How much of the cloud is protected by Amazon cloud security? The most commonly used definition of AWS’ shared security responsibility model is that Amazon cloud security is responsible for the security of the cloud, whereas the customer is responsible for security in the cloud. This definition is often accompanied by the following diagram, which illustrates the division of responsibilities for an EC2 instance: AWS takes responsibility for the security of its global infrastructure and customers take responsibility for everything else.
However, this doesn’t tell the whole story. One reason for the lack of understanding about Amazon cloud security is that AWS’ responsibility for security in the cloud varies according to the “level of abstraction”. So, whereas the division of responsibilities may be clear for businesses solely deploying EC2 instances, once you move up a level of abstraction (e.g. containers) or down a level of abstraction (e.g. bare metal), the division of responsibilities changes.
Understanding tools to protect data in the cloud
Not only do IT professionals need to understand the AWS shared security responsibility model, they also need to understand the tools to protect data in the cloud. Unfortunately, there are a lot of tools to understand. The Amazon cloud security page lists sixteen further tools for security, identity, and compliance and it’s hard to expect most IT professionals to have a full understanding of every one.
No individual service or tool offered by AWS provides total visibility into a business’s AWS Cloud environment. A survey conducted at last year’s AWS re:Invent conference found that the majority of IT professionals use two or more tools to gain AWS cloud visibility, with many respondents reporting that the services they use have “functional gaps” that can lead to security issues being overlooked.
We believe that organizations that implement, understand, and effectively use these tools will experience one-third fewer security failures than businesses who don’t.
Automating security in the cloud
Understanding how much of the cloud is protected by Amazon cloud security, and then automating the business’s responsibilities can eliminate issues such as misconfigurations and human error, and mitigate data loss due to malicious insiders and external actors.
Automating security in the cloud involves configuring a cloud management platform such as CloudHealth to monitor the business’s activity in the cloud and to take action when an event occurs that breaches a security policy. For example, CloudHealth can be configured to monitor the business’s EC2 instances and terminate any with unauthorized open ports. Other examples of how CloudHealth’s policy-driven automation capabilities can enhance a business’s security posture include:
- If any S3 bucket with the tag “Function:PII” is unencrypted, encrypt the bucket and send an email to the resource owner and system administrator.
- If the CloudTrail service isn’t enabled for any resource, enable CloudTrail and send an email to the resource owner and system administrator.
- If the AWS account is signed into from an unrecognized IP address, revoke the user’s access and send an email to the system administrator.
- If any IAM user has multi-factor authentication disabled, enable MFA and send an email to the system administrator.
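As an added illustration (not CloudHealth’s code and not an AWS API), the policies above, including the open-port rule for EC2 instances, can be expressed as a small evaluator that runs over a snapshot of the account and returns the remediation and notification each violation calls for. The inventory, field names, allowed-port baseline and known network range are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory snapshot; field names are assumptions, not an AWS/CloudHealth schema.
INVENTORY = {
    "ec2_instances": [
        {"id": "i-web01", "open_ports": {443}},
        {"id": "i-legacy02", "open_ports": {443, 23}},  # telnet reachable
    ],
    "s3_buckets": [
        {"name": "hr-records", "tags": {"Function": "PII"}, "encrypted": False},
        {"name": "static-site", "tags": {"Function": "Web"}, "encrypted": False},
    ],
    "regions_in_use": {"us-east-1", "eu-west-1"},
    "cloudtrail_regions": {"us-east-1"},
    "iam_users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
    ],
    "console_logins": [
        {"user": "alice", "source_ip": "203.0.113.10"},
        {"user": "bob", "source_ip": "198.51.100.77"},
    ],
}
ALLOWED_PORTS = {443}                            # assumed baseline for the fleet
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]  # assumed known egress range

def evaluate(inv, allowed_ports=ALLOWED_PORTS, known_networks=KNOWN_NETWORKS):
    """Apply the policies to the snapshot; return (action, target, notify) tuples."""
    actions = []
    # EC2: any port open beyond the baseline -> terminate and notify.
    for inst in inv["ec2_instances"]:
        if inst["open_ports"] - allowed_ports:
            actions.append(("terminate_instance", inst["id"], ["sysadmin"]))
    # S3: bucket tagged Function:PII that is not encrypted -> encrypt and notify.
    for b in inv["s3_buckets"]:
        if b["tags"].get("Function") == "PII" and not b["encrypted"]:
            actions.append(("encrypt_bucket", b["name"], ["owner", "sysadmin"]))
    # CloudTrail: region in use with no trail -> enable and notify.
    for region in sorted(inv["regions_in_use"] - inv["cloudtrail_regions"]):
        actions.append(("enable_cloudtrail", region, ["owner", "sysadmin"]))
    # Console sign-in from outside the known networks -> revoke access and notify.
    for login in inv["console_logins"]:
        if not any(ip_address(login["source_ip"]) in net for net in known_networks):
            actions.append(("revoke_access", login["user"], ["sysadmin"]))
    # IAM: user without MFA -> enforce MFA and notify.
    for u in inv["iam_users"]:
        if not u["mfa_enabled"]:
            actions.append(("enforce_mfa", u["name"], ["sysadmin"]))
    return actions
```

In practice the snapshot would come from the account’s own API inventory and each action would be carried out by the management platform; keeping evaluation separate from execution makes the policy decisions easy to review and test.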
Find out more about automating security in your AWS cloud
If your business operates in the AWS Cloud, it’s in your best interests to understand AWS’ shared security responsibility model and how the services used in your AWS Cloud are protected by Amazon cloud security. In order to fulfil your responsibilities for security in the cloud, we recommend automating security as much as possible to eliminate avoidable issues and mitigate everything else.
If you’d like to know more about automating security in your AWS Cloud, we invite you to get in touch with our team of cloud experts, who will be happy to answer your questions about Amazon cloud security and organize a demonstration of CloudHealth in action. This will give you a better understanding of policy-driven automation and the tools available to protect data in the AWS Cloud.