Maintaining a strong AWS security posture comes with its fair share of challenges. From the availability of security talent to the rapid pace of innovation, inexperienced staff, and the increasing complexity of the public cloud, the struggle is real. However, security is a journey, and continuous improvement is key. In this post, I will share some ways to further strengthen your AWS security posture.
Enable AWS CloudTrail Insights
You have most likely enabled CloudTrail, the built-in analytics service that helps you with operational and risk auditing, governance, and compliance of your AWS account across your active AWS regions. For security reasons, you’ve likely also followed best practices for logging CloudTrail events to a separate account. That’s great! Now, consider the benefit of being alerted to any atypical activity discovered within the CloudTrail logs. This is where CloudTrail Insights becomes an important part of your AWS security posture. While it’s not enabled by default (it comes with a slight cost), enabling this feature allows you to detect potentially malicious behavior and react appropriately. You can read more about CloudTrail Insights here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html
Utilize AWS IAM Access Analyzer for Least Privilege
The concept of least privilege access is simple but often challenging to implement. Granting least privilege access is crucial to an effective identity and access management (IAM) strategy on your network. Discovering “who needs what” across your cloud engineers can be a daunting task, and editing JSON permission policies can be a hassle. It’s common to find a relatively large number of users with Administrator access when observing AWS accounts for customers—a situation I refer to as the “Oprah Effect.”
AWS IAM Roles
The AWS IAM Access Analyzer’s policy generation feature can greatly improve your IAM security posture and do the heavy lifting of least privilege for you. By analyzing all CloudTrail events during a specified date range, Access Analyzer will create a custom policy with proper permissions based on observed activities for the user or role being analyzed. Worried about overly broad permissions attached to an EC2 instance role, such as access to all S3 buckets? With Amazon Access Analyzer, you can ensure that only the necessary bucket permissions are granted for the role, without needing expertise in JSON.
Gain Visibility into Your Security Posture
Peter Drucker is often quoted as saying, “You can’t manage what you can’t measure,” and this holds true for cybersecurity. A Cloud Security Posture Management (CSPM) tool can greatly benefit you in this regard. I’m surprised by how often AWS Security Hub is not enabled for AWS accounts, and if you haven’t yet, now is the time! While it may not be the most robust CSPM tool available, it is cost-effective (typically under $100/month for most midsized companies) and provides a “single pane of glass” for monitoring the health of your security and compliance. For third-party tools, I recommend Orca Security, the recipient of the AWS Global Security Partner of the Year award in 2022. Zscaler and Palo Alto Networks also provide CSPM tools for the cloud. Regardless of the tool you choose, continuous measurement of your security posture is vital to protecting your cloud assets. Learn more about the AWS Security Hub.
Enable AWS Config Conformance Packs
AWS Config rules evaluate the configuration settings of your AWS resources, and Conformance Packs are bundles of individual Config rules designed to achieve a desired state of compliance. For example, if you’re storing credit card information on AWS, you should use the PCI (Payment Card Industry) Conformance Pack. Designing a Cybersecurity Maturity Model Certification (CMMC) enclave? Use the CMMC Conformance Pack. Other Conformance Packs include support for HIPAA (the Health Insurance Portability & Accountability Act), AWS Best Practices, CIS Benchmark, National Institute of Standards & Technology (NIST) Cybersecurity Frameworks, operational best practices for individual services, and many more. If you’re not currently measuring your security posture against a published framework, I suggest starting with the Conformance Pack for the CIS AWS Foundations Benchmark. Read about Conformance Packs
Discover Where Your Sensitive Data Lives
While we often have a good idea of where our sensitive data is stored, it can be a moving target. You could subscribe to Macie, Amazon’s built-in security service that uses machine learning to automatically discover, classify, and protect sensitive data to identify that data within S3 buckets, but what about data living on your Elastic Block Storage shares or within your databases? This is where Data Security Posture Management (DSPM) tools prove their worth. Once you find all your sensitive data within AWS, make sure to appropriately tag those resources with data classification tags. If you’re unsure which DSPM tool to consider, I recommend looking at Orca Security, which includes DSPM along with many other security features. Learn more about Orca Security.
Review AWS Security Recommendations for Individual Services
The speed of innovation makes secure configuration a challenging prospect, and security best practices often evolve over time. Fortunately, AWS makes it easy to research security guidance on individual AWS services. Before going live with any AWS service, I strongly encourage you to visit https://docs.aws.amazon.com/security/ and familiarize yourself with prescriptive security guidance for the services you use on AWS.
Use AWS Backup Vault Lock for Immutable Backups
Preventing ransomware from encrypting your AWS data is crucial, but it’s equally important to ensure your backups cannot be altered or deleted. AWS Backup’s vault lock feature enables write-once-read-many (WORM) functionality, safeguarding your backups and potentially your job. Learn more about AWS Backup Vault Lock.
Own Your Vulnerabilities
The old IT mantra of “if it isn’t broken, don’t fix it” no longer applies in this security climate. Having a strong vulnerability management program is essential to live safely in the public cloud. Palo Alto Networks recently published a finding that 63% of codebases in production have unpatched vulnerabilities and 11% of public facing hosts in the public cloud have high or critical vulnerabilities. To help, AWS provides Amazon Inspector, a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure.
Summary
By incorporating these recommended practices into your AWS security strategy, you can significantly enhance your security posture and better protect your cloud resources and data.
Remember, security is an ongoing journey, and regularly assessing and improving your security measures is essential to stay ahead of evolving threats. Blue Mantis can help you find and mitigate security risks in the most complex of AWS environments. Our team of experts holds multiple AWS Certifications to help you implement best practices for securing your business data in AWS. Stay tuned for Part 2 of this series, where I will cover more techniques.