With over 1 million business customers [TechCrunch, 2015], it’s safe to say that AWS is being used ubiquitously by cloud-forward orgs. The benefits in efficiency and cost-savings are clear. But now there is growing concern around the security of AWS. There are a number of different techniques that you allow you to secure AWS and many can be quite complicated and expensive.
We’ve put together a short list of best practices for AWS security that everybody can do with a small budget and without expensive security experts. In our estimation, these are the basics that you need to be doing for your AWS security.
Why AWS Security Matters
We know that focusing on security can be an expensive and time consuming chore. Obviously, keeping AWS secure is worth it. But if you’re not careful you can end up spending more time on securing your AWS infrastructure than you do running your product or service from it.
That’s not the goal, but you do need to be secured. These best practices balance the need to be secure with being cost-effective and efficient with your time. Take the four steps below and you will dramatically reduce the chances of a security breach.
Best Practices for AWS Security
#1 Enable Multi-factor Authentication on AWS IAM –
AWS IAM is AWS’s web console to manage AWS. AWS IAM can give IT admins or sysadmins a way to adjust the infrastructure and give people the ability to setup instances, change permissions, and delete infrastructure. It’s incredibly powerful and in the wrong hands, they own your infrastructure.
A simple step to increase the security and help ensure that your AWS infrastructure stays in the right hands? Enable multi-factor authentication to AWS IAM.
#2 Lock Down AWS Security Groups –
What traffic can get in or out of your AWS infrastructure is important to protecting your AWS infrastructure. AWS Security Groups is effectively your firewall to your infrastructure. There are defaults that are helpful, but you are going to want to try and lock it down much more. Decide why you need inbound ports open and ensure that you keep those to an absolute minimum. The less traffic that you have entering the network, the better. Ideally, it would be at the absolute minimum.
#3 Keep Your AWS Instances Patched –
Like any of your other machines, you want to keep your AWS cloud servers patched. This still applies even if the systems aren’t really publicly accessible. The same goes if you’re only using the servers for test and dev. You still want them patched.
If your AWS servers aren’t current, there should be a very strong reason. It’s just too much of a risk and it is an easy solve. Leverage a SaaS-based patching solution such as Automox to cover your AWS cloud server patching.
#4 Tightly Control User Access –
Who has access to your AWS cloud infrastructure is a critical issue. Some organizations will tell you to use a bastion host or jump server. We’d advocate a much tighter method where you are controlling access on each system.
You are required to use SSH keys with AWS cloud servers, and that’s a great start. But you need a system to help control that access. Manually managing access and keys is a recipe for disaster. Controlling user access may be one of the most critical aspects of AWS security.
Many sysadmins will opt for using Chef or Puppet to automate their user management, but we suggest implementing a cloud directory service. This solution integrates identity management across your on-prem and cloud infrastructure, which means that you have a single identity across your on-prem systems, applications, and WiFi, as well as on your cloud servers. In addition, when a user is removed from your cloud directory, they are terminated everywhere ensuring that they can’t access your critical cloud servers. Directory-as-a-Service will help solve your user access problem for you.
More AWS Security Methods
There’s no doubt that we could give you twenty other security techniques that would be beneficial. The list would include web application firewalls, intrusion detection, audit logging, and much more. All of those are great and we wouldn’t deny their value.
But for the purposes of a short, must-have list of best practices, the four items above are at the top of the list. Lock down your user access with MFA and cloud identity management. Control what traffic can get to your AWS network, and make sure that all of your systems (and applications, too) are up-to-date. These are the basics that must be done. If you do a great job with them, you are dramatically changing your security posture for the better.
Of course, that doesn’t mean that you can stop and rest, but it does mean that you have taken care of the basics that will help make sure that you aren’t an easy target.
Want to Enact these Security Measures for AWS?
If you would like to learn more about how to enact these AWS security best practices without investing a ton of time and effort, drop us a note. JumpCloud is in the business of helping cloud-forward organizations achieve better identity management and security.
We also invite you to get started with our modern cloud IAM platform. With JumpCloud’s Directory-as-a-Service®, you can sign-up for an account here and your first 10 users are free forever.