AWS has a very granular set of security controls. AWS Security Hub should be enabled when deploying into AWS, and the environment should also be assessed against NIST, OWASP, CIS, CNCF, OpenSCAP (OSCAP) and other frameworks and benchmarks. Below is an example of the complexity involved in securing a production environment.
Planning, Architecting
A security strategy must be developed as soon as you consider moving to the cloud. Security spans every layer, from the OSI network layers up to identity and application code: RBAC, networking, firewalling, security groups, key management, SSH access (or deliberately none), bastion hosts and jump boxes, private links, secure endpoints, reverse proxies, gateways, monitoring and logging, S3, databases, data and code security, SAST, DAST, penetration testing, ransomware protection, backup and disaster recovery.
Use Cloud Native
Leveraging Amazon's built-in tools and AWS cloud security best practices not only reduces the amount of work your security team has to perform but also strengthens the defence of your environment with tested and reliable mechanisms.
Standardise, stop drift
Your security policy needs to be enterprise-wide across AWS accounts, credentials, roles, IAM users and groups. AWS Config should be used to detect configuration drift away from that policy, and CloudFormation (or another infrastructure-as-code tool) should be utilised to ensure commonality: resources are created from reviewed templates rather than by hand, and CloudFormation's own drift detection can show where a stack's live resources no longer match the template.
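The core of a drift check is a comparison of what the template declares with what the account actually contains. The following is an added example, not code from the original page or from AWS: it compares the ingress rules declared for a security group in a CloudFormation template with the rules reported for the live group, and flags rules that were added outside infrastructure-as-code. Both inputs are constructed samples; in practice the first comes from the template and the second from the ec2:DescribeSecurityGroups API, and AWS Config or CloudFormation drift detection does this across every resource type.

```python
# Added example (not from the original page): the core of a configuration
# drift check for one security group, comparing declared vs live ingress.

# Ingress as written in a CloudFormation template, already parsed to dicts
# (AWS::EC2::SecurityGroup -> SecurityGroupIngress). Constructed sample.
DECLARED_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.1.0.0/16"},
]

# What the EC2 API reports for the same group (IpPermissions shape, trimmed
# to the fields compared). Constructed sample: SSH from anywhere was added
# by hand, and the database rule was narrowed outside of CloudFormation.
LIVE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.1.2.0/24"}]},
]


def normalise(rules):
    """Flatten either shape to a set of (protocol, from_port, to_port, cidr) tuples."""
    out = set()
    for r in rules:
        proto = str(r.get("IpProtocol", "-1"))
        # "-1" means all protocols; the API omits the port fields in that case.
        frm = r.get("FromPort", 0) if proto != "-1" else 0
        to = r.get("ToPort", 65535) if proto != "-1" else 65535
        if "CidrIp" in r:                      # template shape: one CIDR per rule
            cidrs = [r["CidrIp"]]
        else:                                  # API shape: list of IpRanges
            cidrs = [x["CidrIp"] for x in r.get("IpRanges", [])]
        for cidr in cidrs:
            out.add((proto, int(frm), int(to), cidr))
    return out


def detect_drift(declared, live):
    """Return rules present only on the live resource and rules missing from it."""
    want, have = normalise(declared), normalise(live)
    return {
        "added_outside_iac": sorted(have - want),
        "missing_from_live": sorted(want - have),
    }


def risky_additions(drift):
    """Subset of the unmanaged rules that are open to the whole internet."""
    return [r for r in drift["added_outside_iac"] if r[3] in ("0.0.0.0/0", "::/0")]


if __name__ == "__main__":
    d = detect_drift(DECLARED_INGRESS, LIVE_INGRESS)
    print("added outside IaC   :", d["added_outside_iac"])
    print("missing from live   :", d["missing_from_live"])
    print("world-open additions:", risky_additions(d))
```

Both directions of drift matter: a rule added by hand (here, port 22 from 0.0.0.0/0) is the classic exposure, but a rule that no longer matches the template (the narrowed database CIDR) also means the template is no longer the source of truth, and the next stack update will silently revert it.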
Implement User Access Control
AWS access should be implemented through federated SSO (for example AWS IAM Identity Center) with strong passwords and MFA. In addition, unused credentials must be removed, and any remaining long-lived access keys need rotation at least once every three months; prefer short-lived role credentials over IAM user access keys wherever possible, so that there is no long-lived key to rotate or leak.
Define Password Policy
Credential attacks such as password spraying, brute force and credential stuffing are among the most common attacks cybercriminals undertake. Use long passwords produced by a generator or password manager, enforce multi-factor authentication, configure automatic lockout after several failed login attempts, and set a maximum password age (60 days or so is a common value, although NIST SP 800-63B advises against arbitrary periodic rotation and instead requires a change on evidence of compromise, so MFA and breach-list screening matter more than the rotation interval). Note that an IAM account password policy only governs IAM users' console passwords; with federated SSO the policy is enforced by the identity provider. PAM tooling can also be used.
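The user access control and password policy points above are checked in practice against the IAM credential report (aws iam get-credential-report, a base64-encoded CSV). The following is an added example, not code from the original page or from AWS: it parses a constructed report in the real column layout and flags console users without MFA, passwords older than the 60-day limit, access keys older than the 90-day rotation limit, and credentials that have gone unused for 90 days. The reference date is fixed so the output is reproducible; the threshold values are the ones the text gives.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report.
# Only the columns the checks below read are included; a real report
# carries more (user_creation_time, cert fields, access_key_*_last_used_region, ...).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-01T12:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-30T08:00:00+00:00,2024-03-01T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-29T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2024-05-20T08:00:00+00:00,2023-11-01T00:00:00+00:00,false,true,2023-09-01T00:00:00+00:00,2024-05-25T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,no_information,N/A,false,true,2024-01-01T00:00:00+00:00,2023-12-15T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,N/A
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _when(value):
    """Parse a report timestamp. The report uses N/A, no_information and
    not_supported for fields that do not apply to the row."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=90,
                            max_unused=90, max_password_age=60):
    """Return (user, finding) pairs for MFA gaps, stale keys and unused credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":          # console user
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            changed = _when(row["password_last_changed"])
            if changed and (now - changed).days > max_password_age:
                findings.append((user, f"password older than {max_password_age} days"))
            used = _when(row["password_last_used"]) or changed
            if used and (now - used).days > max_unused:
                findings.append((user, f"password unused for more than {max_unused} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > max_key_age:
                findings.append((user, f"access_key_{n} older than {max_key_age} days"))
            # A key that has never been used counts as unused since it was created.
            used = _when(row[f"access_key_{n}_last_used_date"]) or rotated
            if used and (now - used).days > max_unused:
                findings.append((user, f"access_key_{n} unused for more than {max_unused} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:12s} {finding}")
```

On the sample, alice only trips the password-age check, bob lacks MFA and has both a stale password and a stale key, and the svc-deploy service user has a key that is both past its rotation date and unused since December, which is the case to deactivate rather than rotate. The same checks exist as AWS Config managed rules (ACCESS_KEYS_ROTATED, IAM_USER_MFA_ENABLED, IAM_USER_UNUSED_CREDENTIALS_CHECK) for continuous enforcement.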
Make Data Encryption a Rule
Employ native AWS encryption tools: AWS KMS provides scalable key management (creation, rotation and auditing of key usage through CloudTrail), and S3, EBS, RDS and most other services can encrypt at rest with KMS keys. Use Secrets Manager (or SSM Parameter Store SecureString parameters) for database credentials, API keys and similar secrets, and AWS Certificate Manager for TLS certificates. Applications must never have passwords or access keys hard coded; they should read secrets at runtime from Secrets Manager or, better, use IAM roles so that no long-lived secret exists at all.
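Hard-coded credentials are cheap to catch before they reach a repository. The following is an added example, not code from the original page or from AWS: a small scanner that walks a constructed source file and reports AWS access key IDs (whose AKIA prefix and length are fixed by AWS), secret access keys assigned as literals, and generic hard-coded passwords, while leaving lines that read from the environment or Secrets Manager alone. The key pair in the sample is the placeholder pair used in AWS documentation, not a real credential; the password and secret-key patterns are heuristics and will need tuning for a real code base.

```python
import re

# Constructed source file to scan. The access key pair is the placeholder
# pair used throughout AWS documentation, not a live credential.
SAMPLE_SOURCE = '''\
import os
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "Sup3rSecretP@ss"
db_password_from_env = os.environ["DB_PASSWORD"]
secret = boto3.client("secretsmanager").get_secret_value(SecretId="prod/db/credentials")
'''

# Detection patterns. The access key ID format (AKIA + 16 uppercase
# alphanumerics) is fixed by AWS; the other two are heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret_access_key\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"),
    "hard_coded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\w*\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}


def redact(value):
    """Keep enough of the value to locate it in the file, never enough to use it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text):
    """Return (line_number, kind, redacted_value) for each probable hard-coded secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append((lineno, kind, redact(m.group(1))))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Run as a pre-commit hook or CI step, this catches the three literals on lines 4 to 6 and ignores lines 7 and 8, which fetch the values at runtime. Redacting the matched value in the report matters: a findings log full of plaintext secrets is itself a secret store.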
Backup and Recovery
AWS offers native solutions that are instrumental in backing up databases, storage volumes and file systems: AWS Backup for centralised, policy-driven backups across services, automated snapshots and point-in-time recovery in Amazon RDS, AWS Backup support for Amazon EFS, and AWS Storage Gateway for on-premises data. Test restores regularly, and keep at least one copy in a separate account or region, protected with AWS Backup Vault Lock, so that ransomware or a compromised account cannot delete the backups along with the data.
Documentation and diagram
The documents describing the company's security policies should be available to all stakeholders, which keeps them on the same page. Regular updates to keep abreast of the latest security practices are also mandatory. Diagram and document your security architecture, and ensure the diagrams are kept up to date alongside the infrastructure they describe.