability, cost effectiveness but it also poses a unique preposition to address security concerns of today’s enterprises. 

In today’s topic we will learn about how using AWS security services we can enhance cloud security, learn its best practices on cloud security, how AWS is aligned to global security compliance and what tools and services are offered.  

AWS Cloud Security: Best Practices

AWS cloud compliance enables us to put robust controls in place to maintain data security in the cloud. 

1. Limiting access – it is important to limit access to users and systems in AWS and this is achieved using AWS Identity Access management (IAM).
   1. Users – are people or systems which need to interact with AWS 
   2. Credentials – include console passwords, access and SSH keys and server certificates 
   3. Groups – is a collection of users. Using group, we can manage permissions for all users belonging to a group 
   4. Roles – are like users but do not have long term credentials such as passwords or access keys. Role can be assumed by a user or service using temporary credentials for a session. 
   5. Policies – are JSON docs which give permissions to perform an action in AWS services. 
2. Root user restrictions – root user in AWS is the user that is associated with the email address used to create an AWS account. The root user has full admin rights hence it needs to be protected with complex password and MFA and its usage should be restricted. 
3. User managed via federated SSO – is used to centrally manage individual access to AWS using SSO solutions such as Azure federation, Okta etc. 
4. Do not attach policies to individual users – Apply policies to groups and roles 
5. Configure IAM to use strong password along with MFA and enable MFA for all users
6. Delete unused credentials that are not being used in last 90 days
7. Rotation of access keys every 90 days 
8. Vulnerabilities can be detected in EC2 instances using AWS inspector and use patch manager in AWS system manager to patch them 
9. Log all activity that is occurring in the AWS environment and monitor them using CloudTrail. 
10. Create trail for all regions – create trail in CloudTrail to send all logs to S3 buckets. 
11. Ensure that S3 bucket is not available publicly and access is restricted only to users who need it and configure MFA in order to delete log buckets 
12. Enable additional layer of protection by enabling server-side encryption with AWS KMS 

AWS and Global Security Compliance

AWS compliance standards enable enterprises of its public cloud to maintain security and protection of its data. Professionally qualified security auditors monitor and audit AWS platform and its services and AWS customers were informed on audit findings. AWS portfolio includes 100+ services comprising computing, database services, infrastructure management, application development, and security. AWS compliance ensures they align to global compliance frameworks and regulations such as Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR). 

AWS services are regularly audited and receive third party certifications with active monitoring of industry compliance standards. The IT infrastructure provided by AWS is designed in alignment with best security practices and IT security standards such as SOC1/SOC2/SOC3, FISMA, DIACP, FedRAMP, PCI DSS, ISO9001, ISO27001, ISO27017, ISO27018. AWS provides its customers a wide range of information on its IT control environment in the form of reports, whitepapers, certifications and accreditations. 

Security Management: AWS Security Services & Tools 

Let’s review important tools and services pertaining to AWS security. 

• AWS CloudTrail – is used to log all API calls made to AWS account. It can help in identifying who made changes to resources and when which could provide valuable insight during security investigations and forensics. 
• Amazon GuardDuty – performs continuous monitoring of AWS accounts and workloads for suspicious activities and unauthorized attempts. It analyses VPC flow logs, CloudTrail events and DNS logs to identify potential security issues. 
• AWS Config – provides detailed inventory of AWS resources and tracks changes to those resources configurations over time. It helps to identify potential security issues and raises alerts when changes made impact the security posture. 
• Amazon Inspector – is an automated security assessment service to identify potential security issues and vulnerabilities in applications and infrastructure and supplies detailed reports which can be integrated into DevOps workflows for changes. 
• Amazon Detective – is used to analyze and investigate security incidents across AWS resources. It collects data from AWS services automatically and uses ML algorithms for quick identification of root cause of security issues or misconfigurations.
• AWS Security hub – is a central place to manage all security compliance across AWS. It provides a complete view of security posture and automates compliance checks.
• AWS Identity and Access management is used to manage and control access to AWS resources. 
• AWS Key Management Service – allows to manage encryption keys used in AWS. 
• AWS WAF – is a web application firewall which is used to secure websites and it can be integrated with other AWS services for comprehensive protection.