Are you a cloud security expert or enthusiast? Were you at the first-ever security-focused AWS conference in Boston? If your answers are Yes and No respectively, I have just one more question for you; Where were you?
The first-ever AWS re:Inforce was definitely a success by all means (aside from all the free t-shirts I got). It highlighted all the security components you need to properly secure your account, infrastructure, and application in AWS.
Here are my key takeaways that will highlight features to help you better secure your workload.
10 Security Pillars of AWS
Who has access to your account and what can they do?
- Federated Access
- Programmatic Key Rotation
- Enforce Multi-Factor Authentication
- Disable Root Account Programmatic Access
- Utilize IAM Groups to grant permissions
- Cognito – Identity management for your apps
Is my account exposed or compromised?
- Amazon GuardDuty to detect intrusion
- AWS Config to monitor changes to Account
- AWS Trusted Advisor to audit security best practices
- AWS Organizations to manage multiple accounts
- AWS Control Tower to secure and enforce security standards across accounts
Is my network properly secured?
- Network ACLs to control VPC incoming and outgoing traffic
- VPC to isolate cloud resources
- AWS Shield for DDoS protection
- Web Application Firewall (WAF): Filter malicious web traffic
- PrivateLink: Securely access services hosted on AWS
- Firewall Manager: Manage WAF rules across accounts
Can my compute infrastructure be hacked for bitcoin mining?
- AWS Systems Manager for patching
- AMI Hardening using CIS Standards
- Security Groups to limit port access
- AWS Inspector to identify security vulnerabilities
- AWS CloudFront to limit exposure of your origin servers
- Application Load Balancers to limit direct traffic to your app servers
Can my application be compromised or brought down by hackers?
- AWS Shield and Shield Advanced for DDoS protection
- AWS X-Ray for application request tracing
- AWS Cloudwatch for application logs
- Application runtime monitoring – Contrast e.t.c.
- AWS Inspector to identify application vulnerabilities
Am I enforcing security standards in my build and deploy systems?
- Infrastructure code analysis with cfn_nag
- Application code analysis – Spotbugs, Fortify
- Dependency vulnerability Checks – OWASP
- Docker image scanning (if using docker) – Twistlock, Anchore CLI
Always encrypt everything!
- KMS encryption for EBS volumes
- Server-Side Encryption for S3 Buckets
- RDS Encryption
Is my data safe? Am I leaking secrets?
- AWS Secrets Manager to rotate and manage secrets
- Amazon Macie to discover and classify data
- Regular Data backups and replication across regions
- Data Integrity Checks
- Client-side encryption
Am I securely moving my data?
- Enforce SSL/TLS Encryption of all traffic
- AWS Certificate Manager to generate SSL Certificates
- ACM Private CA to create and deploy private certificates
Are my engineers ready for security threats and breaches?
- Use PlayBooks and Runbooks to plan and prepare for security threats and breaches
- Utilize Cloud Native services when possible to leverage AWS best security practices
Other Noteworthy Mentions
Nitro allows micro-services concepts to be applied to hardware. This enables faster development and deployment of new instance types; while creating higher throughput and stability. Some security features include:
- Utilizes nitro controller as the root of trust
- Hardware acceleration of encryption
- Firmware is cryptographically validated
- Encryption keys are secured into nitro devices
- No SSH, hence, no human access
Nitro with FireCracker
This is most notably being used for running serverless workload (Lambda) by enabling the sharing of hardware infrastructure between multiple accounts. The security features of Nitro makes this possible. Some features include:
- Minimal device model reduces memory footprint and attack surface area
- User-space code in <125ms, 150microVM per second per host
- Low memory overhead with a high density of VMs on each server
AWS Control Tower
The easiest way to set up and govern a secure, compliant multi-account AWS environment. Features include
- Prescriptive guidance on IAM, Landing Zones
- Workflows to provision compliant accounts
- Set up AWS with multi-account structure
- Pre-configured architectures
That’s all folks! I’m looking forward to AWS re:Inforce 2020 in Houston. Until then, Stay Secured My Friends!
Stelligent Amazon Pollycast