Ultimate AWS Security Info, must be aware before y...
Cloud security done right is a solution that answers all these questions, making it an essential component to creating a cloud environment that works for businesses (and customers) around the globe. By providing a scalable and flexible network solution, the cloud enables tremendous opportunities, but it also brings challenges. As a web presence grows, websites need to be prepared with a plan to fend off increasingly complex attacks against web infrastructure, like DDoS (distributed denial of service) attacks and Level 7 (application layer) attacks.
Cloud security done right is a solution that answers all these questions, making it an essential component to creating a cloud environment that works for businesses (and customers) around the globe. By providing a scalable and flexible network solution, the cloud enables tremendous opportunities, but it also brings challenges. As a web presence grows, websites need to be prepared with a plan to fend off increasingly complex attacks against web infrastructure, like DDoS (distributed denial of service) attacks and Level 7 (application layer) attacks.
What is Cloud Security?
Cloud security provides multiple levels of controls within the network infrastructure in order to provide continuity and protection for cloud-based assets like websites and web applications. Whether in a public or private cloud, businesses need to balance DDoS protection, high availability, data security, and regulatory compliance in their cloud security provider.
Data protection
AWS provides services that help you protect your data, accounts, and workloads from unauthorized access. AWS data protection services provide encryption and key management and threat detection that continuously monitors and protects your accounts and workloads.
Infrastructure protection
AWS protects web applications by filtering traffic based on rules that you create. For example, you can filter web requests based on IP addresses, HTTP headers, HTTP body, or URI strings, which allows you to block common attack patterns, such as SQL injection or cross-site scripting.
Threat detection & continuous monitoring
AWS identifies threats by continuously monitoring the network activity and account behavior within your cloud environment.
Compliance & data privacy
AWS gives you a comprehensive view of your compliance status and continuously monitors your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows.
Identity & access management
AWS Identity Services enable you to securely manage identities, resources, and permissions at scale. With AWS, you have identity services for your workforce and customer-facing applications to get started quickly and manage access to your workloads and applications.
Shared Responsibility Model
In this the responsibility is shared between AWS and Customer limitations were clearly demarcated and it is our responsibility to be foolproof from our side by doing enabling encryption of data, providing role access to developers to specific service needed keeping in mind least privilege principle.
Secure your root account and credentials and never share root account credentials (Access keys ) and use the root account only for monitoring and Billing purpose and for other usage create IAM(Identity and Access Management) Roles and give programmatic access or Console Read-only access depending on the need.
Even though we are giving Role access ensure that we provide Role Credentials with limited privilege (Credentials Expiry ) Restrict long-standing access keys and enable MFA(Multi-Factor Authentication)as mentioned in the security pillar out of 5 pillars of the AWS Well-Architected Framework.
Fine-grained access control with analytics
AWS Identity Services enable you to quickly grant the right access, to the right people, at the right time by selecting permissions from a library of AWS managed policies, which you can also copy and create your own custom managed policy. AWS also supports the use of resource tags to define and manage fine-grained highly customizable user permissions. Finally, AWS helps you continuously improve your security posture by analyzing access patterns and identifying unused permissions across all AWS accounts so you can remove unnecessary access quickly and confidently.
AWS Secrets Manager: Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
AWS Firewall Manager: Centrally configure and manage firewall rules across accounts and applications
AWS Certificate Manager Private Certificate Authority: Easily and securely manage the lifecycle of your private certificates
AWS Web Application Firewall: It is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
AWS Key Management Service
Keys created within the KMS are protected using Hardware Security Modules. This is an ideal service for organizations that don’t want to manage the underlying infra or software that is required to create and manage encryption keys.
AWS Inspector
This service can be used to test the network accessibility of Amazon EC2 Instances, It can also be used to check the state of security of the underlying applications that run on those instances with this we can also automate security vulnerability assessments throughout your development & deployment systems.
Some Hacks to ensure Security
Create Restrictive Firewall Policies
Monitor Your Instances
Encrypt Sensitive Data
Multi-Factor Authentication
Keep patches up-to-date
Host-Based Intrusion Prevention Systems
Conduct Vulnerability Assessments, Personal Health Dashboard & Trusted Advisor
Enable Guard duty, Cloud trail, Build Automated Notifications connect them to Cloud Watch and SNS
Config Rules helps in detecting anomalies
Some Hacking Tactics often used by Hackers
DDoS
Malware Injection
Hijacking of accounts
Phishing and Social Engineering Attacks
Penetration Testing
We can do on a maximum of 8 services, without prior approval
like EC2, ELB, RDS, API, and others
Prohibited
Denial of service, DDoS
Simulate DoS, Simulated DDoS
Port Flooding, Protocol Flooding, Request Flooding
Incident Response
Have a plan and Test it
Elements of Incident Response Plan
Roles & Responsibilities
Identify
Contain
Respond
Recover
Backup & Restore
Disaster Recovery and Strategies to handle it will be covered in our next article, Please be in touch and if you feel any points came to your mind not present here.let us know by mentioning those in the comments section:)