Part 2: Infrastructure-level protection in AWS
This is the second in a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment. This post relates to protecting your virtual infrastructure within AWS.
Protecting any computing infrastructure requires a layered or defence-in-depth approach. The layers are typically divided into physical, network (perimeter and internal), system (or host), application, and data. In an Infrastructure as a Service (IaaS) environment, AWS is responsible for security ‘of’ the cloud including the physical perimeter, hardware, compute, storage and networking, while customers are responsible for security ‘in’ the cloud, or on layers above the hypervisor. This includes the operating system, perimeter and internal network, application and data.
Infrastructure protection requires defining trust boundaries (e.g., network boundaries and packet filtering), system security configuration and maintenance (e.g., hardening and patching), operating system authentication and authorisations (e.g., users, keys, and access levels), and other appropriate policy enforcement points (e.g., web application firewalls and/or API gateways).
The key AWS service that supports service-level protection is AWS Identity and Access Management (IAM) while Virtual Private Cloud (VPC) is the fundamental service that contributes to securing infrastructure hosted on AWS. VPC is the virtual equivalent of a traditional network operating in a data centre, albeit with the scalability benefits of the AWS infrastructure. In addition, there are several other services or features provided by AWS that can be leveraged for infrastructure protection.
The following list mainly focuses on network and host-level boundary protection, protecting integrity of the operating system on EC2 instances and Amazon Machine Images (AMIs) and security of containers on AWS.
The checklist provides best practice for the following:
- How are you enforcing network and host-level boundary protection?
- How are you protecting against distributed denial of service (DDoS) attacks at network and application level?
- How are you managing the threat of malware?
- How are you identifying vulnerabilities or misconfigurations in the operating system of your Amazon EC2 instances?
- How are you protecting the integrity of the operating system on your Amazon EC2 instances?
- How are you ensuring security of containers on AWS?
- How are you ensuring only trusted Amazon Machine Images (AMIs) are launched?
- How are you creating secure custom (private or public) AMIs?
IMPORTANT NOTE: Identity and access management is an integral part of securing an infrastructure; however, you’ll notice that the following checklist does not focus on the AWS IAM service. I have covered this in a separate checklist on IAM best practices here.
1. How are you enforcing network and host-level boundary protection?
2. How are you protecting against distributed denial of service (DDoS) attacks at network and application level?
3. How are you managing the threat of malware?
4. How are you identifying vulnerabilities or misconfigurations in the operating system of your Amazon EC2 instances?
5. How are you protecting the integrity of the operating system on your Amazon EC2 instances?
6. How are you ensuring security of containers on AWS?
7. How are you ensuring only trusted Amazon Machine Images (AMIs) are launched?
8. How are you creating secure custom (private or public) AMIs?
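As an added illustration of checklist item 1 (network boundary protection in a VPC), and not code from the original post, the following Python audits security group ingress rules for administrative ports left open to the whole internet. The group records are constructed sample data shaped like the `IpPermissions` entries that boto3's `describe_security_groups()` returns; the port list and group IDs are assumptions for the example.

```python
import ipaddress

# Ports whose exposure to the whole internet is treated as a finding.
# Constructed baseline for this example; adjust to your own policy.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def _is_world_open(permission):
    """True when a rule's source includes the entire IPv4 or IPv6 internet."""
    for r in permission.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0:
            return True
    for r in permission.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            return True
    return False

def audit_security_group(group):
    """Return finding strings for one security group (boto3 response shape)."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not _is_world_open(perm):
            continue  # restricted source: not a boundary finding here
        proto = perm.get("IpProtocol")
        if proto == "-1":  # all protocols and all ports
            findings.append(f"{group['GroupId']}: all traffic open to the internet")
            continue
        if proto not in ("tcp", "udp"):
            continue  # e.g. ICMP: FromPort/ToPort are type/code, not ports
        low, high = perm["FromPort"], perm["ToPort"]
        for port, name in ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append(f"{group['GroupId']}: {name} ({proto}/{port}) open to the internet")
    return findings

def audit_all(groups):
    return [f for g in groups for f in audit_security_group(g)]

# Constructed sample: one group exposing SSH and HTTPS, one wide open over
# IPv6, one with SSH restricted to a private range (no finding expected).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for line in audit_all(SAMPLE_GROUPS):
        print(line)
```

Public HTTPS on sg-0aaa is deliberately not flagged: the check targets administrative access paths, which is where a world-open rule most often undermines the host-level boundary.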
Security at the infrastructure level, or any level for that matter, certainly requires more than just a checklist. For a comprehensive insight into infrastructure security within AWS, we suggest reading the following AWS whitepapers – AWS Security Pillar and AWS Security Best Practices.
For more details, refer to the following AWS resources:
- AWS Best Practices for DDoS Resiliency
- AWS re:Invent 2016: Securing Container-Based Applications (CON402)
- AWS Securing EC2 Instances
- Security in Amazon RDS
Next up in the blog series is Part 3 – Data Protection in AWS – best practice checklist. Stay tuned.
Let us know in the comments below if we have missed anything in our checklist!
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.
Author: Neha Thethi
Editor: Gordon Smith
The post AWS Cloud: Proactive Security and Forensic Readiness – part 2 appeared first on BH Consulting.