
AWS Security Audit and Best Practices [Updated]


When all or even part of your IT infrastructure runs in the AWS cloud, it is important to ensure that your workloads, applications and the infrastructure as a whole are secured well enough to withstand security threats. "Cloud security is a shared responsibility", and you should align with that statement when you think about cloud security: AWS secures the underlying platform, but the configuration of your accounts, networks, identities and data is yours to get right. As resources in the cloud scale, security details are easily missed for lack of governance, proper security measures or automation. The solution for these cloud management problems is a Cloud Management Platform (CMP).

But everything comes with a price, and a complete security audit carries a real one. What if you could get the key security best practices and take your cloud security up a level without paying a penny? Here is the list of recommended best practices for examining your permissions, rules, policies and more.

1. Security Groups – Specific Ports Unrestricted

You do not want malicious activity such as data loss, data theft, intrusion or denial of service across a cloud infrastructure where your applications run in a critical state. A CMP checks the security groups for rules that allow unrestricted access (a source of 0.0.0.0/0, or its IPv6 equivalent ::/0) to specific ports. Ports that open the door to these threats and carry the highest risk, such as database and remote-administration ports, are highlighted with a red warning. Ports with comparatively lower risk are marked yellow, and ports marked green are those that applications legitimately need to expose to the world, such as HTTP and SMTP.

If you have deliberately configured your security groups this way, our recommendation is to add further controls to keep the infrastructure secure, for example a host-based firewall (iptables) on the instances, network ACLs on the subnet, or narrowing the rule to the specific source ranges that actually need access.

2. Security Groups – Unrestricted Access

Just like unrestricted ports, unrestricted access to a resource (a rule that allows all protocols, or the full port range, from any source) makes your cloud more prone to malicious attacks such as data loss, data theft, intrusion or denial of service. Security groups should be checked thoroughly for rules that allow unrestricted access to a resource, and such rules should be replaced by rules scoped to the ports and source ranges the workload actually needs.
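As an added illustration of checks 1 and 2 (example code written for this page, not Centilytics' or AWS's own checker), the following Python classifies security-group ingress rules that are open to the world. It works on data shaped like the IpPermissions entries returned by EC2 DescribeSecurityGroups, so it can be fed the JSON from `aws ec2 describe-security-groups`; the sample groups are constructed, and the port-to-colour mapping is an assumed policy you would tune to your own environment.

```python
"""Classify security-group ingress rules open to the world (checks 1 and 2).

Added example for this page, not Centilytics' or AWS's code. Input is shaped
like the IpPermissions entries returned by EC2 DescribeSecurityGroups. The
port-to-colour mapping below is an assumed policy, not an AWS-defined one.
"""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Assumed policy: database and remote-administration ports must never be
# world-open (red); ports applications commonly expose to the public are
# accepted (green); anything else is flagged for review (yellow).
RED_PORTS = {20, 21, 23, 1433, 1434, 3306, 3389, 5432, 5500, 6379, 27017}
GREEN_PORTS = {25, 80, 443, 465}


def is_world_open(perm):
    """True if the permission's source includes 0.0.0.0/0 or ::/0."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def rate_port_range(from_port, to_port):
    """Worst colour for any port in [from_port, to_port]."""
    if any(from_port <= p <= to_port for p in RED_PORTS):
        return "red"
    if all(p in GREEN_PORTS for p in range(from_port, to_port + 1)):
        return "green"
    return "yellow"


def classify_rule(perm):
    """Return (finding, severity) for a world-open permission, else None.

    "unrestricted_access" covers all-protocol rules and full-range TCP/UDP
    rules (check 2); "port_open" covers specific ports (check 1).
    """
    if not is_world_open(perm):
        return None
    proto = perm.get("IpProtocol")
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if proto == "-1" or (from_port, to_port) == (0, 65535):
        return ("unrestricted_access", "red")
    if proto in ("icmp", "icmpv6") or from_port is None or to_port is None:
        # ICMP rules carry type/code rather than ports; low risk, still worth a look
        return ("icmp_open", "yellow")
    return ("port_open", rate_port_range(from_port, to_port))


def audit_security_groups(groups):
    """Flatten DescribeSecurityGroups-shaped groups into a list of findings."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            result = classify_rule(perm)
            if result is None:
                continue
            finding, severity = result
            findings.append({
                "group": sg["GroupId"], "finding": finding, "severity": severity,
                "protocol": perm.get("IpProtocol"),
                "ports": (perm.get("FromPort"), perm.get("ToPort")),
            })
    return findings


# Constructed sample, shaped like the SecurityGroups list of the API response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # Only the IPv6 side is open: easy to miss when grepping for 0.0.0.0/0
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f)
```

The same rule classifier applies unchanged to the security groups attached to RDS instances and load balancers (checks 8 and 12), since they are ordinary VPC security groups; only the policy sets change.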

3. IAM Use

The "IAM Use" check examines whether you are using AWS Identity and Access Management (IAM) at all. IAM is the service used to create users, groups and roles in your AWS account, and to attach permissions that control access to AWS resources. The point of the check is that day-to-day work should be done with IAM identities (preferably roles) that carry only the permissions they need, not with the root account, whose access IAM policies cannot restrict.

4. Amazon S3 Bucket Permissions

Amazon Simple Storage Service (Amazon S3) buckets whose permissions grant open access should be checked, since they may contain confidential or critical data that is exposed to the public. Bucket permissions that grant List access to everyone can also lead to higher charges than expected if the objects in those buckets are fetched by unauthenticated, unwanted users at high frequency. Granting Upload and Delete access to everyone raises the risk further, because it allows any user at all to upload, modify or delete objects in the bucket. This check explicitly examines the bucket ACL; it does not evaluate the bucket policy, which may override those permissions, nor the account- and bucket-level S3 Block Public Access settings, which when enabled block public ACL grants regardless of what the ACL says. Review all three together before concluding that a bucket is private.
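The ACL side of that check, as an added example for this page (not the page's or AWS's code): the function below reads data shaped like the response of S3 GetBucketAcl (`aws s3api get-bucket-acl`), flags grants to the two public grantee groups, and rates them. The bucket ACLs are constructed, and the severity per permission is an assumed policy. As the text says, it looks at the ACL only; bucket policies and Block Public Access are separate checks.

```python
"""Flag public grants in S3 bucket ACLs (check 4).

Added example for this page, not Centilytics' or AWS's code. Input is shaped
like the GetBucketAcl response. Only ACL grants are evaluated here; a bucket
policy or S3 Block Public Access setting can override what the ACL says.
"""

# The two predefined grantee groups that mean "public".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Assumed severity: listing is a disclosure and cost problem; writing objects
# or rewriting the ACL lets a stranger alter data or grant themselves more.
SEVERITY = {
    "READ": "yellow",        # list the objects in the bucket
    "READ_ACP": "yellow",    # read the bucket ACL
    "WRITE": "red",          # upload, overwrite and delete objects
    "WRITE_ACP": "red",      # rewrite the ACL itself
    "FULL_CONTROL": "red",
}
ORDER = {"green": 0, "yellow": 1, "red": 2}


def public_grants(acl):
    """Return [(grantee_kind, permission, severity)] for every public grant."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            kind = "everyone"
        elif uri == AUTHENTICATED_USERS:
            kind = "any_aws_account"   # any AWS account in the world, not just yours
        else:
            continue                   # e.g. the LogDelivery group
        perm = grant["Permission"]
        out.append((kind, perm, SEVERITY.get(perm, "yellow")))
    return out


def audit_bucket_acls(acls):
    """Map bucket name -> worst severity among its public grants ('green' if none)."""
    result = {}
    for name, acl in acls.items():
        worst = "green"
        for _, _, sev in public_grants(acl):
            if ORDER[sev] > ORDER[worst]:
                worst = sev
        result[name] = worst
    return result


# Constructed sample: bucket name -> GetBucketAcl-shaped response.
SAMPLE_ACLS = {
    "private-logs": {"Owner": {"ID": "owner"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    ]},
    "public-site": {"Owner": {"ID": "owner"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "dropbox": {"Owner": {"ID": "owner"}, "Grants": [
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
}

if __name__ == "__main__":
    for bucket, colour in audit_bucket_acls(SAMPLE_ACLS).items():
        print(bucket, colour, public_grants(SAMPLE_ACLS[bucket]))
```

"AuthenticatedUsers" is the grant that surprises people most: it sounds like "my users" but means anyone holding any AWS credential, which is effectively public.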

5. MFA on Root Account

Your AWS root account should be examined, and a warning raised if multi-factor authentication (MFA) is not enabled on it. As part of advanced security, a CMP should recommend securing the account by enabling MFA, so that a user must enter a unique authentication code from a hardware or virtual MFA device when signing in to the AWS console and related sites. Root should be used only for the few tasks that require it, and its MFA device, ideally a hardware one, kept somewhere safe.

6. IAM Password Policy

The account's password policy is checked, and a severity warning is raised if no password policy is set or if the password content requirements (minimum length, required character classes, reuse prevention, expiry) have not been defined or enabled. Checking the content requirements matters because strong user passwords contribute to the overall security of your AWS infrastructure. When the password policy is changed, the new requirements apply immediately to new users; existing users are not forced to change their passwords, and the new rules take effect for them only when they next change their password (or when password expiration, if enabled, forces a change).

7. Tagged-Untagged Resources

The security audit should check the resources in your AWS cloud against the tag settings the user has configured. EC2 resources can be tagged or categorized with (key, value) tags, which are used for resource analysis and monitoring. This check identifies the association between your resources and the user-configured tags and, according to severity, reports one of the following three statuses for your resources (tagged or untagged):

  • Green: The user has not configured any tags in the settings but some resources are tagged, OR the user has configured tags in the settings and all resources are tagged accordingly.
  • Yellow: The user has not configured any tags in the settings and no resources are tagged.
  • Red: The user has configured some tags in the settings, but some resources do not have the configured tags.
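The three statuses above, implemented as an added example for this page (not the page's or any vendor's code). The resources are shaped like the Tags list EC2 returns per instance, the required keys stand in for the "tags configured in the settings", and both are constructed.

```python
"""Rate resources against user-configured tag keys (check 7).

Added example for this page, not Centilytics' or AWS's code. Implements the
green/yellow/red rules exactly as listed in the text; the fleet and the
required keys below are constructed.
"""


def tag_status(required_keys, resources):
    """Return (colour, missing) where missing maps resource id -> sorted absent keys.

    required_keys: tag keys the user configured (may be empty).
    resources: [{"id": ..., "Tags": [{"Key": ..., "Value": ...}, ...]}, ...]
    """
    required = set(required_keys)
    missing = {}
    any_tagged = False
    for r in resources:
        keys = {t["Key"] for t in r.get("Tags", [])}
        any_tagged = any_tagged or bool(keys)
        lacking = sorted(required - keys)
        if lacking:
            missing[r["id"]] = lacking
    if not required:
        # Nothing configured: green if some tagging happens at all, else yellow.
        return ("green" if any_tagged else "yellow"), {}
    # Keys configured: red if any resource lacks one of them, else green.
    return ("red" if missing else "green"), missing


# Constructed sample fleet.
FLEET = [
    {"id": "i-0a", "Tags": [{"Key": "Owner", "Value": "payments"}, {"Key": "Env", "Value": "prod"}]},
    {"id": "i-0b", "Tags": [{"Key": "Env", "Value": "dev"}]},
    {"id": "i-0c", "Tags": []},
]

if __name__ == "__main__":
    print(tag_status([], FLEET))
    print(tag_status(["Owner", "Env"], FLEET))
```

Returning the absent keys per resource, not just the colour, is what makes the red result actionable: an untagged instance with no Owner is also the one nobody will claim during an incident.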

8. Amazon RDS Security Group Access Risk

The security group configurations of Amazon Relational Database Service (Amazon RDS) instances are examined explicitly, and a warning is raised if a security group rule grants, or is likely to grant, excessive access to your database. Any security group rule for a database should grant access only from specific Amazon Elastic Compute Cloud (Amazon EC2) security groups or from a particular IP address, never from 0.0.0.0/0; a database port reachable from the internet is the classic starting point of a data breach.

9. AWS CloudTrail Logging

This check examines your use of AWS CloudTrail. CloudTrail gives visibility into the activity in your AWS account by recording the AWS API calls made on the account and the identity that made them. You can use these logs to identify which users performed which actions on a specific resource during a particular time period, which is the starting point of almost every incident investigation. Since CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, the bucket policy must grant CloudTrail permission to write to that bucket; if it does not, delivery fails and the audit trail stops. Enable a trail that covers all regions, and protect the log bucket against deletion and tampering.

10. Amazon Route 53 MX and SPF Resource Record Sets

An SPF (Sender Policy Framework) record publishes the list of servers that are authorized to send email for your domain. For every Amazon Route 53 MX resource record set, the check looks for a corresponding SPF record, since SPF helps minimize spam by detecting and preventing spoofing of email addresses from your domain. Publish the policy in a TXT record beginning with "v=spf1": the dedicated SPF record type was retired by RFC 7208 and most receivers ignore it, and a domain must have exactly one SPF policy, because receivers treat duplicates as a permanent error.
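How such a check can be written against Route 53 data, as an added example for this page (not the page's or AWS's code): the input is shaped like the ResourceRecordSets list returned by ListResourceRecordSets (`aws route53 list-resource-record-sets`), and the zone below is constructed. Each name that has an MX record is rated green (one SPF policy in TXT), yellow (policy only in the deprecated SPF type) or red (none, or more than one).

```python
"""Check that every Route 53 MX name has one SPF policy in TXT (check 10).

Added example for this page, not Centilytics' or AWS's code. Input is shaped
like ListResourceRecordSets output; the zone below is constructed.
"""


def _txt_values(rrset):
    """Route 53 stores TXT values quoted, long ones as "part" "part"; undo that."""
    return [rr["Value"].replace('" "', "").strip('"')
            for rr in rrset.get("ResourceRecords", [])]


def spf_status(rrsets):
    """Return {name: 'green'|'yellow'|'red'} for every name that has an MX record."""
    by_name = {}
    for rs in rrsets:
        by_name.setdefault(rs["Name"].lower(), {}).setdefault(rs["Type"], []).append(rs)

    status = {}
    for name, types in by_name.items():
        if "MX" not in types:
            continue
        txt_spf = [v for rs in types.get("TXT", []) for v in _txt_values(rs)
                   if v.lower().startswith("v=spf1")]
        if len(txt_spf) == 1:
            status[name] = "green"
        elif len(txt_spf) > 1:
            status[name] = "red"      # several policies: receivers return permerror
        elif types.get("SPF"):
            status[name] = "yellow"   # only the retired SPF type: most receivers ignore it
        else:
            status[name] = "red"      # mail domain with no policy at all
    return status


# Constructed zone.
SAMPLE_ZONE = [
    {"Name": "example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 inbound-smtp.eu-west-1.amazonaws.com"}]},
    {"Name": "example.com.", "Type": "TXT",
     "ResourceRecords": [{"Value": '"v=spf1 include:amazonses.com -all"'}]},
    {"Name": "legacy.example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 mail.legacy.example.com"}]},
    {"Name": "legacy.example.com.", "Type": "SPF",
     "ResourceRecords": [{"Value": '"v=spf1 mx -all"'}]},
    {"Name": "shop.example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 mail.shop.example.com"}]},
    {"Name": "shop.example.com.", "Type": "TXT",
     "ResourceRecords": [{"Value": '"google-site-verification=abc123"'}]},
    {"Name": "www.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "198.51.100.10"}]},
]

if __name__ == "__main__":
    print(spf_status(SAMPLE_ZONE))
```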

11. ELB Listener Security

This check detects load balancer listeners that are not using the secure configurations recommended for encrypted client-to-load-balancer communication. Configure the front-end connections (client to load balancer) with a secure protocol (HTTPS or SSL), strong ciphers and an up-to-date security policy, so that requests between your clients and the load balancer are encrypted in transit. Elastic Load Balancing provides a set of predefined security policies, with ciphers and protocols that follow AWS security best practices; prefer a current predefined policy over a custom one unless you have a specific compatibility need.

12. ELB Security Groups

This check looks at load balancers for misconfigured or missing security groups, and for security groups that allow access to ports other than those the load balancer's listeners use, which would expose your data to attack. If a security group attached to a load balancer is deleted, the load balancer will not function properly.

13. CloudFront Custom SSL Certificates in the IAM Certificate Store

This check examines the SSL/TLS certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if a certificate has expired, is about to expire, uses outdated encryption, or is not configured correctly for the distribution. If the custom certificate for an alternate domain name expires, browsers displaying your CloudFront content show a warning. If a certificate's domain names match neither the origin domain name nor the domain name in the Host header of viewer requests, CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

14. CloudFront SSL Certificate on the Origin Server

This check examines the SSL/TLS certificate on your origin server and reports whether it has expired, is about to expire, uses obsolete encryption or is missing. If the origin certificate expires, CloudFront returns HTTP status code 502 (Bad Gateway) in response to requests for your content.

15. IAM Access Key Rotation

Centilytics' Security Audit recommends that access keys be rotated regularly, within the recommended period, to protect resources from unauthorized access; a key that has been valid for years has had years to leak. The creation date of the most recently created active access key is taken as the last rotation date. Ninety days is a common threshold for a warning, and long-lived keys should be replaced by IAM roles wherever the workload can assume one.
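Checks 5 and 15 can both be driven from the IAM credential report, which is what the added example below does (example code for this page, not Centilytics' or AWS's). The CSV is a constructed sample in the column layout of the report returned by IAM GetCredentialReport (`aws iam get-credential-report`); the 90-day threshold and the fixed audit time are assumptions.

```python
"""Stale access keys and missing MFA from an IAM credential report (checks 5, 15).

Added example for this page, not Centilytics' or AWS's code. The CSV is a
constructed sample with the columns of IAM GetCredentialReport; NOW and the
90-day threshold are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)                    # assumed rotation period
NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)    # assumed audit time

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-06-01T00:00:00+00:00,true,2024-03-10T08:00:00+00:00,2024-01-15T00:00:00+00:00,2024-04-14T00:00:00+00:00,true,true,2024-02-20T00:00:00+00:00,2024-03-10T08:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-05-05T00:00:00+00:00,true,2024-03-11T07:30:00+00:00,2023-12-01T00:00:00+00:00,2024-02-29T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-03-01T00:00:00+00:00,2024-03-11T12:00:00+00:00,eu-west-1,ec2,true,2023-11-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def _parse_ts(value):
    """The report uses N/A / not_supported / no_information for absent dates."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return [(user, key_slot, age_days)] for active keys older than max_age."""
    stale = []
    for row in _rows(report_csv):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = now - rotated
            if age > max_age:
                stale.append((row["user"], int(slot), age.days))
    return stale


def root_mfa_enabled(report_csv):
    """Check 5: the root row reports mfa_active like any other identity."""
    for row in _rows(report_csv):
        if row["user"] == "<root_account>":
            return row["mfa_active"] == "true"
    raise ValueError("report has no <root_account> row")


def console_users_without_mfa(report_csv):
    """IAM users who can sign in with a password but have no MFA device."""
    return [row["user"] for row in _rows(report_csv)
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    print("root MFA:", root_mfa_enabled(SAMPLE_REPORT))
    print("no MFA:", console_users_without_mfa(SAMPLE_REPORT))
    print("stale keys:", stale_access_keys(SAMPLE_REPORT))
```

The report is the cheapest place to answer both questions in one call, and the last-used columns tell you whether a stale key can simply be deleted (never used) or must be rotated with a handover (used daily by a bot).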

16. Exposed Access Keys

An exposed access key can compromise your account, violating the AWS Customer Agreement and, worse, incurring high unexpected charges from illegitimate activity such as cryptomining. This check looks for your access keys exposed in popular public code repositories, and for irregular Amazon EC2 usage that could indicate a compromised key. AWS can partially protect your account from unauthorized access by blocking the ability to create certain resources while an exposure is investigated, but the key itself must be deactivated and replaced by you: deleting it from the repository is not enough, since it remains in the history and public keys are typically harvested within minutes of being pushed.
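The repository side of this check, as an added example for this page (not the page's or AWS's scanner): a small scanner for AWS credentials in text such as source files or `git diff --cached` output, suitable for a pre-commit hook. The key ID pattern follows the published AWS formats (AKIA for long-term IAM user keys, ASIA for temporary STS keys); the secret-key pattern is a heuristic on length and character set gated on an assignment context. The sample files are constructed and use the example credentials AWS publishes in its own documentation, not real ones.

```python
"""Scan text for leaked AWS credentials (check 16).

Added example for this page, not Centilytics' or AWS's code. The sample file
contents are constructed; the credential values in them are the example
values from the AWS documentation, not real keys.
"""
import re

# Long-term keys start with AKIA, temporary STS keys with ASIA; 20 chars total.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-like chars. Requiring an assignment to a
# secret-ish name keeps hashes and random tokens from matching.
SECRET_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret[_-]?key|secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def _mask(value):
    """Keep only the first and last four characters for reporting."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, source="<stdin>"):
    """Return findings as (source, line_no, kind, masked_value)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((source, n, "access_key_id", _mask(m.group(1))))
        for m in SECRET_RE.finditer(line):
            findings.append((source, n, "secret_access_key", _mask(m.group(1))))
    return findings


def scan_files(files):
    """files: {path: contents}. Returns the concatenated findings."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(files[path], path))
    return out


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment; never commit it.\n",
    "build.log": "sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 ok\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Masking in the report matters: a scanner that prints the full secret into CI logs has just created a second leak. When a hit is real, deactivate the key in IAM first and rewrite history second.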

17. Amazon EBS Public Snapshots

The permission settings of your Amazon EBS (Elastic Block Store) snapshots are checked, and you are notified if any snapshot of an EBS volume is open to the public. A public snapshot can be copied by any AWS account, which exposes everything the volume contained, including any credentials or data stored on it. Keep snapshots private and, where sharing is needed, share them explicitly with specific AWS account IDs rather than with everyone.

18. Amazon RDS Public Snapshots

Similarly, the permission settings of your Amazon Relational Database Service (Amazon RDS) DB snapshots are examined, and alerts are sent to you if any snapshot is open to the public. A public DB snapshot lets any AWS account restore a full copy of your database. Keep RDS snapshots private and share them only with the specific AWS account IDs that need them.


Cloud Evangelist
Cloud Evangelists are CMI's in house ambassadors for the entire Cloud ecosystem. They are responsible for propagating the doctrine of cloud computing and help community members make informed decisions.
