Top 10 Things To Do To Enhance Your AWS Security
1. Knowing AWS Shared Responsibility Model:
AWS has clearly defined its scope for securing its datacentres and the hardware procured in them, and has published a white paper to clear up any confusion on this point. It is very important to understand the AWS Shared Responsibility Model in order to secure your infrastructure and the applications running in it. The model says that all security measures for the physical and hardware layer beneath the hypervisor are taken care of by AWS. For example, hardening and patching of bare-metal servers, VAPT of the complete datacentre, and maintaining firewalls and hypervisors are done by AWS; however, every resource launched by a client through the AWS Console is managed by the client. For more information please visit https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_02_TSB_Final.pdf.
2. Configuring Security Groups:
AWS security groups can be compared with on-premises firewalls to understand their functionality in an easy manner. Security groups allow or deny traffic trying to reach AWS servers, so it is very important to configure them correctly to make sure only authorized access is possible. By default everything is in a deny state, and you need to specify explicitly the traffic that will be allowed to reach the servers.
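The check below, an added example rather than code from the original post, audits security group rules in the shape that `aws ec2 describe-security-groups` returns and reports sensitive ports that are open to the whole internet; the group ids and ranges are constructed sample data.

```python
"""Audit security group rules for sensitive ports open to the whole internet.
Added example (not from the original post): input has the shape returned by
`aws ec2 describe-security-groups`; the groups below are constructed samples."""

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = ("0.0.0.0/0", "::/0")

# Constructed sample: "web" exposes SSH to the world; "bastion" limits it to
# one office range (203.0.113.0/24 is a documentation prefix).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0000000000000002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

def _cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR referenced by one permission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def find_world_open_sensitive(groups):
    """Return (group_id, port, service) for each sensitive port reachable from WORLD.
    Security groups are allow-lists with no deny rules, so every hit is a rule to
    remove or narrow. IpProtocol "-1" means all protocols and therefore all ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not any(c in WORLD for c in _cidrs(perm)):
                continue  # rule only reachable from specific ranges
            if perm["IpProtocol"] == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, name))
    return findings
```

On a real account, feed the `SecurityGroups` list from the CLI output into `find_world_open_sensitive` and review each finding against the access the workload actually needs.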
3. AWS Security Services:
AWS has come up with a number of security services to enhance the security of your infrastructure. AWS WAF is one of the most commonly used. It helps protect websites and web applications from common web exploits and attack patterns, and it controls how Amazon CloudFront distributions and Application Load Balancers respond to web requests: AWS WAF filters both HTTP and HTTPS requests, distinguishing legitimate from harmful inbound requests. Amazon GuardDuty is another such service; it helps security professionals quickly find threats in their environment by analysing logs and events from systems, applications and AWS services, such as VPC Flow Logs and DNS logs. Organizations can always add AWS services like these to enhance security on their current infrastructure.
4. Following Security Best Practices:
It is highly advised to follow the AWS security best practices. AWS has published a white paper on them and updates it from time to time. You might be ready to spin up servers and configure your website on AWS, or you might already have migrated to AWS for whatever reason; either way, it is important to go through these best practices to keep your website and infrastructure secure. The AWS Security Best Practices paper covers things that can be as simple as creating a strong password for your AWS console or enabling Multi-Factor Authentication. For the detailed version please go through the whitepaper: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
5. Monitoring:
Monitoring is key for any organization that wants to secure its infrastructure and applications, and it is very important to follow a drill-down approach. The most harmful impact on IT environments usually occurs when small issues grow into major service-impacting outages. A strategic way of avoiding this is to monitor with a drill-down approach and troubleshoot network and application errors individually, so there are no weak links within the greater infrastructure. With a flexible and scalable monitoring solution in place, your cloud services can be adjusted in real time and kept secure from outside threats.
6. Well Architected Review:
The AWS Well-Architected Framework provides architectural best practices across five pillars for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The framework provides a set of questions that allow you to review an existing or proposed architecture, together with a set of AWS best practices for each pillar. Incorporating these pillars into your architecture helps produce stable and efficient systems, which lets you focus on the other aspects of design, such as functional requirements.
The AWS Well-Architected Framework helps customers build the most secure, high-performing, resilient, and efficient infrastructure possible for their applications. It provides a consistent approach for customers to evaluate architectures, and guidance to implement designs that scale with your application needs over time.
7. Centralized logging:
It's important to capture and extract meaningful information from raw log files, so it's important to implement a cost-efficient and scalable centralized logging solution on AWS across multiple accounts and regions, using Kibana and Amazon Kinesis Data Firehose to provide log management, near-real-time visualization and alerting. Such a solution ingests different log types, including AWS CloudTrail and VPC Flow Logs, stores and monitors them in Amazon CloudWatch, and then streams them to the Amazon Elasticsearch Service domain in the primary account. Kinesis Data Firehose is used to stream near-real-time data from the web servers and user-facing applications into Elasticsearch, and Kibana on top of it provides interactive visualization and real-time analysis of your data in the format of your preference.
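Once CloudTrail is flowing through a pipeline like this, the value comes from what you alert on. The following added example (not code from the original post) classifies constructed CloudTrail records, in the JSON-lines shape CloudWatch Logs receives, and flags a console login without MFA (the best-practice item from section 4), root-account API activity, and calls that switch off the trail; the account id, names and addresses are placeholders.

```python
"""Flag high-risk CloudTrail events as they pass through the logging pipeline.
Added example (not from the original post): the records are constructed
CloudTrail JSON lines, the shape CloudWatch Logs receives, so it runs offline;
in the pipeline above the same logic would live in an Elasticsearch alert."""
import json

# Constructed sample: console login without MFA, root API call, an attempt to
# stop the trail, and a benign call that must not alert (111122223333 is a placeholder account).
SAMPLE_LOG = """
{"eventTime":"2020-01-01T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2020-01-01T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"Root"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2020-01-01T10:07:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.9"}
{"eventTime":"2020-01-01T10:09:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops/ci"},"sourceIPAddress":"203.0.113.9"}
"""

# Calls that weaken or switch off the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def classify(event):
    """Return an alert label for one CloudTrail record, or None if it is benign."""
    name = event.get("eventName")
    if name == "ConsoleLogin":
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if success and not mfa:
            return "console-login-without-mfa"
    if event.get("userIdentity", {}).get("type") == "Root":
        return "root-account-activity"  # day-to-day work should use IAM users/roles
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        return "cloudtrail-tampering"
    return None

def scan(log_text):
    """Parse JSON lines; return (eventTime, label, sourceIPAddress) for each alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            alerts.append((event["eventTime"], label, event.get("sourceIPAddress")))
    return alerts
```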
8. Backup and DR strategy:
A structured approach to DR planning for mission-critical workloads is indispensable in this day and age. There are various strategies deployed around backup and disaster recovery; the following diagram depicts at a high level what those are.
The right solution provides full coverage of the DR life cycle: replication, monitoring, workflow automation, testing and reporting, with periodic drills conducted to meet the business requirements around application and product availability in case part or all of the infrastructure is down.
9. Using a Cloud Management Tool:
Cloud management tools provide a means to manage infrastructure deployed on various cloud platforms such as AWS, Azure, GCP and many more. A cloud management tool (CMT) gives you the ability to manage operations and the deployment of applications and their associated datasets across multiple cloud service providers.
Rapyder's cloud management tool, Cloudzatic, provides an efficient platform to manage your AWS cloud infrastructure across cost, compliance and best practices. It gives you insights into your environment along with cost-saving recommendations to reduce your cloud bill, and it helps you stay compliant across your infrastructure footprint through tagging and snapshots. Cloudzatic also assesses your infrastructure against the best practices of the AWS Well-Architected Framework.
There are a few essential features that a cloud management tool should have in order to give organizations visibility and let them take the necessary actions.
- Insights: A good cloud management tool should give you insights that help you visualize the usage, utilization and cost of your current infrastructure and track cost consumption across all cloud resources. Insights help you eliminate waste and reduce your overall costs.
- Logs Monitoring: What makes a cloud management tool unique is its ability to unify monitoring processes by providing logs from all the major resources in one place.
- Compliance: A cloud management tool should bring in regulatory compliance, with default or user-defined policies, and continuously monitor your cloud against those compliance rules.
- Savings: A cloud management tool should be able to provide cost savings by giving you the capability to hibernate unused resources and by providing insights into each service with estimated savings. This is beneficial as it can lead to a lower Total Cost of Ownership (TCO) while ensuring that your infrastructure stays healthy.
- Best Practices: It includes strategies to help you compare your workload against best practices across Security, Cost, Reliability, Operations and Performance.
- Billing: Save your dollars by tracking your spend and exploring where the maximum spend is happening. Also, take care of your invoices using blended and unblended costs to streamline cost across your organization.