Cloud computing has moved from being the “Next Big Thing” to “The Big Thing” today. Over the years, it has evolved from being a remote storage option to something that organizations can trust to run sophisticated applications from any part of the world without installing them on their own systems or servers, and probably no vendor provides such services better than Amazon.

AWS (Amazon Web Services), being one of the early entrants in the market, has the largest market share at present and powers some of the world’s most complex and critical websites with its IaaS and PaaS offerings. However, this popularity and adoption rate have also put AWS setups squarely on the target list of hackers.

AWS describes its security model as a “Shared Responsibility Model”, wherein responsibility for the security of the actual, or what we call the underlying, infrastructure lies with AWS, and everything else (from the OS up to the application layer) is the customer’s lookout. Simply put, every component you deal with (except for the AWS dashboard) is your responsibility.

Some might think that responsibility in the cloud must sit in their service provider’s bucket, but in reality it is not a big deviation from your on-premise security, except of course that you don’t have to bother about physical security in the cloud.

How to Secure Applications on Amazon Web Services

Let’s take a look at 4 key aspects to address to make sure your applications on AWS are safe:

  1. Infrastructure Security: Manage your critical assets
    As a part of the shared responsibility model, customers are responsible for the security of the OS and the software installed on it; this includes installing the latest updates and patches. You also need to ensure the configurations of these systems are hardened. The AWS Trusted Advisor security checks are pretty useful in assessing the security state. Installing anti-malware solutions on your EC2 instances is a very important checkpoint you cannot afford to miss. Use of multi-factor authentication is highly recommended, along with IAM to map users to their actual roles and responsibilities, in order to achieve the AAA (authentication, authorization & accountability) objectives of access control. Use of a bastion host to reach all EC2 instances remotely is highly recommended, to avoid unnecessary exposure of critical assets on the internet.
  2. Network Layer: Contain unnecessary traffic
    AWS provides security features that, when used properly, can fortify your applications against all sorts of network layer threats. Natively, AWS protects against network attacks like IP spoofing, ARP cache poisoning, snooping through promiscuous mode and, to an extent, even network DDoS attacks. Use of a VPC is the best way to enforce logical segregation of your internet-facing and internal infrastructure, using public and private subnets respectively. A typical setup would have the ELB and web servers in the public subnet and the application servers and databases in the private subnet. Security groups and network ACLs can be used to provide strict control over inbound and outbound network traffic to your instances; think of them as the network firewall of an on-premise environment. They make sure only necessary traffic is allowed. By default, all inbound access is denied.
  3. Application Layer: Scan and patch application vulnerabilities
    The amount and kind of focus needed here does not change a bit from what is required in on-premise deployments. The application, whether custom developed or a COTS product, should be tested frequently for vulnerabilities, and these vulnerabilities should be fixed in a timely manner. Make sure you obtain permission from AWS before running any scan against AWS infrastructure, whether internally or from outside. Ideally none of these vulnerabilities should come from the AWS side, unless you use PaaS services like DynamoDB or Redshift. Also encrypt all data at rest and in motion: this includes the use of TLS for all communications between end users, Elastic Load Balancers, EC2 instances and databases, encryption of EBS volumes and S3 storage, and finally, but most importantly, managing the keys properly.
  4. Monitor & Protect: Enhance security with WAF
    While all the proactive security measures will give you peace of mind, you still need a robust vulnerability management mechanism that makes sure you have enough security monitoring in place to detect breaches and perform forensic analysis when required. AWS CloudWatch monitors and APIs enable you to do the same. You can even use the CloudWatch APIs to send data to your SIEM setup. Also, a Web Application Firewall becomes a key tool in protecting your applications against web layer attacks, including application-layer DDoS, something AWS natively can’t mitigate. It’s important to monitor the hosted applications, as they are not only the internet-facing assets of your IT system but also comprise a major business channel these days.
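An added example (not from the original post or from AWS) of how the network layer guidance in point 2 can be checked rather than just stated: it audits security group ingress rules in the shape returned by boto3's describe_security_groups, flagging public groups that expose anything other than web ports to 0.0.0.0/0 and private groups that accept traffic from outside the VPC. The group IDs, names, CIDRs and the "private-" naming convention are constructed assumptions.

```python
import ipaddress
from typing import List

# Constructed sample in the shape of boto3's describe_security_groups()
# output; group IDs, names and CIDRs are hypothetical.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
WEB_PORTS = {80, 443}  # the only ports a public-subnet group may open to the world
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "public-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # fine for a web tier
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH should go via the bastion
    ]},
    {"GroupId": "sg-db", "GroupName": "private-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # database exposed to the Internet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},        # from the app subnet: allowed
    ]},
]


def audit_security_groups(groups: List[dict], vpc_cidr=VPC_CIDR) -> List[str]:
    """One finding per IPv4 ingress rule that breaks the guidance:
    groups named 'private-*' may only accept traffic from inside the VPC,
    and any other group may open only WEB_PORTS to 0.0.0.0/0."""
    findings = []
    for g in groups:
        private = g["GroupName"].startswith("private-")
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] == "-1":               # all protocols, all ports
                ports = "all"
            else:
                ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):          # IPv4 ranges only
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if private and not net.subnet_of(vpc_cidr):
                    findings.append(f"{g['GroupId']}: private group accepts {ports} from {rng['CidrIp']}")
                elif net.prefixlen == 0 and perm.get("FromPort") not in WEB_PORTS:
                    findings.append(f"{g['GroupId']}: non-web port(s) {ports} open to the world")
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

On a real account the same function can be fed the "SecurityGroups" list from describe_security_groups, with VPC_CIDR taken from describe_vpcs.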
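A second added example (again not part of the original post), for the monitoring point above: it runs simple detection logic over constructed CloudTrail records of the kind that can be streamed into CloudWatch Logs, producing SIEM-ready alerts for console logins without MFA, security groups opened to the world, and repeated AccessDenied errors from one identity. The user names, IP addresses, threshold and the exact record field layout are assumptions.

```python
import json
from collections import Counter
from typing import Dict, List

ACCESS_DENIED_THRESHOLD = 3   # alert once one identity hits this many AccessDenied errors

# Constructed CloudTrail records, one JSON object per line, as they would arrive in a
# CloudWatch Logs stream. Users, IPs and values are hypothetical; the field layout
# follows CloudTrail's record format as assumed here.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.9", "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"groupId": "sg-db", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
] + [
    {"eventName": "ListBuckets", "userIdentity": {"userName": "mallory"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"} for _ in range(3)
])


def detect(raw_log: str) -> List[Dict[str, str]]:
    """Apply three detection rules to newline-delimited CloudTrail JSON records and
    return SIEM-ready alerts (rule, user, detail)."""
    alerts, denied = [], Counter()
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        src = ev.get("sourceIPAddress", "")
        if ev.get("eventName") == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append({"rule": "console_login_without_mfa", "user": user, "detail": src})
        if ev.get("eventName") == "AuthorizeSecurityGroupIngress":
            params = ev.get("requestParameters", {})
            for perm in params.get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") == "0.0.0.0/0":
                        alerts.append({"rule": "security_group_opened_to_world", "user": user,
                                       "detail": f"{params.get('groupId')} port {perm.get('fromPort')}"})
        if ev.get("errorCode") == "AccessDenied":
            denied[user] += 1
    for user, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            alerts.append({"rule": "repeated_access_denied", "user": user, "detail": f"{n} denials"})
    return alerts
```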

Pick a Trusted App Sec Partner

While at the infrastructure and network layers you’ll have the expertise and guidance of AWS and your system integrators or cloud consultants, the concerns of the application layer require a specialized partner. Applications are multifaceted and constantly changing, and it is important that your application security partner has the ability to detect security issues in your applications, protect your applications against those issues, and continuously monitor the attacks coming in, by leveraging the flexible cloud environment AWS provides.

Source: Figure 1- http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.