Best Practices for Securing your AWS Infrastructure

  • On March 18, 2018

We all know about the incident that happened to Code Spaces back in 2014. The attack was one of many instances in which a secure code-hosting service provider was breached by an attacker. Despite Code Spaces’ attempts to stop the hackers, they were not able to secure their database. This resulted in the deletion of the Code Spaces resources hosted on AWS, compromising both their security and their files.

As one of the leading cloud service providers, AWS is certainly an attractive target for such hacking incidents too. That’s why AWS encourages users to fortify their defences in order to reduce cyber-attacks. With these best practices, your AWS infrastructure will be better protected from outsiders.

Familiarizing AWS’s Shared Responsibility Model

Every cloud provider has a shared responsibility model. Under AWS’s model, AWS is responsible for any breaches that happen within its own domain. As a user, it’s best that you familiarize yourself with this. You can check out AWS’s platform security updates for details. Their security model is designed to intercept hackers and immediately notify users if abuse or fraud is detected in the system.

Users, in turn, must keep their environment safe by configuring it securely. It is the user’s responsibility to keep their data away from possible danger while making sure that nothing is loosely shared outside, or even inside, the company.

Tightening your CloudTrail Security Configurations

CloudTrail is designed to let users monitor the activities going on in an AWS environment. Because it provides a detailed record of everything that is done, CloudTrail has long been one of the AWS services most targeted by hackers. The good thing is that users can tighten CloudTrail’s security configuration considerably. Here’s what you should do:

  • Enable CloudTrail for all AWS services and in all geographic regions. Doing this prevents gaps when you’re monitoring your activity logs.
  • Always turn on log file validation in CloudTrail. This lets you detect changes made to the logs after they have been delivered to the S3 bucket, which makes your AWS environment much safer.
  • Enable access logging on the S3 bucket that receives your CloudTrail logs too. Once enabled, you’ll see who is trying to access the bucket, so you can easily identify unauthorized requests and be notified of any unwanted ones.
  • Require multifactor authentication to delete the S3 bucket, and encrypt the CloudTrail log files stored in it.
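As an added example (not part of the original article), the following Python function checks a trail and its log bucket against the four items above, using the field names that boto3’s describe_trails, get_bucket_logging and get_bucket_versioning responses carry; the sample records and the KMS key ARN are constructed, not taken from a real account.

```python
def audit_trail(trail, bucket_logging, bucket_versioning):
    """Return a list of findings; an empty list means the trail passes.

    trail follows cloudtrail.describe_trails()["trailList"][i],
    bucket_logging follows s3.get_bucket_logging(), and
    bucket_versioning follows s3.get_bucket_versioning().
    """
    findings = []
    # 1. all regions and all services (global events such as IAM calls)
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not cover all regions")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events are not logged")
    # 2. log file validation detects tampering after delivery to S3
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    # 3. access logging on the bucket that receives the trail
    if "LoggingEnabled" not in bucket_logging:
        findings.append("S3 access logging is off for the log bucket")
    # 4. MFA Delete on the bucket and KMS encryption of the log files
    if bucket_versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is not enabled on the log bucket")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a KMS key")
    return findings


# Constructed sample (not from a real account): a trail left at its defaults
WEAK_TRAIL = {
    "Name": "management-events", "S3BucketName": "example-trail-logs",
    "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
    "LogFileValidationEnabled": False,
}
WEAK_LOGGING = {}                        # no LoggingEnabled block
WEAK_VERSIONING = {"Status": "Suspended"}

# Constructed sample: the same trail after applying the checklist above
HARDENED_TRAIL = dict(
    WEAK_TRAIL, IsMultiRegionTrail=True, IncludeGlobalServiceEvents=True,
    LogFileValidationEnabled=True,
    KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
)
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-access-logs"}}
HARDENED_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}

if __name__ == "__main__":
    print("weak:", audit_trail(WEAK_TRAIL, WEAK_LOGGING, WEAK_VERSIONING))
    print("hardened:", audit_trail(HARDENED_TRAIL, HARDENED_LOGGING,
                                   HARDENED_VERSIONING))
```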

Following the Identity and Access Management Service

This service limits what users can do in an AWS environment. An administrator can use it to decide which individuals or groups do, or do not, get access to resources and APIs. Here’s what you should do when setting up IAM:

  • You don’t have to grant access individually. To reduce hassle and unnecessary permissions, assign IAM policies to company roles or groups.
  • Give each person their own IAM identity when accessing a resource, so that any compromised or misplaced credentials can be traced without allowing unauthorized access.
  • Limit the administrative privileges of every IAM user and rotate your access keys on a daily basis. Grant administrative credentials only to a select few, and give them an expiration date as an extra measure.
  • Your IAM password policy should require a minimum of 14 characters, including at least one number, one symbol, and one uppercase letter. Also apply reset policies so that users notify you of any password breach attempts.
  • Lastly, activate multifactor authentication on each user’s account. This acts as an additional line of defense when an account is compromised by an attack.
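As an added example (not the article’s own code), this Python snippet checks an account password policy against the 14-character, number, symbol and uppercase requirements above, and flags users whose active access keys are older than the stated one-day rotation period or who have no MFA device; the key names follow boto3’s get_account_password_policy, list_access_keys and list_mfa_devices responses, and the user, key ids and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Password requirements from the list above; key names match
# boto3's iam.get_account_password_policy()["PasswordPolicy"].
REQUIRED_FLAGS = ("RequireNumbers", "RequireSymbols", "RequireUppercaseCharacters")
MIN_LENGTH = 14

def check_password_policy(policy):
    """Return the names of requirements the account password policy misses."""
    missing = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        missing.append("MinimumPasswordLength")
    missing.extend(flag for flag in REQUIRED_FLAGS if not policy.get(flag))
    return missing

def check_user(user_name, access_keys, mfa_devices, now, max_key_age=timedelta(days=1)):
    """Return findings for one user: stale active keys and missing MFA.

    access_keys follows iam.list_access_keys()["AccessKeyMetadata"];
    mfa_devices follows iam.list_mfa_devices()["MFADevices"].
    """
    findings = []
    for key in access_keys:
        age = now - key["CreateDate"]
        if key["Status"] == "Active" and age > max_key_age:
            findings.append(f"{user_name}: key {key['AccessKeyId']} is {age.days} days old")
    if not mfa_devices:
        findings.append(f"{user_name}: no MFA device enrolled")
    return findings

# Constructed sample data (not from a real account)
NOW = datetime(2018, 3, 18, tzinfo=timezone.utc)
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireNumbers": True,
               "RequireSymbols": False, "RequireUppercaseCharacters": True}
ALICE_KEYS = [
    {"AccessKeyId": "EXAMPLEKEYOLD", "Status": "Active",
     "CreateDate": datetime(2018, 3, 10, tzinfo=timezone.utc)},
    {"AccessKeyId": "EXAMPLEKEYNEW", "Status": "Active",
     "CreateDate": datetime(2018, 3, 18, tzinfo=timezone.utc)},
]
ALICE_MFA = []   # no device enrolled

if __name__ == "__main__":
    print("password policy missing:", check_password_policy(WEAK_POLICY))
    for line in check_user("alice", ALICE_KEYS, ALICE_MFA, NOW):
        print(line)
```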


Add Amazon Database Services

Your data storage services should be kept secure at all times. You can choose from database services such as Amazon RDS, Aurora, ElastiCache, Redshift, and the like. Here are ways to improve your database and data storage security:

  • Do not make your S3 buckets public; they should not be readable or writable by the public unless business purposes require it.
  • You can add Redshift to your database setup. It helps with auditing issues and running investigations on your database. Also make sure that you turn on the require_ssl parameter in your Redshift cluster to avoid possible MITM attacks.
  • Tighten access restrictions on your RDS instances to reduce the risk of DoS attacks and SQL injection.
  • Don’t forget to encrypt the data in your EBS volumes and RDS instances to add extra layers of security.
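As an added example (not part of the original article), the Python below parses an S3 bucket policy document for Allow statements open to everyone, reporting public read and public write separately as the first item above distinguishes them, and checks a Redshift parameter group for require_ssl; the policy documents, bucket name, account id and parameter list are constructed samples.

```python
import json

# Actions that make a bucket publicly readable or writable when granted to everyone
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:*", "*"}

def _grants_everyone(principal):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    return principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))

def public_access(policy_json):
    """Return {"read": bool, "write": bool} for a bucket policy document.

    policy_json is the string in s3.get_bucket_policy()["Policy"]. Allow
    statements carrying a Condition are still flagged, erring on the safe side.
    """
    result = {"read": False, "write": False}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        result["read"] |= bool(actions & READ_ACTIONS)
        result["write"] |= bool(actions & WRITE_ACTIONS)
    return result

def redshift_requires_ssl(parameters):
    """True when the cluster parameter group sets require_ssl=true.

    parameters follows redshift.describe_cluster_parameters()["Parameters"].
    """
    return any(p["ParameterName"] == "require_ssl" and p["ParameterValue"].lower() == "true"
               for p in parameters)

# Constructed samples (not from a real account)
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_DOWN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})
DEFAULT_REDSHIFT_PARAMS = [{"ParameterName": "require_ssl", "ParameterValue": "false"}]

if __name__ == "__main__":
    print("public-read policy:", public_access(PUBLIC_READ_POLICY))
    print("locked-down policy:", public_access(LOCKED_DOWN_POLICY))
    print("require_ssl on:", redshift_requires_ssl(DEFAULT_REDSHIFT_PARAMS))
```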

These are some of the best practices that you can apply in your AWS environment. Stay posted for the latest updates and services. The key to fully securing your database is applying these preventive measures and learning as much as you can about data security. If you want to know more about what Amazon recommends in regards to security guidelines, check the CIS AWS Benchmark.