The AWS cloud follows a shared responsibility model. AWS manages the security of its own infrastructure, while your organization is responsible for securing the data and workloads you run on it. Amazon provides a range of security services and features, including encryption, key management, and identity and access management (IAM), to help you implement your organization’s security policies.
Another important aspect of security is compliance standards and regulations, since a misstep here can be costly for your organization. Amazon’s infrastructure is certified for almost every compliance standard in the world. However, this doesn’t mean the workloads you deploy on Amazon will be compliant as well. You must be mindful of your compliance obligations, and use the tools provided by Amazon to enforce the required security and privacy controls.
In this article, you will learn:
Amazon’s security responsibilities
Ensuring an organization fully secures its usage of the AWS cloud requires protecting data, accounts, and workloads from cyber threats. Amazon is responsible for security “of” the cloud, which includes:
The cloud customer’s security responsibilities
You, as a cloud customer, are responsible for security “in” the cloud. This involves configuring and maintaining Amazon cloud security features, including:
Here are some of the key reasons you should take measures to secure your use of the Amazon cloud:
AWS provides System and Organization Control (SOC) reports that are prepared by independent third parties for the use of customers and auditors. These are generated for customers by AWS Artifact and include:
Because there is no specific HIPAA certification for cloud service providers, AWS aligns HIPAA risk management requirements with the FedRAMP and NIST 800-53 standards. NIST has issued SP 800-66, which specifies how to map NIST 800-53 controls to the HIPAA Security Rule.
Amazon Web Services (AWS) adheres to PCI DSS Level 1 Service Provider certification—the most stringent available. It has been assessed by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). You can access the PCI DSS Attestation of Compliance (AOC) and Responsibility Summary through the AWS Artifact portal.
AWS services comply with the European Union’s General Data Protection Regulation (GDPR). However, under the shared responsibility model, a GDPR-compliant infrastructure does not by itself make your workloads compliant. You must use the tools AWS provides to ensure compliance across your own environment.
Specific features provided by AWS to meet GDPR requirements include:
Additional compliance standards and certifications covered by AWS include:
Here are best practices you can use to enhance security for AWS workloads.
AWS built-in encryption features use AES-256 encryption. AWS service-managed keys are provided free of charge, but support server-side encryption only. The AWS Key Management Service (KMS) is a paid option that lets customers either build their own independent encryption infrastructure or use an AWS-defined Customer Master Key (CMK), which AWS rotates on a yearly basis.
Back up your cloud systems and data according to the 3-2-1 rule: 3 copies, in 2 locations, with 1 of them in a separate physical location (a different service or region). Ensure that one of the two backups is held on a non-AWS cloud service.
Network managers should grant access only through security groups, and only the ports that are actually required should remain open. Use AWS Config and AWS Firewall Manager to automate the configuration of Virtual Private Cloud (VPC) security groups. The Network Reachability rules package, provided as part of Amazon Inspector, lets you determine which networks your VPC resources are currently reachable from or allowed to access.
Amazon IAM lets you grant different users varying levels of access to cloud resources and APIs. Create policies per role rather than per user, following the principle of least privilege. Define password policies that prevent the use of weak and reused passwords.
AWS CloudTrail logs should be written to an encrypted S3 bucket that is protected against deletion. Integrate your logs with a Security Information and Event Management (SIEM) solution or other AWS services that support centralized analysis. The same log archive can centralize logs from your entire Amazon deployment.
Here are common security mistakes teams should be aware of.
At a minimum, ensure that all sensitive AWS resources require authentication, with procedures in place so that nobody forgets to protect a resource. Preferably, use multi-factor authentication (MFA) coupled with robust password policies for all accounts and service roles that have access to sensitive resources or the Amazon console.
Outbound access should be restricted to prevent data exfiltration during a security breach or in case of accidental loss. Specify the IP addresses or address ranges your resources need to reach rather than 0.0.0.0/0, so that they cannot connect to IPv4 addresses outside your control.
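As an added example (not from the article or from Aqua), this Python function walks the egress rules of a security group, in the shape returned by the EC2 describe-security-groups call, and reports every rule that allows traffic to any address (0.0.0.0/0 or ::/0). Both security groups are constructed samples with placeholder group IDs.

```python
import ipaddress

# Constructed security-group descriptions (sample data, not from the article),
# mirroring the IpPermissionsEgress structure of ec2 describe-security-groups.
OPEN_EGRESS_SG = {
    "GroupId": "sg-0placeholder1",  # placeholder id
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

RESTRICTED_EGRESS_SG = {
    "GroupId": "sg-0placeholder2",  # placeholder id
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],  # documentation range
         "Ipv6Ranges": []},
    ],
}


def _is_anywhere(cidr):
    """True when the CIDR covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def unrestricted_egress_rules(security_group):
    """Return (protocol, (from_port, to_port), cidr) for each egress rule that
    lets the instance reach any address; an empty list means egress is scoped."""
    findings = []
    for rule in security_group.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        ports = (rule.get("FromPort"), rule.get("ToPort"))
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if _is_anywhere(cidr):
                findings.append((proto, ports, cidr))
    return findings
```

Rules that reference a prefix list or another security group rather than a CIDR are not covered by this check.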
AWS IAM roles are often used to provide temporary AWS credentials. For longer-lived credentials, use AWS Secrets Manager to rotate, manage and retrieve database credentials, API keys and other secrets. Applications can then fetch them through the Secrets Manager API, which eliminates the need to hard-code sensitive information.
Cloud Security Posture Management (CSPM) solutions ensure proper configuration of cloud services, including the myriad of EC2 security configurations. You can leverage CSPM tools to ensure the health of cloud configurations on a continuous basis, identifying misconfigurations and other security issues, and automatically remediating them.
Aqua provides the most complete security solutions to protect workloads running on Amazon ECS, EKS, AWS Fargate, and AWS Lambda. As an Advanced APN member and Container Competency technology partner, Aqua provides highly-integrated security controls for cloud native applications on AWS.
Aqua supports managed container services, such as Amazon ECS for container orchestration, Amazon EKS for Kubernetes-based deployments, AWS Fargate for on-demand container scaling, AWS Lambda for serverless functions, and Amazon ECR for storing and managing container images.
Protect workloads running on Amazon EKS – Prevent unauthorized images from running in your EKS cluster, enforce container immutability, network segmentation, and segregation of duties.
Secure Applications running on AWS Fargate containers – Embed Aqua MicroEnforcer into your containers to ensure that workloads running on AWS Fargate are only performing their intended function, detect vulnerable or compromised containers.
Extend security from Amazon ECR to Amazon ECS – Manage image vulnerabilities, ensure only trusted images can be deployed, automatically whitelist legitimate container behavior, and detect and block suspicious activities.
Protect AWS Lambda Functions – Control the risk of AWS Lambda functions by discovering over-provisioned permissions and roles, embedded credentials and keys, and vulnerabilities. Monitor functions at runtime, preventing code injection and malicious activity.
Cloud Security Posture Management (CSPM) – Ensure that your AWS accounts and services are configured according to best practices, including the CIS Foundation Benchmarks for AWS. Continuously scan hundreds of settings for risks and monitor CloudTrail events for anomalies. Automatically create and retain compliance reports for PCI, HIPAA, and more.
Cloud VM Security and Compliance – Protect workloads running on Amazon EC2 instances and ensure they are properly hardened. Scan for vulnerabilities and malware, apply File Integrity Monitoring (FIM), check configuration against the CIS Benchmark for Linux, and monitor user access and activity. Create a command-level audit trail for compliance and forensics.
Image Vulnerability Scanning & Assurance – Prevent unauthorized images from running in your AWS environment. Continuously scan images stored in Amazon ECR to ensure that DevOps teams do not introduce vulnerabilities, bad configurations, or secrets into container images. Get actionable recommendations for remediation of security issues.
Serverless Function Risk Assessment and Mitigation – Continuously scan Lambda functions in AWS accounts to ensure that developers don’t introduce vulnerabilities into function code, leave access keys in environment variables, or create overly permissive roles. Define security policies for AWS Lambda functions and alert on or prevent the execution of functions that violate the policies.
Protect Applications in Runtime – Prevent unvetted containers from running in your Amazon ECS, EKS, and Fargate environments. Automatically create security policies based on container behavior and ensure that containers only do what they are supposed to do in the application context. Detect and prevent activities that violate policy, and defend against container-specific attack vectors.
Container-Level RBAC – Apply highly granular access control policies to containers at runtime via integration with AWS IAM roles. Define user access privileges according to role, allowing or preventing specific Docker actions, such as view, run, stop, view logs, and more.
Secrets Management – Leverage AWS KMS (Key Management Service) to securely deploy secrets – such as passwords, keys, and tokens – into containers at runtime. Aqua makes it easy to manage, rotate, and revoke secrets in containers with no downtime, keeping them only in memory without persistence on disk.
Amit is the Director of Technical Product Marketing at Aqua. With an illustrious career spanning renowned companies such as CyberX (acquired by Microsoft) and F5, he has played an instrumental role in fortifying manufacturing floors and telecom networks. Focused on product management and marketing, Amit's expertise lies in the art of transforming applications into cloud-native powerhouses. Amit is an avid runner who relishes the tranquility of early morning runs. You may very well spot him traversing the urban landscape, reveling in the quietude of the city streets before the world awakes.