3 Things You Can Do to Improve Your AWS Security Posture

There’s no question that Amazon Web Services is an incredibly powerful and secure cloud services platform for delivering all sorts of software applications. AWS offers an extensive number of products and services for creating a scalable, reliable, and flexible architecture that meets the unique needs of your development. However, it can be difficult to know how to approach securing your AWS infrastructure. We can’t cover all of those products here, of course, but we are going to walk through the security benefits of three of our favorites, just to get you started.

CloudTrail

CloudTrail gathers information about API calls for your account (such as the caller, time, and source IP address of the call as well as request and response information about the API call), and drops it all into an S3 bucket so you can access it later on for security tracking, incident response, and compliance auditing. And by the way, CloudTrail encrypts all of this data by default. Amazon even provides a free tier of CloudTrail that currently enables you to look up events over the previous seven days in each region.

[Screenshot: CloudTrail]

Here’s an example of how we use CloudTrail at Threat Stack: we raise an alert whenever a Route 53 DNS change occurs in our production environment. The change may well be an expected action, but CloudTrail captures the data, and Threat Stack alerts us promptly that it’s happening.

[Screenshot: Threat Stack alert example]
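To make the alert concrete, here is an added example (not Threat Stack’s alerting code) that reads a CloudTrail log file as it is delivered to S3 and raises an alert for every Route 53 API call that modifies DNS in a production account. The record below is constructed: the field names follow the real CloudTrail record format, but the account id, hosted zone id, user names and IP addresses are made up, and `ROUTE53_WRITE_EVENTS` is our own list of the Route 53 calls worth alerting on.

```python
"""Raise alerts for Route 53 DNS changes found in CloudTrail records.

Added example, not Threat Stack's alerting code. SAMPLE_CLOUDTRAIL_LOG is a
constructed record set using the real CloudTrail field names; the account
id, hosted zone id, user names and IP addresses are made up.
"""
import json

SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {   # a DNS write: this is what we want to alert on
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "eventTime": "2016-11-08T19:32:49Z",
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"hostedZoneId": "Z0EXAMPLE000",
                              "changeBatch": {"changes": [{"action": "UPSERT"}]}},
        "recipientAccountId": "111111111111",
    },
    {   # a read-only Route 53 call: noise, not a change
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111111111111:user/bob"},
        "eventTime": "2016-11-08T19:33:10Z",
        "eventSource": "route53.amazonaws.com",
        "eventName": "ListHostedZones",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.11",
        "requestParameters": None,
        "recipientAccountId": "111111111111",
    },
    {   # an unrelated service: ignored by this detector
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "eventTime": "2016-11-08T19:34:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
        "recipientAccountId": "111111111111",
    },
]})

# Route 53 API calls that modify DNS; read calls such as ListHostedZones are ignored.
ROUTE53_WRITE_EVENTS = {
    "ChangeResourceRecordSets", "CreateHostedZone", "DeleteHostedZone",
    "AssociateVPCWithHostedZone", "DisassociateVPCFromHostedZone",
}


def route53_change_alerts(log_text, production_account_ids):
    """Return one alert per Route 53 write event against a production account.

    Each alert carries the fields an incident responder wants first: who made
    the call, when, from which IP, and which hosted zone was touched.
    """
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "route53.amazonaws.com":
            continue
        if rec.get("eventName") not in ROUTE53_WRITE_EVENTS:
            continue
        if rec.get("recipientAccountId") not in production_account_ids:
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "caller": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "hosted_zone": params.get("hostedZoneId"),
        })
    return alerts


if __name__ == "__main__":
    for alert in route53_change_alerts(SAMPLE_CLOUDTRAIL_LOG, {"111111111111"}):
        print("ALERT Route 53 change:", alert)
```

Route 53 is a global service, so its events are recorded with `awsRegion` set to `us-east-1`; filtering on `eventSource` rather than region is what keeps the detector from missing them. Filtering on `recipientAccountId` is how "production environment" is expressed when you keep production in its own account.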

EBS Encryption

EBS stands for Elastic Block Store and is used to store persistent data for your EC2 instances. Think of it as the hard drives attached to your EC2 instance. EBS differs from S3 in that it can only be used in conjunction with EC2. The huge upside to using EBS encryption is that you can turn it on with no performance penalty, and enabling it only requires you to select a check box. If anyone ever gets hold of your previously used volumes, there’s no way they can access any of the data on them.

[Screenshot: EBS encrypted volume]
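Ticking the box covers new volumes, so the practical follow-up is finding the volumes that are already there without encryption. The added example below (not Threat Stack’s code) audits the JSON that `aws ec2 describe-volumes` prints and reports every unencrypted volume, attached or detached. The input here is a constructed sample in that output’s shape, trimmed to the fields used; the volume ids, instance ids and zones are made up.

```python
"""Find EBS volumes that are not encrypted.

Added example, not Threat Stack's code. SAMPLE_DESCRIBE_VOLUMES is a
constructed sample in the shape of `aws ec2 describe-volumes` JSON output
(volume ids, instance ids and zones are made up); only the fields this
check reads are included.
"""
import json

SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True, "State": "in-use",
     "Size": 100, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0aaaaaaaaaaaaaaa1", "Device": "/dev/xvda",
                      "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False, "State": "in-use",
     "Size": 500, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0bbbbbbbbbbbbbbb2", "Device": "/dev/sdf",
                      "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": False, "State": "available",
     "Size": 8, "AvailabilityZone": "us-east-1b", "Attachments": []},
]})


def unencrypted_volumes(describe_volumes_json):
    """Return one finding per unencrypted volume.

    Detached ('available') volumes are reported too: they are exactly the
    previously used volumes whose data would be readable if they leaked.
    """
    findings = []
    for vol in json.loads(describe_volumes_json).get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        findings.append({
            "volume_id": vol["VolumeId"],
            "state": vol.get("State"),
            "size_gib": vol.get("Size") or 0,
            "az": vol.get("AvailabilityZone"),
            "instances": sorted(a["InstanceId"] for a in vol.get("Attachments", [])),
        })
    return findings


def summarize(findings):
    """Roll the findings up into the numbers worth putting in a report."""
    return {
        "unencrypted": len(findings),
        "attached": sum(1 for f in findings if f["instances"]),
        "gib": sum(f["size_gib"] for f in findings),
    }


if __name__ == "__main__":
    found = unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES)
    for f in found:
        print(f"{f['volume_id']} {f['state']} {f['size_gib']} GiB "
              f"{f['az']} instances={f['instances'] or '-'}")
    print(summarize(found))
```

For real data, run `aws ec2 describe-volumes --output json` in each region you use and feed the output to `unencrypted_volumes`. One caveat worth knowing before you start: an existing unencrypted volume cannot simply be switched to encrypted; the path is to snapshot it, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, and swap it in.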

Enable IAM With STS

IAM is Identity and Access Management, and STS is Amazon’s Security Token Service. STS allows you to request temporary, privilege-limited IAM credentials for users. While this is a bit trickier to set up than the previous two features, it’s worth it. By using STS, you can protect your users’ access key IDs and secret access keys with two-factor authentication. Instead of giving your users access keys with long-lived permissions, they authenticate with the Amazon IAM API using their keys AND their two-factor device. The IAM API then responds with a set of keys that give the user access for the next hour, after which the keys become invalid. IAM supports shorter lifetimes for the keys as well; the minimum is 15 minutes, and the maximum (and default) is one hour. While this isn’t a silver bullet for solving the issue of access key loss, it can dramatically improve your ability to contain any sort of access key leak and ensures that time-limited access is behind two-factor devices.

[Screenshot, 2016-11-08]
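The setup described above has three moving parts, and the added example below (our own code, not Threat Stack’s or an AWS sample) shows each of them: an IAM policy that denies every action except the calls needed to get a session unless the request carries MFA, the STS `GetSessionToken` call that trades long-lived keys plus a one-time code for temporary keys, and a check of how long a returned set of keys remains valid. `MIN_DURATION` and `MAX_DURATION` are the 15-minute and one-hour bounds quoted above; the user name, MFA device ARN and the constructed credential values are made up, and `request_mfa_session` needs `boto3` and network access, so the offline parts are the ones exercised.

```python
"""MFA-gated temporary credentials with STS.

Added example, not Threat Stack's or AWS's own code. The policy document,
the GetSessionToken call and the expiry check are the three parts of the
setup the post describes. The MFA device ARN, user name and the credential
values in SAMPLE_CREDENTIALS are made up.
"""
import json
from datetime import datetime, timezone

# Key lifetime bounds quoted in the post, in seconds.
MIN_DURATION = 15 * 60
MAX_DURATION = 60 * 60


def mfa_required_policy():
    """IAM policy that blocks everything without MFA except the calls a user
    needs to obtain an MFA session. BoolIfExists makes the Deny apply both
    when aws:MultiFactorAuthPresent is 'false' and when the key is absent,
    which is the case for requests signed with plain long-lived keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:GetUser",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
            },
        }],
    }


def duration_allowed(seconds):
    """True if the requested key lifetime is inside the range the post gives."""
    return MIN_DURATION <= seconds <= MAX_DURATION


def request_mfa_session(mfa_serial, token_code, duration=MAX_DURATION):
    """Exchange the caller's long-lived keys plus an MFA code for temporary
    keys. Needs boto3 and network access, so it is not run offline."""
    if not duration_allowed(duration):
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}")
    import boto3  # imported lazily so the rest of the module works offline
    sts = boto3.client("sts")
    return sts.get_session_token(
        DurationSeconds=duration,
        SerialNumber=mfa_serial,  # e.g. arn:aws:iam::111111111111:mfa/alice (made up)
        TokenCode=token_code,     # the 6-digit code shown on the device
    )["Credentials"]


def seconds_remaining(credentials, now=None):
    """Seconds until the temporary keys expire; <= 0 means they are invalid.
    Accepts the ISO timestamp string the AWS CLI prints or the datetime
    object boto3 returns."""
    exp = credentials["Expiration"]
    if isinstance(exp, str):
        exp = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (exp - now).total_seconds()


# Constructed sample in the shape of a GetSessionToken response (values made up),
# issued at ISSUED_AT with the default one-hour lifetime.
ISSUED_AT = datetime(2016, 11, 8, 19, 32, 49, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "EXAMPLEsecretNotARealKey",
    "SessionToken": "EXAMPLESESSIONTOKEN",
    "Expiration": "2016-11-08T20:32:49Z",
}

if __name__ == "__main__":
    print(json.dumps(mfa_required_policy(), indent=2))
    print("seconds left at issue:", seconds_remaining(SAMPLE_CREDENTIALS, ISSUED_AT))
```

Attach the policy to the IAM users (or a group) whose keys you want gated; from then on their long-lived keys are good for nothing except calling `GetSessionToken` with a valid MFA code, and the temporary keys that call returns are what they use for real work until `seconds_remaining` reaches zero.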

Wrapping It Up . . .

A huge number of variables can come into consideration when you’re planning to add security to your AWS account, and even expert practitioners can become a little overwhelmed by the possibilities. We hope the examples discussed in this post will help you cut through some of the complexity and enable you to strengthen your security posture with minimal effort.