6 AWS Services You Must Use to Secure Your Workloads on The Cloud
Today more and more companies are moving their applications and workloads from traditional on-premises datacenters to cloud-based infrastructure. All the key cloud vendors, be it the leading vendor Amazon AWS, Microsoft Azure or the up-and-coming Google Cloud Platform, provide some common benefits compared to a traditional on-prem datacenter: a pay-as-you-go model, ease of deployment, lightning-fast turnaround time, high availability and built-in DR capabilities at a fraction of the cost. These features and more have made it very attractive for companies across industries to deliver their services either fully or partially (for the more cautious ones) from the cloud. In recent months even the government sector across MEA, which was traditionally considered impenetrable for cloud services, is moving towards the cloud more and more, though cautiously. The COVID-19 situation, which pushed the entire workforce to connect and work remotely, has greatly accelerated the adoption of cloud-based services.
As more and more companies make this journey, there are a few very useful services offered by AWS which are pertinent to ensuring the CIA triad, i.e. Confidentiality, Integrity and Availability, of the workloads and services hosted in AWS.
Identity and Access Management (IAM)
Identity and Access Management, along with other AWS services, helps companies implement AAA controls, i.e. Authentication, Authorization and Accounting, for the various resources hosted on AWS. AWS IAM provides built-in MFA capability at no extra charge, thus making authentication secure as per industry best practices and various international standards such as PCI DSS, HIPAA and ISO 27001. Using IAM one can also configure password length and complexity, access keys to allow programmatic access, and granular access policies for role-based access control, popularly known as RBAC in security circles. Further, companies can integrate their AWS account with on-prem AD or third-party identity brokers such as Facebook or Gmail to provide secure single sign-on capabilities.
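Two of the IAM controls mentioned above, password policy and MFA-backed authorization, are easiest to reason about as policy documents. The following is an added example, not code from the original article or from AWS: it builds the well-known "deny everything unless MFA is present" policy using the real `aws:MultiFactorAuthPresent` condition key, lists the keyword arguments for boto3's `iam.update_account_password_policy` (the baseline values are an assumption, not an AWS default), and scans a policy document for Allow statements that undermine least-privilege RBAC. The policy documents named `CONSTRUCTED_*` are made up for illustration; nothing here calls AWS.

```python
"""Added example (not from the original article): IAM hygiene checks in plain
Python. Action names and condition keys are real IAM identifiers; the policy
documents and baseline values are constructed for illustration."""
import json


def account_password_policy():
    # Keyword arguments in the shape boto3's
    # iam.update_account_password_policy(**kwargs) accepts.
    # These values are an assumed baseline, not an AWS default.
    return {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,
    }


def mfa_enforcement_policy():
    """Explicit Deny for any call made without MFA, except the handful of
    calls a user needs in order to enrol a virtual MFA device."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            # BoolIfExists: when the key is absent from the request context,
            # treat it as "no MFA" so the Deny still applies.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


# Actions that amount to account-wide administration when paired with Resource "*".
ADMIN_LEVEL_ACTIONS = {"*", "iam:*", "sts:*"}


def _as_list(value):
    # IAM allows a bare string or a list for Action / Resource.
    return value if isinstance(value, list) else [value]


def find_overly_permissive_statements(policy):
    """Return the Sids (or positional names) of Allow statements that grant
    admin-level actions, or an Allow-with-NotAction carve-out, on every resource."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        broad_actions = bool(actions & ADMIN_LEVEL_ACTIONS) or "NotAction" in stmt
        if broad_actions and "*" in resources:
            hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


# Constructed sample policies (not real account policies).
CONSTRUCTED_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}
CONSTRUCTED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": CONSTRUCTED_SCOPED_POLICY["Statement"] + [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(mfa_enforcement_policy(), indent=2))
    print("scoped policy findings:", find_overly_permissive_statements(CONSTRUCTED_SCOPED_POLICY))
    print("admin policy findings:", find_overly_permissive_statements(CONSTRUCTED_ADMIN_POLICY))
```

The scanner is deliberately narrow: it flags only the combinations that hand out full administrative rights, so it can run as a pre-commit check on policy files without drowning reviewers in false positives.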
AWS CloudTrail
The AWS community and customers love CloudTrail, and rightly so, as this simple service enables auditing of all API calls made to AWS. Whenever you access the AWS console or any AWS service, you effectively make an API call to a service on AWS to perform an action for you in the background. Enabling auditing of API calls thus effectively lets an organization audit all actions and tasks being performed on AWS by any user, whether interactively with their credentials or via a script/program making use of access keys.
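Because every console click and every script call lands in the trail as a record with the same schema, a small offline pass over those records already answers the auditing questions above: who acted, through which credential path, and whether anything touched logging or credential creation. The following is an added example, not code from the original article or from AWS. The field names (`eventName`, `userIdentity`, `userAgent`, `errorCode`, `sessionContext`) are the real CloudTrail record schema; the four sample records, account id, IP addresses and access key ids are constructed. The set of "high interest" event names is an assumed starting list, not an AWS-defined one.

```python
"""Added example (not from the original article): an offline audit pass over
CloudTrail records. Sample records are constructed; field names follow the
real CloudTrail record schema."""
from collections import Counter

# Control-plane actions a reviewer wants surfaced immediately: anything that
# weakens auditing or mints new credentials. This list is an assumption.
HIGH_INTEREST_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
}

# Constructed records in the shape of the Records[] array CloudTrail writes to S3.
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2021-03-02T09:58:11Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.17", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-02T10:02:45Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.17", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-02T10:17:03Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.40", "userAgent": "aws-cli/2.1.29 Python/3.8.8",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy-bot/ci-session",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "deploy-bot"}}},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-02T10:20:30Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.41", "userAgent": "Boto3/1.17.22 Python/3.8.8",
     "userIdentity": {"type": "IAMUser", "userName": "ci-runner",
                      "accessKeyId": "AKIAEXAMPLE000000003",
                      "arn": "arn:aws:iam::123456789012:user/ci-runner"},
     "errorCode": "Client.UnauthorizedOperation"},
]


def principal(record):
    """Human-readable actor for a record across the userIdentity variants."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        # Role sessions carry the role name in sessionContext.sessionIssuer.
        return ident["sessionContext"]["sessionIssuer"]["userName"]
    return ident.get("userName", ident.get("arn", "unknown"))


def access_path(record):
    """Console session vs. programmatic call, and which credential kind was used."""
    if record["eventName"] == "ConsoleLogin" or \
            record.get("userAgent", "").startswith("console.amazonaws.com"):
        return "console"
    key = record["userIdentity"].get("accessKeyId", "")
    if key.startswith("AKIA"):        # long-term IAM user access key
        return "api/long-term-access-key"
    if key.startswith("ASIA"):        # temporary STS credentials
        return "api/temporary-credentials"
    return "api/unknown-credential"


def audit(records):
    """Summarise a batch of records: activity per principal, high-interest
    control-plane changes, and calls that failed with an error code."""
    actions = Counter()
    high_interest, errors = [], []
    for rec in records:
        who = principal(rec)
        actions[who] += 1
        if rec["eventName"] in HIGH_INTEREST_EVENTS:
            high_interest.append({"eventTime": rec["eventTime"], "principal": who,
                                  "eventName": rec["eventName"], "path": access_path(rec),
                                  "sourceIPAddress": rec.get("sourceIPAddress")})
        if "errorCode" in rec:
            errors.append((who, rec["eventName"], rec["errorCode"]))
    return {"actions_by_principal": dict(actions),
            "high_interest": high_interest, "errors": errors}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RECORDS).items():
        print(key, value)
```

In the sample, the `StopLogging` call made through temporary role credentials from a CLI is exactly the kind of record that deserves an alert rather than a weekly report; in production the same function would read the gzipped JSON objects CloudTrail delivers to S3.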
AWS Config
This is another very useful auditing and compliance tool from AWS that helps customers take configuration snapshots of their entire AWS environment at regular intervals. The configuration it captures spans IAM, security group rules, NACL rules, EC2 instance configurations and much more. Further, AWS Config can evaluate the configuration at any point in time against a set of configured desired configurations, and if any configuration is not compliant, AWS Config conformance packs can take the necessary actions to make those configurations compliant. Many companies use AWS Config as part of their standard operating procedures for change management, configuration management and incident response in AWS.
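The "desired configuration" that Config evaluates against is expressed as a rule; for anything the managed rules do not cover, a custom rule is a Lambda function that receives a configuration item and returns a compliance verdict. The following is an added example, not code from the original article or from AWS: it evaluates a security group's configuration item and reports `NON_COMPLIANT` when SSH or RDP is reachable from anywhere. The event shape (`invokingEvent` as a JSON string holding `configurationItem`, plus `resultToken`) and the evaluation fields follow the custom-rule contract; the `put_evaluations` call that a deployed rule would make is named in a comment only so the example runs offline. The security group ids and rules are constructed, and the choice of ports 22 and 3389 is an assumption.

```python
"""Added example (not from the original article): a custom AWS Config rule
evaluator for security groups, runnable offline. Sample events are constructed."""
import json

# Ports treated as sensitive when reachable from anywhere (an assumption).
SENSITIVE_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(permission):
    # Config has serialised both the legacy ipRanges (list of strings) and the
    # newer ipv4Ranges / ipv6Ranges (lists of objects); accept all of them.
    cidrs = [e if isinstance(e, str) else e.get("cidrIp")
             for e in permission.get("ipRanges", [])]
    cidrs += [e.get("cidrIp") for e in permission.get("ipv4Ranges", [])]
    cidrs += [e.get("cidrIpv6") for e in permission.get("ipv6Ranges", [])]
    return set(cidrs)


def _port_range(permission):
    if permission.get("ipProtocol") == "-1":      # "all traffic"
        return 0, 65535
    lo = permission.get("fromPort")
    hi = permission.get("toPort")
    return (0 if lo is None else lo), (65535 if hi is None else hi)


def evaluate_security_group(configuration):
    """Return (compliance_type, annotation) for one security group configuration."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        lo, hi = _port_range(perm)
        hit = {p for p in SENSITIVE_PORTS if lo <= p <= hi}
        if hit and _cidrs(perm) & ANYWHERE:
            exposed |= hit
    if exposed:
        return "NON_COMPLIANT", f"Ports {sorted(exposed)} open to the internet"
    return "COMPLIANT", "No sensitive port exposed to the internet"


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config invokes for a custom rule."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # A deployed rule reports with:
    #   boto3.client("config").put_evaluations(
    #       Evaluations=[evaluation], ResultToken=event["resultToken"])
    # Omitted here so the example has no AWS dependency.
    return evaluation


def make_config_event(configuration, resource_id="sg-0123456789abcdef0"):
    """Build a constructed invocation event around a security group configuration."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::SecurityGroup",
                "resourceId": resource_id,
                "configurationItemCaptureTime": "2021-03-02T10:30:00.000Z",
                "configuration": configuration,
            },
        }),
        "resultToken": "constructed-result-token",
    }


# Constructed security group rule sets.
OPEN_SSH_SG = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
]}
RESTRICTED_SG = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
]}


if __name__ == "__main__":
    for name, cfg in (("open-ssh", OPEN_SSH_SG), ("restricted", RESTRICTED_SG)):
        print(name, lambda_handler(make_config_event(cfg))["ComplianceType"])
```

Paired with a remediation action (for example, a Systems Manager automation document triggered on `NON_COMPLIANT`), this is the shape of the evaluate-then-correct loop the article attributes to conformance packs.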
Key Management Service (KMS)
One of the key services (pun intended) is the Key Management Service from AWS, which helps encrypt data at rest, whether in EBS volumes, S3 buckets or secrets stored in the AWS Parameter Store. KMS also has built-in features to enable automatic rotation of keys at pre-defined intervals, thus adding an additional layer of security in case a key does get compromised. Companies looking to comply with strict industry standards for data at rest can use AWS KMS, which is FIPS 140-2 Level 2 compliant. Further, companies can use AWS CloudHSM (the cloud hardware security module service), which is FIPS 140-2 Level 3 compliant.
Amazon GuardDuty
Just as a guard on patrol helps detect and alert on any suspicious activity in his environment, Amazon GuardDuty continuously monitors your AWS environment for any suspicious activity. Amazon GuardDuty is a signature-based service which can help you detect a number of well-known attacks, such as but not limited to brute force, DDoS and privilege escalation, across your EC2 instances, S3 buckets and IAM configurations. Though a mature SIEM deployment has its own use case and value, the one-click deployment of GuardDuty lets customers enable fully functional log monitoring, log correlation and real-time alerting within a few minutes, compared to setting up a SIEM solution on cloud or on-prem, which could take several weeks if not months to be operational.
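The "real time alerting" GuardDuty delivers arrives as findings whose type string encodes what was seen, and whose numeric severity maps onto the Low/Medium/High bands GuardDuty documents. The following is an added example, not code from the original article or from AWS: it parses the finding type grammar (`ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact`), labels severity by band, and routes each finding to a response queue. The finding type names are real GuardDuty types; the finding ids, resource ids, severities and the queue mapping are constructed assumptions that a team would replace with its own playbook.

```python
"""Added example (not from the original article): triage of GuardDuty findings
offline. Finding type names are real; finding records and the response queue
mapping are constructed."""
import re
from collections import Counter

# Finding type grammar from the GuardDuty documentation:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$")

# Which team or automation handles which threat purpose (an assumption).
RESPONSE_QUEUE = {
    "Backdoor": "isolate-instance", "CryptoCurrency": "isolate-instance",
    "Trojan": "isolate-instance",
    "UnauthorizedAccess": "credential-review", "PrivilegeEscalation": "credential-review",
    "Policy": "credential-review",
    "Recon": "harden-exposure", "Discovery": "harden-exposure",
}

# Constructed findings using the field names GuardDuty's GetFindings returns.
SAMPLE_FINDINGS = [
    {"Id": "gd-1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0aaa111bbb222ccc3"}},
     "Service": {"Count": 40}},
    {"Id": "gd-2", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0aaa111bbb222ccc3"}},
     "Service": {"Count": 12}},
    {"Id": "gd-3", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0ddd444eee555fff6"}},
     "Service": {"Count": 3}},
    {"Id": "gd-4", "Type": "Policy:IAMUser/RootCredentialUsage", "Severity": 2.0,
     "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "root"}},
     "Service": {"Count": 1}},
]


def parse_finding_type(finding_type):
    """Split a finding type into its documented components."""
    match = TYPE_RE.match(finding_type)
    if not match:
        raise ValueError(f"unrecognised finding type: {finding_type}")
    return match.groupdict()


def severity_label(score):
    """GuardDuty's documented bands: High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 1.0:
        return "Low"
    return "Informational"   # our own bucket for anything below the Low band


def resource_id(finding):
    """The affected resource, whichever detail block the finding carries."""
    res = finding.get("Resource", {})
    if "InstanceDetails" in res:
        return res["InstanceDetails"]["InstanceId"]
    if "AccessKeyDetails" in res:
        return res["AccessKeyDetails"]["UserName"]
    if "S3BucketDetails" in res:
        return res["S3BucketDetails"][0]["Name"]
    return "unknown"


def triage(findings):
    """Return findings as triage rows, highest severity first."""
    rows = []
    for f in sorted(findings, key=lambda f: -f["Severity"]):
        parts = parse_finding_type(f["Type"])
        rows.append({
            "id": f["Id"], "label": severity_label(f["Severity"]),
            "purpose": parts["purpose"], "family": parts["family"],
            "queue": RESPONSE_QUEUE.get(parts["purpose"], "analyst-review"),
            "resource": resource_id(f), "count": f.get("Service", {}).get("Count", 1),
        })
    return rows


def queue_summary(findings):
    """How much work lands in each response queue."""
    return dict(Counter(row["queue"] for row in triage(findings)))


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
    print(queue_summary(SAMPLE_FINDINGS))
```

Feeding the `triage` rows into EventBridge targets or a ticketing system is what turns GuardDuty from a dashboard into the alerting pipeline the article describes; the parser is the piece that makes routing rules readable instead of a list of hard-coded type strings.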
Amazon Inspector
This is a lesser-known yet very useful and powerful service that can help you enable automated security assessment of servers, whether Unix-based or Windows-based, for Common Vulnerabilities and Exposures (CVE) and CIS benchmark compliance, including missing patches and deviations from security best practices. This service requires an agent to be deployed on the servers to perform comprehensive scans of the EC2 instances. In conjunction, companies can use other AWS services like Systems Manager Run Command to apply patches and mitigate vulnerabilities across all EC2 instances centrally from the AWS console itself.