You’ve migrated your application to the cloud. Congratulations! Now that your code is in EC2 instances and your files are in S3, you’ll need to ensure everything’s secure. AWS uses a shared responsibility model in terms of security. This means AWS is responsible for security “of” the cloud, while you and your development team are responsible for security “in” the cloud. AWS will protect the infrastructure of the cloud, including hardware, software, and networking that run AWS services. Other security, including access to your AWS resources and the security of your application, is your responsibility.
Here is an overview of four of the most common AWS security features you’ll need to keep your cloud secure.
1. Identity Access Management (IAM)
IAM is a free feature of AWS that lets you manage what users have access to what services and resources. Access to resources is denied by default, so you’ll have to grant users permissions in IAM. Permissions are incredibly granular, allowing you to specify the resource a user can access, what they can do with the resource, and what conditions have to be true for the permissions to be active - for example, accessing AWS from a specific IP address. Here are some best practices you should consider with IAM:
- Create groups. A group is a collection of users that allow you to specify permissions for those users. This makes it easier to track who has what permissions, as well as adding permissions to many users at once. For example, a group called Admins could be given free reign over AWS, while another group, Developers, may only be given access to Lambda and S3.
- Grant least privilege. Grant users only the permissions they need to perform the tasks they need to perform, and nothing more. Remember, you can always grant more permissions, but you can’t get back the databases that were deleted because you made everyone an admin.
- Enable multi-factor authentication, or MFA, for all users. MFA means that, once a user signs in, they’ll have to enter an additional code that is sent to them through a secondary device, like a smartphone. With MFA enabled, even if a user’s password is compromised, their account won’t be accessible.
For more IAM best practices, read the AWS documentation here.
2. S3 Security
Amazon’s Simple Storage Service, or S3, provides data storage with high durability and availability. Like other services, S3 denies access from most sources by default. Only bucket and object owners (the AWS account owner) have read/write access by default. Be sure to lock down your S3 buckets to prevent unauthorized users from viewing, uploading, or deleting your files. Unlike other services, there are multiple ways of adding permissions to S3, such as:
- Applying IAM roles to specific users within your AWS account. They can be used to specify what users have access to S3 buckets and what they’re allowed to do.
- Using Access Control Lists to control access for AWS accounts, not individual users. These are useful if your organization uses multiple AWS accounts or other organizations need access to your files.
- Using Bucket Policies to lock down a single bucket. Permissions can be added to individual users or entire AWS accounts. Bucket policies can be useful if some files in your application are private and some are public.
For more information on S3 security, see the S3 White Paper here.
3. Security Groups
Elastic Cloud Compute, or EC2, instances are the servers on which your application is run. Each server lives inside a Virtual Private Cloud, a virtual network you control. These VPCs have Security Groups associated with them which determine what traffic can and cannot enter your VPC.
In a security group, you specify the traffic that can both flow in and out of your VPC. However, security groups are stateful, so if a request was allowed in, its response is allowed out. Traffic is denied by default, so anything not explicitly allowed in will be rejected. It’s common for all traffic to be allowed for Outbound traffic (you’re the one sending it), but it’s important to narrow down the type of inbound traffic you allow. Security groups also let you specify the type of request (HTTP, SSH, etc.), the port range, and the source of traffic.
4. CloudTrail
CloudTrail isn’t a service directly affecting your application, but a tool used for tracking user activity, demonstrating compliance, and performing security analysis. CloudTrail creates logs that can be searched to review activity. It’s set up by default, so as long as you have an AWS account you can view the logs. CloudTrail is useful for determining if your security configuration is sufficient. From the CloudTrail logs you can view:
- The source IP address of API calls
- Updates to AWS services
- Which account created, modified, or destroyed different AWS resources
The built-in features AWS offers enables you to monitor and protect your organization’s digital assets. The power to determine which security features to employ and who has access to them is in your hands. While your data is stored securely on the cloud, your organization’s unique security requirements remain under your control.
