Understanding how to address security issues and incidents is not easy, neither in an on-premises IT infrastructure nor in the cloud. AWS has a clear roadmap for prioritizing what is important and what is less so.
As with any technology approach in the cloud, there are native tools you can use and leverage to protect and monitor your IT services and to reduce their exposure and vulnerabilities, as well as some quite powerful third-party security solutions that integrate well with each cloud workload.
But before all of that, let's start with the foundations of a security posture.
AWS considers that there is a shared responsibility model between the customers and its cloud. You may already know this, but for those who think that the cloud-native security solutions and the cloud provider will do all the work end to end, across the full stack, this point needs clarifying.
AWS is responsible for the security of its foundation services and global infrastructure. Customers are responsible for everything related to their workloads and IT solutions in the cloud, as well as everything related to the business logic and processes deployed in AWS data centers.
Security should evolve in parallel with your landing zone in the cloud. Many companies struggle in this area, trying to reduce their exposure to attackers only after some real-time services are already deployed.
In addition, AWS has seven security principles to follow:
Least privilege. Reduce as much as possible the permissions and credentials used on AWS by each IT service you deploy.
Monitor and troubleshoot your logs and metrics. Collect the logs and critical metrics from your IT services with AWS native tools or with tools from other vendors. Design and configure alerts and notifications so that you can react to security issues in time.
Secure all layers. From storage and networking to the applications. To achieve the right security level you need to build your security posture layer by layer. For example, protecting stored data at rest and in transit, filtering network traffic from origin to destination, or deciding how an API is authorized to get information from your applications would all be part of your global full-stack hardening strategy. To achieve that, combine the right AWS services.
Automate as much as possible. Standardizing blueprints for your infrastructure using IaC is part of this goal, as is automating repetitive tasks such as accessing applications or databases. Remember a previous post about this. Beware of automation silos and workarounds: automation should be a holistic approach across your hybrid cloud model or public cloud scenario.
Protect data in transit and at rest. This is part of the "secure all layers" principle, but AWS finds it so crucial that it wants to stress its importance. To achieve this goal you first need to identify, classify and tag the relevant items or data in the most suitable way.
Security events as a solid pillar. To react to an attack and provide reliable service you need to design a repository to gather logs and metadata. Collect the events, prepare a tracking strategy and set granular alarms.
Reduce the attack surface. If you have the right guardrails and the right desired-state configuration based on automation, and if you take a layer-by-layer approach combining native AWS security tools with third-party providers, you can minimize attacks and be ready to react.
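As an added illustration of the least-privilege principle above (this is example code, not code from the original post), the following Python checks IAM policy documents for the usual over-broad patterns and shows which API calls a policy actually grants. It uses only the standard library; the two policy documents are constructed for illustration, the bucket name is a placeholder, and the list of "sensitive" service prefixes is my own assumption, not an AWS-defined list.

```python
"""Check IAM policy documents against the least-privilege principle.

Added example (not code from the original post). Standard library only; the
two policy documents are constructed for illustration and the bucket name is
a placeholder.
"""
from fnmatch import fnmatchcase

# Constructed: the kind of policy that ends up on a deployment role "to make
# it work", beside a scoped version that does the same job (read one bucket).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-config",      # placeholder bucket
                "arn:aws:s3:::example-app-config/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }
    ],
}

# Assumed list: service prefixes whose actions change who can do what;
# allowing them with no Condition deserves a second look.
SENSITIVE_PREFIXES = ("iam:", "sts:", "organizations:", "kms:")


def _as_list(value):
    """Statement, Action and Resource may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny only removes permissions
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource grants everything not listed"))
        has_condition = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "Action '*' grants every API call of every service"))
            elif action.endswith("*"):
                findings.append((idx, f"wildcard action {action!r}; list the calls you need"))
            if action.startswith(SENSITIVE_PREFIXES) and not has_condition:
                findings.append((idx, f"{action!r} allowed without a Condition"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "Resource '*': scope to ARNs where the API supports it"))
    return findings


def allowed_actions(policy, candidate_actions):
    """Which of candidate_actions the policy grants. An explicit Deny wins over
    any Allow, as in IAM evaluation; Conditions are ignored in this model."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in candidate_actions if action_matches(pattern, a))
    return sorted(allowed - denied)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or "no findings")
    print(allowed_actions(BROAD_POLICY, ["s3:DeleteBucket", "iam:CreateUser"]))
```

Running a checker like this against every policy in a repository before it is deployed is a cheap guardrail: the scoped policy produces no findings, while the broad one is flagged on both its Action and its Resource, and `allowed_actions` makes visible that a single `"*"` quietly includes calls such as `iam:CreateUser`.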
So what kind of native security tools can I use to achieve these principles?
We can use tools such as Amazon GuardDuty to detect threats, CloudWatch Events to monitor and track your logs, and Security Hub to consolidate security automation and compliance with regulations. There is also Amazon Macie to review the protection of your data at rest, and AWS Control Tower to leverage when starting your journey to the AWS cloud.
In the next post we will see how to use these tools and what kind of dependencies and relations exist between them to bring best-in-class hardening to your cloud IT services.
Enjoy the journey to the cloud with me... see you soon.
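To make the "security events" and "monitor your logs" principles concrete with the tools just named, here is an added example (not code from the original post) of how GuardDuty findings delivered through CloudWatch Events (today Amazon EventBridge) can be routed to granular alarms. It re-implements a subset of the event pattern language (value lists, nested keys, `prefix` and `numeric` filters) in plain Python so the routing logic can be tested offline. The rule names and targets are hypothetical, and the sample events are constructed in the shape EventBridge delivers, with a placeholder account id.

```python
"""Route GuardDuty findings to granular alarms with CloudWatch Events /
EventBridge style event patterns.

Added example (not code from the original post). It re-implements a subset
of the event pattern language (value lists, nested keys, "prefix" and
"numeric" filters) in plain Python so the routing can be tested offline.
Rule names and targets are hypothetical; the sample events are constructed
in the shape EventBridge delivers, with a placeholder account id.
"""
import operator

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge,
                "<": operator.lt, "<=": operator.le, "=": operator.eq}


def _leaf_matches(rule, value):
    """One entry of a pattern's value list against one event value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "numeric" in rule:
            spec = rule["numeric"]  # e.g. [">=", 7] or [">", 4, "<=", 7]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            return all(_NUMERIC_OPS[op](value, bound)
                       for op, bound in zip(spec[::2], spec[1::2]))
        raise ValueError(f"unsupported content filter: {rule}")
    return value == rule


def pattern_matches(pattern, event):
    """Every key in the pattern must exist in the event and match; for a
    list, any one of its entries may match (EventBridge semantics)."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not pattern_matches(rule, event[key]):
                return False
        elif not any(_leaf_matches(r, event[key]) for r in rule):
            return False
    return True


# Hypothetical rules: severity 7+ pages someone, credential abuse goes to the
# security channel, everything lands in the archive. All matching rules fire.
RULES = [
    ("guardduty-high-severity", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 7]}]},
    }, "page-oncall"),
    ("guardduty-iam-abuse", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": [{"prefix": "UnauthorizedAccess:IAMUser/"}]},
    }, "security-channel"),
    ("guardduty-archive", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
    }, "findings-archive"),
]


def route_finding(event):
    """Targets that receive this event, in rule order."""
    return [target for _name, pattern, target in RULES
            if pattern_matches(pattern, event)]


# Constructed sample events (placeholder account id).
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "account": "111122223333", "region": "eu-west-1",
     "detail": {"severity": 8.0,
                "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "account": "111122223333", "region": "eu-west-1",
     "detail": {"severity": 2.0,
                "type": "Recon:EC2/PortProbeUnprotectedPort"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "account": "111122223333", "region": "eu-west-1",
     "detail": {"state": "running"}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["detail-type"], "->", route_finding(event) or "dropped")
```

The point of the three-rule layout is granularity: the high-severity finding reaches the on-call target and the security channel while still being archived, the low-severity port probe is archived only, and an unrelated EC2 event matches nothing. The same patterns, written as JSON, are what you would attach to the real CloudWatch Events / EventBridge rules so that the behaviour tested here is the behaviour you deploy.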