Identity and Access Management (IAM)

Identity and access management services along with other services from AWS helps companies implement AAA controls i.e. Authentication, Authorization and Accounting to various resources hosted on AWS. AWS IAM provides in built MFA capability with no extra charge thus making the authentication secure as per industry best practices and various international standards such as PCA, HIPPA, ISO 27001. Using IAM one can also configure password length complexity, access keys to allow programmatic access and granular access policies for Role based access control popularly known as RBAC in security circles. Further companies can integrate their AWS account with on-prem AD or 3rd party identity brokers such as Facebook or Gmail to provide secure single-sign-on capabilities.

AWS community and customers love CloudTrail and rightly so. As this simple service enable auditing of all API calls made to AWS. As when you access AWS console or any AWS service you effectively make an API call to services on AWS to perform an action for you in the background. Enabling auditing of API calls thus effectively enables organization to enable auditing of all actions and task being performed on AWS by any user either using their credentials or via a script/program making use of access keys.

This is an another very useful auditing and compliance tool from AWS that helps customers take configurations snapshots of their entire AWS at regular intervals. The configurations which it captures spans across IAM, Security group rules, NACL rules, EC2 instances configurations and much more. Further Amazon config can evaluate the configurations at any point in time to set of configured desired configurations and if any configurations is not compliant, Amazon config conformance packs can take necessary actions to make those configurations compliant. Many companies use AWS Config as part of Standard Operating procedures for change management, configuration management and Incident Response in AWS.

One of the key services (pun intended) is Key Management service by AWS which helps encrypting data at rest either in EBS volumes or S3 buckets or secrets stored in parameter store of AWS. KMS also has features in built to enable automatic rotation of keys at pre-defined intervals thus adding and additional layer of security in case a key does get compromised. For companies looking to comply with strict industry standards for data at rest they can use AWS KMS which is FIPS 140-2 Level 2 compliant. Further companies can use AWS cloud hardware security Module (HSM) which is FIPS 140-2 Level 3 compliant.

Just like a guard on patrolling helps detect and alert any suspicious activity in his environment, Amazon GuardDuty continuously monitors AWS environment for any suspicious activity in AWS. Amazon GuardDuty is a signature-based service which can help you detect a number of well-known attacks such as but not limited to Brute-force, DDoS, Privilege escalation and others attacks across your EC2 instances, S3 buckets and IAM configurations. Though a mature SIEM deployment has its own use case and value, one-click deployment of GuardDuty helps customers enable fully functional logs monitoring, logs correlation and real time alerting within few minutes as compared to setting up a SIEM solution on cloud or on-prem which could take several weeks if not months to be operational.

This is a lesser known service yet very useful and powerful service that can help you enable automated security assessment for servers whether Unix based, or windows based for Common Vulnerabilities and Exposures (CVE), CIS benchmarks compliance including missing patches and deviation from security best practices. This service requires an agent to be deployed on the servers to perform comprehensive scans on the EC2 instances. In conjunction companies can use other AWS services like Systems Manager Run Command to apply patches, mitigate vulnerabilities across all EC2 instances centrally from AWS console itself.