Best practices in security and compliance on the AWS Cloud

Being the cloud leader means that Amazon Web Services must constantly create and develop new solutions, while also keeping an eye on the procedures and audits that must ensure compliance with the strict criteria of many demanding industries.

Where shall we begin? Perhaps with the most obvious thing we all need to remember: Shared Responsibility. We can use the diagram prepared by AWS, which shows who is responsible for which areas when using cloud services. AWS takes responsibility for the foundational services: compute, data services, network connectivity and data storage. We, as the client, need to take care of data protection, access management and, lastly, network and firewall supervision. It is worth mentioning that AWS is also responsible for the availability of regions and the operation of Availability Zones (AZs), including edge locations.

Source: Introduction to Auditing the Use of AWS

The next step is to identify our (the client’s) assets that we are going to place in AWS, and to understand the security foundations of the cloud. Depending on our needs, those assets may be EC2 instances, applications, whole data warehouses or simply data.

As you can see, there is no significant difference in the categorization of resources between those stored in the public cloud and those we keep in our own data centres. But there is something else we get from AWS after putting a resource in their cloud: two unique identifiers. The first is the AWS account number and the second is the ARN, which stands for Amazon Resource Name. It is necessary whenever you need to unambiguously specify a given resource in services such as Amazon RDS, API Gateway or IAM. In addition, each AWS service creates its own internal identifier, which can be helpful in cataloguing the environment’s resources.
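As an added example (not part of the original article), here is a small parser for the ARN format described above, together with a grouping helper of the kind one would use when cataloguing an environment. The ARN layout is AWS's documented one; the sample ARNs and the `inventory` helper are constructed for this example, and `123456789012` is the placeholder account id AWS itself uses in its documentation.

```python
"""Parse Amazon Resource Names (ARNs) into their components.

Format: arn:partition:service:region:account-id:resource, where the resource
part is one of 'resource-id', 'resource-type/resource-id' or
'resource-type:resource-id'. Region and account id may be empty for global
services (IAM) and for S3 buckets.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                   # empty for global services such as IAM
    account_id: str               # empty for S3 buckets and objects
    resource_type: Optional[str]  # None when the service uses a bare resource id
    resource_id: str


def parse_arn(text: str) -> Arn:
    """Split an ARN string into its fields, validating the mandatory ones."""
    parts = text.split(":", 5)    # the resource part may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN is missing a mandatory field: {text!r}")
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")

    resource_type: Optional[str] = None
    resource_id = resource
    if service != "s3":
        # S3 ARNs have no type prefix (bucket or bucket/key, and the key may
        # contain '/' and ':'). For other services the first '/' or ':' separates
        # the resource type from the id; the id keeps any later separators,
        # e.g. role/service-role/Deploy -> type 'role', id 'service-role/Deploy'.
        cuts = [i for i in (resource.find("/"), resource.find(":")) if i != -1]
        if cuts:
            cut = min(cuts)
            resource_type, resource_id = resource[:cut], resource[cut + 1:]
    return Arn(partition, service, region, account_id, resource_type, resource_id)


def inventory(arns: Iterable[str]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group ARNs by (account, service, resource type) for a resource catalogue."""
    groups: Dict[Tuple[str, str, str], List[str]] = {}
    for text in arns:
        a = parse_arn(text)
        key = (a.account_id or "<no account>", a.service, a.resource_type or "<none>")
        groups.setdefault(key, []).append(a.resource_id)
    return groups


if __name__ == "__main__":
    # Constructed sample ARNs; 123456789012 is the documentation placeholder account.
    samples = [
        "arn:aws:iam::123456789012:user/alice",
        "arn:aws:iam::123456789012:role/service-role/Deploy",
        "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def456",
        "arn:aws:rds:eu-west-1:123456789012:db:orders",
        "arn:aws:s3:::example-reports/2024/01.csv.gz",
    ]
    for key, ids in sorted(inventory(samples).items()):
        print(key, ids)
```

The parser deliberately rejects malformed input (wrong prefix, missing resource, non-12-digit account id) rather than guessing, which is what you want when ARNs come from tags, logs or spreadsheets during an audit.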

AWS points out that it is crucial to determine who in the organization manages the AWS account, who owns the resources maintained under the account, and who manages the services that are used. This provides proper management of resources and, more importantly, lets us set the aim and direction of the security implementation. It is also important to check exactly which policies, procedures and plans apply to the specific AWS services in use.

Configuration and proper management of resources must be preceded by an in-depth analysis of the categories of resources in use. This means configuring systems and applications securely (paying particular attention to safe configuration settings and protection against malware) and controlling the changes made to those resources. Risks arising from newly discovered security gaps must be managed properly to protect the stability and integrity of the resources.

Security recording and monitoring. This is primarily about logs, in which all behaviours and events occurring in the user’s systems and networks are recorded.

Determining who or what may access a specific resource, and which actions may be performed on it, is part of logical access control. As part of the audit, users should confirm that they are authorized to perform specific functions or to access specific resources.
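One concrete way to audit logical access control is to review IAM policy documents for statements that grant more than a principal needs. The linter below is an added example (not code from the article or from AWS): it walks a policy in the standard IAM JSON layout and flags wildcard actions, unconditioned wildcard resources, `NotAction`, public principals, and a short, constructed list of sensitive actions used with `Resource: "*"`. Both sample policies are constructed; `iam:PassedToService` is a real IAM condition key.

```python
"""Review IAM policy documents for statements that break least privilege."""
import json
from typing import Any, Dict, List

# Actions that hand out or widen access; combined with Resource "*" they deserve a second look.
# (Constructed list for this example; extend it to match your own review checklist.)
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "sts:AssumeRole", "kms:Decrypt",
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for over-broad Allow statements."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except the listed ones; "
                            "prefer an explicit Action list")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"{sid}: {action} grants every action of the "
                                f"{action.split(':')[0]} service")
        if "*" in resources and not has_condition:
            findings.append(f"{sid}: Resource '*' without a Condition applies to every "
                            "resource in the account")
        for action in actions:
            if action in SENSITIVE_ACTIONS and "*" in resources:
                findings.append(f"{sid}: {action} should be scoped to specific resources, not '*'")
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if is_public and not has_condition:
            findings.append(f"{sid}: Principal '*' without a Condition makes the resource public")
    return findings


# Constructed sample policies (not taken from any real account).
OVER_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DeployHelper", "Effect": "Allow",
     "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}
  ]
}""")

LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "PassDeployRoleOnly", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/Deploy",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("OVER_BROAD", OVER_BROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name, lint_policy(policy) or ["no findings"])
```

The checks are textual and intentionally conservative: they do not expand wildcards against the real action list or resolve policy inheritance, so a clean result is a starting point for review, not proof of least privilege. Feeding the tool the output of `aws iam get-policy-version` for each attached policy gives an auditor a quick first pass over an account.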

Both the AWS client and AWS itself are obliged to respond to threat-related incidents. This aspect ties in with the monitoring mentioned above and with shared responsibility in the cloud: the main area of the audit is assessing the effectiveness of the existing incident management controls.
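To make the logging and incident-response points above concrete, here is an added example (not from the article) that runs three simple detection rules over CloudTrail records: use of the root user, a successful console sign-in without MFA, and repeated `AccessDenied` errors from one identity. The field names (`userIdentity`, `eventName`, `errorCode`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are CloudTrail's own; the log content, the threshold and the rule names are constructed for this example, and the IP addresses come from the documentation ranges.

```python
"""Run a few detection rules over CloudTrail records.

CloudTrail delivers JSON files shaped like {"Records": [...]}. The rules below
are deliberately simple and are meant as a starting point for an incident
management control, not as a replacement for GuardDuty or CloudWatch alarms.
"""
import json
from collections import Counter
from typing import Dict, List

DENIED_THRESHOLD = 3  # repeated AccessDenied errors from one identity in a batch (constructed value)


def load_records(text: str) -> List[Dict]:
    """Parse one CloudTrail log file."""
    return json.loads(text)["Records"]


def _principal(event: Dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict per rule match."""
    alerts: List[Dict] = []
    denied: Counter = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        who, when, name = _principal(ev), ev.get("eventTime"), ev.get("eventName")
        # Rule 1: the root user should not be used for day-to-day work at all.
        if ident.get("type") == "Root":
            alerts.append({"rule": "root-account-activity", "principal": who,
                           "time": when, "event": name})
        # Rule 2: a successful console sign-in without MFA.
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append({"rule": "console-login-without-mfa", "principal": who,
                           "time": when, "source_ip": ev.get("sourceIPAddress")})
        # Rule 3 (aggregated below): many AccessDenied errors from one identity
        # point to a misconfigured workload or to someone probing their permissions.
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= DENIED_THRESHOLD:
            alerts.append({"rule": "repeated-access-denied", "principal": who, "count": count})
    return alerts


# Constructed sample log in CloudTrail's file layout (not a real trail).
SAMPLE_LOG = """{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T08:10:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.44",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
  "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T08:10:02Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBucket", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.44",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
  "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T08:10:05Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListUsers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
  "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T08:15:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}}
]}"""

if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG)):
        print(alert)
```

The benign `PutObject` record at the end produces no alert, which is the other half of a useful rule: an incident-management control is only effective if the alerts it raises are few enough to be acted on. In a real deployment the same logic would sit in a Lambda function fed by the trail's S3 bucket or in CloudWatch Logs metric filters.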

Next is data encryption, which is necessary whenever the data are confidential. Currently, Amazon S3 provides an automated encryption service. It is worth paying attention to encryption of data at rest as well as in transit; this is just as important as protecting data stored locally on disks. Many security policies do not regard the Internet as a secure communication medium.
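The two requirements above (encryption in transit and at rest) are typically enforced on an S3 bucket with Deny statements in its bucket policy. As an added example (not from the article), the block below spells out such a policy for a constructed bucket and includes a small evaluator, limited to the Deny effect and the three condition operators the policy uses, so that sample requests can be checked against it offline. The condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption` are real; the bucket name, object key and evaluator are constructed.

```python
"""A bucket policy that forces TLS in transit and SSE-KMS at rest, plus a small
evaluator to check sample requests against it.

Only Deny statements and the operators Bool, StringNotEquals and Null are
modelled; real IAM evaluation is far richer.
"""
import fnmatch
from typing import Any, Dict, List, Optional

BUCKET = "example-confidential"  # constructed bucket name


def _list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


ENCRYPTION_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # in transit: refuse any request that did not arrive over TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # at rest: uploads must ask for SSE-KMS explicitly ...
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # ... and a request without the header is not matched by StringNotEquals
            # (a key absent from the request context makes the condition false),
            # so it needs its own statement with the Null operator.
            "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _condition_holds(condition: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """Evaluate a Condition block; every operator and key must hold (logical AND)."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif actual is None:
                return False  # IAM: a key missing from the request context never matches
            elif op == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif op == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(f"operator {op} is not modelled here")
    return True


def denying_statement(policy: Dict[str, Any], action: str, resource: str,
                      ctx: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"  # constructed object key
    requests = {
        "PutObject over plain HTTP":        ("s3:PutObject", obj, {"aws:SecureTransport": "false",
                                                                    "s3:x-amz-server-side-encryption": "aws:kms"}),
        "PutObject, TLS, no SSE header":    ("s3:PutObject", obj, {"aws:SecureTransport": "true"}),
        "PutObject, TLS, SSE-S3 (AES256)":  ("s3:PutObject", obj, {"aws:SecureTransport": "true",
                                                                    "s3:x-amz-server-side-encryption": "AES256"}),
        "PutObject, TLS, SSE-KMS":          ("s3:PutObject", obj, {"aws:SecureTransport": "true",
                                                                    "s3:x-amz-server-side-encryption": "aws:kms"}),
        "GetObject over TLS":               ("s3:GetObject", obj, {"aws:SecureTransport": "true"}),
    }
    for label, (action, res, ctx) in requests.items():
        print(f"{label:35s} -> {denying_statement(ENCRYPTION_POLICY, action, res, ctx) or 'not denied'}")
```

Two practical notes. The policy only ever denies; what a principal is allowed to do still comes from its IAM permissions, which is exactly why Deny-based guard rails compose safely with any set of user policies. And because S3 now applies SSE-S3 to new objects by default, the two header statements are only needed when you want to insist on a specific key (SSE-KMS, as here); any client that omits the header, including some older tooling, will then be rejected, so roll such a policy out behind a test bucket first.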

Disaster Recovery becomes a big issue when it comes to unsecured data and their loss or failure. AWS provides solutions for designing resilient systems that respond quickly to application incidents. During the design process we need to make sure that systems are configured to use multiple regions and Availability Zones. This ensures high availability and a fast recovery time.

Last but not least, network management. Managing a network in the cloud is very much like managing one on-premise; the only change is in components such as the firewall, which is virtual in the cloud. It is the customer’s responsibility to ensure that the network architecture complies with the security requirements of their organization. Improper configuration of external security can expose the environment to many threats. To verify that the configuration is correct, it is worth using AWS Trusted Advisor.
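The virtual firewall mentioned above is, in a VPC, the security group, and the classic misconfiguration is an inbound rule open to the whole Internet on a port that should never be public. As an added example (not from the article or from AWS), the audit below reads data in the layout returned by `aws ec2 describe-security-groups` and reports rules whose source is `0.0.0.0/0` or `::/0`, grading "all traffic" highest, administrative and database ports next, and any other non-web port as a lower finding. It is similar in spirit to Trusted Advisor's security-group checks; the sample groups, group ids and port list are constructed.

```python
"""Audit security group ingress rules for ports exposed to the whole Internet.

Input shape follows `aws ec2 describe-security-groups` (SecurityGroups ->
IpPermissions -> IpRanges / Ipv6Ranges). The sample below is constructed.
"""
import json
from typing import Any, Dict, List

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}  # web ports that are usually meant to be reachable from anywhere
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 27017: "MongoDB"}  # constructed list; extend for your estate


def _world_sources(perm: Dict[str, Any]) -> List[str]:
    """Return the any-address CIDRs (IPv4 and IPv6) a rule accepts traffic from."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD)


def audit_security_groups(groups: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per world-open rule (per admin port when a range covers several)."""
    findings: List[Dict[str, Any]] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue  # limited to specific CIDRs or to other security groups
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append({"group": sg["GroupId"], "ports": "all", "service": "all traffic",
                                 "sources": sources, "severity": "critical"})
                continue
            if proto in ("icmp", "icmpv6"):
                continue  # FromPort/ToPort are ICMP type/code here, not ports
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = {p: n for p, n in ADMIN_PORTS.items() if lo <= p <= hi}
            if exposed:
                for port, name in sorted(exposed.items()):
                    findings.append({"group": sg["GroupId"], "ports": str(port), "service": name,
                                     "sources": sources, "severity": "high"})
            elif not (lo == hi and lo in PUBLIC_OK):
                findings.append({"group": sg["GroupId"], "ports": f"{lo}-{hi}", "service": "other",
                                 "sources": sources, "severity": "medium"})
    return findings


# Constructed describe-security-groups output (group ids are placeholders).
SAMPLE_GROUPS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0legacy", "GroupName": "legacy", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]}
]}""")

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS["SecurityGroups"]):
        print(finding)
```

Note how the database group is caught only through its IPv6 rule: IPv4 was correctly restricted to the VPC range, which is exactly the kind of half-finished hardening a manual review tends to miss. Rules whose source is another security group (`UserIdGroupPairs`) produce no finding, since they are not reachable from the Internet at all.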

Besides all the tips we need to remember, it is worth mentioning the security features AWS applies to its data centres. Physical access is strictly controlled both at the perimeter of the land on which the building stands and at the entry points to the facility, by professional security guards using video surveillance, intrusion detection systems and other electronic tools. Both authorized AWS employees and outsiders must pass a two-step control to access individual floors of the data centre. All visitors and contractors who are granted access to zones must provide proof of identity; their details are entered in registers, and they move around the building escorted by security guards.

Specially designed AWS tools help maximize the protection of AWS cloud users’ data and applications. In addition, conducting audit activities systematically yields an unbiased and objective opinion on the actual state of the audited areas. Audits also confirm the compliance of organizations and systems with legal or normative regulations, allow the financial outlays incurred to secure systems to be optimized, and strengthen awareness of AWS security solutions.

Cloud Enthusiast & Engineer, AWS APN Ambassador, 2 x Professional Certified Expert of AWS (8+ years as Solution Architect), CEO&CTO at LCloud (www.lcloud.pl)