AWS is the biggest player in the public IaaS (Infrastructure as a Service) market and a critical component of the hybrid-cloud infrastructure in many enterprises. Understanding how to secure AWS resources and minimize the impact of any breaches that do occur has become more important than ever. For this reason, after closing 2018 with Infection Monkey & Guardicore Centra’s integration into AWS Security Hub, we decided to open 2019 with a crash course on AWS security best practices.
In this piece, we’ll dive into some of the basics of AWS security, provide some tips to help you get started, and supply you with information on where you can learn more.
#1 AWS security best practice: Get familiar with the AWS shared responsibility model
Understanding the AWS security paradigm at a high level is an important part of getting started securing your AWS infrastructure. AWS uses the shared responsibility model to define who is responsible for securing what in the world of AWS. To help conceptualize the model, the public cloud infrastructure giant has come up with succinct verbiage to describe what they are responsible for and what you (the customer) are responsible for. In short:
AWS is responsible for “security of the cloud”- This means the infrastructure that runs AWS services (the hardware, software, networking, and facilities: think racks in physical data centers, hypervisors, switches, routers, storage, etc.) is AWS’s responsibility to secure.
Customers are responsible “for security in the cloud”- This means customers are responsible for securing what they put on that infrastructure: customer data, applications, guest operating systems (including patching), network and firewall configuration such as security groups, authentication, access management, and encryption of data in transit and at rest.
Worded differently, AWS gives you the public cloud infrastructure to build upon, but it’s up to you to do so responsibly. Note that the dividing line moves with the type of service: on an EC2 instance you patch the operating system yourself, whereas for a managed service such as RDS, AWS patches the host and you are left with the data, the access controls, and the network configuration. It is expected that not everything you need will be baked into any given AWS solution. Third-party security tools like Centra can help fill those gaps. Understanding the shared responsibility model and what tools can help will allow you to ensure you’re doing your part to secure your infrastructure.
#2 AWS security best practice: Use IAM wisely
AWS Identity and Access Management (IAM) is a means of managing access to AWS resources and services, and is built into every AWS account. In a nutshell, IAM enables you to configure granular permissions and access rights for users, groups, and roles. Here are a few useful high-level recommendations to help you get started with IAM:
- Grant least privilege – The principle of least privilege is a popular concept in the world of InfoSec and it is even more important to adhere to in the cloud. Only grant users and services the privileges necessary for the given set of tasks they should be legitimately responsible for, and nothing more.
- Use IAM groups – Using groups to assign permissions to users significantly simplifies and streamlines access management.
- Regularly rotate credentials – Enforcing expiration dates on credentials helps ensure that if a given set of credentials is compromised, there is a limited window for an attacker to access your infrastructure. Better still, prefer short-lived credentials obtained through IAM roles (for example an instance profile on EC2) over long-lived access keys embedded in code or configuration.
- Limit use of the account root user – In IAM, “root” means the AWS account root user (the identity tied to the e-mail address the account was created with), not the Linux “root” user on your instances. The root user has unrestricted access that no IAM policy can limit, so do not use it for day-to-day work: enable MFA on it, delete any access keys it has, and do administration through IAM users or roles with administrative policies instead.
- Use MFA – Multi-factor authentication (MFA) should be considered a must for users with high-level privileges.
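The recommendations above are easier to enforce when you can check a policy document mechanically. The following is an added example for this post (not AWS code or an official tool) that lints an IAM policy for the least-privilege mistakes most often seen: `Action: "*"`, service-wide wildcards, `Resource: "*"` with no `Condition`, and privilege-escalating actions such as `iam:PassRole` granted unconditionally. It runs offline against policy JSON you already have; the two policies at the bottom are constructed samples, and `SENSITIVE_ACTIONS` is an illustrative subset rather than an exhaustive list.

```python
"""Lint an IAM policy document for statements that violate least privilege.

Added example for this post, not AWS code. Works offline on a policy
document (for example the output of `aws iam get-policy-version`).
"""
import fnmatch
from typing import Dict, List, Union

# Actions that let a principal widen its own (or another principal's)
# permissions; these deserve a Condition or a narrow Resource even when the
# rest of the policy looks tight. Assumption: an illustrative subset only.
SENSITIVE_ACTIONS = (
    "iam:AttachRolePolicy",
    "iam:AttachUserPolicy",
    "iam:CreatePolicyVersion",
    "iam:PassRole",
    "iam:PutRolePolicy",
    "iam:PutUserPolicy",
    "sts:AssumeRole",
)


def _as_list(value: Union[None, str, List]) -> List:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and patterns may contain '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_least_privilege_violations(policy: Dict) -> List[str]:
    """Return one human-readable finding per problem found in Allow statements."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants full administrative access")
        else:
            for pattern in actions:
                if pattern.endswith(":*"):
                    findings.append(f"{sid}: service-wide wildcard {pattern}")
            for sensitive in SENSITIVE_ACTIONS:
                if not conditioned and any(_action_matches(p, sensitive) for p in actions):
                    findings.append(f"{sid}: {sensitive} allowed without a Condition")
        if "*" in resources and not conditioned:
            findings.append(f"{sid}: Resource '*' with no Condition to scope it")
    return findings


# Constructed sample: the kind of policy that accumulates when "just make it work" wins.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample: the same needs, scoped to one bucket and one role.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "PassOnlyAppRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/app-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY), ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: {len(find_least_privilege_violations(policy))} finding(s)")
        for finding in find_least_privilege_violations(policy):
            print("  -", finding)
```

The linter flags six problems in the first policy and none in the second; the contrast on `iam:PassRole` is the point: the same action is acceptable once it is pinned to one role ARN and conditioned on the service it may be passed to.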
#3 AWS security best practice: Disable SSH password authentication
If you’re familiar with Linux server administration in general, you’re likely familiar with the benefits of SSH keys over passwords. If you’re not, the short version is:
- SSH keys are less susceptible to brute force attacks than passwords.
- To compromise SSH public-key authentication with a passphrase-protected key, an attacker would need to obtain the private key file AND determine (or guess) the passphrase that decrypts it.
- While SSH keys may require a little more work when it comes to key management, the pros far outweigh the cons from a security perspective.
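Disabling password authentication is a one-line change in `sshd_config`, but it is easy to get wrong because sshd uses the first value it reads for each keyword, so appending `PasswordAuthentication no` below an existing `PasswordAuthentication yes` changes nothing. The following is an added example for this post (not part of OpenSSH or AWS) that applies that same first-wins rule to a config file and also checks the PAM keyboard-interactive path, which can still prompt for a password after `PasswordAuthentication` is turned off. Only the global section is examined: parsing stops at the first `Match` block (a simplification, since `Match` blocks can re-enable passwords for particular users or addresses). The defaults assumed are upstream OpenSSH defaults; both configs are constructed samples.

```python
"""Report whether an sshd_config really disables password logins.

Added example for this post, not OpenSSH or AWS code. Mirrors sshd's rule
that the FIRST value for a keyword wins and only examines the global section.
"""
import re
from typing import Dict, List

# 'Keyword value' or 'Keyword=value'; keywords are matched case-insensitively.
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")


def parse_global_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> effective value for the global section."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        keyword, value = match.group(1).lower(), match.group(2).strip()
        if keyword == "match":
            break  # everything after this is conditional, not global
        effective.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return effective


def audit_password_logins(text: str) -> List[str]:
    """One finding per way a password could still be accepted."""
    cfg = parse_global_sshd_config(text)
    findings: List[str] = []
    # Upstream default for PasswordAuthentication is 'yes' when absent.
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is effectively 'yes'")
    # Keyboard-interactive (ChallengeResponseAuthentication in older releases)
    # lets PAM prompt for the account password even when PasswordAuthentication
    # is 'no'. Upstream default is 'yes'; UsePAM defaults to 'no' upstream but
    # most distributions turn it on.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no" and cfg.get("usepam", "no").lower() == "yes":
        findings.append("keyboard-interactive authentication via PAM can still accept passwords")
    # Upstream default is prohibit-password; 'yes' allows any method for root.
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes permits direct root login; use prohibit-password or no")
    return findings


# Constructed sample: an admin appended 'no' below a distro default of 'yes'.
APPENDED_TOO_LATE = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
UsePAM yes
# Added later in a hurry; sshd ignores it because the first value wins.
PasswordAuthentication no
"""

# Constructed sample: key-only logins, with the PAM side closed as well.
KEYS_ONLY = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, text in (("appended too late", APPENDED_TOO_LATE), ("keys only", KEYS_ONLY)):
        print(f"{name}: {audit_password_logins(text) or ['ok']}")
```

On a live instance, `sshd -T` prints the configuration sshd has actually loaded, so `sshd -T | grep -i passwordauthentication` is the authoritative check after any edit; the script above is useful for reviewing config files or AMI build sources before they reach a host.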
#4 AWS security best practice: Use security groups
First, to clear up a common misconception: AWS security groups are NOT user groups or IAM groups. An AWS security group is effectively a virtual firewall attached to an instance’s network interface. It contains only allow rules (anything not explicitly allowed is denied) and it is stateful, so return traffic for an allowed connection is permitted automatically. If you’re comfortable understanding the benefits of a firewall within a traditional network infrastructure, conceptualizing the benefits of AWS security groups will be intuitive.
AWS security group best practices
Now that we’ve clarified what a security group is, we’ll dive into a few AWS security group best practices to help you get started using them.
- Minimize open ports – Unless there is a highly compelling argument to do so, only allow access to required ports on any given instance. For example, if you’re running a cluster of instances for a web-server, access to TCP ports 80 and 443 from anywhere makes sense, TCP 22 for SSH should be limited to a bastion host’s security group or a known administrative IP range, and opening other ports to the Internet is an unnecessary risk.
- Don’t expose database ports to the Internet – In most cases, there is no need to expose the database to the Internet – doing so puts your infrastructure at risk. Use security group rules to restrict database port (e.g. TCP 3306 for MySQL) access to other specific AWS security groups, referencing the application tier’s security group as the source rather than a CIDR range.
- Regularly audit your security group policies – Requirements change, rules that were once needed become liabilities, and people make mistakes. Regularly auditing your security rules for relevance and proper configuration helps you minimize the likelihood that an outdated or misconfigured security group creates a network breach.
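The three rules above can be checked mechanically against the output of `aws ec2 describe-security-groups`. The following is an added example for this post (not an AWS tool) that walks the `IpPermissions` of each group and flags all-traffic rules from anywhere, database ports reachable from non-private sources, administrative ports open to the world, and any other non-web port exposed to the Internet; rules whose source is another security group are left alone because that is the recommended pattern. The groups below are constructed samples with made-up IDs, and the port tables are an illustrative subset.

```python
"""Audit security group ingress rules for Internet exposure.

Added example for this post, not AWS code. Works offline on the structure
returned by `aws ec2 describe-security-groups --query SecurityGroups`.
"""
import ipaddress
from typing import Dict, List, Tuple

PUBLIC_SERVICE_PORTS = {80, 443}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _port_range(rule: Dict) -> Tuple[int, int]:
    """IpProtocol '-1' means all traffic, which has no FromPort/ToPort."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def _cidr_sources(rule: Dict) -> List[str]:
    """IPv4 and IPv6 CIDR sources; UserIdGroupPairs (security-group sources) are not CIDRs."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _is_anywhere(cidr: str) -> bool:
    return cidr in ("0.0.0.0/0", "::/0")


def _is_private_source(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETS if p.version == net.version)


def audit_security_groups(groups: List[Dict]) -> List[str]:
    """One finding per (rule, source) pair that violates the practices above."""
    findings: List[str] = []
    for sg in groups:
        label = f"{sg['GroupId']} ({sg.get('GroupName', '?')})"
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = _port_range(rule)
            for cidr in _cidr_sources(rule):
                if proto == "-1" and _is_anywhere(cidr):
                    findings.append(f"{label}: all traffic allowed from {cidr}")
                    continue
                if proto not in ("tcp", "udp", "-1"):
                    continue  # ICMP and similar carry no port range
                db_hit = [n for p, n in DATABASE_PORTS.items() if lo <= p <= hi]
                admin_hit = [n for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
                if db_hit and not _is_private_source(cidr):
                    findings.append(f"{label}: {'/'.join(db_hit)} reachable from {cidr}; "
                                    "allow only from the application tier's security group")
                if admin_hit and _is_anywhere(cidr):
                    findings.append(f"{label}: {'/'.join(admin_hit)} open to the world; "
                                    "restrict to known admin source ranges")
                if (_is_anywhere(cidr) and not db_hit and not admin_hit
                        and not (lo == hi and lo in PUBLIC_SERVICE_PORTS)):
                    findings.append(f"{label}: {proto} {lo}-{hi} open to {cidr} but is not a public web port")
    return findings


# Constructed sample groups (IDs are made up).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # SSH from anywhere: should be a bastion's security group or an admin range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-good", "IpPermissions": [
        # Source is the web tier's security group, not a CIDR: the right pattern
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(finding)
```

Against the samples this reports four findings (SSH on the web tier, MySQL on `db-bad`, and both rules on `legacy`) and nothing for `db-good`. Feed it real data with `aws ec2 describe-security-groups --query SecurityGroups` and run it per region; it audits only ingress, so egress rules and unused groups still need a separate pass.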
This is just the tip of the iceberg when it comes to AWS security group best practices. For more information, check out the AWS Security Groups User Guide and our Strategies for Protecting Cloud Workloads with Shared Security Models whitepaper.
#5 AWS security best practice: Leverage micro-segmentation
One of the most important components of securing public-cloud infrastructure, particularly in hybrid-cloud environments, is micro-segmentation. Micro-segmentation helps limit both north-south and east-west movement of breaches when they occur, which helps mitigate the spread of threats from one node to another. Further, Guardicore’s intelligent micro-segmentation solution can limit one of the biggest drivers of breach impact: dwell time. If you’re interested in learning more, check out this blog post for a crash course on micro-segmentation best practices.
How micro-segmentation complements AWS security groups
Security groups are an important part of AWS security, and micro-segmentation is an excellent way to complement them and round out a hybrid-cloud security plan. A micro-segmentation solution like Guardicore Centra helps ensure you are able to implement micro-segmentation seamlessly both on-premises and in the cloud. Specific benefits of using Centra to complement AWS security groups include:
- Enhanced visibility – Centra is able to automatically discover applications and flows, use its AWS API integration to pull labels and asset information, and provide granular visibility and baselining for your entire infrastructure.
- Application-aware policies – Next Generation Firewalls (NGFWs) are a big part of on-premises security, and Centra helps bring the same features to your AWS cloud. You wouldn’t compromise on application-aware security in a physical datacenter, and with Centra you don’t have to in the cloud either.
- Protection across multiple cloud platforms & on-prem – It is common for the modern enterprise to have workloads scattered across multiple cloud service providers as well as physical servers on-premises. Centra is able to provide micro-segmentation for workloads running in AWS, other IaaS providers, and on physical servers in corporate offices and data centers. This helps enterprises ensure that their security is robust across the entirety of their infrastructure.
If you’re interested in learning more about the benefits of Centra for AWS, check out this solution brief (PDF).
Putting it all together: a holistic approach to AWS security
As we have seen, there is no single magic bullet when it comes to securing your AWS infrastructure. Understanding the AWS shared responsibility model enables you to know where to focus your attention, and leveraging built-in AWS features like security groups and IAM is a great start. However, there are still gaps left unaccounted for by AWS tools, and 3rd party solutions are needed to address them. Guardicore Centra provides users with micro-segmentation, breach detection & response, and application-level visibility that help round out a holistic approach to AWS security.
Want to learn more?
Interested in cloud security for hybrid environments? Get our white paper about protecting cloud workloads with shared security models.