AWS Cloud Security Best Practices
As the number of cloud users keeps growing, IT infrastructure security is among their top three concerns, while cloud cost optimization and lack of expertise/resources are the other two, according to Flexera 2023 State of the Cloud Report.
We’d like to share AWS cloud security best practices used at Apiko, based on over 8 years of experience and dozens of successful projects.
Cloud services: reasons for the growing popularity
According to SaaSworthy, 94% of companies report improvements in online security after migrating to the cloud. It’s largely due to monitoring, testing and alerting automation, as well as special mechanisms that, when configured appropriately, ensure data security and make the IT infrastructure resistant to cyber attacks.
Besides, using cloud services provides more flexibility compared to on-premises computing when it comes to
data processing and AI implementation
software scalability and maintenance
adding new functionality and third-party integrations, and more.
Cloud-based infrastructure is also required for software transition to SaaS model, as it provides high availability due to workload distribution, and is easy to scale within a few minutes. SaaS data security and IT cost minimization are other crucial reasons for choosing the cloud.
You can find real-life examples with more details in our migrating to AWS cloud case study.
Managed cloud security services
As lack of expertise and resources is one of top three concerns of cloud users, managed security services are a real game saver.
Ensuring a safe environment is one of the competencies of Apiko DevOps services. Their initial IT infrastructure audit provides overall examination, including a summary about the security condition in general.
Regardless of the types of cloud architecture, for a thorough in-depth check we run an IT security audit. It is based on AWS security best practices, the main ones we’ll describe below.
AWS cloud security best practices
There are numerous factors that must be taken into account to secure IT infrastructure both on granular level and as a whole. That’s why our AWS security best practices checklist is rather broad.
Let’s take a closer look at what exactly stands behind these practices.
Identity and Access Management
IAM is the foundation for securing your AWS resources. It enables you to safely manage access permissions to AWS services and resources. Our key suggestions for IAM are to:
Implement multi-factor authentication (MFA) for all IAM users and roles
Grant the least privileged access to resources which is enough to complete user’s tasks and duties using IAM policies
Delegate permissions to AWS services and applications using IAM roles
Manage multiple AWS accounts and apply security policies across them using AWS Organizations.
Cloud data security
Data protection is essential for ensuring its confidentiality and integrity in AWS. Besides the preventative measures, it’s necessary to make sure that your data is backed up and you have a plan to recover from a disaster or a data loss event. To protect cloud data we suggest to:
Limit access to sensitive data using access control
Encrypt data at rest and in transit
Create and control encryption keys using AWS Key Management Service (KMS)
Manage Secure Socket Layer (SSL) and Transport Layer Security (TLS) certificates, and enable HTTPS for your web applications using AWS Certificate Manager
Log API calls to AWS services with AWS CloudTrail
Classify and label data to identify and protect sensitive data
Set up data backup and recovery
Back up your data regularly
Test your backup and recovery procedures regularly
Store your backups in a different region or account
Use AWS disaster recovery services, such as AWS CloudEndure, to replicate your systems to another region or account
Manage the lifecycle of your data with data retention policies.
Besides the above-mentioned practices, it’s necessary to pay special attention to Amazon S3 bucket (a highly scalable object storage service) and cloud database security.
Amazon S3 bucket security tips
Grant the least privilege access to S3 buckets and objects using S3 bucket policies and IAM policies
Protect your objects from accidental deletions or overwrites with S3 bucket versioning
Protect data at rest using S3 server-side encryption (SSE)
Manage the encryption keys for SSE with KMS
Improve data transfer speed and reduce latency using S3 Transfer Acceleration
Cloud database security
There are numerous Amazon database services, and some of the most frequently used at Apiko include
Amazon Relational Database Service (RDS)
Amazon DocumentDB
Amazon DynamoDB.
Besides, Amazon ElastiCache is a data store service that provides high-performance scalable caching for web applications. Our cloud data security best practices are the following:
Use a private IP address for your DB instance
Encrypt data in transit using SSL
Control access to your instance or table/cluster using IAM
Use automated data backups
Encrypt your data at rest
Control inbound and outbound traffic to your DB instance or ElastiCache cluster using Virtual Private Cloud (VPC) security groups
Connect to DynamoDB securely with VPC endpoints
Use Amazon CloudWatch to monitor your DynamoDB tables for suspicious activity
Enable multi-region replication and disaster recovery with DynamoDB global tables
Use SSL encryption for Amazon ElastiCache client connections.
Network security best practices
Network security is critical for protecting your AWS resources from external attacks. Below we’ll briefly describe some of the most useful cloud security technologies.
AWS Virtual Private Cloud (VPC) allows you to create an isolated virtual network in the cloud. Here are some key considerations for securing your VPC:
Control access to resources and limit exposure to the public internet using VPC
Isolate resources and reduce the attack surface with private subnets
Filter traffic at the subnet level with Network Access Control Lists (NACLs)
Filter traffic at the instance level using security groups
Protect your resources from DDoS attacks with Amazon CloudFront, Amazon Route 53, and AWS Shield
Encrypt data in transit using SSL/TLS
Manage SSL/TLS certificates with AWS Certificate Manager
Use HTTPS for web traffic and secure protocols for other types of traffic
Access AWS services securely without exposing your traffic to the public internet with AWS PrivateLink
Connect to your VPC securely with VPN or AWS Direct Connect.
AWS Web Application Firewall (WAF) protects your web applications from common web threats, e.g. SQL injection and cross-site scripting (XSS) attacks. It also secures APIs from exploits, such as distributed denial of service (DDoS) attacks and bad bots, and blocks traffic from known malicious IP addresses and botnets.
AWS Shield is a managed service that helps protect your applications from DDoS attacks. AWS Shield Advanced provides additional DDoS protection and offers AWS DDoS Response Team support during a DDoS attack.
Logging and monitoring
It’s essential to detect and respond to security incidents in AWS. That’s where logging and monitoring come in handy, allowing to
Log API calls to AWS services using AWS CloudTrail
Monitor AWS resources and applications with Amazon CloudWatch
Monitor and manage compliance with AWS resources using AWS Config
Aggregate and analyze security alerts with AWS Security Hub
Detect and prevent security threats using Amazon GuardDuty.
Application security in the cloud
When you host your application in the cloud, it’s necessary to protect its users and data. Here are the basic security measures we use at Apiko and suggest you to follow.
Use strong authentication and authorization mechanisms
Secure user accounts with strong passwords and multi-factor authentication.
Implement OAuth or OpenID Connect for third-party authentication.
Enable HTTPS and HSTS
Encrypt all communication between the client and server using HTTPS.
Prevent downgrade attacks with HTTP Strict Transport Security (HSTS).
Protect against cross-site scripting (XSS) and SQL injection attacks
Sanitize user inputs to prevent XSS attacks.
Use parameterized queries to prevent SQL injection attacks.
Implement rate limiting
Implement rate limits to prevent brute force attacks and Denial of Service (DoS) attacks.
Set up rate limiting for your RESTful APIs using Amazon API Gateway, so that the number of requests per second cannot exceed a certain limit, and once it does, an error occurs.
Secure your sessions
Prevent session hijacking with secure cookies.
Use HTTPS for session management.
Store sessions securely using AWS ElastiCache.
Implement CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) for user submits
Implement CAPTCHA to prevent automated attacks and account creation.
Set up CAPTCHA for serverless architectures using AWS Lambda.
Conclusion
It’s a good idea to implement security measures starting from the initial steps of application development. You can also always use the AWS security best practices checklist provided in this article to double check if your cloud network, resources and application are protected.
Do not hesitate to contact Apiko if you feel like you could use a hand. We’ll make sure you stay up-to-date with the latest security practices, and we’ll provide a regular audit of your security policies and techniques so your application remains secure.