Securing Your AWS Cloud

The CIS Benchmark for Amazon Web Services (AWS) includes a set of best practices and recommendations for securing AWS cloud services. These controls are industry-wide accepted best practices that touch beyond the high level of security measures of the cloud environment. CIS Benchmarks are provided by the Center for Internet Security (CIS), a nonprofit organization that works to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace." Moreover, in 2022 the Center for Internet Security (CIS) released version 8 of their 18 CIS Security Controls, which global organizations commonly follow to harden their systems.

 

The CIS Benchmark for AWS covers foundational security areas, such as identity and access management, logging, monitoring and encryption. It provides practical and actionable guidance for areas such as network security, system hardening and security incident response. Best practices include securing leaky bucket policies or insecure IAM policies, in addition to enabling robust authentications management controls to the AWS assets and cloud environments, which can uplift the overall cloud security posture.

 

These no-cost benchmarks are accessible through the CIS website. Optiv automates these checks using commercial tools such as Nessus and manual verification. These benchmark standards are updated regularly to reflect the latest best practices and technologies. Organizations are encouraged to use these benchmarks to evaluate their own environment's security posture and take steps to reduce risk.

 

Amazon Web Services provides a comprehensive set of security controls, such as AWS GuardDuty, as well as services to help customers protect their cloud data. These services include identity and access management, encryption, logging and monitoring, and security best practices.

 

The following section lists out a few of the cloud security controls that organizations should focus on when aiming to strengthen the security posture of the environment.

 

 

Data Security

One of the biggest security challenges with AWS is the potential for data breaches. To mitigate this risk, organizations should use encryption for data at rest and in transit, as well as implement access control measures such as multifactor authentication and identity and access management.

 

 

Network Security

Network security is another major challenge with AWS. Organizations should use security groups and network access control lists to limit access to resources, as well as use virtual private clouds to create isolated networks. Below is an overview of network security controls to prioritize for AWS cloud environments.

 

  • Security Groups: Security groups are a core network security feature that allow customers to define which traffic is allowed or denied between different AWS resources. With security groups, customers can set up firewall rules to control inbound and outbound traffic for their Amazon EC2 instances, Amazon VPCs and other AWS resources. Security groups also allow for fine-grained access control to resources.

  • Network Access Control Lists (NACLs): NACLs provide customers with an additional layer of security for their AWS resources. Customers can use them to control inbound and outbound traffic across different AWS resources. NACLs complement security groups to provide defense in depth and improve the overall security of AWS.

  • Identity and Access Management (IAM): IAM provides customers with a way to control access to their AWS resources, including S3 buckets and EC2 instances. With IAM, customers can create policies specifying who can access which resources, as well as what type of access they have. IAM is one of the foundational building blocks of AWS and allows for proper access control.

  • Virtual Private Clouds (VPCs): VPCs provide customers with a secure and isolated environment to launch their AWS resources. Customers can control the IP addresses, subnets and network access of their VPC resources, as well as create additional security features such as security groups and NACLs.

  • AWS Network Firewall: This firewall enables the protection of AWS resources from malicious or unauthorized traffic. It provides customers with a managed service for setting up, configuring and maintaining firewall rules across all of their Amazon Web Service resources.

  • Amazon CloudFront: This global content delivery network (CDN) helps customers to securely deliver web and application content to their users. CloudFront provides a secure and reliable way to deliver their content to their customers around the world. CloudFront facilitates faster access to resources by placing content closer to the user’s destination. This also allows for redundancy and high availability in the event of region goes down, so that content can be accessed from other locations.

  • AWS Shield: This paid managed distributed denial-of-service (DDoS) protection service helps customers protect their web applications and websites against malicious traffic. Shield provides a range of tools to help protect applications and websites, such as rate limiting and request throttling.

 

 

Resource Security

Organizations should use Amazon’s IAM service to control access to resources, as well as use security groups to limit access to specific resources. To monitor and audit user activity, Amazon’s CloudTrail service is a recommended resource. Regular audits must be done on access controls to ensure that organizations know how resources are being accessed.

 

AWS provides users with several security layers to ensure that its customers’ data and resources are secure.

 

  • Layer 1 - Access Control: Amazon Web Service provides ways for fine-grained permission to access assets and scale the assets with attributed-based access control using Identity and Access Management (IAM) policies and AWS Security group. These controls are applied from Identity and Access Management (IAM) policies to AWS Security Groups. Organizations can also regulate access for all the cloud components. When there is a need to control access for specific inbound and outbound network traffic for specific region, then AWS security groups play a crucial role.

  • Layer 2 – Encryption: Customers can explore server-side and client-side encryption for cloud resources. Server-side encryption provides client data protection for at-rest and in-transit data. It encrypts data stored on AWS servers and encrypts communication between user devices and AWS servers. Client-side encryption permits users to encrypt data before sending it to AWS servers.

  • Layer 3 – Identity Management: Users can leverage single sign-on, multifactor authentication, and directory services. Single sign-on (SSO) allows users to access AWS resources with one set of credentials, while multifactor authentication (MFA) adds an additional layer of security by requiring users to enter a PIN code or use a biometric device to authenticate. AWS directory services permit users to manage user access and authentication within an AWS environment.

  • Layer 4 – Logging and Monitoring: AWS CloudTrail and AWS CloudWatch provide users with tools to record and monitor AWS API calls and resource activities. Users can view detailed logs of events and track suspicious activities. They can also set up alarms for abnormal behaviors so that they can quickly detect and respond to threats.

 

By leveraging these four security layers, AWS users can protect their cloud resources from unauthorized access and malicious activities. However, it is important to note that the security of an organization’s cloud resources depends on the individual user’s security practices. As such, users should ensure they have proper security policies, configurations and procedures in place.

 

 

Application Security

Organizations should use Amazon’s CloudWatch service to monitor application performance and security. Amazon’s Elastic Compute Cloud (EC2) also allows organizations to deploy secure applications. Amazon’s Web Application Firewall (WAF) is recommended to protect against malicious attacks. In addition, proper application security testing should be performed to identify specific threats for that application.

 

 

Insufficient Access Controls

Many organizations that use AWS fail to properly configure access controls, leaving their data and resources vulnerable to malicious activity. Solutions include creating roles and policies to grant least-privilege access to resources and implementing multifactor authentication to control access to the AWS account.

 

 

Data Loss

Without proper configuration and monitoring, data stored in the cloud can be lost. Solutions include using multiple backups and redundancies to protect data, setting up alerts for changes in the AWS environment, and using replication and automated backup processes to ensure data is available. MFA should be enabled on S3 buckets to protect the data.

 

 

Security Breaches

While Amazon provides effective physical security for its cloud platforms, there are still opportunities for malicious actors to gain access to sensitive data. We suggest using encryption for data stored in the cloud, implementing a security-minded architecture, and regularly monitoring for suspicious activity.

 

 

Malware and Ransomware Attacks

Malware and ransomware attacks can target AWS customers’ systems and data. We recommend creating a list of acceptable use policies and regularly monitoring for malicious activity, implementing firewalls and intrusion detection systems, and using software to scan and patch systems.

 

 

Key Takeaways

Overall, it is important for organizations to compare their Amazon Web Services cloud environment with the CIS benchmark to streamline the configurations of each AWS assets and components. This comparison aids in securing the cloud environment.

Vandankumar Pathak
Senior Application Security Consultant | Optiv
Vandankumar Pathak is a Senior Application Security Consultant in Optiv’s Threat Management community. Pathak’s role is to deliver a variety of service offerings, including web application assessments, mobile application assessments, Static and Dynamic Code Analysis, and thick client assessments. Over the past few years, Pathak’s passion for information security and hacking has motivated his participation in penetration testing projects.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.