Read on:
AWS for Beginners: Understanding AWS Terminologies: Part 1
AWS for Beginners: What is AWS EC2: Part 2
AWS for Beginners: AWS Compute Services: Part 3
Introduction
Amazon Web Services (AWS) provides a range of security features to protect an account and the services deployed in it. Attacks on cloud infrastructure are increasing, and organizations need strict security policies to protect their infrastructure, applications, and customer data. Attackers try to compromise cloud environments in many ways: phishing, malware, DDoS attacks, brute-force attacks, leaked access keys, and so on. In AWS, security is a shared responsibility. AWS is responsible for security of the cloud: the hardware, software, networking, and physical data-center security on which AWS services run. The customer is responsible for security in the cloud: the configuration of the services deployed in the account, including identities and permissions, network access, data encryption, and patching of anything the customer runs (for example the operating system on an EC2 instance). In practice this means taking great care when granting permissions to users and workloads and when opening network access.
This article will walk you through the various security services offered by AWS and how they could be used to secure the AWS cloud environment.
Identity and Access Management
Identity and access management (IAM) is a critical component of any enterprise security architecture. IAM services manage identities, their permissions, and the resources they may reach. IAM lets people and non-human entities authenticate and then access only the cloud resources they are authorized for. For example, an S3 bucket may be accessed by a human user and also by an EC2 instance acting under an IAM role. IAM also allows the activity of those identities to be monitored throughout their lifecycle. An identity is not only a person: IoT devices, APIs, microservices and other workloads all need identities of their own so that their access can be scoped and audited, rather than sharing a human user's long-lived access keys.
Identity and access management in AWS can be managed through the following services.
AWS IAM
AWS IAM is the service that grants the right permissions to the right identities for access to AWS resources, whether compute, storage, database, or application services. IAM handles authentication (who is calling) and authorization (what they may do) through four building blocks: Users (long-term identities for people or legacy integrations), Groups (collections of users that share permissions), Roles (identities that are assumed temporarily by AWS services, workloads, or federated users and that issue short-lived credentials instead of static keys), and Policies (JSON documents stating which actions are allowed or denied on which resources, under which conditions). The practical rule is least privilege: grant only the actions and resources a task needs, prefer roles over long-lived access keys, and require MFA for human users.
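As an added illustration (not code from the original article), here is a small Python check that compares an over-privileged policy with a least-privilege version of the same intent and flags the statements a reviewer would object to. The two policy documents, the bucket name and the list of high-risk services are constructed for this example; the checks are deliberately simpler than what IAM Access Analyzer performs.

```python
import json

# Constructed example policies (not from the original article). The first grants
# far more than an application that only reads one bucket needs; the second is
# the least-privilege version of the same intent.
OVER_PRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-app-assets/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-app-assets",
            "Condition": {"StringLike": {"s3:prefix": ["public/*"]}},
        },
    ],
}

# Services where a wildcard action amounts to control of the whole account
# (assumed list for the example).
HIGH_RISK_SERVICES = {"iam", "sts", "organizations", "kms"}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of human-readable findings for an IAM policy document.

    Checks: wildcard actions, unconditional wildcard resources, and full access
    to identity-critical services. Deny statements are skipped because they can
    only narrow access. Real reviews (IAM Access Analyzer) also reason about
    NotAction, NotResource and condition keys; this helper does not.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"statement {idx}: wildcard action {action!r}")
            if service in HIGH_RISK_SERVICES and verb == "*":
                findings.append(f"statement {idx}: full access to {service}")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"statement {idx}: Resource '*' without a Condition")
    return findings


def is_least_privilege(policy):
    """True when the audit raises no findings."""
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(policy, indent=2))
        for finding in audit_policy(policy) or ["no findings"]:
            print("  -", finding)
```

The over-privileged document produces five findings (two wildcard actions, full IAM access, and two unconditional `Resource: "*"` statements); the least-privilege one produces none because every statement names the exact bucket and actions, and the listing permission is further restricted to a prefix.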
AWS Cognito
Amazon Cognito authenticates, authorizes and manages users for web and mobile applications. It provides a built-in, customizable hosted UI for sign-up and sign-in and maintains a scalable, secure user directory (a user pool). Users can sign in with social identity providers such as Facebook or Google, or with enterprise identity providers through SAML or OpenID Connect. Cognito also offers Multi-Factor Authentication (MFA), adaptive authentication that can require MFA on risky sign-ins, and encryption of data in transit and at rest.
AWS Resource Access Manager
AWS Resource Access Manager (RAM) is a service for sharing AWS resources securely across accounts, either within an AWS Organization or with specific accounts. Most companies create many AWS accounts to isolate workloads so that a mistake or compromise in one account has a limited blast radius. Without RAM, resources such as VPC subnets, Transit Gateways or License Manager configurations would have to be duplicated in each account. With RAM, the owning account creates a resource share, adds resources to it, and specifies the principals (accounts, organizational units, or the whole organization) that may use them. This eliminates duplicate resources and their operational overhead, and it gives auditors fewer copies of each resource to examine. AWS RAM is available at no additional cost.
Threat detection and control
Cloud infrastructure is constantly probed by attackers using techniques such as DDoS attacks, brute-force logins, port scanning and spoofed traffic. A threat detection system identifies these incidents so that they can be investigated and remediated. In AWS, Amazon GuardDuty is the managed service for detecting potential threats and security incidents.
AWS GUARDDUTY
Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for malicious or unauthorized activity. It analyses AWS CloudTrail event logs (management events and, optionally, S3 data events), VPC Flow Logs and Route 53 DNS query logs, and it can also scan the EBS volumes attached to EC2 instances and containers for malware. Detection combines threat-intelligence feeds of known malicious IPs and domains with machine learning and anomaly detection against each account's normal behaviour. Findings can be sent to AWS Security Hub and to Amazon EventBridge, from which an AWS Lambda function can perform automated remediation (for example, isolating an instance by swapping its security group, or revoking the sessions of a compromised IAM role).
GuardDuty finding types cover compromised credentials (for example, an EC2 instance's role credentials being used from outside AWS), compromised instances or containers (such as outbound connections to a known command-and-control server or cryptocurrency mining), and reconnaissance (port scans and brute-force attempts against SSH or RDP). GuardDuty reads its log sources through independent streams, so you do not have to enable CloudTrail or VPC Flow Logs for it to work; it keeps only the findings and does not retain the raw logs, so you should still enable those logs yourself for your own investigations.
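To make the reconnaissance case concrete, the following Python snippet is an added example (not GuardDuty's code or the article's) that applies one GuardDuty-style heuristic to VPC Flow Log records: a single source address touching many distinct ports on one instance, with most of those flows rejected by the security group, looks like a port probe. The log lines, addresses and thresholds are constructed for the example; GuardDuty's real detectors also use threat intelligence and per-account baselines.

```python
from collections import defaultdict

# Constructed VPC Flow Log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# 203.0.113.9 walks across ports on 10.0.1.20; 198.51.100.7 is ordinary HTTPS traffic.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51234 21 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51235 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51236 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51237 80 6 1 44 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51238 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51239 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51240 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44001 443 6 120 98765 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44002 443 6 98 81234 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

PORT_THRESHOLD = 5   # distinct destination ports from one source before we flag (assumed)
REJECT_RATIO = 0.5   # share of those flows that must have been rejected (assumed)


def parse_flow_log(text):
    """Parse default-format VPC Flow Log records into dicts.

    Records whose log-status is NODATA or SKIPDATA carry no traffic fields and
    are skipped rather than mis-parsed.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue
        records.append({
            "src": fields[3],
            "dst": fields[4],
            "dstport": int(fields[6]),
            "proto": int(fields[7]),
            "action": fields[12],
        })
    return records


def detect_port_probes(records, port_threshold=PORT_THRESHOLD,
                       reject_ratio=REJECT_RATIO):
    """Flag (src, dst) pairs whose flows spread over many ports and were mostly rejected."""
    ports = defaultdict(set)
    rejected = defaultdict(int)
    total = defaultdict(int)
    for r in records:
        key = (r["src"], r["dst"])
        ports[key].add(r["dstport"])
        total[key] += 1
        if r["action"] == "REJECT":
            rejected[key] += 1
    findings = []
    for key, portset in ports.items():
        if len(portset) >= port_threshold and rejected[key] / total[key] >= reject_ratio:
            findings.append({
                "src": key[0],
                "dst": key[1],
                "distinct_ports": sorted(portset),
                "rejected": rejected[key],
                "total": total[key],
            })
    return findings


if __name__ == "__main__":
    for f in detect_port_probes(parse_flow_log(SAMPLE_FLOW_LOGS)):
        print(f"possible port probe from {f['src']} against {f['dst']}: "
              f"{len(f['distinct_ports'])} ports, {f['rejected']}/{f['total']} rejected")
```

Run on the sample, the detector raises one finding for 203.0.113.9 (seven distinct ports, six of seven flows rejected) and nothing for the HTTPS client, which is exactly the separation a Recon-type GuardDuty finding makes; an automated responder could then add the source to a network ACL deny list.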
Guardduty has the following components.
Application protection
Web applications hosted in the cloud need protection from common web exploits and from bots and other automated traffic that affect the availability and security of the application. AWS provides two services for this.
AWS SHIELD
AWS Shield is a managed service that protects applications from Distributed Denial of Service (DDoS) attacks. It comes in two tiers.
- Standard protection
- Advanced protection
Shield Standard is enabled automatically for every AWS customer at no extra cost. It defends against the most common network-layer (layer 3) and transport-layer (layer 4) DDoS attacks, such as SYN floods and UDP reflection attacks, against your websites and applications.
Shield Advanced is a paid subscription that adds further protection, visibility and benefits on top of Standard: dedicated protection for applications running on Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator and Amazon Route 53; near real-time visibility into attacks; integration with AWS WAF for application-layer (layer 7) mitigation; access to the AWS Shield Response Team during an attack; and cost protection against scaling charges caused by an attack.
AWS Web Application Firewall
AWS WAF is a web application firewall that protects web applications and APIs from common application-layer attacks. It is attached to a resource such as a CloudFront distribution, an Application Load Balancer, or an API Gateway REST API, and it inspects each HTTP(S) request against a web ACL: an ordered list of rules that allow, block, or merely count matching requests, followed by a default action for everything else. Counting lets you observe how a rule would behave before enforcing it.
AWS WAF saves time through AWS Managed Rules (for example the Core rule set, the Known bad inputs rule group and the SQL database rule group) that can be applied without writing rules yourself; it also emits near real-time CloudWatch metrics and optional full request logs, improving visibility into web traffic.
Rules define the criteria for inspecting web requests and the action to take when a request matches those criteria. The criteria can be:
- Source IP address or CIDR range of the request (an IP set)
- Strings or regular expressions that appear in a part of the request (URI path, query string, headers, or body)
- Country of origin of the request, derived from the source IP (geo match)
- Known attack patterns in the request, such as SQL injection or cross-site scripting
- Request rate: a rate-based rule blocks a source IP that exceeds a request count within a short time window
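The following Python block is an added example (not AWS WAF code or the article's) that models how a web ACL evaluates a request: rules run in priority order, COUNT rules record a match without stopping evaluation, the first ALLOW or BLOCK rule wins, and the default action applies otherwise. The ACL, its IP set, country list, the toy SQL-injection pattern and the sample requests are all constructed for the example; the real service's SQLi detection in AWS Managed Rules is far more thorough than this regex.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed web ACL shaped after the AWS WAF rule model (priority-ordered rules,
# one statement and one action each, plus a default action). Not a WAF JSON export.
WEB_ACL = {
    "DefaultAction": "ALLOW",
    "Rules": [
        {"Name": "block-known-bad-ips", "Priority": 0, "Action": "BLOCK",
         "Statement": {"IPSet": ["203.0.113.0/24", "198.51.100.17/32"]}},
        {"Name": "block-embargoed-countries", "Priority": 1, "Action": "BLOCK",
         "Statement": {"GeoMatch": ["KP", "IR"]}},
        {"Name": "count-admin-path", "Priority": 2, "Action": "COUNT",
         "Statement": {"ByteMatch": {"Field": "uri", "Constraint": "STARTS_WITH",
                                     "Value": "/admin"}}},
        {"Name": "block-sqli", "Priority": 3, "Action": "BLOCK",
         "Statement": {"SqliMatch": {"Field": "query"}}},
    ],
}

# Toy SQL-injection signature (assumed for the example): tautologies such as
# "OR '1'='1", UNION SELECT, stacked DROP, or a trailing comment.
SQLI_PATTERN = re.compile(
    r"(?i)\bor\b\s+['\"]?\w+['\"]?\s*=|union\s+select|;\s*drop\b|--\s*$")

# Constructed sample requests: source IP, GeoIP country, URI path, raw query string.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.77", "country": "US", "uri": "/index.html", "query": ""},
    {"ip": "192.0.2.10", "country": "US", "uri": "/admin/login", "query": ""},
    {"ip": "192.0.2.11", "country": "DE", "uri": "/search", "query": "q=shoes"},
    {"ip": "192.0.2.12", "country": "FR", "uri": "/item",
     "query": "id=1%27%20OR%20%271%27%3D%271"},
    {"ip": "192.0.2.13", "country": "KP", "uri": "/", "query": ""},
]


def _matches(statement, req):
    """Evaluate one rule statement against one request."""
    if "IPSet" in statement:
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(cidr) for cidr in statement["IPSet"])
    if "GeoMatch" in statement:
        return req.get("country") in statement["GeoMatch"]
    if "ByteMatch" in statement:
        spec = statement["ByteMatch"]
        value = req.get(spec["Field"], "")
        if spec["Constraint"] == "STARTS_WITH":
            return value.startswith(spec["Value"])
        if spec["Constraint"] == "CONTAINS":
            return spec["Value"] in value
        raise ValueError(f"unsupported constraint {spec['Constraint']}")
    if "SqliMatch" in statement:
        # Decode first so percent-encoded payloads cannot slip past the pattern.
        value = unquote_plus(req.get(statement["SqliMatch"]["Field"], ""))
        return SQLI_PATTERN.search(value) is not None
    raise ValueError("unknown statement type")


def evaluate(acl, req):
    """Return (action, terminating_rule_name, counted_rule_names) for one request."""
    counted = []
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], req):
            continue
        if rule["Action"] == "COUNT":
            counted.append(rule["Name"])  # non-terminating: keep evaluating
            continue
        return rule["Action"], rule["Name"], counted
    return acl["DefaultAction"], None, counted


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, rule, counted = evaluate(WEB_ACL, req)
        print(f"{req['ip']:14} {req['uri']:13} -> {action:5} "
              f"rule={rule} counted={counted}")
```

The request to /admin/login is allowed but shows up in the count for `count-admin-path`, which is how you would watch a candidate rule's hit rate before switching it to BLOCK; the percent-encoded tautology in the fourth request is blocked only because the statement decodes the query string before matching, the same reason AWS WAF applies text transformations such as URL_DECODE before inspection.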
Data security with Key Management Service
Data security in cloud infrastructure is key to protecting customer data from unauthorized access. Sensitive data should be encrypted with cryptographic keys so that it can be decrypted only by a party authorized to use those keys. Even if an unauthorized person obtains a copy of the stored data (for example a snapshot or a bucket listing), they cannot read it without access to the keys, and in AWS that access is itself governed by IAM and key policies and recorded in CloudTrail.
AWS provides the following services for data security.
AWS Key Management Service
AWS KMS (Key Management Service) is a managed service for creating and controlling the cryptographic keys used to protect your data. Keys are stored in FIPS-validated hardware security modules operated by AWS and never leave KMS in plaintext; every use of a key is recorded in CloudTrail, which gives you an audit trail of who used which key and when. Access to each key is governed by a key policy combined with IAM policies, so a user who can read an encrypted S3 object still cannot decrypt it without kms:Decrypt permission on that key. KMS integrates with most AWS services (S3, EBS, RDS, DynamoDB, Secrets Manager and others) for server-side encryption, and applications can call it directly. Because a single KMS Encrypt call handles only a few kilobytes, larger data is protected with envelope encryption: KMS generates a data key, the application encrypts the data locally with it, and the data key is stored encrypted under the KMS key alongside the ciphertext.
Developers use KMS to encrypt data inside their applications; administrators use it to avoid building, licensing and operating their own key-management infrastructure; and auditors use its CloudTrail records to verify, for regulatory and compliance purposes, that data is encrypted and that key usage is authorized.
AWS CloudHSM
AWS also offers AWS CloudHSM, which provides dedicated, single-tenant hardware security modules (HSMs) running inside your VPC. Unlike KMS, where AWS operates the HSM fleet and you control keys through the KMS API, with CloudHSM you administer the HSM users and the entire key lifecycle (generation, use, rotation and archiving) yourself, and AWS has no access to your keys. CloudHSM is chosen when a compliance regime requires exclusive control of the HSM, or for workloads such as database encryption, Public Key Infrastructure, document and code signing, and transaction processing, which applications reach through standard interfaces such as PKCS#11, JCE and Microsoft CNG/KSP.
Conclusion
AWS offers a range of security services to protect cloud infrastructure, applications, and customer data. Choose the services that match your requirements, and remember that under the shared responsibility model their configuration is up to you. The AWS reference architecture documents show how these security services can be integrated with your infrastructure and application services.