The AWS safe global infrastructure and services are controlled and managed by AWS and provide a reliable foundation for business systems and individual applications. AWS develops high standards for information security with the cloud as its platform, and has an extensive and holistic set of control objectives, extending from physical security via software acquisition and development to user lifecycle management and security compliance. The AWS safe global infrastructure and services are depended upon to regular third-party compliance audits.
To develop and manage a working security infrastructure in AWS or any public cloud, you must embed security early and fast in the development process – not retroactively. To start with AWS, you need to follow its best practices.
Protect your data in transit
If you want to exchange confidential information between a web server and a browser, you need to configure SSL on the server instance. You will require a certificate from the certified authority like VeriSign1 or Entrust2. The public key presented in the certificate validates your server to the browser and is used as the basis for developing the shared session key to encrypt the data in all directions.
Make a few command line calls (using Amazon VPC) and create a Virtual Private Cloud. This will allow you to use your isolated resources within the AWS cloud and then integrate those resources directly to your datacenter through industry-standard encrypted IPSec VPN connections.
Protect your all AWS credentials
AWS has two types of security credentials:
The first is AWS access keys and second is X.509 certificates. There are two parts of AWS access key: your access key ID and your secret access key. You need to use your secret access key to measure a signature to include in your request for validation when using the REST or Query API. To stop in-flight tampering, all your requests would be sent over HTTPS.
When your Amazon Machine Image (AMI) runs processes that have to communicate with other AWS web services (for polling the Amazon SQS queue or for reading objects from Amazon S3, for instance), a common design mistake is integrating the AWS credentials in the AMI. Rather than integrating the credentials, they should be moved in as arguments at the time of launch and encrypted prior to sending over the wire.
You should obtain a new secret access key by rotating11 to a new access key ID, if your secret access key becomes compromised. A good practice is to include a key rotation mechanism into an application architecture so that you can use it regularly or on an occasional basis (when an employee leaves the company) to make sure that compromised keys cannot stay forever.
As an alternative, you can use X.509 certificates for validation to certain AWS services. The certificate file includes your public key in a base64-encoded DER certificate body. A separate file consists of the corresponding base64-encoded PKCS#8 private key.
AWS has multi-factor authentication12 as an extra protector for working with your account information on AWS Management Console and aws.amazon.com.
Start Implemening API Activity Auditing
When you grow in the cloud and users do more things against your AWS account, you require higher visibility into API calls to monitor who did what. Try to implement this from the get-go so that you can establish a baseline of activity (so you can easily and fastly track abnormal activity) and embed auditing as an important security function early on.
Scott and Chris recommend beginning by developing an ideal example of an operating system and then using this as the “golden image,” or baseline, of an OS. Then, as additional compute resources are developed, they can be copied to appear like the golden one.
Of course, baselines will move over time as your environment grows and the company matures. Threat Stack easily maps this baseline to changes and fluctuations in activity over time, consistently learning what is “normal” for your system at any point in time. You will only be alerted this way when new threats arise like you found the vulnerability in a package, not a routine operation.
AWS CloudTrail provides you many various basic building blocks of API call auditing; many customers accept to add on Threat Stack’s CloudTrail integration for more profound insights to get answers and deal with security threat faster.
Leverage AMIs to Standardize Policies and Eliminate Risk
Amazon Machine Images (AMIs) are virtual appliances with the information needed to instantiate a given server. AMIs are configured to develop instances for the workload of any kind (web, mobile, DBs, dev/test/prod environments, etc.), and are easy to provision with the individual, custom security measures.
You can choose solid, public AMIs from the AWS Management Console – which address various security requirements – or, you can develop your custom AMIs, integrating your security controls into them as the code. You can start automating policy enforcement within your infrastructure by doing this.
You can even utilize native tracking tools, such as CloudWatch, and a third-party tool like Datadog – which offers fast alerting and auditing of your cloud computing environment – and their findings, to check what controls require improvement in your framework and standardizing policies continuously.
As you improve your policies and controls in AWS, you can either integrate them into your private AMIs or look for public AMIs that adapt with your policies and instantiate them into your area, eliminating risk and minimizing the need for maintenance or manual provisioning. The more you solidify the security controls of your AMIs, the less human intervention will be to maintain a secure environment and you can make the most of cloud backup security.
Move Toward Adopting Security by Design
As you make use of native AWS security tools to control access, standardize protocols and controls, and start integrating them into your AMIs, this will be your first critical step toward Security by Design.
Security by Design (SbD), or you can say Security Automation, is a cloud security approach that’s predicted to automate security controls and policies as it formalizes infrastructure design.
This is not a completely new approach, but the public cloud has made it faster to implement exponentially. Since your whole cloud environment is software that you can design, or can write your security infrastructure as code, with no need to provision or configure individual stacks or servers retroactively.
To gain SbD, you should standardize your build and upgrade processes. Using AWS CloudFormation, you can organize your infrastructure in order to automate provisioning through coding OS configurations into templates with the help of configuration management tools like Ansible, or Chef. Then, you can put these templates and configure manifests into a source code management tool, such as Bitbucket to permit for version control.
To understand more about AWS, you need to cover the fundamentals of building an IT infrastructure on AWS and AWS training helps you achieve this.