We have to build security into every layer of our infrastructure. AWS enables us to implement security at the perimeter as well as within and between our resources. In this article, we will go through deeply about AWS security.
Principles of the Security Pillar
When it comes to security, we have to think of identity and access management (IAM), detective controls, infrastructure protection, data protection and incident response.
- Apply security at all layers – use firewalls and other security control on all of our resources.
- Enable traceability – log and audit all actions and changes.
- Automate responses to security events – monitor and automatically trigger responses.
- Focus on securing our system – AWS provides secure infrastructure and services while customer can focus on securing the application, data and operating systems.
- Automate security best practices – use software-based security mechanisms and create entire infrastructure as a template.
Prevent Common Security Exploits
Firstly, Protecting against attacks is a shared responsibility between AWS and customers. AWS can provide some services while customers should also learn the behavior of the attacks. We can use Amazon inspector to prevent common exploits. It includes a knowledgebase with hundreds of built-in rules.
Generally, viewers see our content through HTTPS if using CloudFront. Custom SSL certificate support features let us use our own domain name and our own SSL certificate.
For advanced SSL features of CloudFront security, it provides high-security ciphers so we improve the security of HTTPS connections. In addition, it also provide perfect forward secrecy so we have additional safeguards against eavesdropping of encrypted data. Moreover, Online Certificate Status Protocol (OCSP) stapling improves the time taken for individual SSL/TLS handshakes by moving OSCP check. Finally, session tickets help speed up the time spent restarting or resuming an SSL/TLS session.
Not only CloudFront, we should also restrict access to S3 content by creating an origin access identity (OAI). Perhaps, we also require users to use signed URLs.
The above figure shows the basic principle of encryption.
However, when we use AWS KMS, a managed encryption service, the process will become much more simple. AWS MKS master keys encrypt data keys and never leave the AWS KMS system. Data keys are unique and two-tiered key hierarchy using envelope encryption.
Also, AWS KMS integrates with many other AWS services e.g. EBS, S3, RDS, Redshift, Elastic Transcoder, WorkMail, EMR and so on.
We can also have AWS CloudHSM to protect our cryptographic keys using a dedicated, tamper-resistant Hardware Security Module (HSM).
Encrypting Source and Output Data at Rest in S3
First of all, data stored in S3 is private by default, we need AWS credentials for access. Also, S3 provides server-side encryption using AWS keys or customer keys. Finally, we can also encrypt data before storage in S3 (client-side encryption).
Similar to Microsoft AD, AWS also has its own directory service. AWS Directory Service is a managed service to run Microsoft AD as a managed service within AWS Directory Service. It can connect to on-premises Microsoft Active Directory through AD Connector.
AWS Security Token Service (STS) is a lightweight web service that enables us to request temporary, limited-privilege credentials for IAM users or for users that we authenticate federated users.
In addition, STS supports SAML 2.0 as well. It is open standards and no coding required.
In this article, we have discussed many ways to enhance our security in AWS. Even though we could outsource some security services to AWS, customers should also take the responsibility to learn the behavior of attacks and adopt the proper approach.