Proper data security is always a concern, whether your data is on-premise or on the cloud. Here are some of the best practices for securing your data on Amazon Web Services (AWS). While this list is not comprehensive, this would be a good starting point for implementing basic security on the AWS platform.
Security is a shared responsibility between Amazon Web Services (AWS) and its customers operating a digital commerce business. AWS is responsible for the security OF the cloud, and the customer is responsible for the security IN the cloud. This model clearly defines who is responsible for securing the resources when using AWS.
1. Protect your Root Account
- Enable root account with Multi-Factor Authentication (MFA).
- Use root account to create IAM admin users, and AVOID using the root user account for actions that do not need the root account access.
2. Console Users
- User AWS Single Sign-On or use your corporate identity solution to avoid creating multiple IAM user accounts.
- Implement Password policies to enforce users to have strong passwords by defining minimum requirements for the password.
- Enable MFA for all console users.
- Rotate keys older than 90 days for all IAM users.
3. Enable AWS Config
The first step to securing your environment is to create an asset inventory. Config enables you to assess, audit, and evaluate configurations of the AWS services deployed in the account. Config continuously monitors and records your AWS configurations.
4. Enable AWS CloudTrail for all regions
CloudTrail enables governance, compliance, operational auditing of your AWS account and provides the event history of your AWS account activity for actions taken through the AWS console, AWS CLI, SDK.
- Enable Multi-region CloudTrail
- Send CloudTrail logs and alerts to an S3 bucket in a dedicated security account.
5. Enable Security Hub for CIS Controls and AWS Controls
- Security Hub provides a central view of all security alerts. Security Hub consolidates findings from GuardDuty, Inspector, and Macie and displays them in a single dashboard.
- Aggregates, organizes, and prioritizes security findings from AWS services. The tool provides remediation techniques.
- You can consolidate findings across multiple accounts. You can forward findings from multiple accounts to a designated security account.
- You can perform automated security checks against CIS, PCI/DSS benchmarks.
6. Enable GuardDuty and configure Alerts with CloudWatch Events
GuardDuty is a threat detection service that continuously monitors malicious or unauthorized behavior to protect AWS resources. GuardDuty analyzes and processes data from Cloudtrail event logs, VPC Flow Logs, and DNS logs to detect anomalies.
7. Defense in depth.
Use a defense-in-depth approach when protecting AWS resources.
- A Network Access Control List (ACL) protects the resources at the subnet level. Network ACL’are stateless, which means you have to define both inbound and outbound rules.
- A Security Group protects the resources at the instance level. By default, Security groups allow all outbound traffic while blocking all inbound traffic. Security groups are stateful, so you do not have to define return rules.
- Keep your Instance Operating System (OS) up to date by patching frequently. Install minimal features to reduce the attack surface. Update your application and its dependencies.
- Web Application Firewall (WAF) helps to protect applications hosted on AWS against common threats. You can attach a WAF to an application load balancer or CloudFront.
8. Backups
- Store copies of your critical data in other AWS regions or a different AWS account.
- Use AWS Backup centralized console to manage and automate backups. AWS Backup can backup data from various sources such as EC2, EBS Volumes, EFS, DynamoDB, and RDS Instances
9. Data Protection Using KMS
- Use AWS Key Management Service (KMS) to protect data at rest across a wide range of AWS services. Enable default encryption for Amazon EBS volumes and Amazon S3 buckets to protect your data at rest.
- Enable encryption for all the data in transit.
10. S3 Buckets
- Ensure S3 buckets are not publicly accessible.
- Use bucket policies to verify that all access granted is restricted and specific.
- Enable MFA to prevent accidental deletion of buckets.
Using these best practices, you can build protection mechanisms for your applications and data on Amazon Web Services