A glance always comes in handy

A sneak peek of AWS Security services

Security is one of the fundamental pillars of a company’s operations. It is a cross-cutting aspect, and in the broad sense of the word, security protects against threats and incidents through prevention, risk detection and, if necessary, remediation.

Manuel E. de Paz Carmona
AWS in Plain English
7 min read · Oct 27, 2022


[Image: two women facing a wall of security cameras. Photo by Matthew Henry on Unsplash]

Change of situation

However, it is worth noting several changes brought about by the emergence of the public cloud, digital transformation and the proliferation of distributed work environments. Many security frameworks place the physical access barrier at the first level; in the current context, however, a large part of work communication takes place outside the physical office, completely negating that first level. Mobile devices and the IoT place terminals in locations that are sometimes physically accessible.

Shared responsibility model

In the case in question, public cloud providers have converged on a “Shared Responsibility Model”, in which responsibilities are partitioned according to the degree to which each party manages the underlying infrastructure and software.

The following graph shows this relationship:

[Image: Shared Responsibility for Cloud Security: What You Need to Know]

This graph reminds us that contracting a provider does not let us disengage from security entirely, but it also indicates which layers each party is better placed to manage.

Zero Trust Model

It is a security model centred on the idea that access to data should not be exclusively based on the network location. It requires users and systems to prove their identities and trustworthiness strongly and enforces fine-grained identity-based authorization rules before allowing them to access applications, data, and other systems. With Zero Trust, these identities often operate within highly flexible identity-aware networks that reduce surface area, eliminate unneeded pathways to data, and provide clear outer security guardrails.

Least Privilege principle

When you set permissions, grant only the permissions required to perform a task. You do this by defining the actions that personas or services can take on specific resources under specific conditions, also known as least-privilege permissions.
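As an added example (not code from the article), the following script shows an over-broad policy beside a least-privilege one written as the paragraph prescribes (one task, named resources, a condition) and a small offline check that flags statements which fall short of that. The bucket name and VPC endpoint id are placeholders, and the "missing Condition" rule is a heuristic assumed here.

```python
# Added example (not the article's code): an offline check that flags IAM
# policy statements broader than "one task, on named resources, under a
# condition", run against a constructed over-broad policy and its tightened form.

# Constructed: every action on every resource, no condition.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: one persona, one task (read reports under one prefix), only via
# the company VPC endpoint. Bucket name and endpoint id are placeholders.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports-bucket/finance/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE0123"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def least_privilege_issues(policy):
    """Return one message per way an Allow statement exceeds least privilege.
    Heuristic: wildcard actions, wildcard resources, NotAction/NotResource
    (which grant everything not listed) and a missing Condition."""
    issues = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            issues.append(f"stmt {i}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                issues.append(f"stmt {i}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                issues.append(f"stmt {i}: applies to every resource")
        if "Condition" not in stmt:
            issues.append(f"stmt {i}: no Condition limiting when it applies")
    return issues

if __name__ == "__main__":
    for name, pol in (("over-broad", OVERBROAD_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, least_privilege_issues(pol))
```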

Standards and certifications

Several global organizations are dedicated to ensuring security in the cloud and in digital systems (cloudsecurityalliance.org or cisecurity.org), and mandatory regulations (GDPR, cookie privacy legislation, …) show the concern of governments and institutions in this direction. AWS ensures that its services comply with the guidelines of these standards and provides documentation so that, by applying its technologies correctly, our solutions can meet the same quality and security criteria.

Tools in AWS

Amazon Web Services has a wide range of security-oriented services grouped under Security, Identity and Compliance. Let’s briefly describe their functional purpose to see their scope and identify those that can make our work easier when migrating workloads to the cloud securely.

Identity and Role Management Related Services

These services provide a way to manage users and their access to resources. They can create and manage user accounts and assign and manage roles and permissions. They can also be used to track and audit user activity.

  • AWS Identity and Access Management (IAM):
    This service aggregates the groups, users, roles and policies that mediate access to resources and other services. It is the foundation of identity management in Amazon Web Services.
  • AWS IAM Identity Center (Successor to AWS Single Sign-On):
    This service allows us to establish a single sign-on (SSO) access portal to several AWS accounts in the same organization.
  • Amazon Cognito:
    Through Cognito, we can abstract and delegate security access to our applications simply and cost-effectively. It includes functionalities such as MFA, validation by email or SMS, and user management.
  • AWS Directory Service:
    If we need an Active Directory service, we can get it through this service managed by Amazon. It is also a requirement for the use of Amazon WorkSpaces.

Services related to network security

There are many services related to network security, including firewall services, intrusion detection and prevention systems, virtual private networks, and more.

  • AWS Shield:
    Protection against Distributed Denial of Service (DDoS) attacks, enabled on the AWS CDN (CloudFront) and on demand on the public surfaces of our infrastructure, such as load balancers or EC2 instances with public exposure.
  • AWS WAF:
    Rule-based web application firewall that filters malicious requests over the network, such as SQL injection, … It can easily be configured to protect our app with the usual OWASP Top 10 rules.
  • AWS Network Firewall:
    This service allows us to configure a network firewall in our VPC, a service managed by Amazon, which is responsible for its scalability and operation.
  • AWS Firewall Manager:
    This more advanced service allows us to have a centralized firewall whose rules apply to all our applications, with integration with the leading security vendors, allowing rules from providers such as Fortinet to be imported.

SIEM Services (Security Information and Event Management)

Security information and event management (SIEM) is a sub-branch that deals with collecting, analyzing and reporting security data. Security data can include but is not limited to firewall logs, intrusion detection system (IDS) and intrusion prevention system (IPS) logs, application logs, and system event logs.

  • Amazon Detective:
    This service allows us to investigate the origin of various security findings in our accounts. Its strength is the ability to collect data from Amazon’s infrastructure and make it available, together with the tools to perform ETL, so that we can build heuristics that lead us to the origin of security incidents.
  • Amazon GuardDuty:
    This monitoring service scans our infrastructure for threats, allowing us to centralize, through CloudWatch, events from different accounts and workflows.
  • Amazon Inspector:
    This service scans for vulnerabilities in our instances and the software of our applications deployed on AWS.
  • AWS Audit Manager:
    This service completes the view we get of how well our internal policies on AWS account usage are being met. This way, we avoid reviewing multiple services one by one and can audit account usage in one place.
  • AWS Resource Access Manager:
    Via this service, we can regulate how to share AWS resources between accounts with secured and controlled access.

Data security and cryptography-related services

Data security is the practice of protecting electronic information by mitigating information risks and vulnerabilities. Information risks can include unauthorized access, use, disclosure, interception, or data destruction. Data vulnerabilities include weak passwords, poor data encryption, and a lack of data backup.

  • AWS Key Management Service:
    This service allows us to manage the keys used to encrypt data across Amazon services, from disk volumes to database content, and mediates access to those keys with permissions.
  • AWS Secrets Manager:
    This service allows us to manage secrets and make them available to our applications, from rotation to secure access through roles.
  • AWS Certificate Manager:
    This service is oriented towards provisioning, creating and managing SSL/TLS certificates such as those used in load balancers or HTTP servers.
  • AWS CloudHSM:
    Using specific hardware, we can store keys according to the strictest security standards.
  • Amazon Macie:
    This service uses Machine Learning techniques to crawl the information in our buckets in search of personal data. As it is a fully managed system, a set of objectives and a periodicity are chosen, and a report with the criticality of the existing data is issued regularly.

Compliance-related services

A company can provide several compliance-related services. These services can include things like compliance audits, compliance training, and compliance consulting.

  • AWS Security Hub:
    In this section of the AWS console, we have a centralized visualization of security and the degree of compliance with standards. From here, we can see the results of the services above at a glance.
  • AWS Artifact:
    This repository keeps accessible the compliance documents and the agreements signed with or made available by AWS.
  • AWS CloudTrail:
    This service allows us to trace all actions performed on an AWS account and the identities that performed them.
  • AWS Config:
    AWS Config continually assesses, audits, and evaluates the configurations and relationships of your resources.

Perhaps we could discuss this classification at length, reorganize it according to other criteria, and even add some more services related to the platform’s governance, which is still an aspect of security. Still, the idea is to functionally group the services that AWS catalogues in the security, identity and compliance field and help disseminate and raise awareness of them.

Realistic Uses and Best Practices

We will be using Security Hub for everything related to permissions, and we will have configured and perhaps reviewed Security Hub. We may even have several applications with Cognito and access to our Landing Zone accounts mediated through their roles and groups, but what will give us more peace of mind is to automate responses with Lambda functions that react to Security Hub security events, apply the least privilege principle, store passwords in Secrets Manager and use delegated roles as much as possible.
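As an added example (not code from the article), the following Lambda handler triages Security Hub findings as they arrive through EventBridge, plans a remediation for the ones worth acting on and marks them resolved so a redelivered finding is not handled twice. The severity threshold, the S3-only remediation and the injectable call_aws hook are assumptions made here; the sample event is constructed.

```python
# Added example (not the article's code): Lambda triage of Security Hub
# findings from EventBridge; plans one remediation call per actionable finding
# and marks it resolved. AWS calls go through call_aws(...) so it runs offline.
ACT_ON = {"HIGH", "CRITICAL"}   # assumption: only these severities auto-remediate
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed sample event in the shape EventBridge delivers from Security Hub
# (finding ids, bucket names and account 111122223333 are placeholders).
SAMPLE_EVENT = {"source": "aws.securityhub", "detail": {"findings": [
    {"Id": "arn:aws:securityhub:eu-west-1:111122223333:subscription/EX/finding/1",
     "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
     "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-open-bucket"}]},
    {"Id": "arn:aws:securityhub:eu-west-1:111122223333:subscription/EX/finding/2",
     "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
     "Severity": {"Label": "LOW"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::other-bucket"}]}]}}

def plan_remediation(finding):
    """Map one ASFF finding to (service, operation, params), or None."""
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsS3Bucket":   # Id has the form arn:aws:s3:::<bucket>
            bucket = res["Id"].rsplit(":", 1)[-1]
            return ("s3", "put_public_access_block",
                    {"Bucket": bucket, "PublicAccessBlockConfiguration": BLOCK_ALL})
    return None   # no automatic response defined for other resource types

def triage(event):
    """Return [(finding_id, product_arn, plan)] for findings worth acting on."""
    actions = []
    for f in event.get("detail", {}).get("findings", []):
        if (f.get("Severity", {}).get("Label") not in ACT_ON
                or f.get("Workflow", {}).get("Status") == "RESOLVED"):
            continue   # too low to auto-fix, or already handled on a redelivery
        if plan := plan_remediation(f):
            actions.append((f["Id"], f["ProductArn"], plan))
    return actions

def lambda_handler(event, context=None, call_aws=None):
    if call_aws is None:
        import boto3   # only needed inside Lambda, not for offline use
        call_aws = lambda svc, op, params: getattr(boto3.client(svc), op)(**params)
    done = []
    for fid, product_arn, (svc, op, params) in triage(event):
        call_aws(svc, op, params)
        call_aws("securityhub", "batch_update_findings", {   # record the response
            "FindingIdentifiers": [{"Id": fid, "ProductArn": product_arn}],
            "Workflow": {"Status": "RESOLVED"},
            "Note": {"Text": "Auto-remediated", "UpdatedBy": "security-automation"}})
        done.append(fid)
    return {"remediated": done}
```

The Lambda's execution role should itself follow least privilege: only s3:PutBucketPublicAccessBlock on the buckets in scope and securityhub:BatchUpdateFindings.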

A crucial ally for this task can be to perform a Well-Architected Review that forces us to go point by point through an audit with security as one of its pillars.

Future of security and Machine Learning

As we mentioned at the beginning, security is experiencing a significant boom; information leaks/thefts and security incidents fill the media and damage companies’ image and credibility.

A more distributed society has larger attack surfaces that must be constantly reviewed, and as with any constant, automatable task, Machine Learning techniques are an ideal complement. In the particular case of AWS, we can see how Amazon Macie applies Artificial Intelligence techniques to detect data sensitivity, and other cognitive models help detect illegitimate traffic patterns and preparatory activity.

“It’s not worth doing something unless someone, somewhere, would much rather you weren’t doing it.”

Sir Terry Pratchett
