Over the last few years, we've deployed a lot of environments into the AWS cloud. Provisioning a brand new IT environment requires a well-planned design, and each design will differ based on your business needs. But one aspect that always has to be present, from the original concept all the way through to execution, is security.
These days security cannot be an afterthought. There's too much data, money and power riding on our modern IT systems; a malware infection or an attacker breaching those systems is no longer an inconvenience, it can be a career-ending event. This is why we always make sure to follow industry best practices when it comes to security.
A lot of people believe security is a binary, black-and-white concept: either you're secure or you're not. In reality you can never be truly foolproof. Security comes in layers (defense in depth), and the more independent layers you put in place, the more an attacker has to get through before reaching anything valuable. In this post, I'll describe some of the features we commonly use in AWS, and why you may want to make use of them. Note that this isn't an exhaustive list, and you should always do your own research to decide how to approach your own use cases.
CloudTrail is a service that comes with every AWS account; there's no need to opt in to see its event history. It records the API calls made against your account, from you signing in to the web console, to spinning up an EC2 instance, to a script run through the AWS CLI. Two caveats: the default event history is kept for only 90 days, so create a trail that delivers the logs to an S3 bucket (and optionally to CloudWatch Logs) if you want to keep and search them longer, and management events are recorded by default while data events (S3 object-level reads and writes, Lambda invocations) are not, so turn those on for the buckets and functions that matter. Also enable log file validation and restrict who can call StopLogging or DeleteTrail, since an attacker's first move is often to disable the audit trail. Using filters, you can look for suspicious events, such as console login failures, root account usage, or people in your organization using services they shouldn't be using. Consider creating alerts for particularly important events, for example through CloudWatch Logs metric filters and alarms on a trail that delivers to CloudWatch Logs.
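To make the "filter for suspicious events" idea concrete, here is a small triage script, added for this post (it is not AWS code and not the author's tooling). It uses the real CloudTrail record fields (eventName, eventSource, userIdentity, responseElements, additionalEventData, sourceIPAddress), but the records in SAMPLE_LOG are constructed for the demo, and the rule thresholds and the list of sensitive API calls are my own choices. The same logic could run as a Lambda triggered on log delivery to S3, or be expressed as metric filters on a trail that delivers to CloudWatch Logs.

```python
"""Triage CloudTrail records for a few high-signal security events."""
import json

# API calls that weaken logging, network exposure or IAM; alert on every one.
# Assumption: this list is illustrative, not an AWS-provided set.
SENSITIVE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",              # tampering with CloudTrail
    "AuthorizeSecurityGroupIngress",                          # opening ports
    "PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy",  # changing S3 exposure
    "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",   # credentials / privileges
}


def _login(name, user_type, ip, result, mfa, ts):
    """Constructed ConsoleLogin record in CloudTrail's shape (signin.amazonaws.com)."""
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": user_type, "userName": name},
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa}}


def _api(name, source, user, ip, ts):
    """Constructed management-event record."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "responseElements": None,
            "userIdentity": {"type": "IAMUser", "userName": user}}


# Constructed sample log file: CloudTrail delivers a JSON object with a "Records" list.
SAMPLE_LOG = json.dumps({"Records": [
    _login("alice", "IAMUser", "198.51.100.7", "Failure", "No", "2024-01-10T08:00:01Z"),
    _login("alice", "IAMUser", "198.51.100.7", "Failure", "No", "2024-01-10T08:00:09Z"),
    _login("alice", "IAMUser", "198.51.100.7", "Failure", "No", "2024-01-10T08:00:15Z"),
    _login("alice", "IAMUser", "203.0.113.5", "Success", "Yes", "2024-01-10T08:05:00Z"),
    _login("root", "Root", "203.0.113.9", "Success", "No", "2024-01-10T09:12:00Z"),
    _api("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "bob", "203.0.113.5", "2024-01-10T10:00:00Z"),
    _api("StopLogging", "cloudtrail.amazonaws.com", "bob", "203.0.113.5", "2024-01-10T10:01:00Z"),
    _api("DescribeInstances", "ec2.amazonaws.com", "bob", "203.0.113.5", "2024-01-10T10:02:00Z"),
]})


def parse_log(text):
    """Return the list of records from one CloudTrail log file."""
    return json.loads(text)["Records"]


def _actor(rec):
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_suspicious(records, fail_threshold=3):
    """Return findings (dicts with a 'rule' key) for the rules described in the post."""
    findings = []
    failures_by_ip = {}
    for rec in records:
        name = rec.get("eventName")
        base = {"time": rec.get("eventTime"), "actor": _actor(rec),
                "ip": rec.get("sourceIPAddress")}
        if name == "ConsoleLogin":
            # responseElements is null on many events, so guard against None.
            outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
            if outcome == "Failure":
                failures_by_ip[base["ip"]] = failures_by_ip.get(base["ip"], 0) + 1
                findings.append({"rule": "console_login_failure", **base})
            elif outcome == "Success" and mfa == "No":
                findings.append({"rule": "console_login_without_mfa", **base})
        if (rec.get("userIdentity") or {}).get("type") == "Root":
            findings.append({"rule": "root_account_used", "event": name, **base})
        if name in SENSITIVE_EVENTS:
            findings.append({"rule": "sensitive_api_call", "event": name, **base})
    # Aggregate: repeated failures from one IP look like password guessing.
    for ip, count in failures_by_ip.items():
        if count >= fail_threshold:
            findings.append({"rule": "repeated_login_failures", "ip": ip, "count": count})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick alert digest."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample data the script raises three individual login failures plus one aggregated brute-force finding for the same source IP, flags the root sign-in twice (root usage and no MFA), and flags the security group change and the StopLogging call; the DescribeInstances call is left alone. Real root records carry an ARN rather than a userName, which is why `_actor` falls back through the available identity fields.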
CloudWatch is often confused with CloudTrail, but it is a general monitoring service (metrics, alarms and, through CloudWatch Logs, log storage) rather than an audit trail. CloudWatch Logs is where many AWS services write their logs, such as Lambda functions, RDS databases, SES email delivery, and so on. It can also hold your own system logs: install the CloudWatch agent on your EC2 instances and ship syslog, auth logs and application logs to this central location. Centralizing logs matters for security because an attacker who gains root on an instance can wipe its local logs, but not the copies already shipped off the box. Note that log groups keep data forever by default, so set a retention period that matches your compliance needs rather than paying to store logs you'll never look at. If you don't already use a log aggregator like Splunk or ELK, consider using CloudWatch agents to make sure all your logs end up in this one central location.
AWS S3 is the object storage service a lot of companies use to store large amounts of data, from static content for web servers all the way to massive data lakes, so making sure that data is secure is important. S3 offers a number of security features you can take advantage of. The first is to make sure your data is encrypted at rest. New objects are encrypted by default with S3-managed keys (SSE-S3, AES-256); if you need control over the key, use SSE-KMS with a customer managed KMS key, which also gives you a CloudTrail record of every decrypt, and KMS lets you import your own key material if policy requires it. Also, add a bucket policy to your S3 buckets. Access is denied by default, so the policy lets you enforce least privilege by granting access to specific principals case by case, and it can also deny things you never want to allow, such as requests over plain HTTP. Finally, turn on S3 Block Public Access at the account level so that a careless bucket policy or ACL cannot make data public by accident.
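The following is an added example (not from the post and not AWS-provided code) of the bucket policy pattern described above: one narrow Allow for the application role, explicit Denies for plaintext transport and for uploads that aren't encrypted with the expected KMS key, and a small lint that catches the opposite pattern, an unconditional Allow to everyone. The bucket name, role ARN and KMS key ARN are placeholders; the policy grammar (Version, Statement, Principal, the aws:SecureTransport and s3:x-amz-server-side-encryption condition keys) is the real IAM policy language.

```python
"""Build a least-privilege S3 bucket policy and lint policies for public access."""
import json


def hardened_bucket_policy(bucket, reader_role_arn, kms_key_arn):
    """Return a policy dict: deny-by-default is implicit, so grant only what the app needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # The only Allow: the application role may read, nothing else.
            {"Sid": "AllowAppRoleRead", "Effect": "Allow",
             "Principal": {"AWS": reader_role_arn},
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [bucket_arn, objects]},
            # Refuse plaintext HTTP for every principal, including the account itself.
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, objects],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            # Refuse uploads that are not SSE-KMS with our key. Caveat: the
            # request must carry the headers explicitly; StringNotEquals on a
            # missing key evaluates true, so clients relying on bucket default
            # encryption alone would be denied by this statement.
            {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        ],
    }


def render(policy):
    """JSON as you would pass it to put-bucket-policy."""
    return json.dumps(policy, indent=2)


def _principals(statement):
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to a list."""
    p = statement.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for value in p.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_allow_statements(policy):
    """Sids of Allow statements that grant anonymous access with no Condition."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be given as an object
        stmts = [stmts]
    public = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and not stmt.get("Condition"):
            public.append(stmt.get("Sid", "<no Sid>"))
    return public


# Constructed example of the pattern the lint should catch (public read of every object).
WEAK_PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}


if __name__ == "__main__":
    policy = hardened_bucket_policy(
        "example-bucket",                                   # placeholder bucket
        "arn:aws:iam::123456789012:role/app-reader",        # placeholder role
        "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000")
    print(render(policy))
    print("public statements in weak policy:", public_allow_statements(WEAK_PUBLIC_POLICY))
```

The lint is deliberately narrow: it only flags an Allow whose principal is everyone and which has no Condition at all. A conditioned public Allow (for example restricted to a CloudFront origin access identity) is not necessarily wrong, which is why it is left for a human to review rather than silently accepted or rejected.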
Similarly, EBS volumes attached to EC2 instances often contain sensitive data, so make sure they are encrypted. You can use the AWS managed key or a customer managed KMS key, and you can turn on EBS encryption by default for the region so that new volumes and snapshots are encrypted without anyone having to remember. Access to these instances matters even more than encryption at rest, since any process running on the instance reads the decrypted volume. Keep a clear separation between public and private instances: sensitive data and databases belong in private subnets, with no public IP address assigned and reachable only from the application tier, whereas your application frontend (or better, a load balancer in front of it) lives in a public subnet accessible from the Internet.
Web Application Firewall
Amazon provides WAF, the Web Application Firewall, a low-cost option to protect your web applications. Even if you have proper firewalls, route policies, encryption and logging in place, they won't be of much use if the application itself has security holes, allowing attackers to get in and read all of your data. WAF sits in front of CloudFront, an Application Load Balancer or API Gateway and inspects each HTTP request against rules, blocking common attack patterns such as SQL injection and cross-site scripting; the AWS managed rule groups give you a sensible baseline without writing rules yourself. Be clear about what it is, though: WAF filters requests, it does not scan your application for vulnerabilities, so treat it as a mitigating layer in front of code you still need to fix, not a substitute for fixing it.
Once you have a lot of resources deployed in the cloud, you want to make sure nobody modifies them without your approval. AWS Config provides an inventory of your AWS resources and a history of configuration changes to them. You can use AWS Config to define rules, managed or custom, that evaluate these configurations for compliance. This addresses the very common problem where someone in your organization notices that something isn't working, and the solution they come up with is to open up all the ports to the whole world, without taking security into consideration. Config doesn't prevent the change, but it records who changed what and when, flags the resource as non-compliant within minutes, and can notify you or trigger automatic remediation so the hole is closed before anyone finds it.
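As an added example (not from the post, not AWS-provided code), here is a custom AWS Config rule for exactly the "open all the ports to the world" scenario: a Lambda that evaluates a security group's ingress rules and reports it non-compliant if anything other than an allowed list of ports is reachable from 0.0.0.0/0 or ::/0. AWS also ships managed rules for this (restricted-ssh, for instance), so a custom rule is only worth writing when you need your own port list. The configuration item shape (configuration.ipPermissions with ipProtocol, fromPort, toPort, ipRanges[].cidrIp, ipv6Ranges[].cidrIpv6) and the invokingEvent/ruleParameters/resultToken fields of the Lambda event are the real AWS::EC2::SecurityGroup schema and Config invocation format; the sample items, group IDs and the allowedPorts parameter name are constructed for the demo. The evaluation logic is kept pure so it can be tested without AWS credentials.

```python
"""Custom AWS Config rule: security groups must not be world-open except on allowed ports."""
import json

DEFAULT_ALLOWED_PORTS = {80, 443}       # assumption for the demo; real rule takes a parameter
WORLD = ("0.0.0.0/0", "::/0")


def _open_to_world(rule):
    v4 = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
    v6 = [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    return any(c in WORLD for c in v4 + v6)


def evaluate_security_group(configuration, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return (ComplianceType, annotation) for one security group's configuration."""
    problems = []
    for rule in configuration.get("ipPermissions", []):
        if not _open_to_world(rule):
            continue                                   # internal CIDRs are someone else's rule
        proto = rule.get("ipProtocol")
        if proto == "-1":                              # the "All traffic" rule
            problems.append("all traffic open to 0.0.0.0/0 or ::/0")
            continue
        lo, hi = rule.get("fromPort"), rule.get("toPort")
        if lo is None or hi is None:                   # e.g. icmp has no port range
            problems.append(f"{proto} open to the world")
            continue
        exposed = sorted(set(range(lo, hi + 1)) - set(allowed_ports))
        if exposed:
            problems.append(f"{proto} port(s) {exposed[:5]} open to the world")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]   # Config caps annotations at 256 chars
    return "COMPLIANT", "no world-open ports outside the allowed list"


def evaluate_item(configuration_item, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Handle deleted resources and foreign resource types before evaluating."""
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    return evaluate_security_group(configuration_item.get("configuration", {}), allowed_ports)


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule on a configuration change."""
    import boto3  # imported here so the pure functions above stay testable offline
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPorts", "80,443").split(",")}
    compliance, note = evaluate_item(item, allowed)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


def _sg_item(group_id, permissions, status="OK"):
    """Constructed configuration item for an AWS::EC2::SecurityGroup."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": group_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-01-10T10:00:00.000Z",
            "configuration": {"groupId": group_id, "ipPermissions": permissions}}


# Constructed samples: a sane web tier, SSH left open to the world, and "All traffic".
WEB_SG = _sg_item("sg-0a1b2c3d", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])
SSH_OPEN_SG = _sg_item("sg-0badbadb", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipRanges": [{"cidrIp": "10.0.0.0/16"}]}])
ALL_OPEN_SG = _sg_item("sg-0fffffff", [
    {"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}])


if __name__ == "__main__":
    for item in (WEB_SG, SSH_OPEN_SG, ALL_OPEN_SG):
        print(item["resourceId"], evaluate_item(item))
```

The rule reports only, which is the point of the paragraph above: pair it with an SNS notification on the compliance change, and, once you trust it, with a remediation action that revokes the offending ingress rule. Returning NOT_APPLICABLE for deleted resources matters because Config still invokes the rule on deletion, and a rule that throws there shows up as an evaluation error rather than a clean result.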
At the end of the day, which security measures you use is up to you. There are many more things you should look into, such as requiring Multi-Factor Authentication (MFA) on every account and especially the root user, doing static code analysis on your apps, using VPN connections for administrators, and so on. Security is often at odds with convenience, and it's up to you to decide which controls to use and how much security you want your deployment to end up with.