Four Considerations for Securing Your Workloads on AWS

As I.T. professionals, security needs to be at the forefront of everything that we do. Even in mature organizations with robust cloud deployments we must always believe there is room for improvement. Here are four considerations to make when evaluating the security of your AWS workloads.  

How will you utilize your logging data?

AWS resources generate constant logging events. Does your organization have a plan for those logs? Logs can be used to detect anomalies, monitor usage patterns, and identify opportunities for cost optimizations. Having a plan for your logging data is an important piece of being able to detect and respond to threats in a timely manner before a breach has occurred.

AWS has several tools which together enable you to act on your logging data. Cloudwatch Logs provides a central repository of all your log files from various AWS services. AWS CloudTrail provides event API logging, giving you a history of the API calls that have been used in your account. VPC Flowlogs allow you to capture information about traffic flowing to and from network interfaces within a VPC. 

Together, your organization has several options for how to analyze these logs. For instance, an organization could aggregate all of their logs from various AWS Services in Cloudwatch Logs, then use Amazon Kinesis move those logs over to a SIEM (Security Information and Event Management) tool such as Splunk, LogRythm or Rapid7 which provide a correlation engine that allows your organization to detect anomalies and stop threats before they happen. Consider if your team can make better use of logging data which is already being collected.

Are you applying a defense-in-depth strategy?

When it comes to security, our goal is to architect systems with tools, features, and controls that empower our people to carry out the organization’s mission while keeping the bad guys out. However, we don’t apply these controls to stop a single type of attack. We apply several different types of controls in such a way that if one control were to get circumvented, another would be there to provide redundancy. Defense in Depth (DiD) a crucial part of designing secure systems in the face of increasingly varied and complex cyber-attacks. 

Previously, to apply the principles of Defense in Depth, organizations had to purchase physical hardware from various manufacturers, each with their own operational intricacies, features, and separate support contracts. Such systems were difficult to operate at scale, and quickly became obsolete once newer hardware was introduced, and older hardware fell out of support. 

AWS cloud infrastructure simplifies applying the principle of defense in depth and empowers organizations to apply controls that make sense for themselves and their own organizational structure. Each control builds on the previous one, improving the overall security posture of the organization. 

The account provides the strictest administrative boundary within AWS. By segmenting workloads, teams, or business units into their own accounts, you can limit the impacts of a data breach to that account. Within these accounts, Service Control Policies (SCPs) provide a means to limit what services can be provisioned. By implementing SCPs, you are free to decide what teams can provision what services, and in what region(s) they can do so. This reduces the attack surface of your organization. 

The AWS networking features of VPCs, ACLs, Security Groups, Subnets, and Route tables give your organization granular control of the traffic flows within a network and to or from the internet. Additionally, AWS WAF, and AWS Shield provide Layer 7 and DDOS protection respectively for your workloads. Each of these controls together combine to form a robust mesh of security layers that make it harder for bad actors to gain access to your valuable data. Consider how many security controls would an attacker have to bypass to gain access to your data.
Are you implementing role separation in your environment?

Consider the damage a single rouge administrator or bad actor within your organization can cause if their privileges are unrestricted. If different individuals have accounts, and separate responsibilities, the impact of a single compromised account, or a single disgruntled user take are greatly reduced. The insider threat can be just as dangerous as the external threat, and accounting for that leads to more secure architectures.

AWS IAM allows a very fine-grained controls to be configured and applied to users and groups. Applying the principle of least privilege, while also separating roles gets greater awareness on potentially malicious actions against the organization. Consider designing processes that require the approval of another authorized user before the action can take place. 
Role separation and least-privilege are simpler to implement when the organization has a strong identity foundation in place. AWS allows identity federation enabling users to be authenticated against your existing Active Directory infrastructure. These identities can also be hosted in AWS itself through managed Active Directory.  Centralized identity stores allow for easier management of user privileges and revocation of credentials, reducing the likelihood of stale accounts that pose security risk. Consider how much damage a compromised user account, or rouge individual can pose to your organization and seek to not allow one administrator to have too many privileges. 

How will you test your incident response plan? 

How confident are you in your organization’s incident response plan? Are you confident they will meet contracted RTOs an RPOs? To take the guess work out of incident response, frequent gamedays should become ingrained in your organization’s culture. These gamedays will not only make your organization more secure but build the confidence of your I.T. staff. AWS enables test environments that mimic your production environment to be created in minutes, and these exercises can be run repetitively, ingraining security “muscle memory” into your security team. 

The Colonial Pipeline ransomware breach goes to show a data breach can have wide reaching consequences. Training for incidents such as these so you can have confidence in your organization’s response is a necessary piece of designing secure infrastructure. Think “when,“ not “if,” and never believe that it cannot happen to your organization. 

When conducting security game days it is necessary to make sure that the proper operations personnel are the ones participating. Conducting a successful gameday involves the following:

  • Define the scenario you want to practice – make sure you are selecting the correct workload and personnel who are responsible for that workload.
  • Identify and create the CloudFormation temples that are required to setup the gameday environment. 
  • Announce the start and end of the game day at their respective times and run the simulated events over the course of that day.
  • Analyze the day – document where your tolls, processes, procedures, and personnel did not meet your needs and expectations during the game day. Use this information to improve your incident response plan. 
  • Consider your preparedness if you were to get breached. What would your plan be? How quickly could you get back online and how much data would you lose? Who would be responsible for getting your infrastructure back up and running again? These are all questions to consider when evaluating your organization’s security posture. 

DLT + AWS = The Path Forward 

No matter where you are in your cloud journey, whether just starting or born in the cloud, DLT has the knowledge and insights to guide public sector organizations to success. DLT and its industry partners aid customers in designing, implementing, securing, and managing cloud environments that specifically meet mission needs — no matter how small or large the project. DLT offerings are built to complement AWS’ proven framework, increasing customer benefit, satisfaction, and productivity. DLT’s team of AWS-certified technical experts bring unmatched industry experience with more than 5,000+ cases a year and sport a 98% customer satisfaction rating. Their premier technical services deliver a cloud environment that fits the unique needs of any customer with the ability to rapidly procure IT services, scale up/ down as needed, and release when finished.