Cloud technology has seen an unprecedented rise in recent years, with big players like Amazon and Microsoft investing in innovative offerings. Platforms like AWS (Amazon Web Services) have made it much easier for IT departments to manage their infrastructure.
Of course, this has created new challenges and driven a need for AWS security. Now, support specialists don't physically install hardware and upgrade a server's memory. Instead, they can make upgrades via an online interface to alter the configuration settings. This way, IT teams can scale their projects on demand to accommodate database growth or increased website traffic.
AWS offers many built-in security features, making it a popular Infrastructure as a Service (IaaS) platform. However, proper configuration of the cloud environment and AWS security settings is a must. There are also a number of third-party resources and cloud security tools, such as cloud data loss prevention (DLP) solutions, that help companies bolster their data security in their AWS environments. For instance, many companies invest in cloud security monitoring solutions like Digital Guardian's Cloud Data Protection to maintain visibility and identify potential vulnerabilities in their cloud infrastructure. With proper cloud security monitoring and rapid incident response and mitigation efforts, companies can avoid costly cloud data breaches.
Cloud computing comes with many benefits, but if security concerns have been holding you back from moving to the cloud, we've rounded up 50 expert AWS security tips below to help you keep your sensitive data secure in your AWS environments.
Table of Contents
- Basic AWS Security Practices
- Best Practices for Securing Your AWS Accounts
- Best Practices for AWS Infrastructure Security
- AWS Security Hub Best Practices
- Best Practices for Custom Applications Security
- Best Practices for Using AWS Security Groups
Basic AWS Security Practices
1. Use the Advisor Tool
It is recommended to use the AWS Trusted Advisor tool that offers a snapshot of your company's services and thus helps you recognize security misconfigurations. It will allow your team to follow AWS best practices by examining the AWS environment and offers recommendations for improving system performance to optimize your infrastructure, as suggested in an AWS Security Best Practices white paper by Amazon. Twitter: @awscloud
2. Categorize AWS assets
Recognize the information assets that need protection and categorize them so you can grant them the right type of security. Assets can be of two types:
- Essential elements: Web apps, customer financial data, customer personal data, etc.
- Secondary components: Software, personnel, partner organizations, etc.
When you categorize them, it becomes easier to prioritize their security requirements, as recommended in an AWS Security Best Practices white paper. Twitter: @awscloud
3. Design your company's Information Security Management System (ISMS)
Once your AWS assets are identified and categorized, you need to determine a standard for ISMS. This standard will help you implement, operate, monitor, review, maintain, and improve your security on AWS. This AWS Security Best Practices white paper by Amazon describes a phased approach for designing ISMS. Twitter: @awscloud
4. Manage AWS Accounts, Groups, and Roles
Since your AWS account is powerful and has root permissions, it is not advisable to use that account for daily AWS interactions. Instead, you can create IAM users and assign each user unique security credentials. An IAM user can be a person, application, or a service that requires access to certain AWS resources. You can create individual IAM users and assign fine-grained permissions, depending on the resources they need.
It's important to ensure that all users have appropriate permissions. They should have access to the required resources but not more than that. You can use IAM to make sure all users have correct permissions. You can either grant permissions directly to IAM users under the AWS account or create groups and assign users to those groups, as explained by Jack Naglieri. Twitter: @jack_naglieri
5. Design your AWS strategy to maximize security
You can centralize information security management for a single AWS account and thus reduce overhead. If you have three AWS accounts, you can have one account for development, one for production-related services, and third for testing. For multiple AWS accounts, you can have separate accounts for every autonomous organization part and determine the appropriate policies and permissions accordingly, as suggested in this article by Mercury Works. Twitter: @Mercury_Works
6. Manage AWS credentials
AWS accounts have their own unique identities and credentials. One good way to keep your account protected is to not have an access key for the root user AWS account. However, if you DO need a root access key, do not generate one. As an alternative, create multiple AWS IAM users. Assign necessary permissions to these IAM users and use these accounts to interact with AWS.
If you have already generated an access key, identify the places where you are using the key. Replace this access key with the IAM user key. Once all keys are replaced, disable the root access key, as recommended by this reference guide from Amazon AWS. Twitter: @awscloud
7. Use IAM roles for delegation and temporary security credentials
You might need to delegate system access to users that don't generally have AWS access. The best way to do this is by defining IAM roles. IAM roles are a set of temporary permissions or security credentials that can be assigned to users. They come with a configurable expiration date and can be automatically rotated. Using these temporary credentials means you don't have to worry about revoking the permissions when they are no longer needed. Since they can be automatically rotated, the same role can be assigned to another user on a rotational basis, as suggested in this article by Digital Cloud Training. Twitter: @DigitalCloudT
8. Use resource access authorization
Once an IAM role is authenticated, it can access system resources. You can ensure resource authorization using capability policies or resource policies. These IAM policies can restrict access to a particular source IP range, during specific times of the day, or even on specific days. You can set other conditions as well, and the resources will not be allocated based on those conditions, as this AWS Security Best Practices whitepaper explains. Twitter: @awscloud
9. Store encryption keys in the cloud
Digital security depends on encryption keys. When you keep your encryption keys in the cloud, you need to keep them secure. AWS offers key management to ensure your environment stays secure and minimize the data loss risk even if there's a breach.
According to this article by Townsend Security, the best practice is to use a virtual encryption key manager. This way, you'll be able to cut costs, minimize your IT footprint, and have your keys always readily available to you. Twitter: @townsendsecure
10. Protect your data at rest
Your data at rest might be stored in Amazon EBS, Amazon S3, or other AWS services. It's best to protect it for business or regulatory reasons, as suggested in this blog article by Cloud Security Alliance. To protect it, you can define policies for access control, data classification, and retention/deletion. Also, classify your data and make sure it's stored in the right AWS region. You can also use geo-restriction to stop certain users from accessing geo-based content. Encrypt the data at rest to make sure it's safe. Other security mechanisms you can use are access management and security credentials. Twitter: @cloudsa
11. Decommission the data securely
When you delete data from AWS, the underlying files on physical media are not decommissioned. Instead, it marks the storage blocks as unallocated. AWS reassigns these blocks elsewhere. It is a secure process, but there might be regulatory reasons for you to decommission that data. You can encrypt the data at rest with the help of customer-managed keys that are not kept in the cloud, according to this AWS Security Best Practices whitepaper. Twitter: @awscloud
12. Protect your data in motion
To protect your data as it moves, make sure it's encrypted using SSL/TLS or IPSec ESP, as suggested in this blog article by Cloud Security Alliance. All administrative access should be encrypted using strong mechanisms to secure your remote system management. Apart from this, data integrity can be authenticated using IPSec ESP/AH. The remote end can be authenticated using IPSec with IKE. If you run Windows servers, you can use X.509 certificates, and for Linux servers, you can use SSH version 2. Twitter: @cloudsa
13. Secure the applications on multiple operating systems
AWS lets you use the shared responsibility model to manage applications and operating systems securely. Use the virtual computing environment with Amazon EC2 to launch application instances on several operating systems. It is a good practice to create your standards for application builds and manage them from a central location. It lets you manage the security of the applications and operating systems from a single secure repository, as suggested by Plural Sight. Twitter: @pluralsight
14. Protect your system from malware
You need to protect your cloud assets just like you would protect your conventional infrastructure from outside threats, according to this article by Onix. These threats can be viruses, malware, rootkits, spam, and botnets. Customers get sets of security protocols depending on the AWS services they choose. As a customer, cloud security means protecting your applications and data that are set up in AWS. You also need to ensure the user accounts are protected by encouraging them to use strong passwords and two-factor authentication. Twitter: @OnixNetworking
15. Mitigate abuse and compromise
There could be some malware on your system that can cause harm to other internet applications and websites. This will result in an AWS abuse warning. If you get such a warning notice, you must immediately investigate the matter with the help of your operational and security staff. One simple thing to do is to categorize all assets based on their regions using a spreadsheet, according to a blog post published on the Amazon AWS website. This will be helpful when you have to respond to such sudden notices. You can also automate the response to abuse alerts. Twitter: @awscloud
16. Manage security monitoring
In the shared responsibility model, everyone is required to monitor and manage the environment at the layer they are working on. Security monitoring can be done by recognizing measurable parameters, finding a threshold for these parameters, and determining the escalation process. It's important to log the processes so they can be audited later, as suggested by this AWS Security Best Practices whitepaper . Twitter: @awscloud
Best Practices for Securing Your AWS Accounts
17. Use accurate contact information in AWS
When AWS contacts you regarding your account, you use the contact details given in the AWS management console. All the contact information should be accurate, including the email address. It's important to regularly check the contact information to verify that it is working and you're able to respond to important emails, especially the ones regarding security notifications. Some of them might come from [email protected]. Set alternate contacts so someone can receive important updates even if you're unavailable, as suggested by Nathan Case in this blog post. Twitter: @awscloud
18. Use MFA (Multi Factor Authentication)
When you use MFA, you can protect your account even if someone gains access to your password. It's important to set up MFA, especially on your root user and privileged IAM users. If you have users that have permissions to access sensitive resources, there should be MFA on their accounts. MFA is even more important if your business has multiple accounts and a user needs access to all of them.
When you enable MFA, users will have to enter their username, password, and an authentication code whenever they try to sign in. With multiple authentication factors, AWS resources become more secure, according to this article on TechTarget. Twitter: @TTintheCloud
19. Don't hard code secrets
When building apps on AWS, companies can use AWS IAM roles to develop temporary credentials to call AWS services. However, some apps need not-so-temporary credentials (such as API keys or database passwords). If that's the case, make sure you do not hard code these keys or passwords in the app. Also, do not keep these secrets in the source code, as suggested by this article on the Amazon AWS blog. Twitter: @awscloud
20. Act on findings
Managed AWS services such as AWS Security Hub and IAM Access Analyzer will give you actionable findings in your accounts. It's easy to turn them on and integrate them across several accounts. Once you get findings from these services, you need to take action on them, such as notifying the appropriate person. These findings could be unexpected activities or possible security issues. You can also automate the process of responding to certain findings, as this article on World Wide Technology recommends. Twitter: @wwt_inc
21. Participate in the dev cycle
When you participate in the dev cycle, you instill a security culture in your organization. When you get involved in the processes, you can help your team raise the security bar. It's important to keep in mind that security is everybody's job and not just the people on the security team. While the security team is vital to every organization, companies should implement security in all processes, as suggested by this article on the Amazon AWS blog. Twitter: @awscloud
22. Rotate the keys
Security Hub lets you view the compliance of all your AWS accounts using CIS benchmarks. It also lets you search for IAM users that have access keys older than 90 days. If you rely on access keys instead of roles, it's best to rotate the keys regularly, as recommended by this article published on Medium. Twitter: @Medium
Best Practices for AWS Infrastructure Security
23. Tighten the security configurations of CloudTrail
You can create a trail to keep a record of events going on in your AWS account and get history information for 90 days from CloudTrail. However, it's not permanent, and it doesn't record all kinds of events. If you need an ongoing record of all types of events, you need to create a trail that will deliver log files to a specific Amazon S3 bucket, according to a blog post published on the Amazon AWS website. For this, you need to configure the trails and you'll be able to log events in all your AWS regions. Twitter: @awscloud
24. Follow IAM best practices
IAM is the first step towards having secure cloud resources. You can follow practices such as strong passwords and multi-factor authentication. Also, timely audits will help you remove unused credentials and reduce the chances of a security breach, as suggested by this blog post published on Cloud Checkr. You can define custom policies or use AWS-defined policies, which are made in accordance with common IT functions. Twitter: @cloudcheckr
25. Create timely backups
Backups should be made regularly and frequently. If your backups are not timely, you might lose a large chunk of data in an unforeseen event such as database corruption, accidental erasing of data, or a natural disaster. Since backups are duplicate data, it just adds to redundancy. You can use AWS Backup to centralize and simplify the process, as suggested by this blog article by Data Floq. AWS Backup can be completely automated using policies. Twitter: @datafloq
26. Follow best practices for using Amazon VPC
Amazon Virtual Private Cloud (VPC) provides a private area that's isolated from other customers. It also has layer 3 isolation from the internet. You can make VPC IPSec to integrate with your VPC resources securely. VPC IPSec offers transparent services and high-level protection for your apps, but you still might want to implement additional protection techniques such as SSL/TLS over IPSec. There are several configurations of VPC so you can select the right architecture implementation for your organization, as recommended by this guide published on Cloud Academy. Twitter: @cloudacademy
27. Use network segmentation and security zoning
It's a good idea to segment your infrastructure into various zones with similar security controls. Most of the AWS infrastructure is run by AWS security and operational teams. However, you can build infrastructure components as well. For example, with network segmentation, you can isolate one network from the others. A security zone can create a set of components that have the same security level. This way, you can create segments of your entire infrastructure, as suggested by this article on Security Intelligence. Twitter: @ibmsecurity
28. Strengthen network security
With the shared responsibility model, AWS securely configures all infrastructure components such as routers, switches, and data networks, etc. The access control to the cloud lies in your hands. You can configure network security with Amazon VPC and by securing inbound and outbound network traffic, as suggested by an article published by Search Cloud Security. You can use Network Access Control Lists (NACLs) and security groups to secure your network within AWS. Twitter: @SearchSecurity
29. Secure the periphery systems such as DNS
DNS is an important part of your infrastructure and thus forms an essential element of your security management plan. If you do not secure your DNS systems, malicious entities can intercept the DNS client traffic. If your infrastructure lacks basic controls, even simple methods like spoofing can lead to a data breach. You can use SSL/TLS for additional protection. Many AWS customers opt for Amazon Route 53, a secure DNS service. But if you need internal DNS, you can implement a custom DNS solution based on an Amazon EC2 instance, as suggested by this whitepaper published on the Amazon AWS website. @awscloud
30. Build threat protection layers
Layered security is often considered to be the best practice in AWS for protecting the infrastructure, particularly the networking infrastructure. You can use a mix of firewall rules, Amazon VPC, network access control lists, and security groups in the cloud to create a layered network security solution. These threat protection layers will add more security to your data , as suggested by this AWS Security Best Practices whitepaper. Twitter: @awscloud
31. Test security
All Information Security Management Systems (ISMS) should conduct regular reviews of security policies and controls. It protects the infrastructure from possible attacks, so the controls should be effective against new vulnerabilities and threats, as suggested by an article published on Apriorit. Twitter: @apriorit
32. Manage metrics
It's important to measure the effectiveness of the ISMS. With the help of certain metrics, you can see how the security controls are keeping the environment protected. You need quantitative and qualitative metrics for proper risk management. Some best practices include quickly detecting errors in processing and identifying attempted security breaches, as suggested in this whitepaper by AWS. Twitter: @awscloud
33. Protect against DoS and DDoS
Businesses offering online applications run a risk of a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. It's important to mitigate these risks. One way to do this is by minimizing the area that can possibly be attacked, as suggested in this AWS article. This can be done by placing your resources behind load balancers or Content Distribution Networks (CDNs). This way, you can restrict direct traffic to your database servers. You can also use a Web Application Firewall (WAF) to protect against certain attacks such as a cross-site request or SQL injections. Twitter: @awscloud
AWS Security Hub Best Practices
34. Use AWS Labs script
AWS can help you automate AWS Security Hub processes by adding your script to AWS Labs. For example, you can turn on/off the Security Hub in your AWS accounts in all regions using your AWS Labs scripts. You can also use them to establish the existing Amazon GuardDuty hierarchy, as suggested in an article by Jacek Biernat. AWS Lab script is available on GitHub along with step-by-step instructions to automate the process. Twitter: @lcloudpl
35. Enable AWS Config
Turn on AWS Config in your AWS regions and accounts. Also, enable the AWS CIS Foundations if not enabled already. When Security Hub is enabled in a region, the CIS standard checks are also enabled by default. In this article, Bruce Cutler recommends that it's best to leave them enabled as they implement security measures and are applicable in all AWS accounts. Twitter: @SlalomBoston
36. Use managed IAM policies
You can use different IAM policies for different types of Security Hub users. This means you can give the right permissions to your employees. While these policies are maintained by AWS and are already present in your account, you can also create custom policies. By default, only the owner of the account gets access to the Security Hub resources. You can give extra permissions to certain users, depending on your requirements. Keep in mind that only the most trusted users should be granted Security Hub write permissions, Jacek Biernat suggests. Twitter: @lcloudpl
37. Use tags for access control
You can assign metadata tags to Security Hub resources. Each tag contains a key and key value that will let you identify and manage AWS resources. With tags, you can manage all resources that are given the same tag and you can assign a particular function to them. Tagging is a simple method to categorize the elements of your infrastructure. You can also automate the tagging process and keep tagging policies at scale.
According to best practices, nametags serve as unique identifiers, allowing every resource with a nametag to be manipulated individually. This is especially important if the same resource is available in multiple numbers, as suggested in an article by TotalCloud. Twitter: @totalcloudio
38. Integrate your security products
There are many tools you can use to augment the security of AWS accounts. And some tools have their own findings – in their own formats. Security Hub normalizes and integrates the findings from AWS services as well as third-party providers using a standard format, so the security teams don't have to convert the findings to the right format. You can use partner products like Slack, Splunk, and PagerDuty to receive the findings from Security Hub, according to a blog post published on the Amazon AWS website. Twitter: @awscloud
39. Resolve findings automatically
You can automate AWS testing tasks such as scanning and enumeration to save time and resources, reduce error rates, and increase efficiency. All findings are automatically sent from Security Hub to Amazon CloudWatch Events. It helps you by automating your responses to threats and lets you take the right action through AWS Systems Manager Automation documentation. With the help of these tools, you can have your custom incident handling plan and thus have better security for your AWS environment, according to an article by CloudSecOps. Twitter: @cloudsecops
40. Create custom actions
You can also create custom actions such as sending a copy of Security Hub findings to an internal or external AWS resource. You can create custom actions using Security Hub to send findings to places such as email, chat, or an automated remediation system. You can also send custom actions to your own AWS resources, as suggested in this article by AWS. Twitter: @awscloud
41. Customize the insights
Use the 'managed insights' to customize your insights, such as security events that require your attention and intervention, and to prioritize your resources. While you can't alter AWS managed insights, you can create your own customized insights to track security issues in a better way and to mitigate the risks related to the AWS environment, as this article on World Wide Technology recommends. Twitter: @wwt_inc
Best Practices for Custom Applications Security
42. Involve the security team throughout the development lifecycle
Since security must be implemented throughout the development lifecycle of the app and not as a separate process, the IT security team should be involved throughout the lifecycle. This way, you can ensure the system is protected from threats. Weaknesses can be detected at each stage and data loss or theft can be avoided. DevOps should invite the testing methodologies and tools of the security team when generating production code, as suggested in a blog post by Edology. Twitter: @EdologyOnline
43. Grant the minimum privileges to application users
Any program, user, or process should be allowed only the bare minimum privileges that are required to perform its function. When there are overly permissive users or processes, it increases the risk of a data breach or data loss. Make sure your AWS credentials are kept secret and specific point-of-use credentials have the minimum privileges, as Digital Guardian recommends. Twitter: @DigitalGuardian
44. Use a single set of policies for data loss prevention
All policies across custom applications should be consistent. It's best to use a single data loss prevention policy engine, incident detection, and remediation. This way, your organization can get better operational efficiency. Data Loss Prevention consists of protocols and tools that can be used by an organization to avoid data theft, unauthorized access, or malicious loss. These tools and policies should be used in any AWS architecture to ensure the security of data and the application being developed, as Digital Guardian recommends. To develop a data loss prevention policy, an organization first needs to identify the data they need to protect. The best way to do this is to categorize and prioritize the data that needs to be protected. It's important to define the role of people or processes that will be involved in data loss prevention. Twitter: @DigitalGuardian
Best Practices for Using AWS Security Groups
45. Configure AWS VPC Flow Logs
Configure AWS VPC Flow Logs to capture accept/reject entries that flow through the security groups. These VPC Flow Logs should be enabled and the security team can scan their entries to find attack patterns and detect abnormal activities inside the VPC. It can also provide insights to help the security team to protect data from further attacks, according to this article published on DZone. Twitter: @DZoneInc
46. Establish naming conventions
Establish naming conventions for your AWS security groups that follow enterprise standards so it's easy to navigate and manage your groups across multiple environments. Keep your naming standards internal and choose a naming convention that's not self-explanatory for an added layer of security against hackers, 8KMiles suggests. Twitter: @8KMiles
47. Lower the number of your discrete security groups
Many sources can cause an account compromise, including misconfigured groups. When you lower the number of your discrete security groups, your organization can mitigate the risk of a threat due to a misconfigured account, according to the tutorial published on Cloud Security Alliance. Twitter: @cloudsa
48. Remove unused security groups
As you create security groups for different processes, there might be some groups that are left unused. These are the groups that are not attached to any instance. Deleting such groups will ensure that your AWS environment is clean. This will also reduce the risk of accidentally attaching the group to an instance and thus opening the environment to possible attacks. If you delete a group and need it again later, it can be recreated by just making an API call, as suggested in an article by Fugue. Twitter: @FugueHQ
49. Assign policies to groups instead of individual users
Instead of assigning policies to individual users, it's best to create individual IAM users and assign them to groups. The policies can then be attached to the groups, as suggested in this AWS user guide. This way, policies can define the group permissions, allowing the group users access to specific AWS resources. It becomes easy to fine-tune a policy when it is attached to a group instead of particular users. Twitter: @awscloud
50. Create email alerts for critical notifications
Set up email alerts that can be triggered when a rule or an entity in a critical security group is deleted, modified, or added. If the threats are recognized in time, they can avert a big data loss or data breach, as suggested in an article published by 8KMiles. Timely detection will help your security team implement the right response and help in audit purposes as well. Twitter: @8KMile
