Lepide Blog: A Guide to IT Security, Compliance and IT Operations

AWS Security Best Practices

AWS Security

AWS (Amazon Web Services) is the world’s most popular public cloud infrastructure provider. They provide on-demand cloud computing platforms to individuals, companies, and governments. Amazon takes security very seriously, and generally does a good job of it, as security is an integral part of its business model. However, the platform is not without its security challenges.

AWS Security Challenges

To start with, Amazon has faced several security issues in recent years, including storage containers (S3 buckets) that were exposed to the public internet by default. More recently, during a routine cybersecurity audit, it was found that AWS had not been properly protecting certain categories of client data – such as credit card numbers and social security numbers – from unauthorized access. After this discovery, AWS announced that it would be updating its policies for sensitive data access for all services that store or process such information.

AWS customers are also faced with a plethora of security challenges when using the platform. To start with, they must understand the cybersecurity role of AWS, and familiarize themselves with the built-in security features. Enterprises must also maintain visibility into the resources they have in AWS, as well as keep track of all changes made to them.

Customers also need to make sure that they are following AWS security best practices, like enabling multi-factor authentication and encrypting sensitive data before uploading it to AWS.

AWS Security Best Practices

Below are some of the AWS security best practices you need to adhere to

Familiarize yourself with the Well-Architected Tool

The AWS Well-Architected Tool – found in the AWS Management Console – will help you identify high-risk issues, evaluate workloads, and more. The ‘Security’ section of the tool covers a broad range of AWS security best practices that will help to keep your data secure.

Use strong passwords

In order to prevent unauthorized access to your AWS accounts, you must ensure that employees are using strong passwords. Make sure that passwords have at least 12 characters, with a mix of numbers, symbols, and upper/lower case letters.

Enable multi-factor authentication

Another security measure that you can take is to enable multi-factor authentication on all accounts that have access to sensitive data. This will require you to enter a code in addition to your password every time you log in to the AWS Management Console. The option to use biometric information as an additional verification factor is also available.

Perform regular audits of your environment

When you’re looking to audit changes to sensitive data in AWS, the best way to do it is with a solution that integrates with your existing tools and processes. With an integrated solution, you’ll be able to see exactly who made what changes, and when. This will help to ensure that only authorized people have access to your data and that no one else can access it without your knowledge. An integrated solution will also allow you to process changes more quickly than if they were handled manually.

Restrict access to access to sensitive data

It is imperative that you only give users the privileges they need to fulfill their tasks. And, when privileges are no longer required, they must be revoked immediately. You can accomplish this by carrying out routine audits of employee privileges to ensure that they are aligned with their job function.

Encrypt data at rest and in transit

In addition to being necessary for regulatory compliance, encryption adds another layer of security, thus helping to protect your sensitive data. The simplest way to use encryption in AWS is to enable the native encryption feature which automatically encrypts sensitive stored in an S3 bucket. You can also use the Key Management Service (AWS KMS) to help you manage your encryption keys. To be on the safe side, it’s a good idea to encrypt sensitive data before uploading it to the cloud.

Keep your managed nodes up-to-date

It is crucial that patches are applied to your AWS infrastructure as soon as they are made available. You can use the Patch Manager, found in the AWS Systems Manager, to automate the process of patching managed nodes.

How Lepide Helps with AWS Security

AWS buckets are a logical unit of storage in Amazon Web Services (AWS) object storage service, Simple Storage Solution S3. Buckets are used to store objects, which consist of data and metadata. S3 Customers create buckets to share data amongst users and privileges are controlled through the AWS Policy Generator.

It’s important for your IT security and compliance posture to not only understand who is accessing the data but also any changes to the security settings surrounding the content of the buckets. This is where Lepide Amazon S3 Auditor comes in.

With Lepide, you can report on open AWS S3 buckets. Open buckets present a very large security risk so identifying and securing them is a quick win to improving AWS security. It’s also important that you understand how users are interacting with the data shared within the buckets. As well as being able to identify if new files are added and removed to the storage buckets, Lepide also provides insight into who’s accessing the data, and how frequently, to help in determining unauthorized access or privilege abuse.

Finally, to prevent privilege abuse in the first place, it’s important to design a stringent security model around access management to the storage buckets. With Lepide Amazon S3 Auditor, you will be able to see if there are any unauthorized changes to the Access Control Lists surrounding the data. This will help in ensuring permissions are not granted to those who don’t need them and also help to prevent privilege sprawl across the unstructured data.

If you’d like to see how Lepide can help to secure your sensitive data on AWS, schedule a demo with one of our engineers.