One of the major benefits of cloud services, like AWS, is access to enterprise-level security. This does not mean, however, that you can simply move your database to the cloud and rest easy that it is 100% secure. While Amazon can provide significant security expertise and robust solutions, data security is still largely your responsibility as a customer.
Measures are needed to protect your information from theft, meet regulatory standards, and maintain the data privacy that modern customers demand. In this article, we’ll look at who’s responsible for security in AWS, and cover some tips for making sure that your data is protected.
Shared Security Responsibility
AWS works on a shared security responsibility model, which specifies the aspects AWS is liable for and which fall to you. Amazon’s portion is infrastructure. Yours is access and authentication, operating systems, external networks, third-party integrations, applications, and data.
AWS does provide security measures for these areas, but it is your responsibility to configure and monitor them appropriately. Many of these measures are configured with default settings, depending on the service. Others have best practice guides available throughout Amazon’s documentation.
To effectively secure your data, you must determine how your data is vulnerable, how it might be breached, and what can be done to protect it.
- Use backups
Although it may not seem like a security practice, taking frequent backups of your data is one of the key ways to protect yourself from regional outages, data corruption, human error, and malicious attacks. With reliable backups, you can quickly recreate instances and databases on secondary resources or in secondary regions, confidently restore lost data, and eliminate the damaging potential of ransomware.
You can rely on your data availability, provided you follow the 3-2-1 rule: three copies, two separate locations, one of which is offsite. In the case of cloud services, it is a good idea to store one set of backups in isolation from your primary services. This way, if your AWS administrative accounts are compromised, you retain access.
You can use AWS Backup for creating and managing these backups. AWS backup is a fully managed service that allows you to automate and monitor backups through customizable policies. It covers a range of services, including EFS, DynamoDB, RDS, EBS, and Storage Gateway, and provides management through a centralized dashboard.
If AWS Backup doesn’t cover your system completely, or if you just want to manage data duplication more explicitly, you can also manage your backups through CLI and API. This example of automating EBS snapshots can help you understand the process.
- Use encryption
Encrypting your data, at-rest and in-transit, can help ensure your sensitive data is not exposed if your system is breached. To support this, AWS offers built-in encryption features that use AES-256 bit encryption, which is currently one of the most secure protocols. Unless you have a better encryption service available to you, you should use these features. Although configuration and specifics for each AWS service vary, the overall system is roughly the same.
For encryption, you can either use personally managed keys, service managed keys, or AWS’ Key Management Service (KMS), at an added cost. It’s important to note that service managed keys only allow server-side encryption but are included in your service costs.
Most AWS services integrate with KMS, which allows centralized control over your encryption keys and can be used with either an AWS defined Customer Master Key (CMK) or one created by your independent encryption infrastructure. If you use an AWS generated key they will automatically rotate your master keys once a year and the process can be done without needing to re-encrypt. KMS can be used both server and client-side, both of which should be configured for maximum effectiveness.
- Ensure regulatory compliance
Making sure to keep your data secured in a way that is compliant with regulatory restrictions can be a challenge. The easiest way to accomplish this is to sanitize your data. Whenever possible, remove personally identifiable or sensitive information before adding it to your databases.
If you do store personal and financial information, make sure that your storage and security methods meet the regulations that apply to you. You must also take into account any regulations that may vary by region if you are using a globally distributed system.
Many AWS services meet common standards for compliance, including HIPAA, PCI, and SOC, and you may be able to secure those that don’t come with custom Service Level Agreements (SLAs). To verify which of your services include built-in compliance and learn about regional differences, check out AWS’ compliance whitepaper and their Compliance Center.
- Enforce strict access controls
When configuring access rights and permissions, you should focus on the principle of least privilege. That means giving only rights that are needed. Doing so limits the chance of accidental access, and the amount of damage that compromised credentials can create. In AWS, you can use Identity and Access Management (IAM) policies and Access Control Lists (ACLs) in combination to accomplish this.
Using IAM policies, assigned to groups or roles, you can separate database administration and management flow from application flow. This can limit opportunities for cross access. While you can use resource-based policies, they are not recommended. This is because they are more difficult to manage and do not work with all AWS services. It is also recommended that you routinely delete inactive or expired users and avoid the use root users when possible. Leaving these privileges and credentials active can allow criminals to more easily access your system.
Using ACLs, you can restrict open ports by instance and control network traffic and access rights according to resource. Consider extending these restrictions to isolate your services, also as micro-segmentation, and prevent services from accessing data they do not need. Doing so will help reduce the number of entry points to your system and restrict potential attackers’ lateral movements.
Although AWS provides a good amount of support when it comes to data security in the cloud, enabling the offered features, correctly configuring settings, and maintaining your security is up to you.
Implement the tips covered here, in combination with diligent monitoring, and you should be able to rest easier knowing that your data is as protected as possible. For added confidence, consider staying up to date with current security concerns by following organizations like OWASP or NIST, both of which track issues of cloud security.