Security is the first “pillar” in the AWS Well-Architected Framework (WAF), probably because, “Is it safe?” is the first question companies ask when considering migrating infrastructure, services and applications to the cloud. AWS, like all cloud providers, operates on a shared security model. This means that AWS is responsible for the security of the cloud, and users are responsible for the security of what’s in the cloud–their content and applications that make use of AWS services.
According to Amazon’s AWS WAF documentation, “the Security pillar encompasses the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.”
The WAF security pillar emphasizes five areas of concern: Identity and Access Management, Detective Controls, Infrastructure Protection, Data Protection, and Incident Response. This blog will look at each area and review the AWS tools and best practices that can be used to address each one.*
- Identity and Access Management–this is about creating robust AWS credentials and creating “fine-grained” access and authorization policies to cloud resources.
- Administrators can set up password requirements and enable federation among trusted system. When federation isn’t practical, you can dynamically create temporary credentials that in turn can be used to access AWS APIs.
- For fine grained authorization, AWS supports groups that enable categories of users to be granted access only to those resources they need.
- Detective Controls–these controls are used to identify possible security incidents. AWS offers two kinds of detective controls–capturing and analyzing logs, and integrating auditing controls with notification and workflow.
- The AWS best practice is to use CloudTrail to log service activity and to capture API activity globally. This makes it possible to centralize the data for storage and analysis. If you direct CloudTrail logs to Amazon CloudWatch Logs or other endpoints, so you can receive events in a consistent format across compute, storage, and applications.
- To integrate auditing controls with notification and workflow, AWS recommends using CloudWatch Events to route events to a rules engine that will examine incoming events, parse the incoming values, and properly route the event to any number of targets, such as email or mobile devices, ticketing queues, and issue management systems.
- Infrastructure Protection–AWS control methodologies to meet industry or regulatory requirements include protecting network and host-level boundaries, system security configuration and maintenance, and enforcing service-level protection.
- Protecting network and host level boundaries requires the careful management of your network topology and design to provide isolation and borders for resources within your environment. Amazon VPC Security Groups provide a per-host stateful firewall allowing you to specify rules and define relationships to other security groups. Use AWS Direct Connect to establish your own direct connectivity from your data center to your VPC.
- The security configurations of the running systems within your environment are the foundation of how you will maintain robust, secure, scalable systems. Amazon VPC security groups per-instance firewalls are the primary tools to support the protection of systems. Security groups act as a firewall for associated EC2 instances, controlling both inbound and outbound traffic at the instance level. Your own controls such as OS firewalls, vulnerability scanners, virus scanners can form another layer in a system control strategy.
- Data Protection–AWS supports multiple approaches to data protection including data classification, encryption/tokenization, protecting data at rest, protecting data in transit, and data backup/replication/recovery.
- Data classification allows you to protect data based on the classes of sensitivity and corresponding protection requirements. You can use AWS resource tagging and set access policy based on resources tagged according to security levels.
- Tokenization allows you to define a token to represent an otherwise sensitive piece of information like a social security number, representing the sensitive information with otherwise meaningless information. Encryption makes information unreadable without a key. AWS allows you to define your own tokenization procedures using a lookup table in an encrypted RDS or DynamoDB database and issue tokens to your end applications. AWS Key Management Service provides an easy-to-use, secure, and redundant key management service.
- Data at rest describes stored data on your AWS infrastructure. Amazon storage products like S3, EBS and RDS all support encryption. Protecting stored data from unauthorized access can also be done using AWS Key Management Service.Data in transit is unstored data that is moving between services within your AWS environment and to and from end users. AWS supports HTTPS for endpoint communication to provide encryption in transit and AWS Certificate manager to support encryption in transit between systems.
- Data backup and recovery are critical in the event of data deletion or destruction due to a disaster or malicious attack. Amazon RDS performs regular backups, and you can take regular snapshots of EBS data. Amazon S3 is designed for 11 9’s of durability for data that is likely to be reused. S3 can be configured to create copies of the content that can be duplicated in locations and accounts for additional protection. Amazon Glacier is a lower cost storage product to archive data for long-term backup.
- Incident Response–even with all the protections AWS offers, it is important to be prepared for a security incident. Best practices include using tags to define data sensitivity so that incident responders can quickly determine the severity of the incident. It also important to be prepared to quickly grant access to affected resources to incident responders through your identity and access management system. Because investigating a compromised asset can introduce additional risk you can use AWS CloudFormation to quickly create a new, trusted environment in which to conduct a deeper investigation.
*This blog summarizes a more detailed AWS document, AWS Well-Architected Framework: Security Pillar.”
Learn more about the other Well-Architected Framework pillars: