Cloud Security Migration

Four Basic Steps To Secure AWS Environments

Businesses looking to secure AWS environments need only take four basic steps. First, understand which parts of cloud security the business itself is responsible for. Second, control access to the AWS environment. Third, take advantage of AWS' security tools. Finally, automate the environment so that security issues are prevented rather than merely detected.

If you are under the impression that secure AWS environments are idealized concepts that don't really exist, you are probably not alone. In July 2019, ComputerWeekly.com reported the results of a survey among members of the Cybersecurity Insiders community, which found that 93 percent of respondents were moderately to highly concerned about public cloud security.

To put that statistic into context, it does not mean that 93 percent of respondents doubt the security of the public clouds themselves. The major providers invest heavily in securing the infrastructure they operate. The respondents' concerns were about security in public clouds, that is, the way in which businesses are configuring and using them, which is frequently not very secure.

Why do businesses find it hard to secure AWS environments?

Secure AWS environments do exist, but many businesses find them hard to achieve because they do not understand the AWS shared responsibility model: AWS secures the underlying cloud, while the customer secures what it puts in the cloud (data, identities, access, network and guest configuration). The 2019 Oracle/KPMG Cloud Threat Report found that only 10 percent of CISOs fully understand shared responsibility, and it linked confusion over the model to incidents of unauthorized data access and the introduction of malware.

Once businesses understand the AWS shared responsibility model, and how the level of abstraction of each service (IaaS, container, managed or serverless) shifts the boundary of their own responsibilities, they have taken the first step to secure AWS environments. The remaining three steps are far less complicated, but each deserves full attention so that no gaps are left in the cloud security defenses.

If hackers can’t get in, they can’t take data out

In February 2019, BusinessNewsDaily.com reported on a survey of IT professionals working for businesses that had experienced a serious data breach. In 74 percent of cases, the breach was attributed to poor access controls such as shared passwords, users being granted more privilege than they needed, and a failure to enable multi-factor authentication (MFA) on root accounts.

AWS dedicates a page of its website to IAM best practices, pointing out that not all of the recommended measures are active by default. Businesses looking to secure AWS environments are responsible for actions such as rotating passwords and access keys, creating users and roles with the least privilege necessary, enabling MFA on the root account (and on every identity with console access), and not using the root account's long-lived access keys at all.
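The IAM credential report is the artifact a practitioner would check these points against. The following is an added example written for this page, not code from the original article or from AWS: it parses the CSV that `aws iam get-credential-report` returns (after base64 decoding) and flags console-enabled identities without MFA, active root access keys, and credentials older than an assumed 90-day rotation window. The sample rows are constructed and use a subset of the real report's columns; the column names are the real ones.

```python
"""Audit an IAM credential report for the access-control gaps described above.

Added example, not from the original article or from AWS. The CSV format is
that of `aws iam get-credential-report` (base64-decoded); the rows below are
constructed sample data covering only a subset of the report's columns.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy, not an AWS default
AUDIT_TIME = datetime(2019, 8, 5, tzinfo=timezone.utc)  # "now" for the sample

# Constructed sample report (real column names, subset of the real columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2018-01-10T09:00:00+00:00,not_supported,2019-08-01T12:00:00+00:00,not_supported,not_supported,false,true,2018-01-10T09:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-02-01T10:00:00+00:00,true,2019-08-02T08:00:00+00:00,2019-07-20T10:00:00+00:00,2019-10-18T10:00:00+00:00,true,true,2019-07-20T10:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2018-06-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-06-15T10:00:00+00:00,false,N/A
"""


def _parse_time(value):
    """Return an aware datetime, or None for the report's placeholder markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for the report text given."""
    findings = []
    max_age = timedelta(days=MAX_CREDENTIAL_AGE_DAYS)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root user always has a console password; the report says
        # "not_supported" for that column, so treat root as console-enabled.
        console_enabled = is_root or row["password_enabled"] == "true"

        if console_enabled and row["mfa_active"] != "true":
            label = "ROOT: " if is_root else ""
            findings.append((user, label + "console access without MFA"))

        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has active access keys; delete them"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
                if rotated and now - rotated > max_age:
                    findings.append((user, f"access key {n} is {(now - rotated).days} days old"))

        if console_enabled and not is_root:
            changed = _parse_time(row["password_last_changed"])
            if changed and now - changed > max_age:
                findings.append((user, f"password is {(now - changed).days} days old"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, AUDIT_TIME):
        print(f"{user:16} {finding}")
```

Against the constructed report the root account is flagged three times (no MFA, an active access key, and that key not rotated for over a year), `alice` passes, and the `deploy-bot` service user is flagged for a stale access key. Pointing the same function at a real report is a matter of fetching it with the IAM API and decoding the `Content` field.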

AWS couldn’t make it any easier to secure AWS environments

AWS provides numerous tools to secure AWS environments, some say too many, and it is important that businesses learn which tools are available and which are most appropriate for defending against both internal and external threats. It is not enough to rely on the security recommendations of AWS Trusted Advisor, because that tool covers only six specific security checks.

Amazon has recently made AWS Security Hub generally available. Security Hub aggregates and normalizes findings from Amazon GuardDuty, Amazon Inspector and Amazon Macie (and from supported third-party products) into one view. It will be ideal for some businesses looking to secure AWS environments, as it can run continuous account-level configuration and compliance checks against standards such as the CIS AWS Foundations Benchmark, alert users to vulnerabilities and threats, and be configured to take custom actions (for example, invoking Lambda functions through CloudWatch Events) when specific findings are raised.

Why you should use automation to secure AWS environments

Tools such as AWS Security Hub are good at identifying vulnerabilities and threats, but they work retrospectively: they report issues that already exist rather than preventing them. It takes only seconds for an attacker to find a service exposed on an open port and use it to deploy malware, which could cause untold damage before anyone has had a chance to respond to a security alert.

Policy-driven automation can prevent vulnerabilities and threats from arising in the first place by only allowing resources to be deployed from sanctioned templates or AMIs. Policies can also be written to check that access controls are properly implemented, that access keys and passwords are rotated, and that AWS CloudTrail is enabled in every account as a multi-region trail with log file validation turned on and delivery to CloudWatch Logs for alerting.
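The two policies named above, a compliant CloudTrail configuration and a sanctioned-AMI allowlist, can be expressed as code that runs against API output on a schedule or as a deployment gate. The block below is an added example written for this page, not code from the original article or from any vendor. The snapshot mirrors the JSON shapes of `aws cloudtrail describe-trails` and `aws ec2 describe-instances`; the `IsLogging` field is assumed to have been merged in from `aws cloudtrail get-trail-status`, and all of the data is constructed.

```python
"""Policy-as-code checks over an AWS account snapshot.

Added example, not from the original article. The snapshot follows the JSON
returned by `describe-trails` and `describe-instances`, with `IsLogging`
assumed merged in from `get-trail-status`; the values are constructed.
"""

# Field -> message describing the gap when the field is missing or false.
REQUIRED_TRAIL_FIELDS = {
    "IsMultiRegionTrail": "not multi-region",
    "IncludeGlobalServiceEvents": "not recording global services (IAM, STS)",
    "LogFileValidationEnabled": "log file validation disabled",
    "IsLogging": "not currently logging",  # assumed merged from get-trail-status
}

SANCTIONED_AMIS = {"ami-0aaa1111golden", "ami-0aaa2222golden"}  # constructed IDs

SAMPLE_SNAPSHOT = {  # constructed sample data
    "trailList": [
        {"Name": "legacy-trail", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
         "LogFileValidationEnabled": False, "IsLogging": True,
         "CloudWatchLogsLogGroupArn": None},
        {"Name": "org-trail", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
         "LogFileValidationEnabled": True, "IsLogging": True,
         "CloudWatchLogsLogGroupArn": None},
    ],
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001", "ImageId": "ami-0aaa1111golden",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0a1b2c3d4e5f60002", "ImageId": "ami-0bad9999unknown",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0a1b2c3d4e5f60003", "ImageId": "ami-0bad9999unknown",
             "State": {"Name": "terminated"}},  # gone; not a live risk
        ]},
    ],
}


def trail_gaps(trail):
    """List what keeps a single trail from satisfying the policy."""
    gaps = [msg for field, msg in REQUIRED_TRAIL_FIELDS.items() if not trail.get(field)]
    if not trail.get("CloudWatchLogsLogGroupArn"):
        gaps.append("not delivering to CloudWatch Logs")
    return gaps


def check_cloudtrail(trails):
    """Pass if at least one trail has no gaps; otherwise name the closest trail."""
    if not trails:
        return ["no CloudTrail trail configured"]
    per_trail = {t["Name"]: trail_gaps(t) for t in trails}
    if any(not gaps for gaps in per_trail.values()):
        return []
    name, gaps = min(per_trail.items(), key=lambda kv: len(kv[1]))
    return [f"no compliant trail; closest is '{name}', which is {', '.join(gaps)}"]


def check_sanctioned_amis(reservations, sanctioned):
    """Flag live instances launched from an AMI outside the allowlist."""
    violations = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] in ("shutting-down", "terminated"):
                continue
            if inst["ImageId"] not in sanctioned:
                violations.append(
                    f"{inst['InstanceId']} launched from unsanctioned AMI {inst['ImageId']}")
    return violations


def evaluate(snapshot, sanctioned_amis):
    """Run every policy and return the combined list of violations."""
    return (check_cloudtrail(snapshot["trailList"])
            + check_sanctioned_amis(snapshot["Reservations"], sanctioned_amis))


if __name__ == "__main__":
    for violation in evaluate(SAMPLE_SNAPSHOT, SANCTIONED_AMIS):
        print("VIOLATION:", violation)
```

On the constructed snapshot the checks report that `org-trail` is one setting short of compliance (no CloudWatch Logs delivery) and that one running instance was launched from an AMI outside the allowlist. Checks like these become preventive rather than detective when they gate a deployment pipeline, or, for the AMI allowlist, when the same rule is enforced in IAM with an `ec2:ImageID` condition on `ec2:RunInstances` so that the unsanctioned launch is denied instead of reported.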

The four basic steps must be used together to fully secure AWS environments

Our four steps to secure AWS environments are admittedly basic, and some businesses will need to adapt them to their particular cloud security requirements. Nonetheless, it is important that all four steps are used together. There is no point in implementing access controls if nobody monitors them, nor in deploying an automation solution before understanding the AWS shared responsibility model. Additionally, a cloud security provider such as VMware Secure State can help automate and secure your AWS environments.