Amazon Web Services (AWS) is a leading Infrastructure-as-a-Service (IaaS) provider, with over 32% of cloud workloads running on the platform. In a three-part series, we previously discussed AWS security and covered AWS features such as IAM policies, S3 bucket policies, and VPC subnetting. (We have also published guides such as how to configure AWS WAF, how to set up AWS Shield, comparisons of AWS security tools to those of other cloud platforms, and more.)
Of course, AWS is always adding new security capabilities. So in this article, we’ll look at what has changed since our previous coverage: new features that help organizations build secure, high-performing cloud systems with faster innovation and more efficiency.
We will first review several upgraded security features and service updates—including for IAM and VPCs—and then discuss some best practices for securely using AWS.
S3 Security Updates
Since its launch in 2006, Amazon’s Simple Storage Service (S3) continues to be one of the leading cloud storage services available today. Along with highly available and scalable data storage, S3 offers a number of security features out of the box. We have previously talked about how to securely use cloud storage, with additional discussion of AWS bucket security and S3 bucket policies; some recent additions are covered below.
GuardDuty Monitoring for S3
AWS has added capabilities that enable Amazon GuardDuty to continuously monitor S3 configurations and data access events. GuardDuty combines threat intelligence with anomaly detection to identify suspicious behavior, and its detection improves over time because it uses machine learning to keep up with the continuously changing threat landscape.
Default Encryption for S3 Buckets
It is now possible to set default encryption on an S3 bucket so that every object stored in it is encrypted at rest without the uploader having to request it. When this is enabled, uploaded objects are secured with server-side encryption using either AWS Key Management Service (AWS KMS) keys or S3-managed keys.
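As an added illustration (not code from the original article), the configuration below sets SSE-KMS as a bucket’s default encryption and pairs it with a bucket-policy statement that catches the one case default encryption does not cover: an uploader who explicitly asks for a different encryption type. The small evaluator models how IAM treats a missing header under the Null and StringNotEquals operators; the bucket name and key ARN are placeholders.

```python
# Assumed placeholder values; replace with the real bucket and key ARN.
BUCKET = "example-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SSE_KEY = "s3:x-amz-server-side-encryption"   # IAM condition key for the header

# Body for PutBucketEncryption: objects uploaded with no SSE header are
# stored with SSE-KMS under this key. BucketKeyEnabled reduces KMS calls.
DEFAULT_ENCRYPTION = {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY_ARN},
    "BucketKeyEnabled": True}]}

# Default encryption only fills in a *missing* header. An uploader that sends
# x-amz-server-side-encryption: AES256 explicitly still gets SSE-S3, so this
# bucket-policy statement rejects any explicit choice other than aws:kms.
# IAM ANDs the two operators: header present (Null false) AND not aws:kms.
DENY_NON_KMS_HEADER = {
    "Sid": "DenyExplicitNonKmsEncryption", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"Null": {SSE_KEY: "false"},
                  "StringNotEquals": {SSE_KEY: "aws:kms"}}}


def deny_applies(statement, headers):
    """Evaluate Null/StringNotEquals for single-valued keys the way IAM does:
    a missing key makes Null true and StringNotEquals true."""
    ctx = {"s3:" + k.lower(): v for k, v in headers.items()}
    for op, pairs in statement["Condition"].items():
        for key, want in pairs.items():
            present = key in ctx
            if op == "Null":
                matched = present if want == "false" else not present
            elif op == "StringNotEquals":
                matched = ctx.get(key) != want
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not matched:
                return False          # every operator must match for a Deny
    return True


def effective_sse(headers):
    """Encryption the stored object ends up with, or DENIED if the policy
    rejects the upload. headers: the request's x-amz-* headers."""
    if deny_applies(DENY_NON_KMS_HEADER, headers):
        return "DENIED"
    h = {k.lower(): v for k, v in headers.items()}
    default = DEFAULT_ENCRYPTION["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    return h.get("x-amz-server-side-encryption", default["SSEAlgorithm"])
```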
Cross-Region Replication ACL Overwrite
Replication lets teams automatically and asynchronously copy objects across S3 buckets and regions. With this update, teams can specify that a replicated object receives a new Access Control List (ACL) granting full access to the destination account. This allows teams to separate ownership of original objects from ownership of their replicas.
Detailed Inventory Report
The updated S3 Inventory report displays each object’s encryption status. Additionally, teams can encrypt the report itself with S3-managed keys or AWS KMS so that sensitive configuration data is not accidentally exposed to the public.
Public Bucket Indicator
The AWS Console now flags every publicly accessible S3 bucket with an indicator. With this feature, teams can see the effect of changes to Access Control Lists and bucket policies as soon as the changes are committed.
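The two checks described above, as an added example (not the article’s or AWS’s own code): parsing a constructed S3 Inventory CSV for objects whose EncryptionStatus is NOT-SSE, and inspecting a constructed GetBucketAcl result for the global-group grants that the console’s public indicator reflects. The column order of the sample report is an assumption; a real report’s order comes from its manifest.

```python
import csv
import io

# Constructed S3 Inventory CSV sample. Inventory files have no header row;
# the column order is given by "fileSchema" in the report's manifest.json.
FILE_SCHEMA = "Bucket, Key, Size, LastModifiedDate, StorageClass, EncryptionStatus"
INVENTORY_CSV = (
    '"example-bucket","reports/q1.pdf","10240","2024-01-05T10:00:00.000Z","STANDARD","SSE-KMS"\n'
    '"example-bucket","exports/customers.csv","512","2024-01-06T11:30:00.000Z","STANDARD","NOT-SSE"\n'
    '"example-bucket","logs/app.log","2048","2024-01-07T09:15:00.000Z","STANDARD_IA","SSE-S3"\n'
    '"example-bucket","backup/db.dump","90000","2024-01-08T02:00:00.000Z","GLACIER","NOT-SSE"\n'
)

# Grants to these predefined groups make a bucket "public" (AllUsers) or
# readable by any AWS principal at all (AuthenticatedUsers).
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed GetBucketAcl response for a bucket with a world-readable ACL.
BUCKET_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}


def unencrypted_objects(schema, body):
    """Keys whose EncryptionStatus is NOT-SSE, i.e. stored without SSE."""
    columns = [c.strip() for c in schema.split(",")]
    rows = csv.DictReader(io.StringIO(body), fieldnames=columns)
    return [r["Key"] for r in rows if r["EncryptionStatus"] == "NOT-SSE"]


def public_grants(acl):
    """(audience, permission) for every ACL grant to a global group."""
    return [(GLOBAL_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl["Grants"]
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in GLOBAL_GROUPS]
```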
Other Updated AWS Security Features
Aside from S3 security, there are other new features that enterprises can leverage to strengthen security for AWS data, workloads, and applications.
Adopting the AWS Security Reference Architecture
The AWS Security Reference Architecture is a framework containing a holistic set of guidelines that can help teams deploy the complete stack of AWS security services in production. Teams use the framework to configure and manage AWS security services to align with AWS security best practices.
AWS Organizations
AWS Organizations provides a single interface for managing an AWS environment as firms scale their cloud resources. It lets teams use Service Control Policies (SCPs) to manage permissions for an account or a group of accounts as a single unit. The Organizations dashboard automates account set-up and provisioning, helps apply controls consistently, and allows for complete observability.
AWS Patch Manager
AWS is always releasing fixes for vulnerabilities through patches. AWS Patch Manager, a capability of AWS Systems Manager, scans managed Windows and Linux instances for missing patches and can install them automatically, helping teams keep their instances up to date with minimal human effort.
Filters for AWS DataSync
DataSync automates the movement of data between different storage systems, simplifying online data transfer. Filters let teams specify which objects, files, and folders DataSync copies from the source location. Administrators can use these filters to control which objects are transferred when a DataSync task runs, including exclude and include lists for the data that is allowed to flow.
PCI DSS Compliance for Amazon Fraud Detector
Amazon Fraud Detector uses machine learning models to identify potentially fraudulent online activity. It is now PCI DSS compliant, so organizations can use it in workloads and applications that process cardholder data. The service supports payment and cardholder privacy requirements through features such as default encryption at rest and in transit, access control via IAM, audit logging, and private connectivity.
AWS Secrets Manager
Protecting secrets in cloud architectures can be challenging. Teams can use AWS Secrets Manager to protect the sensitive data needed to access applications and cloud resources. With this service, firms can efficiently rotate, manage, and retrieve API keys, database credentials, and other crucial information.
Amazon Macie
Amazon Macie relies on pattern matching and machine learning to help firms protect sensitive information on AWS Cloud. The service builds an inventory of an organization’s S3 buckets, then applies these techniques to detect exposed sensitive data such as Personally Identifiable Information. Teams can use Macie to gain observability of their data security posture and to discover sensitive data at scale.
IAM Security Updates
Cloud IAM (Identity and Access Management) is a crucial part of any IaaS platform. AWS IAM is the backbone of the first line of defense for AWS services, so AWS is constantly updating it with new security mechanisms and easier management of access and authentication. Some recent updates to AWS IAM include the following.
Changes to Access Denied Errors
AWS introduced additional context to Access Denied error messages, including the type of IAM policy that enforced the denial. This lets security teams troubleshoot permission errors more easily by focusing on the policy type identified, which in turn helps them find the root cause faster.
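A triage helper, added here as an example rather than taken from the article, that pulls the principal, action, resource and the reported policy type out of such messages so a responder knows which policy to open first. The three messages are constructed samples in the enriched format, and the next-step table is our own mapping of policy type to where the relevant policy lives.

```python
import re

# Constructed samples in the shape of the enriched Access Denied messages,
# which name the policy type that caused the denial.
SAMPLES = [
    'User: arn:aws:iam::111122223333:user/analyst is not authorized to perform: '
    's3:GetObject on resource: "arn:aws:s3:::example-bucket/report.csv" '
    'because no identity-based policy allows the s3:GetObject action',
    'User: arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc is not authorized '
    'to perform: ec2:RunInstances on resource: arn:aws:ec2:eu-west-1:111122223333:'
    'instance/* with an explicit deny in a service control policy',
    'User: arn:aws:iam::111122223333:user/dev is not authorized to perform: '
    'kms:Decrypt on resource: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY '
    'with an explicit deny in a resource-based policy',
]

HEAD = re.compile(r'User: (?P<principal>\S+) is not authorized to perform: '
                  r'(?P<action>\S+) on resource: "?(?P<resource>[^\s"]+)"?')
NO_ALLOW = re.compile(r'because no (?P<ptype>[\w\- ]+?) allows')
EXPLICIT_DENY = re.compile(r'with an explicit deny in an? (?P<ptype>[\w\- ]+?)\s*$')

# Where to look first, keyed by the policy type IAM reported (our mapping).
NEXT_STEP = {
    "identity-based policy": "check the principal's attached/inline IAM policies",
    "resource-based policy": "check the policy on the resource (bucket, key, queue)",
    "service control policy": "check SCPs on the account's OU chain in Organizations",
    "permissions boundary": "check the boundary attached to the user or role",
    "session policy": "check the policy passed at AssumeRole/GetFederationToken",
    "VPC endpoint policy": "check the endpoint policy on the VPC endpoint used",
}


def triage(message):
    """Split an Access Denied message into who/what/where and why."""
    head = HEAD.search(message)
    if not head:
        return None
    result = head.groupdict()
    if (m := EXPLICIT_DENY.search(message)):
        result["cause"], result["policy_type"] = "explicit deny", m["ptype"]
    elif (m := NO_ALLOW.search(message)):
        result["cause"], result["policy_type"] = "missing allow", m["ptype"]
    else:
        result["cause"], result["policy_type"] = "unspecified", None
    result["next_step"] = NEXT_STEP.get(result["policy_type"],
                                        "walk the full policy evaluation chain")
    return result
```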
IAM Access Analyzer
Launched in April 2021, IAM Access Analyzer enables teams to identify resources shared with an external entity. This simplifies detecting the security risks of unintended access and evaluating the policies that grant cross-account or public access to resources.
IAM for Amazon Elastic File System (EFS)
Amazon Elastic File System (EFS) makes it easy for teams to use a scalable Network File System (NFS) for applications that share data across multiple nodes, clusters, regions, or accounts. This newly introduced feature lets security teams define customized IAM rules for EFS and apply them to specific content types, files, folders, or directories.
Virtual Private Clouds (VPCs)
A VPC is a logically isolated section of the AWS cloud, protected by AWS global network security procedures. AWS publishes frequent updates to harden security for the VPC environment, including the following.
Prefix List Resizing
AWS now lets teams resize VPC prefix lists, which makes it simpler to maintain the route tables and security groups that reference them. These lists can be shared through AWS Resource Access Manager (RAM) to control routing and access policies across accounts.
Security Groups for VPCs
VPC security groups act as virtual firewalls for instances: teams attach one or more security groups to an instance and add rules that specify which sources, protocols, and port numbers are allowed. Once an instance is launched, its security groups filter traffic on the basis of those rules.
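An added example (ours, not the article’s) of the check a reviewer would run over security-group rules: it flags ingress rules that expose administrative or database ports to the whole IPv4 or IPv6 internet, including the all-traffic case where IpProtocol is "-1" and no ports are listed. The groups and the sensitive-port list are constructed sample data in the shape of describe-security-groups output.

```python
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Services that should not be reachable from the whole internet (constructed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# Constructed sample shaped like the SecurityGroups list returned by
# ec2 describe-security-groups (only the fields this audit uses).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]


def open_to_world(rule):
    """True if any source CIDR in the rule is the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", [])))


def exposed_ports(rule):
    """Sensitive ports inside the rule's port range; '-1' is all protocols/ports."""
    if rule["IpProtocol"] == "-1":
        return dict(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}


def audit(groups):
    """Sorted, de-duplicated (GroupId, port, service) findings."""
    findings = set()
    for g in groups:
        for rule in g["IpPermissions"]:
            if open_to_world(rule):
                for port, name in exposed_ports(rule).items():
                    findings.add((g["GroupId"], port, name))
    return sorted(findings)
```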
AWS Network Firewall
AWS Network Firewall is a managed service that simplifies deploying network protections for a VPC. Security teams can use its rule engine to define fine-grained controls over incoming and outgoing traffic. It also includes domain filtering, which allows outbound traffic only to approved fully qualified domain names.
Best Practices for Securing Your AWS Environment
AWS offers a large, dynamic ecosystem with numerous services and applications running together. This can result in a large and distributed attack surface. Here are some best practices and features for creating effective security controls for AWS ecosystems.
Billing Alerts to Help Detect DDoS Attacks
Amazon CloudWatch billing alerts help monitor estimated AWS charges. When enabled, billing metric data is calculated and sent to CloudWatch several times daily. As a recommended best practice, operations teams can set thresholds that trigger these alerts, so that an unexpected spike in charges, one symptom of a DDoS attack, is detected as it happens and AWS DDoS protections can be engaged.
Utilize IAM for Secure Database Access
Because database systems are common targets of attackers, database administrators must provision focused security policies that enforce robust authentication for database access. Such IAM policies should specify the user groups and services that are authorized to access, use, and modify database resources.
Adopting the AWS Well-Architected Framework
The AWS Well-Architected Framework outlines a collection of sample resources and best practices to help organizations secure their cloud workloads. Based on its five pillars, the framework enables high-performing, resilient, secure, and efficient deployment environments for modern cloud-native workloads.
Define AWS Asset Categories and Their Security Classifications
As a recommended best practice, identify and categorize all assets by their level of control and exposure before devising a security strategy. This gives organizations a baseline for monitoring and evaluating the effectiveness of their security controls. During a security incident, the baseline serves as the known-good reference state and anchors the action items, response plan, and resolution strategy.
Use Threat Intelligence Feeds
Amazon GuardDuty uses machine learning and threat intelligence feeds to continuously monitor AWS workloads, accounts, and data for malicious activity. As a best practice, security teams should enable GuardDuty so that it can detect anomalies and report on potential threats.
Establish Procedures and Policies for Incident Response
Organizations must ensure that every stakeholder in their distributed team structure understands how to respond to issues, and all end users should at least be familiar with incident response procedures. While audits of security controls are an effective way to confirm that expected standards are met, security teams are also encouraged to run attack simulations to refine and improve these procedures.
With a consistent growth of workloads shifting to the cloud, attackers increasingly focus on penetrating and exploiting cloud platforms. As a result, organizations using the cloud have to deal with a rapidly changing threat landscape. Executives are aware of this; for example, a recent survey found that 59% of IT firms consider security the biggest threat in their strategy to leverage containers in the cloud.
The good news is that AWS is constantly upgrading its built-in security tools. When combined with a platform such as Reblaze—a web security solution fully integrated with AWS, which adds many additional features (including full traffic visibility and reporting, mobile app protection, API security, advanced bot management, and much more)—you can create an effective and robust security posture. For more information, contact us here.