Automating AWS Security: A Beginner’s Guide
By Rachel Dines
Keeping up with ongoing changes in a rapidly evolving cloud environment is nearly impossible to manage. However, failure to do so can result a domino effect that impacts your entire cloud ecosystem, including your security posture.
Automated security policies are the best way to ensure proper setup and configuration of new cloud infrastructure. In addition, these policies can provide users with the appropriate set of authorizations, flag issues, and address issues before they become catastrophic.
Here are our top five security policies for proactively managing security operations in the cloud:
Access Control and Security Incident Management
The first step to securing your cloud is addressing user and access controls. Without proper identity and access management (IAM), users on your network can create or exacerbate serious security flaws––intentionally or unintentionally. To combat this possibility, you should establish policies to (1) validate secure access configurations and (2) monitor for red flags such as users with too many authorizations.
In a perfect world, a proactive approach to cloud security would stop any malicious activity in its tracks. Realistically, however, you must also monitor for suspicious activity such as abnormal usage patterns or changes to users or security groups to quickly identify breaches.
Establishing a fortified perimeter that only allows legitimate traffic onto your network is critical, but differentiating between legitimate and illegitimate traffic can be a challenge in the cloud. In AWS environments, Security Groups determine which users can access a particular asset. Setting a policy that alerts you when a Security Group becomes excessively complex--i.e., with too many rules-- is a best practice, as is alerting for an instance that is associated to too many Security Groups. You may also want to consider a policy that will alert you when a security group has a stale reference (i.e., points to a VPC that no longer exists), that can prevent your assets from falling into the wrong hands.
Application and Data Security
Encryption is a vital component to any effective strategy for protecting application and data in AWS. Best practices for encryption include storing your keys safely, rotating keys regularly, and revoking keys no longer in use. A few examples of how policies can help you maintain these best practices include, alerts to notify you when key rotation is not enabled, key management is not in use, an IAM Server Certificate is about to expire, or personally identifiable information is unencrypted.
It can be a challenge to identify security incidents, fraudulent activity, policy violations, and other operational issues without proper logs and audit trails in place. Log management can be a godsend when it comes to root cause analysis and troubleshooting. CloudTrail is the go-to source for logs in AWS, though other services such as EBS and S3 create their own log as well. Use audit trail policies to ensure the secure collection, storage, and accessibility of logs. Audit trail policy best practices include setting alerts to notify you if logging is not enabled in all regions, logs are stored publicly, or if a service that supports logging is not properly enabled.
Confidence in your ability to restore operations and recover data is key to having a world-class security processes in place. Business continuity best practices include backing up critical systems in other regions and isolating sensitive data from high redundancy infrastructure. Consider policies to ensure critical data is stored with the proper redundancy or that production is snapshotted hourly and those snapshots are replicated to another region.
This is just the tip of the iceberg when it comes to security policies for AWS. Learn more about how CloudHealth can help you continuously monitor and optimize your security posture with our AWS Security Best Practice Policies.