This is our third post on AWS security best practices, to be compiled into a short paper. See also our first post, on defending the management plane and our second post, on using built-in AWS tools.

Finish with Additional Security Tools

AWS provides an excellent security foundation but most deployments require a common set of additional tools:

  • Amazon’s monitoring tools (CloudTrail, CloudWatch, and Config) offer incomplete coverage, and no correlation or analysis. Integrate their feeds into existing log management, SIEM, monitoring, and alerting tools that natively support and correlate AWS logs and feeds, so they can fill gaps by tracking activity AWS currently misses.
  • Use a host configuration management tool designed to work in the cloud to automatically configure and update instances.
    • Embed agents into approved AMIs or bootstrap through installation scripts.
    • Insert baseline security policies so all instances meet security configuration requirements. This is also a good way to insert security agents.
  • Enhance host security in key areas using tools and packages designed to work in highly dynamic cloud deployments:
    • Agents should be lightweight, communicate with the AWS metadata service for important information, and configure themselves on installation.
    • Host Integrity Monitoring can detect unauthorized changes to instances.
    • Logging and alerting collect local audit activity and alerts on policy violations.
    • Host firewalls fill gaps left by security group limitations, such as rule set sizes.
    • Some tools can additionally secure administrator access to hosts without relying solely on ssh keys.
  • For web applications use a cloud-based Web Application Firewall.
  • Some services also provide DDoS protection. Although AWS can support high levels of traffic, DDoS protection stops traffic before it hits your instances… and your AWS bill.
  • Choose security assessments and scanning tools that tie into AWS APIs and comply with Amazon’s scanning requirements.
    • Look for tools that not only scan instances, but can assess the AWS environment.

Where to Go from Here

These fundamentals are just the surface of what is possible with cloud security. Explore advanced techniques like Software Defined Security, DevOps integration, and secure cloud architectures.