AWS Security Best Practices: The Complete Guide
June 22, 2017
Cloud-based storage and solutions can help streamline your business and offer more services your clients need. But the use of third-party cloud tools also leaves your company vulnerable to hacking. Cisco’s Q2 2016 Cloud Cybersecurity Report found that 27% of apps are considered high-risk due to the permissions users grant to the apps. The result is often full access to users’ files in the cloud environment, including sensitive data that could compromise the integrity of your business.
Fortunately, AWS (Amazon Web Services) security best practices include built-in firewalls and protections to keep businesses safe. They also partner with third-party tools to enhance overall security. However, that focus isn’t a security catch-all for your business. You still need to be diligent about security at your own company – and when using any other third-party tools – to help you avoid data breaches and intrusions.
Unfortunately for companies large and small, hacking shows no signs of slowing down. Holding data for ransom is a growing problem that will prompt cybersecurity spending to exceed $1 trillion between 2017 to 2021. The world also saw the number of data breach incidents increase by 40% between 2015 to 2016. And CSO reported that the human attack surface will reach 4 billion people by 2020, giving hackers more opportunities to target people’s businesses and bank accounts.
The statistics are sobering, but there are ways to combat security issues. However, using a firewall-protected tool like AWS isn’t enough. Your business also needs to understand and adhere to AWS Security Best Practices to keep your business safe. Here’s a beginner’s guide on what you need to know.
AWS Security Best Practices
Understand Who is Responsible for What
Before getting started with AWS, understand who is responsible for handling what. AWS is responsible for the security of the cloud, and its customers are responsible for security in the cloud. This subtle difference may seem like a non-issue, but it’s highly significant. In other words, AWS works to secure its own platform and solutions, but it’s up to your company to secure the “Applications” that you are running in AWS and files and materials you’re uploading and accessing.
Your responsibilities also extend to how you and your clients are accessing AWS. Start by keeping your login and relevant AWS credentials encrypted. Next, use security certificates to authenticate access to AWS services. It’s also wise to stay on top of any security patches for your own devices and systems, as malware often attacks through these vulnerabilities. Otherwise, you could be facing catastrophic data loss.
Remember that expired operating systems and outdated patches were blamed for the recent WannaCry hack, which infected over 300,000 devices where data was held for ransom. Not enough people bothered to keep their systems up to date, ignored prompts to upgrade their systems, and fell victim to sophisticated hacking. Give your own clients some training on best security practices and keeping logins and credentials safe to protect the integrity of your AWS accounts.
Use Multi-Factor Identification
Despite hackers making headlines for attacks like WannaCry and data breaches now becoming the norm, people still aren’t using secure passwords. According to reports from Entrepreneur, 21% of people use passwords over 10 years old, and 47% of people use passwords that are at least 5 years old.
But that’s not the worst of it. Seventy-three percent of online accounts are guarded by duplicate passwords used with multiple devices and apps, including email. You need added protection for your passwords, especially if multiple team members and clients are accessing your AWS account and other apps.
Add an additional layer of security to AWS by requiring multi-factor authentication (MFA) to access all accounts. The process is simple but can beef up your security without requiring much time to set up or use. Once enabled, MFA prompts users to enter their username and password, followed by an authentication code from their AWS MFA device. However, businesses can also create MFA under their account for individual IAM users. This can be helpful if you have multiple team members or clients accessing AWS.
Manage Access to Multiple AWS Accounts
One of the draws of AWS is the ability to create groups of accounts, and then apply policies to each group. This can help you oversee which groups have access to which data and can let you organize and monitor how data is being used.
It’s unlikely that everyone in your company needs to have access to the same data. Protect your business by restricting AWS and all other data access to only essential personnel to lower the number of data breaches.
Unfortunately, hacking does happen at the hand of former employees who never had their login credentials and access revoked. That’s why revoking access should be part of the process when employees are terminated or leave the company. Involve your IT team in the process of regulating and appropriately revoking data access, maintaining data logs, and collecting any company devices, from laptops to smartphones.
Protect Data in Transit
Transferring data over public Wi-Fi can leave your business’s most valuable assets vulnerable. Revisit how your materials, website, and method of data transfer are secured. Use a private Internet connection, mandate that remote workers use a VPN, and make it a policy that workers cannot connect from public places like cafes.
The method you’re using to transfer files is also a part of AWS Security Best Practices. HTTP traffic is unprotected by default, and your business should always use SSL/TLS protection as industry-standard dictates.
Users can also manage services from AWS using the Management Console or AWS APIs. Use the console for SSL/TLS protection where traffic is encrypted and data integrity is authenticated. As AWS explains, once the client browser authenticates the identity with an X.509 certificate, an SSL/TLS connection is established and all HTTP traffic is now protected.
Leverage Vulnerability Reporting
It’s not uncommon to receive phishing emails from hackers posing as legitimate businesses. Phishing emails often look like they come directly from companies you work with and the tools you use, like AWS. However, one wrong click and you could end up with ransomware that holds your data hostage and gains access to your AWS account.
AWS educates its users on refraining from clicking on any links, entering passwords, or downloading attachments through email. Instead, use Amazon’s system to report suspicious emails to keep your company safe. Reporting information can help create a culture of security in your office, and alert AWS to which vulnerabilities may be impacting your business.
Aside from alerting Amazon to phishing scams and potential hacking, you can also report illegal hacking to the proper authorities. The U.S. Department of Justice details how to report different types of hacking, from intrusion to password trafficking. Depending on the hacking crime, an FBI local office, the U.S. Secret Service, or Internet Crime Complaint Center may be your best point of contact.
Security Audit of your Applications
As part of the shared responsibility model mentioned above, you are responsible for ensuring the security of the applications and services running on AWS. To ensure this periodically conduct Security Audit and ethical hacking tests of your applications hosted on AWS. This ensures you at least know about the hackable risks of the applications before a hacker can exploit it
Get the Right Tech
Using the right tech can enhance your security when sharing and downloading files from AWS. Malware protection and antivirus tools help support your systems to monitor for malicious activity and stop, or at least slowdown data breaches. You can also use AWS partner tools to help improve your security.
For example, their Barracuda Web Application Firewall aligns with your AWS environment to instantaneously secure it. For security scanning, Indusface offers Total Application Security for a fully-managed security solution. The app detects application-layer vulnerabilities with web application scanning, and monitors and analyzes traffic for hacking threats and DDoS attacks.
Create a Culture of Security
At the end of the day, adhering to AWS Security Best Practices requires a strong culture of security at your company. Using the right tech and securing passwords are just part of the process, but will fall short without more commitment from your team. Proactive diligence and training are what anchors your security culture.
Ongoing spear-phishing simulations are just one way to train your team. You can also make the training engaging by turning it into a game. Quiz teams on different security issues and malicious activity like malware. Award employees who take security seriously with a free lunch for winning a quiz contest, or a day off each quarter to the employee with the most flagged phishing simulations. The more fun and engaging you to make it, the more likely employees are to retain and utilize the information – far more than they would read a security manual.
Get Help from AWS
AWS also offers additional resources to help optimize your account and stay secure. AWS Trusted Advisor promises to help reduce costs, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor makes recommendations and adheres to best practices, including examining Amazon S3 bucket permissions and exposed access keys.
Whether you use AWS Trusted Advisor or not, it’s still important to stay on top of any changes in AWS security policies or best practices. Look for alerts in your account or email to keep up to date.
AWS can help transform your business and add more robust services to your clients, but it isn’t a set-it-and-forget-it tool when it comes to business security. Stay on top of the latest trends in hacking and security best practices to be proactive and keep your business safe.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
