Amazon Web Services (AWS) has been an advocate for robust cloud security since it launched in 2006. AWS and its customers employ a shared responsibility model that distributes security roles between the provider and the customer. As a public cloud vendor, AWS owns the infrastructure, physical network and hypervisor; the enterprise owns the workload OS, applications, virtual network, access to its tenant environment/account, and the data.
To maintain a meticulous security posture across their cloud environments and abide by the AWS Shared Responsibility Model, organizations must be disciplined about applying cloud security best practices and accompany their efforts with automated, continuous monitoring.
Here are the 10 AWS Security Best Practices for Developers
Enable AWS CloudTrail
AWS CloudTrail is the tool that records API calls for security analysis, compliance auditing and change tracking. With it, you can create a trail of breadcrumbs that leads back to the source of any change made to your AWS environment.
Disable root API access and secret keys
AWS provides a tool called Identity and Access Management (IAM) that administers access rights, so that users can be assigned limited access in place of the root account yet remain equipped to do the work their roles require.
With AWS, users must be explicitly granted access to perform functions; no user should be guaranteed automatic access to anything. This allows companies to increase agility without incurring additional risk.
Enable MFA tokens
Businesses need more than the single layer of protection provided by usernames and passwords, which can be cracked, stolen or shared. Keep in mind that AWS IAM controls may grant access not just to the infrastructure but to the applications installed and the data being used. By implementing MFA, a security measure that requires a code to be provided in addition to the password, you can secure root accounts, IAM users and roles.
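The three practices above (record API activity with CloudTrail, keep the root account out of day-to-day use, require MFA) can be checked from the same data source. The following is an added example, not code from the original article: it reads a CloudTrail log file and flags every root-account event and every console login that did not use MFA. The records are constructed for the example (the account id, ARNs, IPs and timestamps are made up), but the field names follow the CloudTrail event format, so the same function works on a real log file downloaded from the trail's S3 bucket.

```python
import json
from collections import Counter

# Constructed CloudTrail records for this example; the field names follow the
# CloudTrail event format, but the account id, ARNs, IPs and times are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
]})


def actor_of(identity: dict) -> str:
    """Prefer the IAM user name; fall back to the ARN (root has no userName)."""
    return identity.get("userName") or identity.get("arn", "<unknown>")


def find_findings(trail_json: str) -> list:
    """Return one finding per rule hit: any root-account activity, and any
    console login that did not report MFAUsed == "Yes"."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        identity = rec.get("userIdentity", {})
        base = {"time": rec.get("eventTime"), "actor": actor_of(identity),
                "event": rec.get("eventName"), "ip": rec.get("sourceIPAddress")}
        if identity.get("type") == "Root":
            findings.append({"kind": "root-activity", **base})
        if rec.get("eventName") == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if mfa != "Yes":
                findings.append({"kind": "console-login-without-mfa", **base})
    return findings


def count_by_kind(findings: list) -> dict:
    """Summary counts, e.g. {"root-activity": 2, "console-login-without-mfa": 2}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in find_findings(SAMPLE_TRAIL):
        print(f"{f['time']} {f['kind']:26} {f['actor']} {f['event']} from {f['ip']}")
    print(count_by_kind(find_findings(SAMPLE_TRAIL)))
```

A root console login that lacks MFA produces two findings on purpose (root usage and no MFA), because each is worth a separate alert. Note that the assumed-role event from the EC2 instance produces nothing: that is the pattern the "Use roles for Amazon EC2" practice below is aiming for.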
Reduce the number of IAM users with admin rights
By limiting administrator access and aligning permission grants to the appropriate level of authority, you minimize the risk that comes with too many users holding administrator-level permissions.
By closely auditing access levels and granting administrative access to only a limited number of users, you improve your security posture.
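Counting "users with admin rights" is harder than looking for a policy named AdministratorAccess, because an inline policy that allows every action on every resource is just as powerful. The following is an added example, not code from the original article: it takes an inventory of IAM users (attached managed-policy ARNs plus inline policy documents, as you would collect with the IAM list APIs) and returns the users who are administrator-equivalent. The inventory is constructed for the example; the only real identifier in it is the ARN of the AWS managed AdministratorAccess policy.

```python
# The AWS managed policy that grants full administrator rights.
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed inventory of IAM users: attached managed-policy ARNs plus inline
# policy documents. The user names and documents are made up for the example.
INVENTORY = {
    "alice": {"attached": [ADMIN_MANAGED_POLICY], "inline": []},
    "bob": {"attached": ["arn:aws:iam::aws:policy/ReadOnlyAccess"], "inline": []},
    "carol": {"attached": [], "inline": [{
        "Version": "2012-10-17",
        # IAM accepts a single statement object as well as a list
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}]},
    "dave": {"attached": [], "inline": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::app-bucket/*"}]}]},
    "erin": {"attached": [], "inline": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"],
                       "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}]},
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt: dict) -> bool:
    """An Allow of all actions on all resources is administrator-equivalent.
    A Condition narrows *when* the grant applies, not *what* it grants, so a
    conditioned "*"/"*" statement is still counted."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def grants_admin(policy_doc: dict) -> bool:
    """True if any statement in the policy document is administrator-equivalent."""
    return any(is_admin_statement(s) for s in _as_list(policy_doc.get("Statement")))


def admin_users(inventory: dict) -> list:
    """Sorted names of users with administrator-equivalent rights."""
    admins = []
    for name, entry in inventory.items():
        if ADMIN_MANAGED_POLICY in entry.get("attached", []):
            admins.append(name)
        elif any(grants_admin(doc) for doc in entry.get("inline", [])):
            admins.append(name)
    return sorted(admins)


if __name__ == "__main__":
    print("administrator-equivalent users:", admin_users(INVENTORY))
```

This deliberately catches only the unambiguous case (action `*` on resource `*`). Service-wide grants such as `iam:*` or a customer managed policy that happens to be admin-equivalent are not resolved here, so treat the result as a floor, not a complete count, and extend the check to resolve managed-policy documents and group memberships before relying on it.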
Use roles for Amazon EC2
Using IAM roles can help an organization reduce the risk of a security compromise.
With roles defined, users with lower levels of access can carry out tasks in Amazon Elastic Compute Cloud without being granted excessive access. This approach gives specific access to AWS services and resources, reducing the attack surface available to bad actors.
Rotate keys regularly
Systems running outside AWS that call its APIs need access keys. Although roles remove the need to manage keys for workloads inside AWS, some long-lived API keys will remain, and those should be rotated regularly. Rotating keys bounds the time for which any one key is valid, limiting the damage to the business if a key is compromised.
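The practical way to find keys that are overdue for rotation is the IAM credential report, which lists each user's access keys with their activation state and last rotation date. The following is an added example, not code from the original article: it parses a credential report and returns every active access key older than a threshold (90 days by default). The report below is a constructed subset with made-up users and dates; the column names are the ones the real report uses, so the same parser works on a report downloaded from IAM.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed subset of an IAM credential report. The column names are the
# ones the real report uses; the users, ARNs and dates are made up.
REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2023-10-01T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-12-20T08:00:00+00:00,false,2023-01-01T08:00:00+00:00
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,N/A,true,2023-05-15T08:00:00+00:00
"""

# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc)


def stale_keys(report_csv: str, now: datetime, max_age_days: int = 90) -> list:
    """Return (user, key_slot, age_days) for every *active* access key that was
    last rotated more than max_age_days ago. Inactive keys and empty (N/A)
    slots are ignored: bob's old key 2 is inactive, so it is not reported."""
    out = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = row[f"{slot}_last_rotated"]
            if rotated == "N/A":
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_age_days:
                out.append((row["user"], slot, age))
    return out


if __name__ == "__main__":
    for user, slot, age in stale_keys(REPORT, NOW):
        print(f"{user}: {slot} is {age} days old, rotate it")
```

Rotation itself is a two-step affair (create the new key, switch the consumer over, then deactivate and finally delete the old one), which is why the report distinguishes active from inactive keys; a deactivated key that is never deleted still shows up, but no longer counts against the threshold.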
Ensure access logging is enabled on the CloudTrail S3 bucket
If you use an S3 bucket to store your CloudTrail logs, you should keep a record of every activity that touches or affects those logs. With server access logging enabled on the relevant S3 bucket, you can track access requests and maintain a record of who has access and how often they use it.
Apply IAM roles with STS
Using roles for Amazon EC2 instances makes it easy for resources to communicate securely. It also reduces the management burden by leveraging the AWS Security Token Service (STS), which issues the temporary credentials behind a role.
Use Auto Scaling to dampen DDoS effects
Amazon EC2 Auto Scaling helps ensure that you have the correct number of EC2 instances available to handle your application's load. You can create a collection of EC2 instances, called an Auto Scaling group, and specify the minimum number of instances in each group; Auto Scaling then ensures that the group never shrinks below that size.
Watch world-readable and listable Amazon S3 bucket policies
Although IAM policies are built to provide security, organizations should take careful measures so that the stability of their platforms remains intact in the long run.
As companies grow, they sometimes add access control measures to their networks to keep up with the increasing demands placed on them. As their network expands, they often lay newer platforms on top of older systems, which makes it difficult to keep track of who is allowed access. A good example of this can be found in "IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to Amazon S3 Resources)."
To avoid incidents that result from several overlapping access mechanisms being used at once, it is recommended to stick with one. When an organization takes the time to select a mechanism and then maintains it carefully, its security controls will behave as expected.
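The two S3 checks in this list (access logging on the CloudTrail bucket, and bucket policies that make data world-readable or world-listable) can be run from the output of the GetBucketPolicy and GetBucketLogging calls. The following is an added example, not code from the original article: it classifies a bucket policy by whether an anonymous principal (`"*"` or `{"AWS": "*"}`) is allowed to read objects or list the bucket, and reports whether server access logging is on. The policies, bucket names and VPC endpoint id are constructed for the example; the `LoggingEnabled` response shape is the one GetBucketLogging returns.

```python
# Constructed bucket policies for this example; bucket names, role ARN and the
# VPC endpoint id are made up.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::assets-bucket",
                                "arn:aws:s3:::assets-bucket/*"]}]}
VPCE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::internal-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::trail-bucket/*"}]}

# Shape of a GetBucketLogging response: a LoggingEnabled block when on, empty when off.
LOGGING_ON = {"LoggingEnabled": {"TargetBucket": "log-archive-bucket",
                                 "TargetPrefix": "trail-bucket/"}}
LOGGING_OFF = {}

# Actions (lower-cased) that let a caller read objects or list keys, including wildcards.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}
LIST_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy: dict) -> set:
    """Classify Allow statements granted to an anonymous principal. A statement
    with a Condition is flagged for manual review rather than judged here,
    since the condition may (or may not) restrict it to a private source."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            findings.add("anonymous-with-condition")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.add("world-readable")
        if actions & LIST_ACTIONS:
            findings.add("world-listable")
    return findings


def logging_enabled(logging_cfg: dict) -> bool:
    """True when the bucket ships server access logs to a target bucket."""
    return bool(logging_cfg.get("LoggingEnabled", {}).get("TargetBucket"))


def audit_bucket(name: str, policy: dict, logging_cfg: dict) -> dict:
    """Combine both checks into one report row for the bucket."""
    return {"bucket": name, "policy": sorted(policy_findings(policy)),
            "access_logging": logging_enabled(logging_cfg)}


if __name__ == "__main__":
    print(audit_bucket("assets-bucket", PUBLIC_POLICY, LOGGING_OFF))
    print(audit_bucket("internal-bucket", VPCE_ONLY_POLICY, LOGGING_OFF))
    print(audit_bucket("trail-bucket", PRIVATE_POLICY, LOGGING_ON))
```

The bucket policy is only one of the layers the cited post covers: bucket and object ACLs, and the account-level Block Public Access settings, also decide whether data is reachable anonymously. A bucket with an empty policy can still be public through an ACL, so a complete audit evaluates all three rather than the policy alone.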