Best Practices For AWS Security
Version 1.2
Released: January 12, 2015
Securosis, L.L.C., 515 E. Carefree Highway, Suite #766, Phoenix, AZ 85085. T 602-412-3051
info@securosis.com www.securosis.com
This report is licensed by AlienVault, whose support allows us to release it for free. All content was developed independently.
AlienVault is the champion of mid-size organizations that lack sufficient staff, security expertise, technology or budget to defend against modern threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by the latest AlienVault Labs Threat Intelligence and the Open Threat Exchange, the world's largest crowd-sourced threat intelligence exchange, AlienVault USM delivers a unified, simple and affordable solution for threat detection and compliance management. For more information visit www.AlienVault.com or follow us on Twitter.
Table of Contents
Building on a Secure Foundation
Defend the Management Plane
Implement Built-in AWS Infrastructure Security Features
Finish with Additional Security Tools
Where to Go from Here
Who We Are
About the Author
About Securosis
Author's Note
The content in this report was developed independently of any sponsors. It is based on material originally posted on the
Securosis blog but has been enhanced and professionally edited.
Copyright
This report is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 license.
http://creativecommons.org/licenses/by-nc-nd/3.0/us/
Building on a Secure Foundation
Amazon Web Services is one of the most secure public cloud platforms available, with deep datacenter security and many user-accessible security features. Building your own secure services on AWS requires properly using what AWS offers, and adding additional controls to fill the gaps.
Amazon's datacenter security is extensive, better than many organizations achieve within their internal datacenters. Do your homework, but unless you have special requirements you can feel comfortable with AWS's physical, network, server, and services security. AWS data centers currently hold over a dozen security and compliance certifications, including SOC 1/2/3, PCI-DSS, HIPAA, FedRAMP, ISO 27001, and ISO 9001.
Never forget that you are still responsible for everything you deploy on top of AWS, and for properly configuring AWS
security features. AWS is fundamentally different from a virtual datacenter (private cloud), and understanding these
differences is key for effective cloud security. This paper covers the foundational best practices to get you started and
help focus your efforts, but these are just the beginning of a comprehensive cloud security strategy.
Defend the Management Plane
Fortunately, Amazon provides an extensive suite of capabilities to protect the management plane at multiple levels, including both preventative and monitoring controls. Unfortunately, the best way to integrate these into existing security operations isn't always clear, and it can be difficult to identify the gaps. Here are our start-to-finish recommendations.
- Use the concept of least privilege and assign different credentials based on job role or function. Even if someone sometimes needs full administrative access, their day-to-day entitlements should match what they actually do day to day.
- Use IAM Roles when connecting instances and other AWS components together. This establishes temporary credentials which AWS rotates automatically.
- Also use roles for cross-account access. This allows a user or service in one AWS account to access resources in another without creating another account, and ties that access to the role's policies.
- Apply object-level restrictions using IAM policies with tags. Tag objects properly and the IAM policies assigned to those tags are enforced automatically.
- Use different accounts and credentials for administrative functions within each AWS region and service.
- Integrate your internal directory service with AWS using SAML 2.0 for single sign-on, if possible. But be careful: this is most suitable for environments that don't need deep access to AWS resources, because it eliminates the ability to compartmentalize access using different accounts and credentials.
- Never embed Access Keys and Secret Keys in application code. Use IAM Roles, the Security Token Service, and other tools to eliminate static credentials. Many attackers now scan the Internet for credentials embedded in applications, virtual images, and even posted on code-sharing sites.
These are only a starting point, focused on root and key administrator accounts. Using MFA on these accounts is your best defense against most management plane attacks.
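The least-privilege and tag-scoping advice above can be checked mechanically before a policy is attached. The following is an added example (not from this paper or from AWS) that reviews an IAM policy document for the patterns that most often violate it: wildcard actions, "everything except" NotAction grants, and a Resource of "*" with no Condition. The sample policies, account ID and tag key are constructed for illustration.

```python
import json

# Constructed sample policies (not from the paper): one over-broad, one scoped to tagged resources.
OVER_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

TAG_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        # Object-level restriction via tags: only instances tagged Team=payments.
        "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "payments"}},
    }],
})


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy_json):
    """Return a list of least-privilege findings for an IAM policy document.

    Each Allow statement is checked for:
      * wildcard actions ("*" or "service:*"), which grant more than a role needs
      * NotAction, which grants everything not listed
      * Resource "*" without a Condition, i.e. no tag or object-level scoping
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction grants everything not listed")
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' with no Condition (no tag scoping)")
    return findings
```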
Monitor activity
Amazon provides three tools to monitor management activity within AWS. Enable all of them:
- CloudTrail logs all management (API) activity on AWS services, including Amazon's own connections to your assets. Where available, it provides complete transparency for both your organization's and Amazon's access.
- CloudWatch monitors the performance and utilization of your AWS assets, and ties tightly into billing. Set billing alarms to detect unusually high levels of activity. You can also send system logs to CloudWatch, but this isn't recommended as a security control.
- Config is a new service that discovers services and configurations within running instances, and tracks changes over time. It is a much cleaner way to track configuration activity than CloudTrail.
CloudTrail and Config don't cover all regions and services, so understand where the gaps are at this point in time. As of this writing (January 2015) Config is still in preview, with minimal coverage, but both services will be extended both from a
As a next step, many organizations use a management portal (open source or commercial) to lock down the management console instead of allowing direct access to AWS. This gives much tighter control over access and monitoring, and lets you proxy administrator access through Privileged User Management, jump boxes, or similar tools so that only authorized parties reach the console and their activity is monitored.
Implement Built-in AWS Infrastructure Security Features
- By default, instances in the same security group can't talk to each other. This prevents attackers from moving laterally within your cloud environment.
- Separate application components across security groups, with only required ports open between them.
- External administrative access (ssh or RDP) should be restricted to the IP addresses and subnets used by your administrators.
- Minimize the number of public subnets, and use NAT gateways to connect private subnets to the Internet as needed, just as you do in existing enterprise networks.
- Establish Access Control Lists to isolate subnets. ACLs are not a substitute for security groups, but a complementary tool.
- Require administrators to connect through a VPN or SSH jump box before connecting to instances. This can be implemented using an existing Privileged User Management tool.
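The security group guidance above (administrative ports only from administrator subnets, only required ports between components) can be audited against the rule sets an account actually has. The following is an added example, not from this paper, that walks constructed security group definitions shaped like the IpPermissions structure EC2 returns for DescribeSecurityGroups; the group IDs, CIDR ranges and the assumed administrator subnet are illustrative.

```python
import ipaddress

# Assumed administrator source range (office/VPN egress); constructed for this example.
ADMIN_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_PORTS = {22, 3389}   # ssh and RDP

# Constructed security groups (not from the paper), in EC2's IpPermissions shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # ssh open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,    # tier-to-tier by group reference
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # ssh only from admin subnet
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ]},
]


def _covers_admin_port(rule):
    """True if the rule's port range includes ssh or RDP ("-1" means all protocols/ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def audit_security_groups(groups, admin_cidrs=ADMIN_CIDRS):
    """Return findings for CIDR-based rules that break the guidance above:
    all-traffic rules from an address range, and admin ports reachable from
    any source that is not inside an administrator subnet."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for rule in g.get("IpPermissions", []):
            for r in rule.get("IpRanges", []):
                src = ipaddress.ip_network(r["CidrIp"])
                if rule.get("IpProtocol") == "-1":
                    findings.append(f"{gid}: all traffic allowed from {src}")
                elif _covers_admin_port(rule) and not any(src.subnet_of(a) for a in admin_cidrs):
                    findings.append(f"{gid}: admin port open to {src}, not an admin subnet")
    return findings
```

Group-to-group references (UserIdGroupPairs) are left alone on purpose: they are the preferred way to express component-to-component access and carry no address range to check.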
Finish with Additional Security Tools
Amazon's monitoring tools (CloudTrail, CloudWatch, and Config) offer incomplete coverage, and no correlation or analysis. Integrate their feeds into existing log management, SIEM, monitoring, and alerting tools that natively support and correlate AWS logs and feeds, so they can fill gaps by tracking activity AWS currently misses.
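The monitoring section above says to enable CloudTrail, and this section says to feed it into existing SIEM and alerting tools. The following is an added example, not from this paper, that serves both points: it triages constructed CloudTrail records for the management-plane events the paper singles out (root account use, console login without MFA, and changes that weaken logging or alarms) and flattens each alert into a key=value line an existing log pipeline can ingest. Field names follow the CloudTrail record format; the account ID, user name, addresses and trail name are constructed.

```python
import json

# Constructed CloudTrail records (not from the paper), in CloudTrail's record format.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-01-12T09:14:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-01-12T09:20:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accountId": "111122223333"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
    {"eventTime": "2015-01-12T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
]})

# API calls that reduce management-plane visibility; alert regardless of who made them.
CONTROL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                         "DeleteAlarms", "DisableAlarmActions"}


def triage_cloudtrail(trail_json):
    """Return (severity, reason, record) tuples for records a SIEM should alert on."""
    alerts = []
    for ev in json.loads(trail_json)["Records"]:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName")
        if ident.get("type") == "Root":
            alerts.append(("high", "root account used", ev))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("high", "console login without MFA", ev))
        if name in CONTROL_TAMPER_EVENTS:
            alerts.append(("high", "logging or alarm change: " + name, ev))
    return alerts


def to_syslog(alert):
    """Flatten one alert into a key=value line for an existing log/SIEM pipeline."""
    sev, reason, ev = alert
    ident = ev.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn") or ident.get("type")
    return (f'aws_cloudtrail sev={sev} reason="{reason}" event={ev.get("eventName")} '
            f'who="{who}" src={ev.get("sourceIPAddress")} region={ev.get("awsRegion")} '
            f'time={ev.get("eventTime")}')
```

The routine read-only call (DescribeInstances by an assumed role) produces no alert, which is the point of triaging before forwarding: the SIEM receives the few events that matter rather than the whole trail.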
- Use a host configuration management tool designed to work in the cloud to automatically configure and update instances.
  - Embed agents into approved AMIs or bootstrap them through installation scripts to ensure full coverage.
  - Insert baseline security policies so all instances meet security configuration requirements. This is also a good way to insert other security agents.
- Enhance host security using tools and packages designed to work in highly dynamic cloud deployments:
  - Agents should be lightweight, communicate with the AWS metadata service for important information, and configure themselves on installation.
  - Host Integrity Monitoring can detect unauthorized changes to instances.
  - Logging collects local audit activity for each instance and lets you set alerts on policy violations.
  - Host firewalls fill gaps left by security group limitations, such as rule set sizes.
  - Some tools can additionally secure administrator access to hosts without relying solely on ssh keys.
- For web applications, use a cloud-based Web Application Firewall.
  - Some services also provide DDoS protection. Although AWS can support high levels of traffic, DDoS protection stops traffic before it hits your instances and your AWS bill.
- Choose security assessment and scanning tools that tie directly into AWS APIs and comply with Amazon's scanning requirements.
  - Look for tools that not only scan instances, but can assess the AWS environment.
Who We Are
About the Author
Rich has twenty years of experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team, where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free assuming travel is covered).
About Securosis
Securosis, LLC is an independent research and analysis firm dedicated to thought leadership, objectivity, and transparency. Our analysts have all held executive-level positions and are dedicated to providing high-value, pragmatic advisory services.
- Publishing and speaking: Including independent objective white papers, webcasts, and in-person presentations.
- Strategic consulting for end users: Including product selection assistance, technology and architecture strategy, education, security management evaluations, and risk assessments.
- Strategic advisory for vendors: Including market and product analysis and strategy, technology guidance, product evaluations, and merger and acquisition assessments.
- Investor due diligence: Technical due diligence including product and market evaluations, available in conjunction with deep product assessments with our research partners.
Our clients range from stealth startups to some of the best known technology vendors and end users. Clients include large financial institutions, institutional investors, mid-sized enterprises, and major security vendors.
Securosis has partnered with security testing labs to provide unique product evaluations that combine in-depth technical analysis with high-level product, architecture, and market analysis.