A Guide to Cloud Security in AWS: How to Embrace AWS with Confidence
Written By: Pratik Amin
Many businesses are moving infrastructure and services to Amazon Web Services (AWS) to gain the advantages of the cloud. Cloud is billed only for usage, so it can be more cost-effective than purchasing inventory and space for on-premises infrastructure. That flexibility in AWS also makes it easier for your business to test new services, launch new offerings, and scale up.
Some businesses are hesitant to move into the cloud, or to move more decisively into the cloud, because of concerns about AWS cloud security. However, AWS is mature enough that well-defined structures and best practices exist that can make it more secure than managing your own on-premises infrastructure. If you go into a migration understanding the risks and how to address them before they become an issue, you can take advantage of all the cloud has to offer while remaining confident that you can still support your business’s security goals.
What Is the Structure of AWS?
Much of the trepidation around cloud security comes from the differences between the paradigms of on-premises infrastructure security and the cloud. Security is no longer about securing the perimeter and the endpoints, as it was with on-premises infrastructure. For example, you no longer have one or more firewalls that your devices “sit behind.” Instead, each service in the cloud is protected by security group rules that define what users, groups, and traffic can access it.
In AWS, you aren’t configuring a firewall. Instead, you are building from a foundation of data classification and then developing robust Identity and Access Management (IAM) policies. IAM policies work the same way across the different services your company runs on AWS. So instead of having to learn different security configurations and schematics for each piece of on-premises infrastructure, your security team can take a unified approach, applying their knowledge of IAM to granting the right privileges to each service running in the cloud.
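As an added illustration of that unified model (example code added here, not from the original article or from Security Compass), the following Python linter checks any IAM policy document for the patterns that most often undermine least privilege: wildcard actions, service-wide wildcards, `Resource: "*"`, `NotAction`, and an unconditioned `Principal: "*"`. The same function works on an identity policy attached to a user or role and on a resource policy such as a bucket policy, which is the point of the passage. The sample policies and the bucket name are constructed.

```python
"""Lint IAM policy documents for statements broader than least privilege.

Added example (not code from the original article). It works on the standard
IAM policy JSON, so the same check applies to identity policies on users and
roles and to resource policies such as S3 bucket policies.
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action, Resource and Principal be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per overly broad grant; an empty list means none found."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action not listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' allows every action")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                service = action.split(":")[0]
                findings.append(f"{sid}: '{action}' allows every action in service '{service}'")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies to every resource; scope it to ARNs")

        # Resource policies name a Principal; '*' without a Condition is open to anyone.
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" in _as_list(principal) and "Condition" not in stmt:
            findings.append(f"{sid}: Principal '*' with no Condition grants access to anyone")
    return findings


def is_least_privilege(policy: Dict[str, Any]) -> bool:
    """True when the linter raises no findings."""
    return not lint_policy(policy)


# Constructed sample policies (the bucket name is a placeholder).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadWriteOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}


if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY),
                         ("public-bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Running the linter as a pre-merge check on the policy files in your infrastructure-as-code repository catches broad grants before they are deployed; the `Resource: "*"` finding is a prompt to scope the statement to ARNs wherever the actions support resource-level permissions.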
How Worried Should You Be About Cloud Security Risks?
Just like any infrastructure decision, moving to the cloud carries risks. But the risks are not insurmountable. Many data breaches associated with cloud services come down to companies not doing the basics of cloud security correctly. Understanding those basics now, and understanding how to avoid these pitfalls, means you can have a successful future in the cloud.
The most common AWS data breaches are due to misconfigured S3 buckets: in short, the Identity and Access Management (IAM) controls on stored data are not set using AWS security best practices, allowing people who shouldn’t be able to access or alter your business’s data on AWS to do so. These misconfigurations can include setting a bucket to public, assigning it to the wrong access control lists, or incorrectly configuring encryption.
These breaches can be prevented by knowledge and auditing. Make sure that configurations of cloud services are created by people with experience in securing AWS services. Configurations should not depend on the security defaults within AWS, but should instead take into account how best to configure the available options for your business needs. Prevention also requires frequent auditing and penetration testing to identify and remediate misconfigured buckets before attackers find them.
With this all in mind, there is plenty of room to operate securely in AWS, possibly even more securely than you operate in traditional infrastructure.
Underlying Infrastructure Can Be More Secure
From your company’s perspective, infrastructure in AWS is a matter of code and configuration. Of course there is underlying physical infrastructure. But control over that rests with Amazon.
In terms of security, this can be great news for your business. The data centers operated by Amazon (and other industry-leading cloud providers like Google and Microsoft) are typically more securely and reliably operated than other enterprise data centers. Thus, your team will have less to worry about in the sense of physical security and uptime.
Major cloud services like AWS also have a team of people consistently working on the security of their underlying infrastructure, both in terms of hardware and patching. This frees up more time and energy for your security team to focus on the security tasks that matter, including hardening workloads, securing the code and configurations that define your business’s own infrastructure, storage, and encryption in AWS, and evaluating security through measures like penetration testing.
Automation Is Key
Automation is at the core of successful operations in the cloud. From creating services and instances to remediating configuration issues, automation makes it possible to do security at scale. It forms the backbone of strong cloud security.
In the cloud, you can automate the creation of services using tested, approved configurations. In addition, you can and should employ tooling with native automated remediation. Previously, when security misconfigurations were identified, a ticket would be created and then an engineer would fix it. The engineer may have access to some automation, or may have to manually fix it in multiple places in the network. In AWS, native automated remediation means that configuration corrections can be fixed and then deployed to multiple services on AWS more quickly. Though learning this paradigm can take time in the beginning, in the long run, the cloud can make it smoother than ever to strengthen the security of your infrastructure.
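The following Python example, added here and not code from the original article or from Security Compass, ties together the two points above: the S3 bucket misconfigurations described earlier (public access block not fully enabled, public ACL grants, no default encryption, an open bucket policy) and native automated remediation. `audit_bucket` produces finding codes, `remediation_plan` maps them to the boto3 S3 client calls that correct them, and `apply_plan` runs the plan with a dry-run switch. The input dictionaries mirror the response shapes of boto3's `get_public_access_block`, `get_bucket_acl`, `get_bucket_encryption` and `get_bucket_policy`; the bucket data and the recording client are constructed so the example runs offline, and the finding codes are assumptions of this example.

```python
"""Audit S3 bucket configuration and build an automated remediation plan.

Added example, not code from the original article. Input shapes mirror what
boto3's S3 client returns from get_public_access_block, get_bucket_acl,
get_bucket_encryption and get_bucket_policy; the data here is constructed.
"""
from typing import Any, Dict, List, Tuple

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(bucket: Dict[str, Any]) -> List[str]:
    """Return finding codes for one bucket; an empty list means no issues found."""
    findings: List[str] = []
    pab = bucket.get("PublicAccessBlock") or {}
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append("PUBLIC_ACCESS_BLOCK_INCOMPLETE")
    for grant in (bucket.get("Acl") or {}).get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES:
            findings.append("PUBLIC_ACL_GRANT")
            break
    if not bucket.get("Encryption"):  # None stands for "no default encryption rule"
        findings.append("NO_DEFAULT_ENCRYPTION")
    for stmt in (bucket.get("Policy") or {}).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if stmt.get("Effect") == "Allow" and principal == "*" and "Condition" not in stmt:
            findings.append("PUBLIC_BUCKET_POLICY")
            break
    return findings


def remediation_plan(name: str, findings: List[str]) -> List[Tuple[str, Dict[str, Any]]]:
    """Map findings to the S3 API calls that fix them as (method name, kwargs)."""
    plan: List[Tuple[str, Dict[str, Any]]] = []
    for code in findings:
        if code == "PUBLIC_ACCESS_BLOCK_INCOMPLETE":
            plan.append(("put_public_access_block", {
                "Bucket": name,
                "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}))
        elif code == "PUBLIC_ACL_GRANT":
            plan.append(("put_bucket_acl", {"Bucket": name, "ACL": "private"}))
        elif code == "NO_DEFAULT_ENCRYPTION":
            plan.append(("put_bucket_encryption", {
                "Bucket": name,
                "ServerSideEncryptionConfiguration": {"Rules": [
                    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}))
        # PUBLIC_BUCKET_POLICY is deliberately left for human review: deleting a
        # policy could break a bucket that is meant to be public (e.g. a static site).
    return plan


def apply_plan(client: Any, plan, dry_run: bool = True) -> List[str]:
    """Run the plan against any object exposing boto3-style S3 methods.

    With dry_run=True nothing is changed; the returned log shows what would run.
    """
    log = []
    for method, kwargs in plan:
        log.append(f"{'DRY-RUN ' if dry_run else ''}{method}({kwargs['Bucket']})")
        if not dry_run:
            getattr(client, method)(**kwargs)
    return log


class RecordingS3Client:
    """Stand-in for boto3.client('s3') that records calls instead of making them."""
    def __init__(self):
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, method):
        return lambda **kwargs: self.calls.append((method, kwargs))


# Constructed samples: one bucket with the classic misconfigurations, one hardened.
EXPOSED_BUCKET = {
    "Name": "example-exposed-bucket",
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "Encryption": None,
    "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-exposed-bucket/*"}]},
}
HARDENED_BUCKET = {
    "Name": "example-hardened-bucket",
    "PublicAccessBlock": {k: True for k in PAB_KEYS},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                        "Permission": "FULL_CONTROL"}]},
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "Policy": None,
}

if __name__ == "__main__":
    client = RecordingS3Client()  # swap for boto3.client("s3") for a real run
    for bucket in (EXPOSED_BUCKET, HARDENED_BUCKET):
        findings = audit_bucket(bucket)
        print(bucket["Name"], findings,
              apply_plan(client, remediation_plan(bucket["Name"], findings), dry_run=True))
```

The dry run is what makes this safe to schedule: the audit can run on every bucket continuously, the log goes to the ticket, and the actual calls only execute once the plan has been reviewed or once the organisation trusts the rule enough to let it run unattended.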
Governance and Documentation
Governance can be a challenge in cloud services. After all, with the flexibility and ease of setting up services in AWS, it is easy for people to stand up instances to test. This flexibility is helpful, if done in the proper way, since being able to set up new services to test can help your business add new services and scale up much more easily than with on-premises infrastructure. However, it also opens up the possibility of undocumented test instances, instances that do not fit vetted security standards, or shadow IT in the cloud.
It is possible to overcome these challenges, however. When moving to the cloud, making sure that instances are consistently documented and reviewed is crucial, in order to avoid data exposure from undocumented or misconfigured test instances. Make sure that policies and procedures are in place that define how to test in the cloud, and how to document new cloud instances. Your security practices should also require frequent auditing, not only of the documentation but of the actual instances and services that exist on your AWS platform. With those in place, your business can securely take advantage of the flexibility of AWS.
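One concrete way to audit "the actual instances and services that exist on your AWS platform" against the documentation policy is to require ownership and purpose tags on every instance and an expiry date on anything marked as a test instance. The Python below is an added example, not code from the original article or from Security Compass: the required tag names and the expiry rule are an assumed policy, the input mirrors the shape of boto3's `describe_instances` response, and the instance ids and tags are constructed placeholders.

```python
"""Audit EC2 instances for the documentation tags a governance policy requires.

Added example, not code from the original article. The input mirrors the
shape of boto3's ec2 describe_instances response; the tag names are an
assumed policy, and the sample data is constructed so the check runs offline.
"""
from datetime import date, datetime
from typing import Any, Dict, List

REQUIRED_TAGS = ("Owner", "Purpose", "Environment")  # assumed policy
TEST_ENVIRONMENTS = {"test", "sandbox"}              # assumed policy


def instance_tags(instance: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the EC2 tag list [{'Key': ..., 'Value': ...}] into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def audit_instance(instance: Dict[str, Any], today: date) -> List[str]:
    """Return governance issues for one instance; an empty list means compliant."""
    tags = instance_tags(instance)
    issues = [f"missing tag {key}" for key in REQUIRED_TAGS if key not in tags]
    # Test instances are the ones that tend to outlive their purpose, so they
    # must carry an Expires tag and must not be past it.
    if tags.get("Environment", "").lower() in TEST_ENVIRONMENTS:
        expires = tags.get("Expires")
        if expires is None:
            issues.append("test instance has no Expires tag")
        else:
            try:
                if datetime.strptime(expires, "%Y-%m-%d").date() < today:
                    issues.append(f"test instance expired on {expires}")
            except ValueError:
                issues.append(f"Expires tag is not a YYYY-MM-DD date: {expires!r}")
    return issues


def audit_instances(describe_response: Dict[str, Any], today_iso: str) -> Dict[str, List[str]]:
    """Walk a describe_instances response and report only non-compliant instances.

    today_iso is the audit date as YYYY-MM-DD, passed in so results are reproducible.
    """
    today = date.fromisoformat(today_iso)
    report: Dict[str, List[str]] = {}
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            issues = audit_instance(instance, today)
            if issues:
                report[instance["InstanceId"]] = issues
    return report


# Constructed sample response; instance ids are placeholders, not real resources.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000aaaa", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "payments-team"}, {"Key": "Purpose", "Value": "api"},
              {"Key": "Environment", "Value": "prod"}]},
    {"InstanceId": "i-0000000000000bbbb", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "alice"}, {"Key": "Purpose", "Value": "poc"},
              {"Key": "Environment", "Value": "test"}, {"Key": "Expires", "Value": "2024-01-15"}]},
    {"InstanceId": "i-0000000000000cccc", "State": {"Name": "running"}, "Tags": []},
]}]}

if __name__ == "__main__":
    # For a real account: feed boto3.client("ec2").describe_instances() pages into audit_instances.
    for instance_id, issues in audit_instances(SAMPLE_RESPONSE, date.today().isoformat()).items():
        print(instance_id, "; ".join(issues))
```

Because the check reads the live inventory rather than the documentation, it catches exactly the gap the passage describes: instances that were stood up outside the process, and test instances that nobody remembered to tear down.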
Secure Your Future in AWS
Moving to the cloud helps your operations to become more nimble and scalable. If you take the time to do cloud security right, AWS cloud security features can make establishing, strengthening, and correcting security configurations easier than ever.
A successful, secure cloud transition is easier with a partner. Security Compass Advisory has been at the forefront of software security for fifteen years, and remains at the leading edge of cloud technologies. Security Compass Advisory has guided some of the largest and most respected companies in the world toward robust, secure cloud operations.
Learn more about how Security Compass Advisory can help you transition to AWS with confidence.
Pratik is a Principal Security Consultant at Security Compass. Over his many years on the advisory team he has worked with a wide array of clients, leading large and complex assessments of many kinds. During the last 4 years Pratik has led a multi-million-dollar program that performs hundreds of highly complex and highly visible assessments a year. Pratik has been responsible for technical oversight of the delivery of these projects, as well as for elevating the performance of the team working on them. Pratik has years of experience working with modern cloud infrastructure.