AWS Cloud Security
Security is at the forefront of any online business today, and on the Amazon Web Services Cloud, security is job zero. This is perhaps the top reason to adopt the AWS Cloud for your business. Keep an eye on the AWS security page to stay on top of the most common security issues on AWS and their solutions.
You may already have enforced the basic AWS cloud security best practices. However, since large numbers of resources are launched and modified in your AWS cloud infrastructure every day, there is a good chance that some vital best practices have been missed. There will be opportunities to implement new security measures as well as to tweak your existing security plan. Doing so will ensure your AWS Cloud infrastructure runs smoothly and is fully protected from serious threats and data breaches.
Amazon VPC enables customers to provision their resources in a logically segregated section of the AWS cloud. This section is completely isolated from those of other customers and lets users select their own IP address ranges, subnets, and gateways. With Amazon VPC, the AWS cloud can be used to securely extend on-premises resources. It also lets you deny internet access to database and application servers while allowing it for web servers.
Amazon VPC can enhance cloud security using features such as the following.
Security Groups
A security group acts as a virtual firewall that controls the inbound and outbound traffic for one or more instances. You associate a security group with each instance at launch. An instance with a port open to the public internet, or to a broader IP range than it needs, is exposed to data breach. To avoid such exposure, we recommend keeping open only the ports that are needed, and only to the relevant IP ranges and security groups.
Network Access Control Lists
A network access control list (ACL) is an optional extra line of defense for your VPC and is configured at the subnet level. The default ACL allows all inbound and outbound traffic, both IPv4 and IPv6, through your subnet.
If your AWS EC2 instances don't have API termination protection enabled, an automated process could terminate machines by accident. It is recommended to enable termination protection for all mission-critical EC2 instances running in your AWS cloud account. This is a good EC2 security best practice.
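To make the security group recommendation above concrete, here is a small Python audit that walks security group rules and flags anything reachable from the whole internet on a port other than the ones you expect to be public. This is an added example, not code from the original article or from AWS; SAMPLE_GROUPS is constructed data shaped like the output of `aws ec2 describe-security-groups` (the group ids, names and CIDRs are made up), and the assumption that only ports 80 and 443 may be public is a web-tier choice you would adjust.

```python
"""Flag security group rules that expose ports to the whole internet.

SAMPLE_GROUPS is constructed data shaped like the output of
`aws ec2 describe-security-groups` (boto3: describe_security_groups());
the group ids, names and CIDRs are made up for this example.
"""
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
# Assumption: this is a web tier, so HTTP/HTTPS may be public; nothing else.
PUBLIC_OK_PORTS = {80, 443}

SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-0web00000000001",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}],
             "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        ],
    },
    {
        "GroupId": "sg-0db000000000002",
        "GroupName": "db-tier",
        "IpPermissions": [
            # SSH from anywhere: a finding.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
            # MySQL only from the app subnet: fine.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            # All protocols and ports from anywhere: the worst case.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
]


def rule_ports(perm: Dict) -> Tuple[int, int]:
    """Port range covered by a rule; protocol -1 (all) carries no ports and means everything."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def is_world_open(perm: Dict) -> bool:
    """True if any source CIDR on the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_world_open_rules(groups: List[Dict], ok_ports=PUBLIC_OK_PORTS) -> List[Dict]:
    """Inbound rules reachable from anywhere on anything other than a single allowed port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not is_world_open(perm):
                continue
            low, high = rule_ports(perm)
            if low == high and low in ok_ports:
                continue  # e.g. 443 open to the world on a web tier is expected
            findings.append({
                "GroupId": group["GroupId"],
                "GroupName": group.get("GroupName", ""),
                "Protocol": perm.get("IpProtocol"),
                "PortRange": (low, high),
            })
    return findings


def tightened_rule(perm: Dict, allowed_cidrs: List[str]) -> Dict:
    """Copy of a rule with its sources replaced by the given CIDRs (the fix for a finding)."""
    fixed = dict(perm)
    fixed["IpRanges"] = [{"CidrIp": cidr} for cidr in allowed_cidrs]
    fixed["Ipv6Ranges"] = []
    return fixed


if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): protocol {f['Protocol']} "
              f"ports {f['PortRange'][0]}-{f['PortRange'][1]} open to the world")
    # Restrict the SSH rule to a bastion/office range instead (made-up CIDR).
    print(tightened_rule(SAMPLE_GROUPS[1]["IpPermissions"][0], ["203.0.113.0/24"]))
```

Against a real account you would pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` in place of SAMPLE_GROUPS. Note that the check treats a protocol of `-1` as every port, since such rules have no `FromPort`/`ToPort` fields at all; forgetting that case is the most common way an audit like this misses the worst rule in the account.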
Use EBS Encryption
EBS stands for Elastic Block Store and is used to store persistent data for your EC2 instances. Think of it as a hard drive attached to your EC2 instance. EBS differs from S3 in that it can only be used in conjunction with EC2. The huge upside of EBS encryption is that you can turn it on with no performance penalty, and enabling it only requires selecting a checkbox. If anyone ever gets access to a volume you previously used, they cannot read the data on it without the key.
Have only one SSH key per person, and never create shared SSH keys
It’s best to have only one key per person, even across different laptops and desktops. When you upgrade your laptop, don’t generate a new SSH key; instead, transfer the old one to the new laptop and delete it from the old one.
Never, ever, create a shared SSH key for multiple people to use.
Don’t use expired certificates
Avoid using expired SSL/TLS certificates: they may no longer be compatible with AWS services, leading to errors for custom applications and hurting productivity and overall security.
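Expiry is easy to check before it causes an outage. The following is an added example (not code from the original article) that classifies certificates as expired, expiring soon or fine, working on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. SAMPLE_CERTS, the host names and the fixed reference time are constructed for reproducibility, and the 30-day renewal window is an assumption.

```python
"""Check certificate expiry in the format returned by ssl.SSLSocket.getpeercert().

SAMPLE_CERTS is constructed: three made-up hosts with only the fields this
check needs. The renewal threshold of 30 days is an assumption.
"""
import ssl
from datetime import datetime, timezone
from typing import Dict

RENEW_WITHIN_DAYS = 30

SAMPLE_CERTS: Dict[str, Dict] = {
    "shop.example":  {"subject": ((("commonName", "shop.example"),),),
                      "notAfter": "Dec 31 23:59:59 2025 GMT"},
    "api.example":   {"subject": ((("commonName", "api.example"),),),
                      "notAfter": "Jan  5 00:00:00 2024 GMT"},   # already expired
    "admin.example": {"subject": ((("commonName", "admin.example"),),),
                      "notAfter": "Mar 15 12:00:00 2025 GMT"},   # inside the renewal window
}

# Fixed reference time so the result is reproducible; use datetime.now(timezone.utc) live.
REFERENCE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


def days_until_expiry(cert: Dict, now: datetime) -> float:
    """Days left on the certificate (negative once expired), computed in UTC."""
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used by getpeercert().
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(cert: Dict, now: datetime, renew_within_days: int = RENEW_WITHIN_DAYS) -> str:
    """'expired', 'expiring' (inside the renewal window) or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= renew_within_days:
        return "expiring"
    return "ok"


def audit_certs(certs: Dict[str, Dict], now: datetime) -> Dict[str, str]:
    """Classify every certificate in the mapping of host -> getpeercert()-style dict."""
    return {host: classify(cert, now) for host, cert in certs.items()}


if __name__ == "__main__":
    for host, state in audit_certs(SAMPLE_CERTS, REFERENCE_NOW).items():
        left = days_until_expiry(SAMPLE_CERTS[host], REFERENCE_NOW)
        print(f"{host}: {state} ({left:.1f} days left)")
```

The same `classify` call works on the dictionary returned by `getpeercert()` from a live TLS connection, so the check can run as a scheduled job; keeping everything in UTC avoids the off-by-a-day mistakes that local-time comparisons introduce right at the expiry boundary.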
Keep your servers patched
Like any of your other machines, you want to keep your AWS cloud servers patched. This applies even if the systems aren’t publicly accessible, and it applies equally if you only use the servers for test and development.
● Connections between your app and MySQL aren’t encrypted by default, so in theory someone who can see your packets could capture and view your database traffic. The same applies to RDS. According to the RDS FAQs, you can use an SSL connection to RDS, or, if you’re launching into a VPC, it’s a non-issue.
● Make sure you lock down who can actually connect to your database. With RDS, you can use Database Security Groups to restrict what IP addresses or EC2 security groups can connect to your database.
● Be vigilant about what privileges individual users have. RDS won’t help you out here, so make sure users can only access the data and run the commands they actually need.
● For AWS RDS instances whose DB port is open to the public or to a range of IPs, we recommend opening the port only to the required IPs and security groups.
● Encrypting your RDS storage is one of the good AWS cloud security best practices. If your RDS instances are not encrypted at the database storage level, you can use Amazon RDS encryption to increase data protection for applications deployed in the cloud and to fulfill any compliance requirements for data-at-rest encryption.
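The termination protection, EBS encryption and RDS points above are all things you can verify rather than assume. Here is an added example (not code from the original article or from AWS) that audits constructed sample data shaped like boto3's `describe_instances()`, `describe_volumes()` and `describe_db_instances()` responses and reports instances without termination protection, volumes without encryption (attached or not) and RDS instances that are unencrypted or publicly accessible. All ids and names are made up, and one simplification is assumed: the `disableApiTermination` attribute, which really comes from a separate `describe_instance_attribute()` call per instance, is shown already merged into each instance record.

```python
"""Audit EC2 instances, EBS volumes and RDS instances for the gaps discussed above.

Constructed sample data (not real account output) shaped like boto3's
describe_instances(), describe_volumes() and describe_db_instances() responses.
Assumption: the "disableApiTermination" attribute, normally fetched with
describe_instance_attribute(), has been merged into each instance record
under the key "DisableApiTermination".
"""
from typing import Dict, List, Tuple

SAMPLE_INSTANCES: List[Dict] = [
    {"InstanceId": "i-0web0000000001", "Tags": [{"Key": "Name", "Value": "web-1"}],
     "DisableApiTermination": {"Value": True}},
    {"InstanceId": "i-0db00000000001", "Tags": [{"Key": "Name", "Value": "db-1"}],
     "DisableApiTermination": {"Value": False}},
]

SAMPLE_VOLUMES: List[Dict] = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0web0000000001"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0db00000000001"}]},
    # Detached but still holding data: just as much of a risk as an attached one.
    {"VolumeId": "vol-0ccc", "Encrypted": False, "Attachments": []},
]

SAMPLE_DB_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "PubliclyAccessible": False, "Endpoint": {"Port": 3306}},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False,
     "PubliclyAccessible": True, "Endpoint": {"Port": 3306}},
]

Finding = Tuple[str, str]  # (resource id, problem)


def instance_name(inst: Dict) -> str:
    """Name tag if present, otherwise the instance id."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return inst["InstanceId"]


def ec2_findings(instances: List[Dict], volumes: List[Dict]) -> List[Finding]:
    """Instances without termination protection, then volumes without encryption."""
    findings: List[Finding] = []
    for inst in instances:
        # Missing attribute is treated as disabled, which is the AWS default.
        if not inst.get("DisableApiTermination", {}).get("Value", False):
            findings.append((inst["InstanceId"],
                             f"termination protection disabled on {instance_name(inst)}"))
    for vol in volumes:
        if vol.get("Encrypted", False):
            continue
        owners = [a["InstanceId"] for a in vol.get("Attachments", [])]
        where = "attached to " + ", ".join(owners) if owners else "detached"
        findings.append((vol["VolumeId"], f"not encrypted ({where})"))
    return findings


def rds_findings(db_instances: List[Dict]) -> List[Finding]:
    """One finding per problem; an instance can have more than one."""
    findings: List[Finding] = []
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((name, "storage not encrypted at rest"))
        if db.get("PubliclyAccessible", False):
            findings.append((name, f"publicly accessible on port {db['Endpoint']['Port']}"))
    return findings


def audit(instances: List[Dict], volumes: List[Dict], db_instances: List[Dict]) -> List[Finding]:
    return ec2_findings(instances, volumes) + rds_findings(db_instances)


if __name__ == "__main__":
    for resource, problem in audit(SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES):
        print(f"{resource}: {problem}")
```

Two design points worth noting: a missing `DisableApiTermination` attribute is treated as a finding rather than silently skipped, because disabled is the AWS default, and detached volumes are reported alongside attached ones, since an unencrypted volume that nobody is using is exactly the "previously used volume" the EBS section warns about.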
Web Application Security
Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.
AWS Web Application Firewall (WAF) is a security service that controls incoming and outgoing traffic for applications and websites hosted in the Amazon Web Services public cloud. AWS WAF protects applications and sites from common web attacks that could otherwise degrade application performance and availability.
Rules created by AWS WAF
● Bad bot & scraper protection
● SQL injection protection
● Cross-site scripting protection
● Scanner & probe protection
● Whitelisting & blacklisting IPs
● Known attacker protection
● HTTP flood protection
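The last item, HTTP flood protection, is implemented in AWS WAF with rate-based rules that count requests per source IP over a window (five minutes by default) and act once a limit is exceeded. To show what that detection logic looks like, here is an added example (not code from the original article or from AWS) that runs a sliding-window counter over access log lines. SAMPLE_LOG is a constructed log in a simplified format (timestamp, client IP, method, path, status), the IPs are documentation ranges, and the limit of 5 is deliberately tiny for the sample; a real threshold is far higher.

```python
"""Rate-based HTTP flood detection over access log lines: count requests per
source IP in a sliding window and flag an IP once it exceeds the limit.

SAMPLE_LOG is constructed (timestamp, client IP, method, path, status); the IPs
are documentation ranges and LIMIT is deliberately tiny for the sample. The
five-minute window matches the default aggregation window of WAF rate-based rules.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

WINDOW_SECONDS = 300
LIMIT = 5  # requests allowed per IP per window before flagging (sample value)

SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 GET /login 200
2024-05-01T10:00:01Z 203.0.113.9 GET / 200
2024-05-01T10:00:01Z 198.51.100.7 GET /login 200
2024-05-01T10:00:02Z 198.51.100.7 GET /login 200
2024-05-01T10:00:03Z 192.0.2.5 GET /products 200
2024-05-01T10:00:03Z 198.51.100.7 GET /login 200
2024-05-01T10:00:04Z 198.51.100.7 GET /login 200
2024-05-01T10:00:05Z 198.51.100.7 GET /login 200
2024-05-01T10:01:00Z 203.0.113.9 GET /products 200
2024-05-01T10:02:00Z 203.0.113.9 GET /products 200
2024-05-01T10:03:00Z 203.0.113.9 GET /cart 200
2024-05-01T10:04:00Z 203.0.113.9 GET /cart 200
2024-05-01T10:06:00Z 203.0.113.9 GET /checkout 200
2024-05-01T10:06:30Z 192.0.2.5 GET /products 200
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    """Split one constructed log line; timestamps are ISO 8601 in UTC."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, int(status)


def analyze(log_text: str, limit: int = LIMIT, window: int = WINDOW_SECONDS) -> Dict[str, Dict]:
    """Per source IP: the peak request count inside one window and the first time
    the count exceeded `limit` (None if it never did). Lines must be in time order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    report: Dict[str, Dict[str, Optional[object]]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, *_ = parse_line(line)
        q = recent[ip]
        q.append(ts)
        # Drop requests that have aged out of the window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        entry = report.setdefault(ip, {"peak": 0, "flagged_at": None})
        entry["peak"] = max(entry["peak"], len(q))
        if len(q) > limit and entry["flagged_at"] is None:
            entry["flagged_at"] = ts
    return report


def flooding_ips(log_text: str, limit: int = LIMIT, window: int = WINDOW_SECONDS) -> List[str]:
    """Sorted list of IPs that exceeded the limit, i.e. what a rate-based rule would block."""
    return sorted(ip for ip, e in analyze(log_text, limit, window).items() if e["flagged_at"])


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        state = f"flagged at {entry['flagged_at']}" if entry["flagged_at"] else "ok"
        print(f"{ip}: peak {entry['peak']} requests in {WINDOW_SECONDS}s, {state}")
```

The `peak` figure is the useful part when tuning: run the analysis over a normal day's logs first, and set the rule limit above the highest peak legitimate clients reach, otherwise the flood protection blocks your own busiest users. Note that 203.0.113.9 in the sample sends six requests in total but never more than five inside any one window, so it is not flagged.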