AWS penetration testers call this process hardening. In layman terms, these AWS security best-practices are an important part of ensuring that your AWS account is as fortified as possible.
Because we all know that one mistake or lapse in your AWS security can impact a lot of your users, your team and your reputation as a business and tech professionals.
Without a doubt, AWS cloud security is a complex topic. It encompasses many different cloud services and technologies and includes policies, guidelines and procedures around these services, technologies and data.
The best way to optimize your cloud infrastructure security posture is by running a scan using a best-in-class Cloud Security Posture Management tool like Cyber Chief Raider.
It is not just something you can pick up overnight. It requires a lot of planning, preparation and tools to implement. That's why the 45 best practices you find below will be a great stepping stone to helping you secure your AWS resources.
Is AWS security good?
Yes, AWS has a lot of security features, which include encrypted data transfers, access control, key management and security groups.
You can restrict who has access to your instances, and you can also set up firewalls to block access to your AWS infrastructure.
However, while AWS itself is secure, the security of YOUR AWS account itself is left to you and the strength of your security practices.
For example, if an attacker gets hold of your login credentials, AWS keys or other exploits insecurely configured services and permissions, they might be able to access everything you have, including sensitive data.
Think of it this way: your car's manufacturer could equip your car with the most advanced GPS-tracked, anti-theft, missile-guided, biometric enabled car security system. But if you forget to take the keys with you and leave the ignition on, then all of those systems are going to be useless.
Your AWS environments follow a similar principle. At the end of the day, it's up to you to ensure that your security and compliance practices follow best practice standards.
That's why our list of 47 critical AWS security activities below will help you do this.
Which security tasks are the responsibilities of AWS?
Security is a vital part of the cloud, but it's not just a responsibility of AWS. It's the responsibility of you as someone who builds products that use the cloud.
The primary responsibility of Amazon Web Services is to provide security to ensure that their core infrastructure is not hacked and that when one of their clients is hacked, that the attacker isn't able to access other clients' data and AWS accounts.
To do this AWS provides a number of cloud security tools, managed services and other resources to give you, their customer, the best possible security controls at your fingertips. Some of these are even free so that you can maintain the highest levels of cloud security and data security.
While AWS provides a number of ways to secure your AWS resoure, ultimately it is up to you, the user, to be aware of the risks and how to mitigate them.
AWS is not responsible for configuring your web application firewall. They are not responsible for making sure that you do not expose ports in your firewall. They are not responsible for setting up your security groups. They are not responsible for activitating and watching a security monitoring service. They are not responsible if you do not have MFA for your root account and IAM account. They are not responsible for...you get the drift, right?
Is AWS responsible for securing my web application, mobile application & cloud servers?
AWS, despite being one of the best managed cloud platforms in the world - is not responsible for securing your web application, mobile application and cloud servers. You are responsible.
Just so I'm clear and that you are left in no doubt: AWS expects YOU to take responsibility for securing your Amazon RDS datbases, Amazon EC2 instances, Amazon S3 buckets and every other AWS service you use and the data and applications you store on those services.
AWS is not Santa Clause and it's definitely not your minion. AWS is an infrastructure provider, which means all the hard work of cloud security is your responsibility.
AWS does provide you with several tools to help you secure your servers and applications, but it all comes down to you implementing cloud security best practices in the first place.
Once done, you have to then ensure that each of your AWS environments maintains those security best practices irrespective of the number of people in your team or the AWS services you consume.
Later in this article I will tell you about the AWS vulnerability scanning tool that will help you maintain strong security controls on your account. But first, let's do the groundwork.
What are AWS best practices?
AWS best-practices are (highly recommended) actions that you should take if you and/or your team use AWS services to host, build, manage and grow your cloud software solutions.
The foundations of AWS cloud security best-practices are split into 4 main categories:
- Identity and Access Management (IAM)
- Logging events
- Networking restrictions
- Monitoring activities on your account
Which AWS security tasks are a user's responsibilities?
As an AWS account admin you should feel comfortable that your AWS environments and everything within it, including your sensitive data and IP, is your responsibility to protect.
Once you make this mindset shift, it will become a lot easier to handle the work of actually securing and maintaining the security of your AWS account.
You as an AWS user or admin should undertake at least these steps to secure your AWS account:
AWS Identity and Access Management (IAM) best practices
- Avoid the use of the "root" account
- Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - there is no easy way to do this, but this AWS documentation about enforcing MFA will help you.
- Ensure credentials unused for 90 days or greater are disabled
- Ensure access keys are rotated every 90 days or less
- Ensure IAM password policy requires at least one uppercase letter
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires minimum length of 14 or greater
- Ensure no root account access key exists
- Ensure MFA is enabled for the "root" account
- Ensure security questions are registered in the AWS account
- Ensure IAM policies are attached only to groups or role
- Enable detailed billing
- Maintain current contact details
- Ensure security contact information is registered
- Ensure IAM instance roles are used for AWS resource access from instances
AWS event logging best practices
- Ensure CloudTrail is enabled in all regions
- Ensure CloudTrail log file validation is enabled
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- Ensure CloudTrail trails are integrated with CloudWatch Logs
- Ensure AWS Config is enabled in all regions
- Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- Ensure rotation for customer created CMKs is enabled
AWS networking best practices
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- Ensure VPC flow logging is enabled in all VPC
- Ensure the default security group of every VPC restricts all traffic
- Ensure each of your services only sends encrypted data outside your VPC
- Ensure encryption is turned on by default for all S3 buckets
AWS account monitoring best practices
- Enable a log metric filter and alarm for unauthorized API calls
- Enable a log metric filter and alarm for Management Consolesign-in without MFA
- Enable a log metric filter and alarm for usage of "root" account
- Enable a log metric filter and alarm for IAM policy changes
- Enable a log metric filter and alarm for CloudTrail configuration changes
- Enable a log metric filter and alarm for AWS Management Console authentication failures
- Enable a log metric filter and alarm for disabling or scheduled deletion of customer created CMKs
- Enable a log metric filter and alarm for S3 bucket policy changes
- Enable a log metric filter and alarm for AWS Config configuration changes
- Enable a log metric filter and alarm for security group changes
- Enable a log metric filter and alarm for changes to NetworkAccess Control Lists (NACL)
- Enable a log metric filter and alarm for changes to network gateways
- Enable a log metric filter and alarm for route table changes
- Enable a log metric filter and alarm for VPC changes
- Run an AWS vulnerability scanning tool to ensure that your best practice security controls remain in place
- Ask your highly rated penetration testing company to perform an AWS network penetration test on your AWS accounts, at least annually
Which tool can automatically find AWS security vulnerabilities?
Whether you’re a cloud novice or a seasoned cloud veteran, it’s important to understand security in the cloud. It’s not enough to know what to do; you need to know what to do first and how to do it in a cost-effective, sustainable and scaleable way.
That’s where we come in. The Audacix certified AWS penetration testing team is here to help you understand the security basics of the AWS Cloud and how to build security into your applications.
But these days, that's not enough, because you need to ensure that AWS security best practices are followed every day by your team.
That's why our AI-powered Cyber Chief web application automated penetration testing tool is also an AWS vulnerability scanning tool. It has an automated AWS security and compliance feature that helps you maintain security best practices across your AWS infrastructure, irrespective of the AWS services you use.
It assesses your AWS environment for compliance with the best-practice CIS security framework and alerts you when a vulnerability is found. It has your back so that you can sleep easier at night, even if you don't have in-house security teams.
Can any vulnerability scanning tool find AWS security vulnerabilities?
To be completely honest, most vulnerability scanners are not as effective as they should be. Too many vulnerability scanners try to do it all and end up loading you with false positives and frustrating your efforts to improve your security resilience.
While this might better than nothing, it is not enough to secure your systems.
You need a vulnerability scanning tool that can not only finds vulnerabilities but also help you apply security best practices in your infrastructure. This could be in the form of code snippets or step-by-step instructions to perform in your AWS account.
That's why we built Cyber Chief. It does all of the above and helps software teams ensure that their web applications, APIs, sensitive data, cloud infrastructure and AWS accounts are as secure as they should be.
How does AWS penetration testing help me implement best practice security controls?
The Audacix certified AWS penetration testing team works like your remotely accessible security team to help you baseline and maintain the highest levels of AWS cloud security.
AWS penetration testing, like any other technology-based security testing, is geared towards compliance and regulatory requirements.
Audacix's AWS certified penetration testers perform various security tests on your AWS environment using the most appropriate and best practice framework.
The result of the testing is a report that specifically pinpoints the vulnerabilities present in the AWS architecture.
The biggest difference between Audacix's AWS penetration testers is that they can not only help you find vulnerabilities in your AWS cloud infrastructure, but they can also help you fix them!
What if I need help in implementing AWS cloud security best practices?
This a more common question than you might think! I get it, security in cloud computing is not always easy.
Sometimes you just need someone to hold your hand through the process so that you can prepare to fly later.
That's exactly what Audacix offers through its various AWS network penetration testing services. Grab your free consult and quote to see if they can help you take control of your AWS security.