Amazon Web Services (AWS) enables organizations to build and scale applications quickly and securely. However, continuously adding new tools and services introduces new security challenges. According to reports, 70 percent of enterprise IT leaders are concerned about how secure they are in the cloud and 61 percent of small- to medium-sized businesses (SMBs) believe their cloud data is at risk.
AWS provides many different security tools to help customers keep their AWS accounts and applications secure. In fact, there was significant focus on AWS security best practices at re:Invent 2020. See the Best practices with Amazon S3 recap and Jeremy Cowan’s Securing your Amazon EKS applications: Best practices session for some of the details.
In this article, we’ll review the top ten AWS security tools you should consider using to improve your security posture in 2021 and beyond. Before we do that, we will briefly explain AWS account security versus application and service security. Organizations must focus on keeping both secure to protect against different types of attacks.
Account Security Versus Application And Service Security
AWS provides security tools designed to improve both account security and application and service security.
An AWS account is an attack vector, as resources and data are accessible through the public application programming interface (API). Implementing a secure identity and access management strategy helps prevent leaking data — such as in S3 buckets — to the public. AWS’s many tools provide insights into your configured permissions and access patterns, and record all actions for compliance and audit purposes.
Applications and services hosted in AWS are susceptible to different kinds of threats from the outside. Cross-site scripting (XSS), SQL injection, and brute-force attacks target public endpoints. Distributed denial-of-service (DDoS) attacks may attempt to bring down your services, potentially compromising your architecture security. Without proper management, sensitive information — such as database credentials — may leak.
Therefore, it’s critical that organizations migrating to the cloud focus on minimizing risk and improving their overall security posture by addressing both account security as well as application and service security. The following AWS services lock down your cloud security, helping keep your customer data and systems safe from attack.
Top 6 AWS Account Security Tools
1. AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It lets you manage how users authenticate and restrict which people and workloads can use which of your AWS resources.
The IAM workflow includes the following six elements:
- Principal: an entity that can perform actions on an AWS resource. A user, a role or an application can be a principal.
- Authentication: the process of confirming the identity of the principal trying to access an AWS product. The principal must provide its credentials or required keys for authentication.
- Request: a principal sends a request to AWS specifying the action and the resource on which it should be performed.
- Authorization: by default, access to every resource is denied. IAM authorizes a request only if every part of the request is allowed by a matching policy. After authenticating and authorizing the request, AWS approves the action.
- Actions: operations used to view, create, edit or delete a resource.
- Resources: the objects in your AWS account on which a set of actions can be performed.
To review, here are some of the main features of IAM:
- Shared access to the AWS account. The main feature of IAM is that it allows you to create separate usernames and passwords for individual users or resources and delegate access.
- Granular permissions. Restrictions can be applied to requests. For example, you can allow the user to download information, but deny the user the ability to update information through the policies.
- Multifactor authentication (MFA). IAM supports MFA, in which users provide their username and password plus a one-time password from their phone—a randomly generated number used as an additional authentication factor.
- Identity Federation. If the user is already authenticated, such as through a Facebook or Google account, IAM can be made to trust that authentication method and then allow access based on it. This can also be used to allow users to maintain just one password for both on-premises and cloud environment work.
- Free to use. There is no additional charge for IAM security. There is no additional charge for creating additional users, groups or policies.
- PCI DSS compliance. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. IAM complies with this standard.
- Password policy. The IAM password policy allows you to reset a password or rotate passwords remotely. You can also set rules, such as how a user should pick a password or how many attempts a user may make to provide a password before being denied access.
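To make the authorization and granular-permission points above concrete, here is an added example (not code from the original article or from AWS) that evaluates a constructed identity-based policy the way IAM does: implicit deny by default, an explicit Deny overriding any Allow, and a Bool condition on the `aws:MultiFactorAuthPresent` context key so that deletes are refused unless the caller signed in with MFA. Only the Bool condition operator is modelled; the policy and the request values are made up for illustration.

```python
import fnmatch

# Constructed sample policy (not from the page): full S3 access to the
# "reports" bucket, but writes are explicitly denied and deletes are
# denied whenever the session was not established with MFA.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": "arn:aws:s3:::reports/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM policy wildcards ("*" and "?"); action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Only the Bool operator is modelled; any other operator fails closed.
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            # A missing context key is treated as "false" (e.g. no MFA used).
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request using IAM's evaluation rules:
    start from implicit deny, an explicit Deny always wins, else need an Allow."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any matching Allow
        decision = "Allow"
    return decision
```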
2. Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Its capabilities include detecting the use of compromised credentials, simplifying forensics, and continuously monitoring the security events seen in an AWS customer’s environment. With the newly announced Malware Protection feature, GuardDuty scans the EBS-backed EC2 instances that its existing findings flag for malicious behavior, reports malware detected on EC2 instances and on containers running on EC2, and can send that data straight to Trellix Helix.
3. Amazon Macie
Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in the Amazon Web Services (AWS) Cloud. It currently only supports Amazon Simple Storage Service (Amazon S3), but more AWS data stores are planned.
Macie can recognize personally identifiable information (PII) or protected health information (PHI) stored in your S3 buckets. Macie also monitors the S3 buckets themselves for security and access control. Together, this helps you meet regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), or simply maintain the level of security you require in the AWS Cloud environment.
Within a few minutes after enabling Macie for your AWS account, Macie will generate your S3 bucket list in the region where you enabled it. Macie will also begin to monitor the security and access control of the buckets. When it detects the risk of unauthorized access or any accidental data leakage, it generates detailed findings.
The dashboard provides a summary that shows how your data is accessed or moved. It gives you a view of the total number of buckets, the total number of objects, and the total amount of S3 storage consumed.
It also breaks down S3 buckets by whether they are shared publicly, whether they are encrypted, and whether they are shared inside or outside your AWS account or AWS Organization.
You can create and run sensitive data discovery jobs to automatically discover, record, and report sensitive data in Amazon S3 buckets.
A job can be configured to run once for on-demand analysis, or on a schedule for ongoing analysis and monitoring.
A finding is a detailed report of potential policy violations for sensitive data in S3 buckets or S3 objects. Macie provides two types of findings: policy findings and sensitive data findings.
Macie can also send all findings to Amazon CloudWatch Events so you can build custom remediation and alert management.
4. AWS Config
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time.
These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
AWS Config allows you to assess, audit and evaluate the configurations of your AWS resources, which makes it very useful for configuration management as part of an ITIL program.
It creates a baseline of various configuration settings and files and can then track variations against that baseline.
5. AWS CloudTrail
AWS CloudTrail is an application programming interface (API) call-recording and log-monitoring web service offered by Amazon Web Services (AWS).
AWS CloudTrail allows AWS customers to record API calls, sending log files to Amazon S3 buckets for storage. The service provides API activity data including the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters and the response elements returned by the AWS service.
CloudTrail can be configured to publish a notification for each log file delivered, allowing users to take action upon log file delivery — a process that according to AWS should only take about 15 minutes. It can also be configured to aggregate log files across multiple accounts so that log files are delivered to a single S3 bucket.
The service can facilitate regulatory compliance reporting for organizations that use AWS and need to track the API calls for one or more AWS accounts. CloudTrail can also be configured to feed security information and event management (SIEM) platforms and resource management tools.
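The fields the section lists (caller identity, event time, source IP, request parameters, response elements) are what a SIEM or a simple script works from once a log file lands in S3. The following added example (not part of the original article, and not AWS code) parses a constructed CloudTrail-style log file and raises two defensive alerts: any activity by the account root user, and a burst of AccessDenied responses from a single source IP. The record shape mirrors the public CloudTrail event format, but every value is made up.

```python
import json
from collections import Counter

# Constructed CloudTrail-style log file: one normal S3 read, one action taken
# as the root user, and six denied calls from the same IP. Values are invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-03-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "reports", "key": "q1.csv"},
     "responseElements": None},
    {"eventTime": "2021-03-01T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "new-user"},
     "responseElements": {"user": {"userName": "new-user"}}},
] + [
    {"eventTime": f"2021-03-01T10:01:{i:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": None, "responseElements": None,
     "errorCode": "AccessDenied"} for i in range(6)
]})

def analyse(log_text, denied_threshold=5):
    """Return a list of (rule, detail) alerts for one CloudTrail log file.

    Rules: 'root-activity' for every API call made by the root user, and
    'access-denied-burst' when one source IP collects >= denied_threshold
    AccessDenied responses (a common sign of permission probing)."""
    alerts = []
    denied_by_ip = Counter()
    for rec in json.loads(log_text)["Records"]:
        identity = rec.get("userIdentity", {})
        if identity.get("type") == "Root":
            alerts.append(("root-activity",
                           f'{rec["eventTime"]} {rec["eventName"]} from {rec["sourceIPAddress"]}'))
        if rec.get("errorCode") == "AccessDenied":
            denied_by_ip[rec["sourceIPAddress"]] += 1
    for ip, count in sorted(denied_by_ip.items()):
        if count >= denied_threshold:
            alerts.append(("access-denied-burst", f"{ip} had {count} AccessDenied responses"))
    return alerts

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

In a real deployment the same function would be invoked from the S3 delivery notification the section mentions, reading the gzipped object for each new log file.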
6. Security Hub
AWS Security Hub combines information from all the above services in a central, unified view. It collects data from all security services from multiple AWS accounts and regions, making it easier to get a complete view of your AWS security posture. In addition, Security Hub supports collecting data from third-party security products. Security Hub is essential to providing your security team with all the information they may need.
A key feature of Security Hub is its support for industry-recognized security standards, including the CIS AWS Foundations Benchmark and the Payment Card Industry Data Security Standard (PCI DSS).
Combine Security Hub with AWS Organizations for the simplest way to get a comprehensive security overview of all your AWS accounts.
Now that we have addressed the top account security tools, let’s focus on the top four AWS application security tools you should consider.
Top 4 AWS Application Security Tools
1. Amazon Inspector
Amazon Inspector is an AWS software tool that automatically assesses a customer’s AWS cloud deployment for security vulnerabilities and deficiencies. Amazon Inspector evaluates cloud applications for weak points or deviations from best practices before and after they are deployed, validating that proper security measures are in place. The service then provides and prioritizes a list of security findings, including detailed descriptions of issues and recommendations to fix problems.
Amazon Inspector is available through the AWS Management Console and is installed as an agent on the operating system of Elastic Compute Cloud instances. Amazon Inspector requires an AWS Identity and Access Management (IAM) role, which grants the service permission to itemize instances as well as tags to assess before evaluating the security of a cloud deployment. The service can create an AWS IAM role, if needed.
An IT administrator defines an assessment template, which includes the rules packages to follow, the duration of the assessment run, the Amazon Simple Notification Service topics that receive notifications, and other attributes. The analysis of the target environment is called the assessment run; it analyzes behavioral data within the target, including network traffic, running processes and communication between cloud services.
Amazon Inspector pulls best practices from a knowledge base of hundreds of rules (individual security practices or tests) that are maintained by AWS security researchers. Amazon Inspector provides public-facing APIs that let a user integrate the service with tooling outside the cloud, such as email or security dashboards.
Amazon Inspector is billed based on the number of assessment runs and systems assessed, combining those elements into a metric called agent-assessments. Amazon provides a free trial before billing a customer per agent-assessment.
2. AWS Shield
AWS Shield protects AWS components against DDoS attacks. These attacks flood public applications with huge numbers of artificially generated requests in order to disrupt them. Shield is available in two tiers: Standard and Advanced.
AWS Shield Standard is enabled by default in CloudFront and Route 53 at no extra cost. AWS Shield Advanced is available for those two services plus several others: Elastic Load Balancing, EC2, Elastic IPs and Global Accelerator.
AWS Shield Standard offers protection against certain attacks but lacks flexibility for custom configurations. Shield Advanced integrates with the AWS WAF service so you can configure specific protection rules. Additionally, Shield Advanced provides access to the AWS Shield Response Team, a 24/7 support group available for emergencies. It also protects against the extra AWS charges that could be incurred by increased usage during a DDoS attack; affected customers can request credits.
AWS Shield Advanced costs $3,000 per month. There is an additional data transfer fee, which varies depending on the protected resource type and the amount of data transferred (e.g., <100 TB, 400 TB, 500 TB). Within the initial 100 TB bracket, the Shield Advanced data transfer fee is between $25 and $50 per TB transferred, depending on the protected resource type. This is in addition to the data transfer fees applicable to each protected resource. The monthly fee applies per AWS Organization, so deployments across multiple AWS accounts within one Organization pay only a single fee.