Infrastructure as a service (IaaS) has become an invaluable solution for many companies. Startups today don’t need to deal with the headache of buying servers, server racks, HVAC systems and everything else associated with hosting your own IT infrastructure. The convenience IaaS provides is a key reason why so many companies choose to adopt this model.
However, the phrase “out of sight, out of mind” holds very true in this situation. When companies don’t physically see the infrastructure, it is easy for them to become careless. Many people take the attitude that “the provider will take care of it”, but that is simply not true. While your provider is responsible for some elements of your infrastructure, many providers, Amazon included, clearly state that security is a shared responsibility.
Amazon Shared Responsibility Model
It’s important that companies do their part in securing their infrastructure. Here are some of the key things to consider when securing your AWS infrastructure:
Before getting into architecture, I want to start with some of the most important tools that AWS provides. Amazon Inspector is a security assessment tool that performs vulnerability assessments of your resources. It is well maintained and kept up to date by Amazon.
AWS Config is great for ensuring compliance: it is a service that lets you assess, audit and monitor whether your AWS resource configurations are in line with your desired configurations.
CloudWatch is the AWS monitoring tool for everything in AWS. It takes in logs, events and metrics from across your environment and gives you good insight into what is going on. It can also be made to listen for specific events and send out notifications via email or text when combined with AWS’s SNS service. Lastly, you can combine CloudWatch with Lambda functions to perform remediation actions automatically when certain events occur, such as auto-scaling an EC2 instance in the event of high utilization.
GuardDuty is a managed threat detection service that uses machine learning to analyze logs across your infrastructure and proactively detect signs of attack. Things it looks for include reconnaissance, compromised instances, compromised accounts, port scanning, exfiltration, malware and all manner of malicious activity.
Amazon Simple Notification Service (SNS) is a managed messaging service for both system-to-system and app-to-person communication. It can be combined with CloudWatch events to automatically send notifications by email when specified events occur.
Lambda is an event-driven serverless computing platform provided by AWS. Put simply, it allows you to run code without spinning up a server (EC2 instance), and it can be triggered to run automatically in response to certain events. For security, this means you can trigger automated remediation in your AWS environment in response to events that you predefine.
An example would be checking whether an S3 bucket’s configuration is in compliance. First you have AWS Config monitor that bucket; when it falls out of compliance, Config triggers a CloudWatch event. That event activates a Lambda function that corrects the bucket and sends an email notification to your administrator through SNS. See the diagram below:
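As an added example (not code from the original post), here is what the Lambda function in that pipeline could look like: it parses the Config compliance-change event, re-applies the bucket's public access block, and notifies an administrator through SNS. The event below is a constructed sample, and the topic ARN is assumed to arrive in a TOPIC_ARN environment variable.

```python
import os

# Constructed sample of the event EventBridge delivers when a Config rule
# changes state; field names follow Config's compliance-change event format.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "example-bucket",
        "resourceType": "AWS::S3::Bucket",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

def parse_event(event):
    """Return (bucket, rule) for a NON_COMPLIANT S3 bucket finding, else None."""
    if event.get("source") != "aws.config":
        return None
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return None
    result = detail.get("newEvaluationResult", {})
    if result.get("complianceType") != "NON_COMPLIANT":
        return None
    return detail["resourceId"], detail.get("configRuleName", "unknown-rule")

def remediate(event, s3, sns, topic_arn):
    """Fix the bucket and notify; clients are injected so this runs offline in tests."""
    parsed = parse_event(event)
    if parsed is None:
        return {"action": "ignored"}
    bucket, rule = parsed
    # Block every form of public access on the offending bucket.
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    msg = f"Bucket {bucket} violated {rule}; public access block re-applied."
    sns.publish(TopicArn=topic_arn, Subject="S3 auto-remediation", Message=msg)
    return {"action": "remediated", "bucket": bucket, "rule": rule}

def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported lazily so the module loads without it."""
    import boto3
    return remediate(event, boto3.client("s3"), boto3.client("sns"),
                     os.environ["TOPIC_ARN"])  # TOPIC_ARN is an assumed env var
```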
AWS Security Architecture
The first thing you want to do is ensure that all unrelated segments are placed in their own VPC. This ensures that if there is some type of outbreak, it will not affect all your systems, only those in that VPC.
A security group is a set of logical rules applied at the subnet level. These rules allow you to restrict access to instances within a VPC depending on things like source IP address, protocol and destination port. Security groups are stateful and will allow return traffic without explicit rules.
Access Control List (ACL)
An access control list is a set of logical rules applied at the VPC level. These rules also restrict access to your resources. ACLs are not stateful and will not automatically allow return traffic.
Route tables are a centralized means of allowing resources within a VPC to connect to other resources. A resource connects to the route table, which serves as an address book by pointing the resource to other IPs that have been added to it. By adding only the minimum set of IPs that a resource needs to reach, you prevent unauthorized connections.
Resource policies are rules added to AWS resources, an S3 bucket for example, that restrict access to the elements of that resource. For someone to access something on that resource, they need to be allowed by the applied resource policy. The common best practice is to restrict all access and only allow access as it is needed.
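The security-group rules described above are the most common place where exposure creeps in, so here is an added audit example (not code from the original post) that walks the structure EC2's DescribeSecurityGroups returns and reports every ingress rule open to the whole internet on anything other than an expected public port. The group data is a constructed sample; audit_live assumes AWS credentials and boto3.

```python
WORLD = {"0.0.0.0/0", "::/0"}
# Ports a public-facing tier is expected to expose to the internet.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape of EC2's DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
]

def world_open_findings(groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for each ingress rule
    that admits the whole internet on anything but an allowed public port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue  # scoped to a specific network: not world-open
                proto = perm.get("IpProtocol")
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                # "-1" means all protocols and ports and is always reported.
                all_traffic = proto == "-1" or lo is None
                if not all_traffic and lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                    continue
                findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings

def audit_live(region="us-east-1"):
    """Fetch the account's real groups with boto3 (assumes AWS credentials) and audit."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return world_open_findings(groups)
```

Because security groups are stateful, no matching egress rule is needed for replies, so the audit only has to look at ingress.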
Identity and Access Management
This refers to rules applied to user accounts; you can restrict users from performing any action in AWS. By default you should disable all optional privileges on a user account and then enable access only to the resources that the user needs.
Additionally, if you want to use AWS Lambda functions, there is a special IAM item called a role, which is a user account that is given to a computer program so that it can run with the access it needs. Here the best practice is to grant only the required access and to restrict the time for which the role can be assumed, so that it is active only for the minimum amount of time required to complete the action.
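To make the least-privilege role concrete, here is an added example (not code from the original post) of the role a bucket-remediation Lambda would assume: a trust policy limited to the Lambda service, a permissions policy scoped to one bucket and one SNS topic, and a check that flags wildcard grants. The ARNs are placeholders and create_role assumes a real boto3 IAM client.

```python
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket"               # placeholder
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:alerts"  # placeholder

# Trust policy: only the Lambda service may assume this role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def remediation_policy(bucket_arn, topic_arn):
    """Grant exactly the calls a bucket-remediation handler makes, nothing broader."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutBucketPublicAccessBlock",
         "Resource": bucket_arn},
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": topic_arn},
        {"Effect": "Allow", "Resource": "arn:aws:logs:*:*:*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents"]},
    ]}

def wildcard_findings(policy):
    """List (statement index, field) for Allow statements using '*' or 'svc:*'."""
    found = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            found.append((i, "action"))
        if "*" in resources:
            found.append((i, "resource"))
    return found

def create_role(iam, name, max_session=3600):
    """Create the role (real boto3 IAM client assumed) with the shortest session
    limit IAM allows, 3600 seconds, and attach the scoped inline policy."""
    iam.create_role(RoleName=name, MaxSessionDuration=max_session,
                    AssumeRolePolicyDocument=json.dumps(TRUST_POLICY))
    iam.put_role_policy(RoleName=name, PolicyName=f"{name}-inline",
                        PolicyDocument=json.dumps(
                            remediation_policy(BUCKET_ARN, TOPIC_ARN)))
```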
There are two types of load balancers in AWS: Application Load Balancers (ALB) and Network Load Balancers (NLB). Load balancers play an important part in helping to prevent denial of service (DoS/DDoS) situations, in which your infrastructure becomes overwhelmed by traffic and becomes unavailable to your customers. Load balancers help by distributing traffic across resources more evenly, preventing any one of them from being overwhelmed. AWS also offers a service called AWS Shield which is designed specifically to protect against DDoS attacks on your infrastructure. The premium version also comes with a 24/7 helpline that you can call for support if you are experiencing one.
AWS comes with many features that allow you to encrypt your data both at rest and in transit. This will mostly apply to your S3 buckets when you are hosting something that you want other people to be able to access. It’s important to enable the correct settings so that encryption is used by default, uploads are required to be encrypted, and encryption in transit is enforced.
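The three S3 settings just listed map onto a default-encryption rule and two Deny statements in the bucket policy. The added example below (not code from the original post) builds that policy and includes a small evaluator, covering only the Bool and Null condition operators the policy uses, so you can see which requests it rejects; the bucket name is a placeholder and apply assumes a real boto3 S3 client.

```python
import json

def encryption_policy(bucket):
    """Deny any non-TLS request and any PutObject without a server-side encryption header."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}

def _condition_matches(cond, ctx):
    """Evaluate only the two condition operators this policy uses."""
    for key, val in cond.get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() != val:
            return False
    for key, val in cond.get("Null", {}).items():
        is_null = key not in ctx  # Null "true" matches when the key is absent
        if is_null != (val == "true"):
            return False
    return True

def is_denied(policy, action, ctx):
    """True if any Deny statement's action and condition match the request context."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a == "s3:*" or a == action for a in acts):
            continue
        if _condition_matches(st["Condition"], ctx):
            return True
    return False

def apply(s3, bucket):
    """Turn on default encryption and attach the policy (real boto3 client assumed)."""
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration={
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]})
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(encryption_policy(bucket)))
```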
Defense in Depth
These technologies, when used together, are a great example of defense in depth. When designing a secure cloud architecture, it’s important to have multiple defenses in place so that if one fails you’re not exposed. You want to protect every resource with multiple layers of security so that there is no single point of failure.
In the event that a control does fail, you want to ensure that you have fail-safes in place. Firstly, you want automated remediation as outlined with Lambda, so that even if something goes wrong it is corrected without you having to do anything.
Second, you want proper monitoring, logging and notifications, as outlined through CloudWatch and SNS, so that if something does go wrong you are notified right away and have a good trail of information from which you can trace back to the root cause and correct it in a timely manner.