Information Security at Amazon Web Services
Joost Krapels
Amazon Web Services forms, together with Google Cloud and Microsoft Azure, the Big Three: the three largest cloud providers. Their clients store enormous amounts of data on these platforms, which makes the services vital to their businesses. To help with information security, Amazon provides many features and a large number of APIs. It has thousands of pages of documentation available, which can make it hard to find what one needs. In this article we give an overview of the most important AWS security and privacy guidelines, tools, and best practices.
Information provision at AWS
AWS is an incredibly large organization that processes data for over a million organizations, from SMEs to multinationals. This size makes it a valuable target for cybercriminals and puts it in the spotlight of lawmakers and law enforcement. For every service AWS provides, there is detailed documentation. Besides that, AWS also publishes detailed guidelines and best practices for governing the information security of all its services. This information is openly accessible on the many information hubs, but it is easy to miss and hard to find. We have made an overview of the most important resources and where to find them.
The main information hub for security at AWS is called the Security Center. The hub links to five main categories of information:
- Penetration Testing contains all the rules Amazon imposes on PEN-testing. Amazon is not against having its servers attacked by ethical hackers, but it does have strict guidelines for it.
- Security Bulletins is an overview of security and privacy notes from Amazon. It contains both security notifications/incidents and useful information.
- Resources is the full collection of papers, articles, and guidelines published by Amazon itself. Later in this article we give a structured overview of the most important documents.
- Compliance is the tab where Amazon provides all information about complying with national and international law. This is also where it addresses privacy-related matters.
- Partners is an overview of partner organizations that offer services integrated into or complementing AWS.
Luckily, AWS is not unaware of its large amount of documentation, and has published an overview of the top 10 most downloaded AWS security and compliance documents in 2017.
Security best practices
Amazon publishes whitepapers quite frequently, on topics ranging from cloud computing economics to individual products. They are categorized by subject, and the category of interest for information security is called Security and Compliance. In 2016 Amazon published a whitepaper called Security Best Practices, which is a good place to start.
Other interesting whitepapers are:
- Introduction to AWS Security (07/2015)
- Introduction to AWS Security Processes (06/2016)
- AWS security checklist (07/2015)
- Using AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities (07/2017)
- Security at scale: Logging in AWS (10/2015)
From the whitepapers and documentation, we have collected five easy steps to take to immediately improve your AWS security:
- Manage your AWS account. The main account you use to sign up for AWS should not be used for day-to-day work with AWS. This account has full access to everything, which is a security risk. By using the Identity and Access Management (IAM) feature, you can create users and groups that only have the permissions they need.
- With IAM in place, you can manage access to your S3 storage by only allowing certain users or groups to access certain buckets.
- Use AWS CloudTrail. Organizations using AWS often have many users, or even multiple accounts. AWS CloudTrail logs all activities performed, which can be a required security measure and is useful for auditing. CloudTrail is not free, but far from expensive. Similarly, S3 access logging is a quick and easy way to improve the security of your S3 usage.
- Request and perform a penetration test. Amazon's clients have to submit a form to request approval for a PEN-test, and may only test a select set of resources. More information and the request form can be found here. We have made an overview on our Dutch website of organizations that perform PEN-tests.
- Set up and configure the AWS Web Application Firewall. This feature allows for an incredible level of customization, but also has a pre-configured setup to get started. AWS WAF is one of the best tools to protect your cloud against the OWASP top 10 web application vulnerabilities.
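The first three steps above (least-privilege IAM permissions, bucket-scoped S3 access, and CloudTrail auditing) can be made concrete in a few lines. The following is an added example written for this article, not code from AWS or from the whitepapers: it builds an IAM policy document scoped to one bucket, flags Allow statements that use wildcards, and scans CloudTrail-style records for actions performed with the root account. The bucket name and the CloudTrail records are constructed sample values.

```python
import json

BUCKET = "example-finance-reports"  # constructed bucket name, not from the article


def bucket_scoped_policy(bucket, actions=("s3:GetObject", "s3:PutObject")):
    """IAM policy document that allows listing one bucket and the given
    object actions on that bucket only (the IAM least-privilege step)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
            {"Effect": "Allow", "Action": list(actions), "Resource": f"{arn}/*"},
        ],
    }


def overly_broad_statements(policy):
    """Return findings for Allow statements granting every action ('*' or
    'service:*') or every resource ('*'); these defeat bucket scoping."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if "*" in acts or any(a.endswith(":*") for a in acts):
            findings.append(f"statement {i}: wildcard action")
        if "*" in res:
            findings.append(f"statement {i}: wildcard resource")
    return findings


# Constructed CloudTrail records reduced to the fields used here; not real logs.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2018-03-01T08:12:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2018-03-01T08:13:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2018-03-01T09:00:00Z", "eventName": "CreateBucket",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
]


def root_account_events(records):
    """(eventTime, eventName) for every action taken with the root account,
    i.e. use of the sign-up account that step 1 says should not be used."""
    return [(r["eventTime"], r["eventName"]) for r in records
            if r.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    print(json.dumps(bucket_scoped_policy(BUCKET), indent=2))
    print(overly_broad_statements({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}))
    print(root_account_events(CLOUDTRAIL_RECORDS))
```

Running the linter over a real policy exported from the IAM console gives the same wildcard findings, and the root-account check can be pointed at the records in a CloudTrail log file once its JSON is loaded.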
In the open special interest LinkedIn group Information Security NL we like to discuss the latest news on privacy and security. This article has been posted there as well, and we are curious about your take on the situation. Information Security NL is a free initiative for sharing knowledge on information security. Did you find it useful? Please let us know.
Image credit: @ngilfanov via Unsplash
Joost Krapels has completed his BSc. Lifestyle Informatics (Artificial Intelligence) and MSc. Information Sciences at the VU Amsterdam. During his Master study he evaluated several compliance tools for GDPR compliance and interviewed business owners about the impact of the GDPR. Within ICT Institute, Joost provides IT advice to clients, advises clients on Privacy, improves our GDPR tools and templates, and helps develop the Security Verified standard.