AWS security is the set of practices and controls you use to protect your data and resources in AWS. They rest on the shared responsibility model: AWS secures the underlying infrastructure (security "of" the cloud), while you secure what you run on it, namely your data, applications, identities, and network connections (security "in" the cloud). You manage your side through a combination of your own tools and configurations and the services AWS provides.
This is part of an extensive series of guides about network security.
In this article, you will learn:
Within AWS, there are many native security services and tools that you can apply to secure your assets. Some are included in your account or in the price of the service they protect, while others are billed separately.
Learn more in our in-depth guides: AWS security services (coming soon) and AWS security as a service (coming soon)
AWS data protection services focus on protecting workloads, accounts, and data from unauthorized access. They provide capabilities such as continuous monitoring, threat detection, encryption, and management of encryption keys.
Services for data protection include:
AWS network protection services filter traffic according to the security policies you define. You can use them to protect endpoints and web applications by filtering on HTTP request content, source IP addresses, and URI strings, which helps block a range of web application threats, including cross-site scripting and denial-of-service attacks. Request filtering is a perimeter control; it complements, rather than replaces, fixing the vulnerable code behind it.
Services for network protection include:
AWS identity and access management (IAM) services manage user identities and permissions and control access to resources. You can use them to secure workloads, internal resources, and applications.
Services for IAM include:
AWS provides multiple services for continuously monitoring network and account activity and identifying threats. They collect logs and metrics so you can track events across your systems and alert on potential threats.
Services for monitoring and detection include:
AWS infrastructure is assessed against the most common regulations and standards, including PCI DSS and GDPR, but under the shared responsibility model the compliance of your own workloads remains your job. AWS also offers services that help you audit compliance and evaluate your current configurations.
Services for data privacy and compliance include:
When configuring your AWS resources, following these principles can help you ensure greater security:
In addition to the design principles above, the following best practices can help you strengthen your security posture.
Learn more in our in-depth guide to aws security best practices (coming soon)
The dynamic and distributed nature of cloud resources makes it hard to maintain consistent visibility of your assets. That visibility is essential: you cannot protect data and applications you do not know about, or notice that a resource is being abused.
To ensure visibility, adopt services and solutions that centralize monitoring and alerting and let you correlate activity across resources regardless of host, account, or region. They should also include asset discovery, so that no resource in your estate is overlooked.
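The monitoring and detection paragraph above and this one on visibility both come down to the same mechanics: collect the account's audit log, run rules over it, and correlate hits by actor. The following is an added example (not code from the original page or from AWS) that does this over a handful of constructed records in CloudTrail's JSON shape. The field names (`userIdentity.type`, `additionalEventData.MFAUsed`, `eventName`) are real CloudTrail fields; the events themselves, the IP addresses and the user names are made up.

```python
"""Detection logic over constructed CloudTrail records (added example).

Flags three things a centralized monitoring pipeline should alert on:
root account usage, console logins that succeeded without MFA, and API
calls that disable or weaken the audit trail itself.
"""
import json

# Constructed sample records in CloudTrail's JSON shape (not real events).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:01:12Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-01-10T08:05:40Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.77"},
    {"eventTime": "2024-01-10T08:07:03Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"},
     "sourceIPAddress": "203.0.113.77"},
    {"eventTime": "2024-01-10T08:09:15Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.22"},
]

# CloudTrail API calls that blind or weaken the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail",
                   "PutEventSelectors"}


def detect(event):
    """Return a list of (severity, rule, detail) findings for one record."""
    findings = []
    identity = event.get("userIdentity", {})
    who = identity.get("userName") or identity.get("type", "unknown")
    name = event.get("eventName")
    src = event.get("sourceIPAddress", "?")

    # Root should never be used for day-to-day work; any activity is notable.
    if identity.get("type") == "Root":
        findings.append(("high", "root-activity",
                         f"{name} by root account from {src}"))

    # A successful console login where MFA was not used.
    if (name == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(("medium", "console-login-without-mfa",
                         f"{who} logged in from {src} without MFA"))

    # Attackers commonly stop logging before doing anything else.
    if name in TRAIL_TAMPERING:
        trail = event.get("requestParameters", {}).get("name", "?")
        findings.append(("high", "cloudtrail-tampering",
                         f"{who} called {name} on trail {trail} from {src}"))
    return findings


def scan(events):
    """Run every rule over every record and flatten the findings."""
    return [f for ev in events for f in detect(ev)]


def correlate_by_source(events):
    """Group rule hits by source IP so one actor's actions line up even
    when they span services; this is what centralized monitoring buys you."""
    by_ip = {}
    for ev in events:
        for finding in detect(ev):
            by_ip.setdefault(ev.get("sourceIPAddress", "?"), []).append(finding[1])
    return by_ip


if __name__ == "__main__":
    for sev, rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
    print(json.dumps(correlate_by_source(SAMPLE_EVENTS), indent=2))
```

Run against the sample, the correlation step shows that the root login without MFA and the `StopLogging` call came from the same address within two minutes, which is far more actionable than either alert on its own. In production the same rules would run over events delivered from CloudTrail to a log store or SIEM rather than an inline list.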
You cannot entirely prevent misuse of privileges, but you can limit the damage. Grant users and roles only the permissions their tasks require (least privilege), and separate high-level privileges so that no single identity can both perform and approve sensitive actions.
When privileges are distributed across identities, each one is less powerful, which makes it harder for a user to harm systems or data, whether deliberately or by mistake. It also makes it harder for an attacker who obtains one set of credentials to escalate from there.
Compromised credentials are a major liability that strict authentication measures can reduce. Enforce strong password policies (minimum length and complexity, and rotation where your compliance regime requires it), and adopt multi-factor authentication (MFA). MFA requires more than one proof of identity before access is granted, so a stolen password alone is not enough to log in.
Also educate staff and users about secure authentication: train them to recognize phishing attempts and to avoid risky habits such as writing down passwords or sharing credentials.
Cloud resources are reachable from the Internet unless you deliberately restrict them, which makes them attractive targets. Every reachable resource, port, and interface is a potential gateway into your systems, known as an endpoint. To prevent breaches, secure these endpoints with monitoring, traffic filtering, and intrusion detection and prevention.
One way to limit this exposure is to disable endpoints you are not actively using, such as unnecessary open ports. Another is to create policies that restrict which source IP addresses or ranges are allowed. Ideally, allow only addresses you know need access, a practice known as allowlisting (also called whitelisting).
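In AWS the policy just described lives mostly in security group ingress rules, so the practical check is: which rules let the whole Internet reach something other than the public web ports, and what does the allowlisted version of such a rule look like? The block below is an added example, not code from the page or from AWS. The rules are constructed in the shape returned by `aws ec2 describe-security-groups`, the group ID is invented, and `ADMIN_CIDRS` is an assumed office/VPN range; nothing here calls the AWS API.

```python
"""Audit security group ingress rules for Internet exposure and build the
allowlisted replacement for a risky rule (added example, offline)."""

import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_WEB_PORTS = {80, 443}  # the only ports this policy allows from anywhere
ADMIN_CIDRS = ["198.51.100.0/24"]  # assumption: the office/VPN range you trust

# Constructed sample: one group with a mix of acceptable and risky rules.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]


def _cidrs(perm):
    """All IPv4 and IPv6 source ranges of one rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _ports(perm):
    """Port range of a rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _exposes_non_web(lo, hi):
    """True unless every port in [lo, hi] is an allowed public web port."""
    return any(p not in PUBLIC_WEB_PORTS for p in range(lo, hi + 1))


def audit_group(group):
    """Return a finding for each rule that opens a non-web port to the Internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        lo, hi = _ports(perm)
        if not _exposes_non_web(lo, hi):
            continue
        for cidr in _cidrs(perm):
            if cidr in ANYWHERE:
                findings.append({"group": group["GroupId"],
                                 "protocol": perm.get("IpProtocol"),
                                 "ports": (lo, hi), "source": cidr})
    return findings


def restricted_rule(perm, allowed_cidrs=ADMIN_CIDRS):
    """Same protocol and ports as `perm`, but sourced only from the allowlist."""
    for c in allowed_cidrs:
        ipaddress.ip_network(c)  # raises ValueError on a malformed CIDR
    fixed = {k: v for k, v in perm.items() if k not in ("IpRanges", "Ipv6Ranges")}
    fixed["IpRanges"] = [{"CidrIp": c} for c in allowed_cidrs if ":" not in c]
    fixed["Ipv6Ranges"] = [{"CidrIpv6": c} for c in allowed_cidrs if ":" in c]
    return fixed


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        for finding in audit_group(group):
            print("exposed:", finding)
    print("fixed SSH rule:", restricted_rule(SAMPLE_GROUPS[0]["IpPermissions"][1]))
```

The 443 rule from `0.0.0.0/0` is accepted, the SSH rule and the all-protocol IPv6 rule are flagged, and the RDP rule passes only because it is already scoped to a single /24. The replacement rule keeps the port and protocol but swaps the source for the allowlist, which is exactly the change you would push through `authorize-security-group-ingress` after revoking the open one.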
Depending on your operations and the data you hold, you may need to comply with one or more regulations. Beyond avoiding fines for failing to secure data properly, the controls these regulations require also help protect your broader assets.
To ensure you are following compliance requirements and best practices, audit your systems periodically. Depending on the regulations that apply to you, tools may be available to automate this. You can also hire compliance experts to audit and verify your compliance at intervals. For compliance measures specific to AWS, including built-in practices, visit the AWS Compliance Center.
Because no security measure is 100% effective all of the time, you need a recovery plan. This means creating and maintaining current backups of your data and configurations. Although many AWS services automatically replicate data for availability, replication is not a backup: a deletion or corruption is replicated just as faithfully as good data.
Depending on the services you use, there may be built-in mechanisms for snapshot backups. Alternatively, you can use AWS Backup, which lets you create, automate, monitor, and manage backups centrally. Whichever method you choose, take backups frequently, store copies in one or more separate locations (another region, and ideally another account, so that a compromise of the primary environment cannot reach them), and test restores regularly so you know the backups actually work.
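The two properties above, frequent backups and copies somewhere separate, can be checked mechanically against an AWS Backup plan before it is created. The block below is an added example, not code from the page or from AWS: the plans are constructed in the shape that `aws backup create-backup-plan` accepts, the vault names and account IDs are invented, and `HOME_REGION`/`HOME_ACCOUNT` are assumed values for where the protected resources live.

```python
"""Check an AWS Backup plan for at-least-daily schedules, minimum retention,
and copies to a different region and account (added example; plans,
vault names and account IDs are constructed)."""

HOME_REGION = "us-east-1"      # assumption: where the protected resources live
HOME_ACCOUNT = "123456789012"  # assumption: the production account

WEAK_PLAN = {  # constructed: weekly, short retention, no copy anywhere
    "BackupPlanName": "weekly-local",
    "Rules": [
        {"RuleName": "weekly", "TargetBackupVaultName": "Default",
         "ScheduleExpression": "cron(0 5 ? * SUN *)",
         "Lifecycle": {"DeleteAfterDays": 14}},
    ],
}

HARDENED_PLAN = {  # constructed: daily, with a copy in another region and account
    "BackupPlanName": "daily-cross-account",
    "Rules": [
        {"RuleName": "daily", "TargetBackupVaultName": "prod-vault",
         "ScheduleExpression": "cron(0 5 ? * * *)",
         "Lifecycle": {"DeleteAfterDays": 35},
         "CopyActions": [
             {"DestinationBackupVaultArn":
                  "arn:aws:backup:us-west-2:210987654321:backup-vault:dr-vault",
              "Lifecycle": {"DeleteAfterDays": 90}},
         ]},
    ],
}


def _parse_vault_arn(arn):
    """arn:aws:backup:REGION:ACCOUNT:backup-vault:NAME -> (region, account)."""
    parts = arn.split(":")
    if len(parts) != 7 or parts[2] != "backup" or parts[5] != "backup-vault":
        raise ValueError(f"not a backup vault ARN: {arn}")
    return parts[3], parts[4]


def _at_least_daily(expr):
    """True for a rate() of one day or less, or a cron() with no day-of-month
    or day-of-week restriction (AWS cron fields: min hr dom mon dow yr)."""
    expr = expr.strip()
    if expr.startswith("rate("):
        n, unit = expr[5:-1].split()
        return (unit.startswith("day") and int(n) == 1) or unit.startswith(("hour", "minute"))
    if expr.startswith("cron("):
        fields = expr[5:-1].split()
        if len(fields) != 6:
            return False
        _, _, dom, mon, dow, _ = fields
        return dom in ("*", "?") and mon == "*" and dow in ("*", "?")
    return False


def check_plan(plan, min_retention_days=30):
    """Return human-readable problems with the plan; an empty list means it passes."""
    problems = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "?")
        if not _at_least_daily(rule.get("ScheduleExpression", "")):
            problems.append(f"{name}: schedule is less frequent than daily")
        if rule.get("Lifecycle", {}).get("DeleteAfterDays", 0) < min_retention_days:
            problems.append(f"{name}: retention shorter than {min_retention_days} days")
        copies = rule.get("CopyActions", [])
        if not copies:
            problems.append(f"{name}: no copy to a separate vault")
        for copy in copies:
            region, account = _parse_vault_arn(copy["DestinationBackupVaultArn"])
            if region == HOME_REGION:
                problems.append(f"{name}: copy stays in {HOME_REGION}")
            if account == HOME_ACCOUNT:
                problems.append(f"{name}: copy stays in the same account")
    return problems


if __name__ == "__main__":
    for plan in (WEAK_PLAN, HARDENED_PLAN):
        print(plan["BackupPlanName"], check_plan(plan) or "passes")
```

The cross-account check matters most: a copy in another region of the same account still disappears if an attacker with account-wide credentials deletes the vaults, whereas a vault in a separate account with its own access policy does not. The schedule parser deliberately treats anything it cannot classify as not daily, so an unexpected expression fails closed rather than passing silently.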
NetApp Cloud Insights is an infrastructure monitoring tool that gives you visibility into your complete infrastructure. With Cloud Insights, you can monitor, identify security issues, troubleshoot and optimize both public clouds and private data centers.
Cloud Insights helps organizations reduce mean time to resolution by 90%, prevent 80% of cloud issues from impacting end users, and reduce cloud infrastructure costs by an average of 33%. It can even reduce your exposure to insider threats by identifying risks to sensitive data.
In particular, NetApp Cloud Insights protects organizational data from being misused by malicious or compromised users, through advanced machine learning and anomaly detection.
When setting up your resources and data in AWS, it can take a few tries to get your security configurations right. This may be okay if you test your deployment with dummy data but if you have live data in AWS, you need to get security right from the start. Discover 9 AWS security best practices you can adopt to ensure your AWS resources and any connected environments remain safe from critical risks.
Read more: AWS Security Best Practices: How to Protect Your Cloud (coming soon)
Types of AWS Security Services: How to Choose?
AWS offers many native services that you can use to secure your systems. By using native services, you avoid complex integrations, gain new capabilities automatically as they are released, and benefit from AWS's own security expertise.
This article explains what AWS security services are available and highlights four services that you should consider implementing.
Read more: Types of AWS Security Services: How to Choose?
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of
Authored by Exabeam
Authored by Tigera
Authored by NetApp