This is our second post on AWS security best practices, to be compiled into a short paper. The first post on defending the management plane is here.

Implement Built-in AWS Infrastructure Security Features

Once you lock down and establish monitoring for your Amazon Web Services management plane, it’s time to move on to protecting the virtual infrastructure. Start with these tools that Amazon provides:

Use Security Groups and VPCs for network defense

AWS uses a proprietary Software Defined Network with more security than physical networks. All new accounts on AWS use Virtual Private Clouds for underlying networking, giving you extensive control over network configurations, allowing you to run dozens or hundreds of separate virtual networks. Security Groups combine features of network and host firewalls. They apply to groups of instances like a network firewall, but protect instances from each other like a host firewall. These are the basis of AWS network security:

  • By default, instances in the same security group can’t talk to each other. This prevents attackers from spreading horizontally.
  • Separate application components across security groups, with only required ports open between them.
  • External administrative access (ssh or RDP) should be restricted to the IP addresses and subnets used by your administrators.
  • Minimize the number of public subnets, and use NAT gateways to connect private subnets to the Internet as needed, just like most enterprise networks.
  • Establish Access Control Lists to isolate subnets. They aren’t a substitute for security groups, but a complementary tool.
  • Require administrators to connect through a VPN or ssh “jump box” before connecting to instances. This can be an existing Privileged User Management tool.

Defend hosts and data

AWS is a mixture of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Amazon bears most responsibility for keeping back-end components secure, but you are still responsible for properly configuring each service and your own instances. IAM is, again, your main tool for defense, but Amazon also offers features which can help you secure instances and protect data.

  • Establish an incident response process for compromised instances and other AWS services.
  • Use the AWS API or command line to collect all metadata, snapshot storage volumes, quarantine with IAM, and quarantine network connections.
  • Design applications to use Autoscaling Groups. Instead of patching running or compromised servers, you can terminate them and replace them with clean up-to-date copies without downtime.
  • AWS supports encryption for several data storage tools – including S3, EBS, and RedShift. You can manage the keys yourself with their Key Management Service (located in the IAM console).
  • Amazon can access keys in the Key Management Service. If you need extra security consider using CloudHSM instead, although service integration isn’t as simple.
  • If you use CloudHSM make sure you have at least two redundant instances so you don’t lose your keys. Amazon cannot view or recover them.