Given its position as the market leader, it is no surprise that Amazon Web Services (AWS) invests heavily in helping its users secure their entire environments. As with many other cloud platforms, AWS security is a responsibility shared between Amazon and its users, so the volume of security resources the company publishes is to be expected.
The AWS security best practices guideline is comprehensive. AWS cloud security matters more than ever to its users in today's security-conscious environment, but not everyone has the patience to work through a 79-page guideline.
That’s what we are going to change in this article. The AWS cloud security standards can be broken down into five major components. We are going to review those to help you understand the essentials that you need to focus on when using AWS. Let’s get started!
AWS Shared Responsibility Model
First to examine is the AWS Shared Responsibility Model to get a perspective on the model that users are working on. This is how Amazon breaks down its security layers and explains which of the elements are yours to secure.
Amazon takes care of the underlying hardware supporting your cloud environment, so it is responsible for the AWS Global Infrastructure, clusters in different regions, availability zones, and edge locations in its CDN. It is also responsible for hardware and foundation services that power the AWS ecosystem, including storage, database servers, and networking.
As the user, you are responsible for every layer above these AWS-managed components. It is up to you to secure the operating system and the front-facing network, the applications you run in the environment, and the customer data stored in AWS. The cloud security certification AWS offers is built around standards for securing these elements.
Amazon actually sums up this shared responsibility model nicely and in very simple terms: Amazon is responsible for the security of the cloud, while you are responsible for security in the cloud.
Identity and Access Management
Identity and Access Management (IAM) is a big part of AWS cloud security assessment, and there is a good reason for that. The majority of breaches and security failures today are still caused by mismanagement of user identity, user access, and roles. The IAM system within AWS is — when used correctly — designed to make managing access easy.
You have one root AWS account for interacting with Amazon, but it’s best practice not to use that same root account for day-to-day operations. Instead, you create credentials for specific users and purposes, including for system use and applications.
AWS Trusted Advisor
The next element covered by AWS cloud security best practices is monitoring. AWS cloud security monitoring helps prevent attacks and breaches by keeping a close watch on the environment.
This is where AWS Trusted Advisor becomes crucial. AWS Trusted Advisor offers a series of best practices on every level of your cloud use, all while taking into account your actual cloud environment and the applications running in it.
Trusted Advisor can scan your infrastructure and compare it with Amazon’s own best practices. Many of the features and categories offered by Trusted Advisor are premium, but you get some checks for free:
Service Limits Check
IAM Use Check
Security Groups — Specific Ports Unrestricted Check
MFA on Root Account Check
These checks are available from the AWS Management Console and they are a must-use.
Amazon EC2 Security Group Firewall is a capable tool, but that doesn’t mean you should take the security of your applications lightly. It is still necessary to use the EC2 firewall properly in order to fully secure microservices and apps running in the cloud environment.
For example, the web server part of your cloud environment can have ports 80 and 443 open, but opening the same ports on the app server is an unnecessary risk. Instead, the app server should expose only what it needs: port 22 (or another port you assign) for SSH, plus whatever ports its own functions require.
The same applies to your database server. Only the app server needs access to the database, not any node outside the cloud environment, so no front-facing port needs to stay open.
On top of that, Amazon also allows the configuration of access layers for better security. You can configure the database server to be accessible only by the app server and not the web server. For those who want to complete the AWS Cloud Security Certification, access layers are very important.
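The port-exposure and access-layer rules above can be checked mechanically. The following is an added example, not code from the original article or from AWS: it evaluates security group rules in the spirit of the Trusted Advisor "Specific Ports Unrestricted" check and verifies the web, app and database layering, using constructed sample rules shaped like the IpPermissions entries returned by EC2's DescribeSecurityGroups API (the group ids are placeholders).

```python
# Added example, not from the original article: an offline check in the spirit
# of Trusted Advisor's "Security Groups - Specific Ports Unrestricted" check and
# of the web -> app -> database access layers described above. The rule
# records are constructed sample data shaped like the IpPermissions entries
# that EC2's DescribeSecurityGroups API returns; group ids are placeholders.
ANYWHERE = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = {
    # Web tier: 80 and 443 open to the internet, as the article allows.
    "sg-web": [
        {"FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    # App tier: should only be reachable from sg-web; the second rule is a
    # deliberately wrong "same ports as the web server" rule the checks catch.
    "sg-app": [
        {"FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    # Database tier: only the app tier may connect; no front-facing rule at all.
    "sg-db": [
        {"FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ],
}

def unrestricted_ports(rules):
    """Ports a rule set opens to every IPv4 or IPv6 address (the Trusted Advisor concern)."""
    ports = set()
    for rule in rules:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if cidrs & ANYWHERE:  # an "all traffic" rule carries no ports, so default to the full range
            ports.update(range(rule.get("FromPort", 0), rule.get("ToPort", 65535) + 1))
    return sorted(ports)

def allowed_sources(rules):
    """Every source a rule set admits: CIDR blocks and referenced security group ids."""
    sources = set()
    for rule in rules:
        sources |= {r["CidrIp"] for r in rule.get("IpRanges", [])}
        sources |= {g["GroupId"] for g in rule.get("UserIdGroupPairs", [])}
    return sources

def tier_violations(groups, chain):
    """chain lists (tier, its only permitted upstream tier); any other source is a finding."""
    return [(tier, sorted(allowed_sources(groups[tier]) - {upstream}))
            for tier, upstream in chain if allowed_sources(groups[tier]) - {upstream}]
```

Running `tier_violations(SECURITY_GROUPS, [("sg-app", "sg-web"), ("sg-db", "sg-app")])` reports the app tier's stray internet-facing rule, while `unrestricted_ports` lists exactly which ports each group exposes to the world.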
Of course, you also have factors such as data encryption and privacy protection being part of the AWS cloud security assessment checklist. This is where you need to go deep into the guideline for best practices.
Backup and Recovery
The last piece of the puzzle is recovery. Even with the best security measures in place, it is still important to have backup routines in place, mainly for when a quick recovery is needed. Fortunately, there are also services within AWS that make automating backup and recovery easy. But more on this in an upcoming article.
Cover these five key elements and you’ll have a better understanding of how the AWS cloud security best practices are designed. Complying with the detailed security standards will just be a matter of adding in the final touches.