Volg ICTI

Information Security at Amazon Web Services

| Joost Krapels | Security

Amazon Web Services forms, together with Google Cloud and Microsoft Azure,  The Big Three; the three largest cloud providers. Their clients store tons of data, making the web services vital to their company. To help with information security, Amazon provides many features and allows for a lot of APIs. They have thousands of pages of information available, which can make it a bit hard to find what one needs. In this article we provide an overview of the most important AWS security and privacy guidelines, tools, and best practices.

Information provision at AWS

AWS is an incredibly large organization that processes data for over a million organizations, from SME’s to multinationals. This large size makes them a valueable target to cybercriminals, and puts them in the spotlights of lawmakers and -enforcers. For all services AWS provides, they have detailed documentation. Besides that, they also have detailed guidelines and best practices for governing information security of all services. This information can be openly accessed on the many information hubs, but can be easy to miss and hard to find. We have made an overview of the most important resources, and where to find them.

The main information hub for security at AWS is called the Security Center. The hub links to five main categories of information:

  • Penetration Testing contains all the rules Amazon puts on PEN-testing. Amazon is not against having their servers attacked by ethical hackers, but they do have strict guidelines for it.
  • Security Bulletins is an overview of security and privacy notes from Amazon. It contains both security notifications/incidents and useful information.
  • Resources is the full collection of papers, articles, and guidelines published by Amazon themselves. Later in this article we will have a structured overview of the most important documents.
  • Compliance is the tab where Amazon provides all information about complying with national and international law. This is also the place they attend to privacy related matters.
  • Partners is an overview of partner organizations that offer services integrated in- or complementing AWS.

Luckely AWS is not completely unaware of their large amount documentation, and have published an overview of the top 10 most downloaded AWS security and compliance documents in 2017.

Amazon also offers a few free and paid courses, such as AWS security fundamentals and security operations on AWS. You can find them at the bottom of the Resources tab.

Security best practices

Amazon brings out whitepapers quite frequently, on topics ranging from cloud computing economics to products. They are categorized by subject, and the interesting category for information security is called Security and Compliance. In 2016 they published a whitepaper called Security Best Practices, which is a good place to start.

Other interesting whitepapers are:

Our advice

From the whitepapers and documentation, we have collected five easy steps to take to immediately improve your AWS security:

  1. Manage your AWS account. The main account you use to sign up for AWS should not be used to work with AWS. This account has full access to everything, which is a security risk. By using the Identity and Access Management (IAM) feature, you can create users and groups that only have the permissions they need.
  2. With IAM in place, you can manage your S3 database access by only allowing certain users or groups to access certain buckets.
  3. Use AWS CloudTrail. Organizations using AWS often have many users, or even multiple accounts. AWS CloudTrail logs all activities performed, which can be a required security measure and is useful for auditing. CloudTrail is not free, but far from expensive. Similarly, access logging is a quick and easy way to improve S3 database usage security.
  4. Request and perform a penetration test. Amazon’s clients have to submit a form to request approval for a PEN-test, and may only test a select set of resources. More information and the request form can be found here. We have made an overview on our Dutch website of organizations that perform PEN-tests.
  5. Set up and configure the AWS Web Application Firewall. This feature allows for an incredible level of personalization, but also has a pre-configured setup to get started. AWS WAF is one of the best tools to protect your cloud against the OWASP top 10 web application vulnerabilities.

Discussion

In the open special interest LinkedIn group Information Security NL we like to discuss the latest news on privacy and security. This article has been posted there as well, and we are curious about your take on the situation. Information Security NL is a free initiative for sharing knowledge on information security. Did you find it useful? Please let us know.

Image credit: @ngilfanov via Unsplash

Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.