Tools and Technology: AWS cloud
Key words: AWS, Security, Cloud, WAF, Shield, GuardDuty, Inspector, KMS
In today’s world, the security of data & information is of paramount importance for all organizations. There is a severe threat from hackers at any time. When we implement cloud services, security plays a vital role as it’s essential to make sure that data that is stored on the cloud remains secure and restricted to the outside world. The data must be monitored and maintained and complete security to the appropriate level. A data breach happens very frequently, and businesses are facing many challenges related to security like:
- Privacy of data getting compromised
- Integrity, Non-authentication, and Non-Repudiation
- Online attacks like DDoS, SQL Injection, phishing, etc.
Hence, businesses must protect their Cloud infrastructure before it gets hacked. There should be proper control of where data is stored and who can access their data. To save and protect from various threats coming from undesirable exposures and vulnerabilities, several security services and management tools will safeguard the environment and data. But largely, it’s down to customers to ensure these AWS security services implemented effectively. Some leading AWS security services mentioned below.
AWS WAF is a web application firewall that helps safeguard web applications running on web servers. It is a protective shield from various web exploits that could affect the application availability, compromise security, or consume excessive resources. WAF provides a robust control or a method for allowing or blocking the traffic to the web applications and achieves some definitions to give for customizable web security rules.
When to opt for WAF?
When web servers are being used and need to block the particular web request, WAF is the right choice to implement. There is a need to create web ACLs. At least one rule needs to define in web ACL where conditions will be specified to either block or allow incoming requests.
e.g., If CloudFront or load balancer uses to serve content for public requests, and at the same time, there is a need to block the requests from attackers, WAF is the best fit here. If any request with one particular IP continuously hits the website, this can indicate an online attack, and in such case, WAF can be used to block this IP.
GuardDuty is a threat detection service whose job is to monitor the activity constantly in the AWS network for unusual or abnormal behavior, which indicates any cyber-attacks or any other use that is considered unauthorized. As GuardDuty is built right into AWS already, it is considered an effective and robust service. GuardDuty works and analyses data taken from CloudTrail, Amazon VPC Flow Logs, and DNS Logs.
When to opt for GuardDuty?
As a threat detection service, Amazon GuardDuty helps issues like escalations of privileges, exposed credentials, or communication with malicious IPs, URLs, or domains. Amazon GuardDuty plays a significant role when there is a requirement to detect the EC2 instances serving malware. In case of unauthorized infrastructure deployments like password policy change, unusual API calls, and instances deployed in a region that has never been used.
AWS Shield is a service used to protect applications from Distributed Denial of Service (DDoS) running on AWS. To mitigate and minimize the risk of application downtime and latency in some cases, AWS shield delivers detection and protection, which is always on. Standard and Advanced are the two tiers of AWS Shield. To achieve extensive and comprehensive protection against all known infrastructure (Layer 3 and 4) attacks, AWS Shield Standard needs to use Amazon CloudFront and Amazon Route 53.
When to opt for AWS shield?
Various frequently occurring network and transport layer DDoS attacks target the web servers and applications running on the cloud. AWS standard tier does not charge anything additional to protect and safeguard the data automatically. To achieve broad and higher level of defense for the applications running on Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, AWS Shield’s second tier i.e., Advanced tier subscription is required. The specific reason to opt for the Advanced tier is that it not only mitigates the risk of sophisticated DDoS attacks, but it provides near real-time visibility into attacks. Hence, it gives a broader level of protection. It can also integrate with WAF to make cloud applications even more secure. Another advanced benefit tier can offer is that it provides access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB)etc., all the time and can be referred to it at any point of time.
One question arises here: how do we determine which tier is suitable for the customer as per his environment and requirement? The standard tier is suitable when there is a customer need to control the monitoring completely so that layer 7 attacks can be mitigated. To go for the standard tier, one more thing also needs to be considered: technical expertise in-house to handle technical glitches. On the other hand, if the business or industry wants AWS to handle most of the DDoS protection and mitigation responsibilities for layer 3, layer 4, and layer seven attacks, it is suggested to go with the advanced tier.
One of the vital services of AWS is Amazon Inspector. It is an automated security assessment service that provides superior security and compliance of applications running on the AWS cloud. Inspector automates identifying the vulnerabilities and can detect the flaws or any deviations for best practices. Its job is to provide a list of issues where a security breach has happened. Inspector is a security assessment service that is tag and agent based. Assessment carries out on each EC2 instance to verify the security best practices. The Assessment template searches for EC2 instances with tags to identify Assessment targets.
When to opt for AWS Inspector?
AWS inspector is an IDS (Intrusion Detection System), and its job is to detect the vulnerabilities in the applications running on the cloud. Its responsibility is to detect and generate and provide the assessment report—the preventive action to be taken by the customer based on the report provided. The report’s main motto is to warn and inform the customer that how vulnerable the application is. Suppose it is observed that no encryption happens when data in transit; Inspector can provide the cause. If there is any threat of some memory leakage in the application, AWS Inspector can help you find out.
AWS Key Management Service (KMS) is a powerful AWS service whose function is to allow administrators to create, delete and control keys. These keys encrypt data stored in various AWS products. Cloud trail uses to integrate with KMS so that all API requests can record. These API requests include key management actions and usage of your keys.
When to opt for AWS KMS?
It is easy to create and control encryption keys in AWS as KMS service is an AWS-managed service. The same key uses for encryption and decryption, which indicates that KMS utilizes symmetric encryption. While data at Rest, KMS can act as the best fit if there is an extra layer of security. Along with protecting the data, it is vital to protect the encryption key as well. AWS KMS also provides a concept of Envelope Encryption, where it helps to encrypt your plain text data with a data key and encrypt the data key with another key.
References / Sources of the information referred: AWS Official documentation
Which MOURI Tech service, this article relates to- (please refer website service section)
Sr. Technical Architect, Cloud & Engineering – Infrastructure Services