AWS Network Security Features – best practices
Secure network access
- AWS endpoints are secured with HTTPS/TLS for secure communication
Built-‐in firewall
- Egress and ingress filtering of network traffic through VPC network ACLs
- Instances utilize security groups as built-‐in firewalls
Private subnets
- Private subnets for isolated private resources
- Ability to add IPSec VPN tunnel between on-‐premise and cloud VPC
End-‐to-‐end encrypted transmission
- Ability to add SSL/TLS endpoints on self-‐managed resources such as ELB
Dedicated connection option
- AWS Direct Connect provides a dedicated connection from on-‐premise to AWS. Both public and private IP access can be configured with AWS direct connect
Advanced cipher suites
- Available with services like ELB or CloudFront and also utilize Perfect Forward Secrecy to ensure data is not compromised even if the long term keys are
AWS Access Control
API request authentication
- Every API request is digitally signed using cryptographic hash function and the API users secrete access key
SSH access to instances
- Access to Linux instances have password authentication disabled by default and require the use of RSA key pair for accessing the instance
Unique users
- IAM allows each AWS user to have unique setup, API keys, and password policy. This ensures that users do not need to share passwords to access AWS resources and easy to maintain log trail of who performs certain API calls
Multi-‐factor authentication (MFA)
- Available for root and IAM users when used with CloudTrail, CloudWatch, and SNS
Fine-‐grained permissions for S3 buckets and objects
- ACLs to grant S3 bucket and object access to specific groups of users within other AWS accounts.
- IAM is used to grant permissions to bucket or object access to users within the same AWS account
Restricted viewer access to private CloudFront content
- Geo-‐restriction allows CloudFront to restrict access to requests originating from certain IP addresses
- Signed URLs create a temporary unique URL that expires at a specific time
Temporary IAM security credentials
- Grant temporary access to users and/or services that do not have normal AWS access.
- Credentials last from 1 to 12 hours and cannot be reused after expiration
Asset identification and configuration
- AWS CloudConfig monitors AWS resource configuration and changes
- Integrateswith SNS to send notifications of resource changes
- Does not support every AWS resource
Security logs
- Utilize CloudTrail service to monitor ALL api requests and the user/api keys that made the request
Resource and application monitoring
- CloudWatch integration with SNS allows for the monitoring of application logs on EC2 instances and the health of AWS resources
Fine-‐grained access logging for S3 buckets
- When configured, access logs for each object and access request will be provided
- Logs include request type, requested resource, requester’s IP, and time/date of the request
Automated identification of security gaps
- Trusted advisor is only for higher level accounts and is not available to all accounts
- Trusted advisor provides insights such as:
- Security
- Testing of opened reports
- Unrestricted access
- S3 Bucket permissions
- MFA on Root account
- IAM password policy
- RDS Security Group Access Risk
- CloudTrail logging
- Route 53 MX and SPF Resource Record Sets
- ELB Listener Security
- ELB Security groups
Backup and Replication
- EBS backups are stored automatically in multiple physical locations to create redundancy.
- EBS (snapshots) data backups will be encrypted if the EBS volume is encrypted
- Automatic snapshots of Redshift data
- Redshift snapshots are backed/stored by Amazon S3
- RDS database instance replication
- Multi-‐AZ failover, when enabled, provides synchronous replication to a standby in another AZ
- Object versioning in S3
- Automated and continuous archiving to Glacier
- Protection from accidental deletion of S3 objects
- Enabled S3 versioning MFA delete feature
- Each version to be deleted must be verified with MFA
- Seamless, secure backups for on-‐premise data
- AWS Storage Gateway
Data Encryption
Encrypted data storage
- The following services allow data to be encrypted: EBS, S3, Glacier, Redshift, SQLServer, and MySQL server
Centralized key management
- AWS Key Management Service provides a management feature for administrating keys for AWS services that utilize encryption at rest
- Dedicated, hardware-‐based crypto key storage
- CloudHSM, higher security on dedicated key storage hardware
Best Practices Summarised (high level)
- Keep the number of ports open on a security group limited and limit who can access them when available (for example limited for SSH port 22)
- Ensure that users are using IAM
- Utilize “least privilege” permission design and grant the least amount of privileges required
- Enforce password policy for IAM users
- Ensure RDS security groups are locked down and any data not being sent within the same region is utilizing HTTPS endpoints
- Enable CloudTrail logging in order to log all API calls and the accounts that make them
- Ensure proper ELB security permissions and take advantage of HTTPS/TLS when encryption is required
- Use IAM roles on EC2 instance
- Use policy conditions for extra security
- Rotate API keys no less than once a year