Security is the forefront for any online business today. And on Amazon Web Services Cloud, security is job zero. This is perhaps the top reason why you would want to adopt the AWS Cloud for your business. You should keep a tab on the AWS security page to be on top of challenges and solutions to most common security issues on AWS. In this blog post we will go over some of the most important AWS cloud security best practices which you must know and enforce.
You may have enforced the basic AWS cloud security best practices. However, since a large volume of resources are modified and launched in your AWS cloud infrastructure on a daily basis, there are chances that you would have missed some vital AWS cloud security best practices. There would be some opportunities to implement new security measures as well as tweak your existing security plan. Doing so will ensure your AWS Cloud infrastructure is running smoothly and is fully-protected from any serious threats and data breaches.
Botmetric implements the AWS cloud security best practices for you and performs a comprehensive audit of your AWS cloud infrastructure to ensure protection against common threats.
Here’re the list of top 21 security checks that must be regularly performed to ‘bullet-proof’ your AWS infrastructure:
- Security Groups
A security group acts as a virtual firewall that controls the inbound and outbound traffic for one or more instances. You associate a security group with the launch of each instance. Since the data may have an open IP port or is open to public access, there are chances of data breach. In order to avoid exposure to security vulnerabilities, we recommend that only ports associated with relevant IP and security groups are kept open.
- IAM MFA Audit
To add an extra layer of security to your AWS account, it is recommended to enable Multi Factor Authentication for IAM users to safeguard your critical data from the online hackers.
- ELB Access Log
If you have not enabled AWS ELB Access for the Elastic load balancers, your data is exposed to some threats. We recommend you to enable the ELB Access log for enhanced security.
- Termination Protection
If the AWS EC2 instances don’t have API termination protection enabled, it may lead to accidental termination of machines through an automated process. It is recommended to enable termination protection all the mission critical EC2 instances running in your AWS cloud account. This is a good EC2 security group best practice.
- ELB Listener Security Audit
If a load balancer has no listener that uses a secure protocol (HTTPS or SSL), it is a threat to your data. Configure one or more secure listeners for your load balancer. You should create HTTPS or SSL listeners for publicly interfaced ELBs.
- Unused IAM Access Keys
If you have unused certain IAM access keys in the last 30 days or since creation, we would highly recommend you to remove them for better security and avoid key compromises.
- RDS Security Audit (for VPC SG and for list of ports)
For the AWS RDS instances which have DB port opened to public or a range of IPs, we recommend to open the port for only the required IPs and security groups.
- Root Account Access Key
The root account access key audit on Botmetric identifies if you have any active access key associated to your root account in AWS. One of the best ways to protect your account is to not have an access key for your root account. Create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions.
- IAM Admin Roles Audit
Having one unique IAM admin for your AWS account is risky. Instead, have one or more AWS IAM users, give them the permissions, and use these IAMs for everyday interaction with AWS. Also, try to use temporary security credentials (IAM Roles) instead of long-term access keys.
- IAM Password Policy
When you set a password policy for your AWS account, always remember to specify the complexity requirements and mandatory password regeneration on expiration of the IAM’s password. By doing this, you are ensuring that your account credentials are in safer hands!
- IAM Policy (for Managed Policies)
If you have granted complete control of your AWS account to a single IAM, there is a possibility of data breach as the IAM user can access any of your resource at any point of time. Botmetric lists out such IAM users for your AWS account so that you can pick and choose any particular IAM user whom you want to give the full access control or not. You may also exclude any IAM user you feel need not be given full IAM access in future.
No Cloudtrail= Security risks!
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. Customers who wants to track changes to resources, answers simple questions about user activity, demonstrate compliance, troubleshoot, or perform security analysis should enable CloudTrail.
- IAM Admin Count
Total number of admin accounts. If there are too many IAM admin accounts, this may lead to security issues. It is recommended not to have many IAM users with admin rights.
- SSL Expiry
If you have uploaded SSL certificates to Amazon Web Services for ELB (Elastic Load Balancing) or CloudFront (CDN), then you would want to keep an eye on the expiration dates and renew the certificates on time to ensure uninterrupted service.
Botmetric SSL Expiry audit will get a list of all SSL certificates, sorted by expiration date.
- Root Account MFA
Never forget to enable MFA for your root account. The best option would be to give limited access to only privileged IAMs.
- Unused Security Group
If certain security groups are not used or attached to any instances, it is recommended to remove these security groups.
- AWS RDS Encryption
Encrypting your RDS is one of good AWS cloud security best practices. If the RDS instances are not encrypted at database storage level, you can use Amazon RDS encryption to increase data protection for your applications deployed in the cloud, and to fulfill any compliance requirements for data-at-rest encryption.
- Old IAM Access keys
As an administrator, we recommend you to regularly rotate /change the access keys for IAM users in your account. If you have given the users the necessary permissions, then they can rotate their own access keys. Meanwhile, change the access keys that are older than 60 days to enhance security of your AWS accounts.
- S3 Bucket Permissions
By default, all S3 bucket permissions are private and you need to give Read/Write access permissions to others by writing an access policy. Bucket permissions that grant List access to everyone can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Make sure you are granting limited access permissions.
- Service Log Expiry
It is advisable to enable service log expiration for each of the logging buckets to ensure you don’t miss out of the expiration dates. Botmetric Security Audit Insights alerts you when your Service Log is due to expire.
- Domain Expiry
Botmetric also alerts you when your domain name is going to expire so that you can reset the domain name accordingly.
These were just a few of the security measures, which you must take in order to bring in a decent level of security to your AWS cloud infrastructure. Make sure you follow all these AWS cloud security best practices and enforce them in your AWS Cloud infrastructure.
Botmetric Security & Compliance solution performs a thorough security audit of all the above mentioned checks and more. These audits are performed on a regular basis. Summary of findings are delivered to your inbox. If you wish to view a concrete report for all your cloud insights, you can simply download the reports from Botmetric’s reports section.
If you need any further assistance, don’t hesitate to connect us on Twitter. We would love to help you.