It is no news that Cloud Computing technology has come to stay. With the skepticism that existed in its early days, it has stood the test of time and is now the de-facto for application infrastructure for businesses all over the world.
There are three major flavors of delivering Cloud Computing technologies and they are:
-
Public Cloud: This means the technology will be available on the public internet and is accessible by anyone who has an internet connection
-
Private Cloud: This means that the cloud services are not publicly available on the internet. This type of cloud delivery is used by special agencies such as government, financial, and telecommunications institutions.
-
Hybrid Cloud: This is a combination of public and private cloud. Some companies deploy both offerings to meet compliance and regulatory requirements.
But as interesting as the cloud may be, there are many security implications that trail its innovation. According to TechNewsWorld, a cloud misconfiguration in January 2022, caused the exposure of 400GB of personal data to the public internet. SecurityMagazine also reported that over 22 billion records were exposed in 2021 due to security breaches. There are certain edge points in an AWS account that we should pay close attention to which will help to protect the account. These edge points include:
AWS in the Cloud
AWS has been in the cloud space for over a decade now and they offer both public and private cloud delivery. They have also been recognized as number one for a decade in Cloud IAAS according to the Gartner rating. AWS boasts of hundreds of services for Compute, Storage, Containers, Database, Networking, Blockchain, Media Services, Productivity Tools and more. Anyone can practically deploy an app in AWS with little or no prior knowledge of the vast services and capabilities of AWS Cloud.
But in performing these deployments either as an enthusiast, intermediate or an expert, security of the AWS account is essential. This will protect the account from malicious actors taking over it, or performing malicious activities. I shall be mentioning 5 key services/activities that should be carried out immediately an AWS account is created.
The Five Essential Activities to Secure your AWS Account
Enable MFA for Root and All Users
Multi-factor Authentication or 2-Factor Authentication (2FA), is an extra layer of security that is sure to reduce security risk. This creates an extra layer of validation to ensure that the access to your AWS account is secured. MFA is configured in the IAM Management Console. This documentation shows the steps to configure MFA in your AWS account. When MFA is not activated in an AWS account, it is easy for a malicious actor to access the AWS account with only the password.
Close All Security Groups
Security groups are firewalls to different compute and databases services in AWS. They ensure that only allowed IP addresses and ports can perform Ingress and Egress requests on the attached resource. So the best practice in using security groups, is to ensure that it is not opened to the public internet. What this means is that the port allowed for Inbound rules should not be open to all port ranges and the Source IP should not be 0.0.0.0/0, as shown in the diagram below.
Only allowed IP Addresses and ports should be listed in the Inbound section of the security group configuration. When security groups are open to the internet, it exposes EC2 Instances, RDS Instances to unsolicited network access and brute force attacks.
Never Allow Public S3 Buckets
In 2021 Facebook had to contact Amazon to close public S3 buckets that were part of a security breach that happened to Facebook. When you create a bucket AWS makes it private by default. There are situations where users might want to make a bucket public to give access to objects in the bucket, this is not a secured way to allow access to objects in an S3 bucket. S3 is built with sophisticated security configurations to give fine-grained access to services or applications outside of AWS. Some of which are:
- Origin Access Identity (OAI)
- Signed URLs and Cookies
- Bucket Policy
- Access Control List (ACL)
- AWS PrivateLink for S3
IAM Password Policy
Password is enforced by default for every user in AWS. But to ensure that the password created is secured enough, there needs to be a password policy that ensures that users do not create in-secure passwords. There have been situations where users create passwords using just the wordpassword , or their name or something quite easy for attackers to guess using brute-force or password generators. The password policy ensures that any password created contains elements such as special characters and numbers which helps to improve the security of the password. This documentation shows how to configure password policies in IAM.
Use Roles instead of Access/Secret Key
When integrating AWS with a third-party service, there is a chance that the service would require you to generate an Access Key and Secret Key from AWS IAM Console. While this is a fast and easy way to give third-party applications access to AWS, it comes with its downsides. Such as:
-
Forgetting to Rotate Keys Periodically.
-
Keys having unlimited access to all resources in the AWS account.
-
Keys not properly kept in a secured location.
A more secured way to give access to third-party services in AWS is to use IAM Roles. IAM roles does not require Access and Secret Keys to give access to third-party services. AWS has also recently extended the capabilities of IAM roles by introducing IAM Roles Anywhere. This means you can integrate IAM roles for services in your OnPrem services or Non-AWS servers to allow access to AWS services.
Conclusion
The security of your AWS account has a direct relationship with business revenue, business continuity and security of data integrity. It is also the core responsibility of the user of the account to ensure that AWS services and access follow best security practices at all times. Security is a continuous process and not a one-time operation.
Also published here.