By Greg Keller Posted December 24, 2014
Controlling access to Amazon Web Services (AWS) infrastructure is critical to ensuring that your most important infrastructure isn’t breached. Recent breaches, including that of Code Spaces (check out this NetworkWorld article for the story), highlight an organization’s increasing need to tightly control AWS user management, especially as companies move to place mission-critical applications and data onto cloud infrastructures like AWS. A company’s vigilance and cloud-based education are important as the sophistication and sheer number of cyber attacks grow. Moreover, AWS—while a highly secure infrastructure—leaves the actual security of server instances to its customers. In other words, it’s up to an organization’s IT admins to ensure security. Perhaps the most critical issue in this area is protecting access credentials to AWS and to the specific services utilized.
There are two levels of access that should be tightly controlled at AWS:
The main AWS account is the account that organizations are billed against; the master control for the AWS infrastructure. Think of this as the primary access to management consoles and APIs. AWS has taken great pains to tightly control access to the main AWS account. Their Identity and Access Management solution, or AWS IAM, is where organizations control access to the main account. Master administrators can ensure their users have specific levels of rights so that the right people can do the right things on the account. IAM can be populated by Active Directory or LDAP user stores so that AWS functions as an extension of the central directory.
Every organization should enable multi-factor authentication on the AWS master account. Multi-factor authentication requires users to input not only their username and password but also a second password “factor”. Generally, that second factor is sent as a PIN via text message to the master administrator’s mobile phone. This second step of authentication, though seemingly minimal, is powerful enough to have saved Code Spaces from going out of business.
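One way to check this across an account is to audit the IAM credential report for missing MFA. The script below is an added example, not code from the original post or from JumpCloud; the sample report is constructed (trimmed to the columns the check reads), and the check goes one step beyond the text by also flagging an active access key on the master (root) account, since console MFA does not protect API keys.

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report,
# trimmed to the columns this check reads. Account ID is a placeholder.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
"""

ROOT = "<root_account>"  # name the report uses for the master account row


def audit_credential_report(report_csv):
    """Return (user, finding) tuples for MFA-related gaps in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        has_key = "true" in (row["access_key_1_active"],
                             row["access_key_2_active"])
        if user == ROOT:
            # The master account always has a console password,
            # so a missing MFA device is always a finding.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            if has_key:
                findings.append((user, "root account has an active access key"))
        elif row["password_enabled"] == "true" and not mfa:
            # IAM user who can sign in to the console with a password alone.
            findings.append((user, "console password without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

For a real account, the CSV comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose content is base64-encoded and must be decoded before parsing.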
Individual AWS services are enabled via the console, but their access is controlled at the service level. For example, EC2 servers are given a root account, but then individual access to that server must be controlled by the customer. This is similar to AWS RDS. Since most people leverage the core compute infrastructure, it’s important to understand how to control access to those cloud-based servers. Most organizations take a simplistic approach to server user management by manually managing users or leveraging configuration automation tools such as Chef or Puppet. The risk with this approach is, of course, a terminated user still having access because of an error. Furthermore, it is time intensive.
There are two methods that help secure access to individual AWS services such as EC2. The first is to create a bridge, leveraging JumpCloud®, between your on-premise directory, such as Microsoft Active Directory, and AWS infrastructure. The second is to leverage a cloud-based Directory-as-a-Service® solution that gives you full control over your AWS services.
Both of these methods systematize the process of adding, modifying, and deleting user access for AWS services. A user that has been terminated is immediately removed from all AWS cloud servers. A new user is added to the right group to ensure that they only have access to what they need. Further, multi-factor authentication is leveraged at the server level to ensure that only the right admins have access. JumpCloud, which is a SaaS-based directory service, helps organizations tightly control access to individual AWS services.
Controlled Access To AWS Infrastructure Via JumpCloud
AWS has become a critical piece of infrastructure for any organization. It also has become a target for hackers. Leveling up your AWS access control is arguably the most critical step you can take toward protecting your applications and data. JumpCloud’s virtual identity provider can easily help control your access and give you the visibility you need. Drop us a note to chat about how to more tightly control access to your AWS infrastructure.