AWS Security Best Practices Part 3 : Data Security

In this AWS security best practices series, we will talk about the next major AWS security threat landscape: data security. We have previously discussed about best practices with respect to access controls and network security on AWS.

Customers raise many questions with IT management, mainly when it comes to securing their data. To lessen the fears of losing data, it is now-a-days suggested that data should be stored in the cloud. Cloud security, with AWS in the fore front has come a long way in providing data security tools and mechanisms. Now, cloud storage is considered a safer way compare to storing data on a corporate network.

As part 3 of our AWS security best practices series, we will discuss how data security is accomplished in AWS, and the best practices to be followed to achieve an efficient data security strategy on AWS.

In a recently published Gartner report, it has been shown that the market of data loss prevention solutions is growing rapidly. It is crossing the growth rate of more than 20 percent year over year. Yet the report also clarifies that enterprises are aggressively struggling to set up appropriate data protection policies. They are trying hard to establish best data security measures as they interact with susceptible data.

AWS understands that maintaining customer’s data security is a continuous commitment. That’s why AWS informs its clients of the important data security policies, tools, mechanisms and best practices. These policies include:

Encrypting Data at Rest

Encrypting sensitive data requires majorly three mechanisms:

  1. Availability of data to encrypt
  2. A way to encrypt the data using a cryptographic algorithm
  3. Encryption keys that can be used in conjunction with the data and the algorithm

Most of the new programming languages offer a variety of accessible cryptographic algorithms, for example the Advanced Encryption Standard (AES). By choosing the right algorithm you can successfully encrypt your data. As much as an encryption algorithm is important, protection of the keys from unauthorized access is also important. The keys are often encrypted with the help of a key management infrastructure (KMI). A familiar way to secure keys in a KMI is to use a hardware security module (HSM). It usually offers resistance to protect keys from unauthorized access.

AWS suggests that enterprises find out which encryption and key management model is correct for their data classifications. Then they can choose a managed service to enable easier operation and tighter incorporation with AWS cloud services. This will help them in encrypting several services that store their data.

AWS provides in-built mechanism for data encryption with it’s data storage services. It also provides the ability to configure the encryption mechanism as well. Below are the list of data storage services for which AWS provides encryption mechanisms:

  1. S3
  2. RDS
  3. Redshift
  4. EBS

For more details on the storage services and respective encryption mechanisms, please refer to this white paper on Encrypting Data at Rest on AWS.

AWS Key Management Service (KMS)

The new AWS Key Management Service (KMS) offers you complete management of control over your encryption keys. It provides you a new alternative for data protection. It also helps you in handling the scalability and accessibility issues that you face when you carry out key management. With proper use, AWS Key Management Service can effectively tackle persistent concerns related to moving sensitive data to the cloud.


AWS CloudHSM can help not only to large enterprises but also to small and midsize industries. It is helpful to AWS cloud customers as well as to customers of other cloud providers, who store their cryptographic keys on AWS.

In a simple way it can be said that AWS CloudHSM is a service that can safely produce, store, and handle cryptographic keys of every customer using the public cloud. It has emerged as a best way to use and supervise cryptographic keys in the public cloud itself. Even if you want to have protected key management, outside of the public cloud, with CloudHSM, it is possible.

Data Security Do’s

Below are some of the best practices organizations must follow to enhance their data security on AWS.

Ensuring all the sensitive data are encrypted at rest.

To avoid unauthorized access, it is imperative to make sure that your data is encrypted at every end. This is where AWS can help much by providing data encryption services and standing behind for their performance. It is always better to use native encryption provided with RDS, S3, EBS, etc.

Ensuring proper permissions for your S3 buckets.

By default, all Amazon S3 buckets are private. The permission to get access to the S3 bucket is granted only to the resource owner and the AWS account that was used to create the bucket. However, resource owner can decide to allow access to other resources and users by writing an access policy. It is necessary to not give access to S3 buckets to everyone to avoid data breach.

Using HTTPS/SSL every time while transferring data over the internet or across regions.

The Internet is a terrifying place for businesses. That is why it is important to pay close attention towards securing file transfers. To protect data from being snipped as it traverse over the Internet, HTTPS/SSL should be used every time while transferring data.

Data Security Don’ts

Below are some of the things you must never do if you don’t want unauthorized access to your data on AWS.

Do not disclose unnecessary information about an individual to a third-party.

Data exposure scanning is not a one-time project. You should always avoid sharing any individual’s data to a third-party without the prior approval of the individual.

Do not ignore the security checks of your supply chain partners.

Many of today’s security hacks are coming through third parties or partners that manage sensitive data of enterprises. You should never ignore to check your partners’ authenticity. This will ensure that your customer’s data won’t be compromised.

Don’t forget to frequently update and patch specialized hardware.

You should keep updating your specialized hardware regularly. It is advisable to use two-factor authentication for all remote access to ensure better safety.

To summarize, in order to secure your data, you must do 2 things:

  1. For data at rest : Encrypt
  2. For data in transit : User HTTPS/TLS

Following these simple best practices, you can protect your business applications from data security threats to a great extent.

Botmetric helps you in performing regular security scans of your AWS infrastructure and provides you the list of security best practices violations. If you haven’t started using Botmetric yet, sign up for a 14-day free trial and let us help you in security examination of your AWS infrastructure.

We hope that with this article, we can help you in implementing effective data security measures. We would love to listen to your feedbacks and suggestions. Tweet to us.

Next in our AWS security best practices series, we will talk about another major threat landscape: Inventory/Config.