AWS Security Best Practices
Keeping Your Cloud Data Safe: A Simple Guide
Published Jan 29, 2024
Hello Everyone,
I'm very excited to share my first write-up on community.aws.
Many thanks to the AWS Community Builders program team; I have been enjoying my journey as a Community Builder for the past 2 years.
Here I'll be sharing a few important AWS security best practices for someone new to cloud computing, with definitions, real-world examples, and more.
You are probably already using MFA for some of the apps in your daily life. In cloud security it is essential for keeping your resources safe. MFA is an extra layer of security for user authentication that requires entering a unique code from a mobile app or hardware device, along with the main login credentials.
Enable MFA for your AWS root user and all IAM users so that a stolen password alone is not enough to gain access. You can manage MFA devices in the IAM console. IAM supports the following MFA methods:
- FIDO security keys
- Virtual authenticator apps
- Hardware TOTP tokens
- Hardware TOTP tokens for the AWS GovCloud (US) Regions
Check out this link for more details: https://aws.amazon.com/iam/features/mfa/
No more waiting: let's set up MFA for the root user and IAM users via the AWS console. Install a virtual authenticator app such as Google Authenticator.
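Once MFA is rolled out, the IAM credential report is the quickest way to verify that nobody (root included) still relies on a password alone. This is an added example, not from the original article; the report below is a constructed subset of the real `aws iam get-credential-report` CSV columns.

```python
"""Audit an IAM credential report for identities that still rely on a password alone.

Added example, not from the original article. SAMPLE_REPORT mimics the CSV that
`aws iam get-credential-report` returns, reduced to a constructed subset of its
real columns; in production you would base64-decode the report's `Content` field
and pass it to audit_credential_report().
"""
import csv
import io

ROOT_USER = "<root_account>"  # the name IAM gives the root identity in the report

# Constructed sample report: the root account, two console users and a key-only user.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,false
"""


def audit_credential_report(report_csv: str) -> list[dict]:
    """Return one finding per identity that violates the MFA / root guidance."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        keys = row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"
        if user == ROOT_USER:
            # Root always has a password (reported as not_supported): it must have
            # MFA, and it should hold no long-lived access keys at all.
            if not mfa:
                findings.append({"user": user, "issue": "root without MFA"})
            if keys:
                findings.append({"user": user, "issue": "root has active access keys"})
        elif console and not mfa:
            # A console password with no MFA device is exactly the stolen-password risk.
            findings.append({"user": user, "issue": "console user without MFA"})
        # Key-only users (no console password) are not an MFA finding; rotate their keys instead.
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{finding['user']}: {finding['issue']}")
```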
After creating your AWS account, IAM is the first place to go to create users, groups, roles and policies.
Securely manage identities and access to AWS services and resources.
Use IAM to manage and scale workload and workforce access securely, supporting your agility and innovation in AWS.
IAM creates individual user identities and allows granular control of permissions and access to AWS resources. Have separate IAM users for developers and operations teams, allowing access only to the services they require.
Create least-privilege IAM identities for each user role and assign policies based on their needs. Define the users you need, and grant access through groups and roles so that permissions are kept to a minimum.
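A quick way to keep policies at least privilege is to lint them for the two grants that defeat it: wildcard actions and write access on `Resource: "*"`. This is an added example, not from the original article; both policy documents are constructed, and the read-only heuristic (Describe/List/Get verbs) is an assumption of this lint, not an AWS rule.

```python
"""Lint IAM policy documents for grants that defeat least privilege.

Added example, not from the original article. The two policies are constructed;
treating Describe*/List*/Get* as the only actions that may use Resource "*" is a
heuristic chosen for this lint (many such calls genuinely require "*").
"""
import json

# Constructed policies: one scoped to what a developer needs, one admin-like.
DEV_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-dev-bucket/*"},
    {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
]})
ADMIN_LIKE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]})


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    verb = action.split(":")[-1]
    return verb.startswith(("Describe", "List", "Get"))


def lint_policy(policy_json: str) -> list[str]:
    """Return one finding per over-broad grant; an empty list means the lint passed."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))   # NotAction is not handled here
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"statement {i}: non-read-only actions on Resource '*'")
    return findings


if __name__ == "__main__":
    print("dev policy:", lint_policy(DEV_POLICY) or "ok")
    print("admin-like policy:", lint_policy(ADMIN_LIKE_POLICY))
```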
Security groups act as firewall controls that regulate traffic to EC2 instances in VPCs. Restrict SSH access to your office IP range only, and allow web traffic only on ports 80/443.
This mainly resolves the problem of unrestricted network traffic exposure.
NACLs are stateless and do not track the state of a connection, while security groups are stateful and automatically allow the return traffic for connections they have already permitted.
Set up tight security groups and NACLs around what is allowed inbound and outbound to your resources. Audit the default groups, define your application's network needs, and add or remove rules accordingly; it is worth getting more hands-on with this great feature.
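Auditing for rules that break the "SSH from the office only, web on 80/443 only" guidance is easy to automate. This is an added example, not from the original article; `SAMPLE_GROUPS` is constructed in the shape of `aws ec2 describe-security-groups` output, and `ALLOWED_PUBLIC_PORTS` and `OFFICE_CIDR` are assumptions for illustration.

```python
"""Flag security group ingress rules that expose more than the guidance allows.

Added example, not from the original article. SAMPLE_GROUPS is a constructed list
shaped like the `SecurityGroups` items that `aws ec2 describe-security-groups`
returns; ALLOWED_PUBLIC_PORTS and OFFICE_CIDR are assumptions for illustration.
"""
ALLOWED_PUBLIC_PORTS = {80, 443}      # web traffic may come from anywhere
OFFICE_CIDR = "203.0.113.0/24"        # constructed office range (TEST-NET-3)
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed groups: HTTPS from anywhere plus SSH from the office (fine),
# SSH from the whole internet, and an "all traffic" rule open over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": OFFICE_CIDR}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def _open_to_world(rule: dict) -> bool:
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def find_overexposed_rules(groups: list[dict]) -> list[tuple[str, str]]:
    """Return (GroupId, reason) for each world-open rule beyond ports 80/443."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            if not _open_to_world(rule):
                continue  # scoped to a CIDR such as the office range: acceptable
            if rule["IpProtocol"] == "-1":
                # Protocol -1 is "all traffic"; EC2 omits FromPort/ToPort for it.
                findings.append((group["GroupId"], "all traffic open to the world"))
                continue
            bad = [p for p in range(rule["FromPort"], rule["ToPort"] + 1)
                   if p not in ALLOWED_PUBLIC_PORTS]
            if bad:
                span = str(bad[0]) if len(bad) == 1 else f"{bad[0]}-{bad[-1]}"
                findings.append((group["GroupId"],
                                 f"{rule['IpProtocol']} port(s) {span} open to the world"))
    return findings


if __name__ == "__main__":
    for group_id, reason in find_overexposed_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {reason}")
```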
Encryption encodes data using keys so that only authorized parties can read or access it. In AWS it is mainly used to encrypt EBS volumes and S3 buckets that store sensitive customer data.
It resolves the problem of data being exposed if the underlying storage is compromised.
AWS offers you the ability to add a layer of security to your data at rest in the cloud, providing scalable and efficient encryption features. These include:
- Data at rest encryption capabilities available in most AWS services, such as Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker
- Flexible key management options, including AWS Key Management Service, that allow you to choose whether to have AWS manage the encryption keys or enable you to keep complete control over your own keys
- Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing you to help satisfy your compliance requirements
- Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS
Leverage the encryption mechanisms provided by AWS services: enable encryption for EBS, S3 and RDS, and manage your keys securely (for example with AWS KMS).
CloudTrail provides event logs of all activity across your AWS accounts for visibility, auditing and troubleshooting. Stream CloudTrail logs to CloudWatch Logs and set up metric alarms for anomalies or unauthorized activity.
Track user activity and API usage on AWS and in hybrid and multi-cloud environments.
AWS CloudTrail is a service that enables governance, compliance, and operational auditing of your AWS account.
CloudTrail Insights tracks unusual activity in write management API operations. Turn on CloudTrail across all Regions, and stream the logs to CloudWatch Logs or S3 for analysis and alerts.
Getting started:
Enable CloudTrail in the console, configure log shipping to CloudWatch Logs, and set up monitoring on those logs.
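The alarms mentioned above boil down to a few detection rules over CloudTrail records; running them over sample records shows what each one catches. This is an added example, not from the original article; `SAMPLE_LOG` is constructed in the CloudTrail log-file format and is not a real trail.

```python
"""Scan CloudTrail records for the unauthorized-activity signals worth alarming on.

Added example, not from the original article. SAMPLE_LOG is constructed in the
CloudTrail log-file format (a JSON object holding a `Records` list); in production
the same function would run over files delivered to S3 or a CloudWatch Logs stream.
"""
import json

# Constructed records: a routine API call, a root console login, a console login
# without MFA, and an IAM call that was denied.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-29T10:00:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-29T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-29T10:06:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-29T10:07:00Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied"},
]})

DENIED_CODES = {"AccessDenied", "UnauthorizedOperation"}


def detect_suspicious_events(log_json: str) -> list[dict]:
    """Return one alert per (record, rule) match, in record order."""
    alerts = []
    for rec in json.loads(log_json)["Records"]:
        identity = rec["userIdentity"]
        who = identity.get("userName", identity["type"])  # root has no userName
        rules = []
        # Root should not be used day to day, so any root activity is notable.
        if identity["type"] == "Root":
            rules.append("root account activity")
        # A console sign-in without MFA is exactly the password-only login MFA prevents.
        if rec["eventName"] == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            rules.append("console login without MFA")
        # Denied calls are a cheap early signal of probing or broken permissions.
        if rec.get("errorCode") in DENIED_CODES:
            rules.append(f"denied {rec['eventName']}")
        alerts += [{"time": rec["eventTime"], "user": who, "rule": r} for r in rules]
    return alerts
```

The root rule is the same signal as the CloudWatch Logs metric filter pattern `{ $.userIdentity.type = "Root" }`, which is how you would turn it into a metric alarm rather than a script.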
Infrastructure as Code means managing cloud infrastructure, configuration and services programmatically from declarative definition files rather than through the console or CLI. Use CloudFormation templates to manage your test and production environments consistently.
It resolves the problem of manual configuration leading to inconsistencies between environments.
Maintain version-controlled Infrastructure as Code definition files that can recreate entire stacks, and explore AWS CloudFormation or Terraform to create reusable infrastructure programmatically.
We have reached the end of this article. There are many more security best practices in the official AWS documentation that you may explore.
Let's connect on LinkedIn to grow together; learning never stops!
Happy cloud journey!