This article is the second post in our five-part series on security in the cloud today. In Part 1, we discussed what you need to focus on when developing your cloud security strategy, along with some controls you should consider and the best approach for implementing them. The rest of the series aims to explore the security tools and services delivered by the three leading cloud platforms—Azure, GCP and AWS.
Here in Part 2, we’ll focus on the features and limitations of the security solutions offered by Amazon Web Services (AWS). We’ll cover network security, cloud security posture management, cloud workload protection platforms, vulnerability management, container security, and SIEM, along with some additional tools AWS offers to ensure cloud security for your workloads.
So, let’s dive right in.
AWS uses a networking model that is very close to on-premises networks. It uses concepts, terminology, and a virtual network topology that resembles what is typically found in on-site server rooms, meaning network engineers will find themselves in a familiar environment and be able to get to work quickly.
AWS implements the Virtual Private Cloud (VPC), roughly equivalent to an entire on-premises network, as the top level of its networking hierarchy. Below it sit subnets, which are segments of a VPC that use non-overlapping CIDR blocks, and route tables, which are associated with subnets and direct or deny the flow of network traffic. You control the routing from subnet to subnet and from each subnet to and from the internet, so you can configure your route tables to enforce strict segregation of workloads.
AWS also provides tools that are akin to network firewalls: Security Groups (SGs), which work at the level of network interfaces, and Network Access Control Lists (NACLs), which work at the subnet level. SGs can be used to further restrict traffic within a subnet and only allow traffic based on a destination port number and source (either IP address or another security group). Meanwhile, NACLs are stateless and can be used to explicitly deny traffic—not possible with SGs. However, aside from this additional feature, NACLs aren’t that useful if you already use SGs.
Note: The fact that you can specify an SG as an allowed source of traffic to another SG is very powerful and allows you to semantically build your authorized traffic paths, instead of painstakingly working out your various CIDR blocks.
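To make the difference between the two filters concrete, here is a small model of how a packet is evaluated against a security group and a network ACL. This is an added illustration written for this article, not AWS code; the rule shapes are simplified, and the topology (a web tier in 10.0.1.0/24 with group sg-web, an app tier in 10.0.2.0/24 with group sg-app) is constructed. The semantics it models are the ones the text describes: a security group is allow-only and can name another security group as a source, while a NACL is a numbered, stateless list that can deny explicitly. Because the NACL is stateless, the model also checks the reply packet against the outbound NACL, which is where an ephemeral-port rule is easy to forget.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SgRule:
    port: int       # destination port (single port, for brevity)
    source: str     # a CIDR such as "10.0.1.0/24" or a group id such as "sg-web"


@dataclass
class SecurityGroup:
    sg_id: str
    ingress: list = field(default_factory=list)


@dataclass
class NaclRule:
    number: int     # evaluated in ascending order; first match wins
    action: str     # "allow" or "deny" (NACLs, unlike SGs, can deny explicitly)
    cidr: str
    port_from: int
    port_to: int


def sg_allows(sg, src_ip, src_sg, dst_port):
    """Security group check: allow-only, so the packet is dropped unless some
    ingress rule matches. A source may be an IP range or another SG; for an
    SG source, the sender's group membership decides, not its address."""
    for rule in sg.ingress:
        if rule.port != dst_port:
            continue
        if rule.source.startswith("sg-"):
            if src_sg == rule.source:
                return True
        elif ip_address(src_ip) in ip_network(rule.source):
            return True
    return False


def nacl_decides(rules, ip, port):
    """Network ACL check: stateless, numbered rules, first match wins, and the
    implicit final rule denies anything no other rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if ip_address(ip) in ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"


def flow_allowed(src_ip, src_sg, src_port, dst_sg, dst_port, nacl_in, nacl_out):
    """Decide whether a TCP connection completes: the SYN must pass the
    destination subnet's inbound NACL and the destination SG; the reply must
    pass the outbound NACL on its own (stateless), while the SG tracks
    connection state and lets the reply through without a rule."""
    if nacl_decides(nacl_in, src_ip, dst_port) != "allow":
        return "blocked by inbound NACL"
    if not sg_allows(dst_sg, src_ip, src_sg, dst_port):
        return "blocked by security group"
    if nacl_decides(nacl_out, src_ip, src_port) != "allow":
        return "reply blocked by outbound NACL"
    return "allowed"


# Constructed sample topology (assumed for this example, not from the article).
SG_WEB = SecurityGroup("sg-web", [SgRule(443, "0.0.0.0/0")])
SG_APP = SecurityGroup("sg-app", [SgRule(8080, "sg-web")])   # source is an SG, not a CIDR

APP_NACL_IN = [
    NaclRule(90, "deny", "10.0.1.50/32", 0, 65535),     # explicit deny of one host
    NaclRule(100, "allow", "10.0.1.0/24", 8080, 8080),
]
APP_NACL_OUT = [NaclRule(100, "allow", "10.0.1.0/24", 1024, 65535)]  # replies to ephemeral ports
APP_NACL_OUT_MISSING = []   # the common mistake: no return-traffic rule at all


def demo():
    """Run four flows against the sample topology and return their verdicts."""
    return {
        "web->app": flow_allowed("10.0.1.10", "sg-web", 40000, SG_APP, 8080, APP_NACL_IN, APP_NACL_OUT),
        "other->app": flow_allowed("10.0.1.11", "sg-other", 40001, SG_APP, 8080, APP_NACL_IN, APP_NACL_OUT),
        "denied-host->app": flow_allowed("10.0.1.50", "sg-web", 40002, SG_APP, 8080, APP_NACL_IN, APP_NACL_OUT),
        "no-return-rule": flow_allowed("10.0.1.10", "sg-web", 40003, SG_APP, 8080, APP_NACL_IN, APP_NACL_OUT_MISSING),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The second flow shows the point of the note above: a host in the same subnet with the same address range is refused by sg-app simply because it is not a member of sg-web, with no CIDR arithmetic involved. The last flow shows the cost of statelessness: the SYN is accepted, but without an outbound rule for ephemeral ports the reply never leaves the subnet.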
Web Application Firewall
AWS offers its own Web Application Firewall (WAF). A web application firewall inspects the HTTP traffic between clients (usually on the internet) and web servers. It monitors and filters this traffic in order to protect a web application from certain attacks, such as SQL injection, cross-site scripting, and many others. AWS WAF integrates seamlessly with other AWS services that provide ingress from the internet, namely Elastic Load Balancing, Amazon API Gateway, and CloudFront. But remember, you can’t use AWS WAF directly in front of an EC2 instance.
AWS WAF allows you to create your own WAF rules, but it also provides some Managed Rules that let you simply and easily address common threats, such as the OWASP Top 10 security risks. Finally, Firewall Manager simplifies the management of AWS WAF and VPC security groups and can do so even across multiple AWS accounts.
AWS Shield in its Standard form is enabled by default and protects most of your AWS components from the most common DDoS attacks. AWS Shield Advanced offers more advanced DDoS attack protection and mitigation; for example, it automatically sets rules on NACLs and allows you to defend EC2 instances that are directly exposed to the internet.
Cloud Security Posture Management (CSPM)
Enforcement of Security Policies and Configuration
AWS Config is a very useful tool that should at least be evaluated as part of your CSPM strategy. It continuously monitors all of your AWS resources and records every change to their configuration.
This tool can then compare the detected resource configurations against rules and send you an alert and/or take automated remedial actions. You can use pre-defined rules created by AWS (for example, no publicly exposed port 22 [SSH]), or you can define your own custom rules. AWS Config also helps you make sure that your AWS workload complies with certain standards (such as HIPAA or PCI).
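The pre-defined rule mentioned above (no port 22 exposed to the internet) is a good model for a custom rule, because custom rules are ordinary Lambda functions that receive a configuration item and report COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back to Config. The handler below is an added example written for this article, not AWS's managed rule; it assumes the custom-rule contract as the author understands it (the event carries invokingEvent as a JSON string whose configurationItem uses camelCase fields such as ipPermissions, ipRanges and cidrIp, and results are posted with put_evaluations). The evaluation logic is kept separate from the SDK call so it can be exercised on the constructed sample item without AWS access.

```python
import json

PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"


def _ports(perm):
    """Port range of one permission entry; protocol -1 (all traffic) or a
    missing range covers every port."""
    if perm.get("ipProtocol") == "-1" or perm.get("fromPort") is None:
        return 0, 65535
    return perm["fromPort"], perm["toPort"]


def public_ssh_rules(ip_permissions):
    """Describe every ingress rule that lets TCP/22 (or all traffic) in from anywhere."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = _ports(perm)
        if not (lo <= 22 <= hi):
            continue
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in (PUBLIC_V4, PUBLIC_V6):
                findings.append(f"{proto} {lo}-{hi} from {cidr}")
    return findings


def evaluate(configuration_item):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    perms = configuration_item.get("configuration", {}).get("ipPermissions", [])
    findings = public_ssh_rules(perms)
    if findings:
        return "NON_COMPLIANT", "SSH open to the internet: " + "; ".join(findings)
    return "COMPLIANT", "no ingress rule exposes port 22 publicly"


def lambda_handler(event, context):
    """Entry point invoked by AWS Config. boto3 is imported here so the
    evaluation logic above stays importable without the AWS SDK installed."""
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],     # Config limits annotations to 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample configuration item (field names assumed from the Config contract):
# HTTPS from anywhere is fine; SSH from 10.0.0.0/8 is fine; SSH from 0.0.0.0/0 is not.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ]
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ITEM))
```

Two details matter in practice: a rule with protocol -1 or a port range that merely includes 22 is just as exposed as an explicit port-22 rule, so the check works on ranges rather than exact matches, and a deleted resource must be reported as NOT_APPLICABLE rather than left as a stale NON_COMPLIANT finding.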
Runtime Security Assessments
AWS Inspector performs security assessments at runtime on EC2 instances. Such assessments are helpful from a CSPM perspective, detecting potential security issues and allowing developers and DevOps engineers to fix them quickly.
AWS Security Hub can also help with CSPM: it automates continuous security checks and resource-configuration checks. This is typically done as part of a compliance program to bring a workload in line with standards such as PCI and CIS, but the same checks can serve a CSPM strategy as well.
AWS Systems Manager Patch Manager allows you to define the patches that must be present on your Linux and Windows instances. Once configured, Patch Manager works in the background to ensure the selected instances have the correct patches. Configured properly, it keeps your instances’ operating systems patched against known vulnerabilities; having said this, Patch Manager can be quite cumbersome to work with, because the patches and target machines must be selected manually. It does offer pre-defined configurations, but they probably won’t cover your particular use case.