Amazon Web Services (AWS) is currently the most widely adopted cloud service provider, with nearly a million companies using its services. With exabytes of customer data stored on its platform, it is no wonder that data security is a major concern both for AWS and for the customers it serves.
If you are one of these customers, this article should help you understand how security is managed in AWS and teach you some best practices for ensuring that your data remains secure.
Security Responsibility in AWS
Before considering best practices for keeping your data secure in AWS, it helps to first know what you are responsible for. AWS services operate under a shared responsibility model: Amazon is responsible for security of the cloud (the physical data centers, hardware, network, and the virtualization and managed-service layers), and you are responsible for security in the cloud, which includes identity and access management, your data and its classification, guest operating systems and their patching where you run them, network and firewall configuration, your applications, and any third-party integrations. Where the line sits depends on the service: on EC2 you patch the operating system yourself, while for a managed service such as RDS or DynamoDB AWS does, but the data, its access policies and its encryption settings remain yours in every case.
To help with this responsibility, Amazon provides tools such as built-in encryption and Identity and Access Management (IAM). Some of these features are enabled by default, depending on the service you are using, but in the end it is up to you to make sure that your configuration is appropriate and that you are actually using the controls AWS provides.
Effective data security requires understanding not only where your data is vulnerable but what can be done to identify security faults and how to eliminate them. Each service and data type is different and the methods that will work best for your system will depend on those variables, but the following best practices should apply to most configurations.
Duplicate Your Data
It may seem obvious but backups only work if you make them, consistently and frequently. If you are not backing up your data in a reliable way, it will be difficult if not impossible to recover regardless of whether your database gets corrupted, data gets mistakenly erased, an attacker holds your systems ransom, or a natural disaster occurs.
An additional point to remember is that backups kept alongside the data they duplicate are of limited use: whatever destroys or encrypts the data can reach them too. A better strategy is to keep copies isolated, in a different region, on a different service, and ideally in a separate AWS account whose credentials the production environment does not hold, so that an attacker who compromises production cannot delete the backups along with the data.
AWS Backup, released in early 2019, simplifies and centralizes this process. It is fully managed, allows automation through backup plans (policies that set schedule, retention and the vault copies go to), and covers a range of services, including EFS, DynamoDB, RDS, EBS, and Storage Gateway.
If AWS Backup does not cover the services you use, or you want extra flexibility, you can still automate through a scheduled Lambda function or the CLI; automated EBS snapshots with a retention policy are the classic example, and the same approach works for any service that can be reached through the API. Whichever you use, test restores regularly: a backup that has never been restored is an assumption, not a backup.
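As an added example (not from the original article and not AWS's own code), here is the shape such a job takes: a scheduled Lambda function that snapshots every EBS volume tagged Backup=true, tags the snapshots it creates, and prunes only its own snapshots once they are older than a retention window, while always keeping the newest few per volume so a wrong clock or a long outage can never empty the backup set. The tag names, the retention values and the boto3 client are assumptions; the selection logic lives in pure functions so it can be exercised without an AWS account.

```python
"""Tag-driven EBS snapshot job with retention pruning (added example)."""
from datetime import datetime, timedelta, timezone

BACKUP_TAG = "Backup"      # assumption: volumes tagged Backup=true are in scope
CREATED_BY = "backup-job"  # assumption: tag value marking snapshots this job owns
RETENTION_DAYS = 14        # assumption: keep daily snapshots for two weeks
MIN_KEEP = 2               # never prune a volume below this many snapshots


def volumes_in_scope(volumes):
    """Return IDs of volumes carrying Backup=true (case-insensitive).

    `volumes` is shaped like describe_volumes()['Volumes'].
    """
    selected = []
    for vol in volumes:
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        if tags.get(BACKUP_TAG, "").lower() == "true":
            selected.append(vol["VolumeId"])
    return selected


def snapshots_to_prune(snapshots, now, retention_days=RETENTION_DAYS, min_keep=MIN_KEEP):
    """Pick snapshots older than the retention window, per volume.

    `snapshots` is shaped like describe_snapshots()['Snapshots'], with
    StartTime a timezone-aware datetime.  The newest `min_keep` snapshots of
    every volume are exempt regardless of age.
    """
    cutoff = now - timedelta(days=retention_days)
    by_volume = {}
    for snap in snapshots:
        by_volume.setdefault(snap["VolumeId"], []).append(snap)
    doomed = []
    for vol_snaps in by_volume.values():
        vol_snaps.sort(key=lambda s: s["StartTime"], reverse=True)  # newest first
        for snap in vol_snaps[min_keep:]:
            if snap["StartTime"] < cutoff:
                doomed.append(snap["SnapshotId"])
    return sorted(doomed)


def run_backup(ec2, now=None):
    """Create snapshots for in-scope volumes, then prune expired ones.

    `ec2` is a boto3 EC2 client, passed in so the flow can run against a stub.
    Returns (created_snapshot_ids, deleted_snapshot_ids).
    """
    now = now or datetime.now(timezone.utc)
    volumes = ec2.describe_volumes(
        Filters=[{"Name": f"tag:{BACKUP_TAG}", "Values": ["true"]}]
    )["Volumes"]
    created = []
    for vol_id in volumes_in_scope(volumes):
        resp = ec2.create_snapshot(
            VolumeId=vol_id,
            Description=f"automated {now:%Y-%m-%d}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [{"Key": "CreatedBy", "Value": CREATED_BY},
                         {"Key": "SourceVolume", "Value": vol_id}],
            }],
        )
        created.append(resp["SnapshotId"])
    # Prune only snapshots this job created and this account owns; never touch
    # manually taken snapshots or ones shared into the account.
    snaps = ec2.describe_snapshots(
        OwnerIds=["self"],
        Filters=[{"Name": "tag:CreatedBy", "Values": [CREATED_BY]}],
    )["Snapshots"]
    deleted = snapshots_to_prune(snaps, now)
    for snap_id in deleted:
        ec2.delete_snapshot(SnapshotId=snap_id)
    return created, deleted


def lambda_handler(event, context):
    """Entry point when deployed as a Lambda on an EventBridge schedule."""
    import boto3  # imported here so the pure functions above need no AWS SDK
    created, deleted = run_backup(boto3.client("ec2"))
    return {"created": created, "deleted": deleted}
```

The Lambda's execution role needs only ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:CreateTags, ec2:DescribeSnapshots and ec2:DeleteSnapshot; scoping DeleteSnapshot with a condition on the CreatedBy tag keeps a bug in the pruning logic from reaching snapshots the job did not create.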
Audit Your Risks
Knowing how to secure your data requires awareness of what you have and where it is stored. If you tagged your resources during configuration this may be easy to figure out; if you did not, now is the time to do so (Resource Groups Tag Editor and AWS Config can help build the inventory). Tags let you prioritize data security through access permissions, backup policies, monitoring, and more, and an untagged resource is a finding in its own right, because nobody owns it.
After you have an inventory of your data, you need to evaluate how your data can be accessed, what your current protections are, and how you are verifying that your data remains secure. This information will dictate how you should configure access rights and permissions, what authentication types you should be using, and how closely you need to monitor your systems.
Limit Data Access
If you focus on the principle of least privilege when configuring access rights and permissions you will have a good start. In AWS you control access through a combination of IAM identity policies, resource-based policies (such as S3 bucket policies and KMS key policies), S3 ACLs, and network controls (security groups and network ACLs).
With IAM, you create policies that keep management and database administration separate from the application's runtime access, and attach them to users, groups or, preferably, roles that hand out temporary credentials. Resource-based policies, which attach to the resource rather than the principal, are supported by a subset of services (S3, KMS, SQS, SNS and Lambda among them).
When writing policies, avoid wildcard actions and resources ("s3:*", "Resource": "*") and never use the account root user for day-to-day work; enable MFA on root and on every human user. This limits the damage a compromised credential can do. Periodically audit users and roles, for example with the IAM credential report, to remove "ghost" accounts, inactive users and unused access keys.
Network controls do the same job at the network layer: security groups restrict traffic per instance and network ACLs per subnet, so open only the ports each instance actually needs, and only to the sources that need them rather than to 0.0.0.0/0. If possible, extend these restrictions to isolate services from one another, known as micro-segmentation. Reducing the entry points to your data and systems reduces your overall exposure.
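As an added example, not from the original article and not AWS tooling, the following block turns the IAM guidance above into two checks a practitioner can run: a linter that flags the over-broad statements in an identity policy (shown against a broad policy and the narrow policy that replaces it), and a parser for the IAM credential report that lists users whose password and active access keys have all gone unused for 90 days and flags root-account hygiene problems. The bucket name, the account ID and the credential report itself are constructed for the example; the report keeps only a subset of the real report's columns, but the names used are the real ones.

```python
"""Least-privilege checks for IAM: over-broad statements and stale users (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Two policies for the same need: let an app read objects under one prefix.
# BROAD_POLICY is the kind that ends up in production "to make it work".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
# NARROW_POLICY names the actions, scopes the resource and pins the prefix
# (bucket name is an assumption).
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-data-bucket/uploads/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-data-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return one finding per risky Allow statement.

    Flags wildcard actions ("*" or "service:*"), a wildcard resource, and the
    NotAction/NotResource forms, which grant everything not listed.  A wildcard
    resource is sometimes unavoidable (some Describe* actions have no
    resource-level permissions), so it is reported for review, not auto-failed.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = [f"wildcard action {a!r}" for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.endswith(":*")]
        if "NotAction" in stmt:
            reasons.append("NotAction grants every action not listed")
        if "NotResource" in stmt:
            reasons.append("NotResource grants every resource not listed")
        if "*" in _as_list(stmt.get("Resource", [])):
            reasons.append("wildcard resource")
        if reasons:
            findings.append({"statement": idx, "reasons": reasons})
    return findings


# Constructed sample of the IAM credential report (subset of the real columns;
# the real report is returned by iam.get_credential_report() as CSV bytes).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2018-01-01T00:00:00+00:00,not_supported,2024-01-20T09:00:00+00:00,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-03-01T00:00:00+00:00,true,2024-01-28T08:00:00+00:00,true,true,2024-01-29T10:00:00+00:00,false,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2019-03-01T00:00:00+00:00,true,2023-06-01T08:00:00+00:00,false,true,2023-05-20T10:00:00+00:00,false,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2020-01-01T00:00:00+00:00,false,N/A,false,true,2024-01-29T23:00:00+00:00,false,N/A
"""


def _parse_ts(value):
    """The report uses N/A / no_information / not_supported for 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_users(report_csv, now, max_idle_days=90):
    """Names of users whose password and every active key were unused for max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        last_used = []
        if row["password_enabled"] == "true":
            last_used.append(_parse_ts(row["password_last_used"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last_used.append(_parse_ts(row[f"access_key_{n}_last_used_date"]))
        if last_used and all(ts is None or ts < cutoff for ts in last_used):
            stale.append(row["user"])
    return stale


def root_account_findings(report_csv, now, recent_days=90):
    """Flag root hygiene problems: no MFA, active access keys, recent password use."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != "<root_account>":
            continue
        if row["mfa_active"] != "true":
            findings.append("root has no MFA")
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append("root has active access keys")
        used = _parse_ts(row["password_last_used"])
        if used and used > now - timedelta(days=recent_days):
            findings.append(f"root password used on {used:%Y-%m-%d}")
    return findings
```

Against the sample report, alice and ci-bot are active and are left alone, old-contractor has used neither password nor key since mid-2023 and is reported, and the root row produces two findings (no MFA, and a password login ten days before the check). Run the linter over every customer-managed policy returned by iam.list_policies(Scope="Local") plus the inline policies on users and roles, since inline policies are where wildcards tend to hide.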
Limiting access also involves systematically making sure that the data in your systems needs to be there and evaluating if it can’t be stored more securely elsewhere. Infrequently accessed data such as compliance logs or legacy projects don’t need to be stored with your production data and can likely be safely moved to cold storage. If you find that you have data that you can eliminate, make sure that it is cleanly erased to further reduce liability.
Encrypt Your Data
AWS offers tools for encrypting data both at-rest and in-transit as a built-in feature. Unless you have access to a better solution or have a very good reason not to use encryption, you should use it. The specific tools available to you depend on which services you’re using and many services can be integrated with third-party security tools as well.
The primary tool used by most AWS services is the Key Management Service (KMS), which gives you centralized control over your encryption keys. With KMS you can use an AWS-managed key, a customer-managed key whose material KMS generates, or a customer-managed key with material imported from your own encryption infrastructure. KMS can rotate customer-managed keys automatically once a year; earlier key versions are retained, so existing data does not need to be re-encrypted and still decrypts (imported key material is not rotated automatically, so you must handle that yourself). KMS serves both server-side encryption in services such as S3, EBS and RDS and client-side encryption through the SDKs, and you should use both where possible. Make sure each key's policy limits who can use it and who can administer it, since a key that everyone in the account can use provides little separation between workloads.
Arguably, AWS cloud services provide more security than most organizations would be able to accomplish on their own, if only for the sheer amount of security expertise that the provider employs. Nevertheless, enabling the security features that AWS offers, verifying that your configuration is correct, and monitoring your system is all up to you.
To make sure that your data is kept safe and your liabilities are minimized, ensure that you are meeting these best practices and set aside some time to stay updated on the newest security tools, features, and vulnerabilities as they arise. The OWASP Cloud Security Project is a great resource to start with.