You are on page 1of 58

Definitive Guide to Securing

Workloads on Amazon Web Services


Introduction 2 AWS Security Best Practices 22
AWS Security Challenges 11 SECURE AUTHENTICATION 27
AWS’s responsibility 18 ACCESS RESTRICTIONS 37
Customer’s responsibility 18 Custom Applications Security Best Practices 41
Data breach fallout 21 How a Cloud Access Security Broker Helps
Secure Workloads Running on AWS 46
How a Cloud Access Security Broker Helps Secure
Applications Deployed on AWS 52


Chapter 1:


While popular out-of-the-box SaaS products like
Salesforce, Box, Dropbox, and Office 365 are becoming
Application Workloads ubiquitous in the workplace, many enterprises have
PERCENTAGE DEPLOYED BY INFRASTRUCTURE TYPE business needs that require tailor-made applications

In the past, they relied on is accelerating at the expense
60.9% custom, in-house developed of enterprise datacenters.
applications hosted in their own Not only are enterprises
data centers. Having recognized increasingly developing
the advantages of cloud new custom applications
computing, over the last 10 on infrastructure-as-a-
years these applications have service (IaaS) platforms like
slowly migrated to the public Amazon Web Services (AWS),
cloud, private cloud, or a hybrid but enterprises are also
of both. Today, more than half of migrating their existing custom
(60.9%) all custom applications applications to the public
12.4% 13.9%
are still being hosted in private cloud. Collectively, these two
5.7% datacenters, according to a trends are expected to drive
recent Cloud Security Alliance the percentage of custom
Datacenter Private cloud Public cloud Hybrid public /
report1. However, cloud applications running in the
private cloud usage has reached a tipping datacenter to an all-time low
point, and deployment of test of 46.2% in the next twelve
and production application months, plunging fourteen
In 12 months
workloads in the public cloud percentage points.

Custom Applications and IaaS Trends 2017, CSA Report


While the number of custom applications at Number of Custom Applications
an enterprise varies, the average enterprise BY COMPANY SIZE

has 465 custom applications deployed.
Larger enterprises tend to have more 788

applications—organizations with more
than 50,000 employees have an average
of 788 custom applications. Enterprises
increasingly rely on these applications to
handle business-critical functions. Most
organizations today have at least one
custom application that, if it experienced
several hours of downtime, could have
a significant impact on its business.
As a result, these applications and the 208

infrastructure they run on are targets of
cyber attacks. 85

1-1,000 1,000-5,000 5,000-10,000 10,000-30,000 30,000-50,000 50,000+
employees employees employees employees employees employees


The attacker gained access to their control panel and demanded money. When the company refused. We ’re rry So S E D LO C f Bus i n e ss o Out INTRODUCTION 5 . some EBS instances. including all EBS snapshots. While Code Spaces maintained backups of their resources. In 2014. a cybercriminal launched an attack against the AWS account Code Spaces used to deploy their commercial code-hosting service. the attacker began to systematically delete Code Spaces’ resources hosted on AWS. and a number of machine instances. S3 buckets. those too were controlled from the same panel and were permanently erased. a thriving company. to shut down for good. The attack was so devastating it forced Code Spaces.The worst-case scenario can be far worse than downtime. AMIs.

The threat landscape is evolving rapidly. we will discuss the current state of AWS adoption. INTRODUCTION 6 . Lastly. and AWS infrastructure security best practices as well as security best practices for applications built on AWS. we will explore how a cloud access security broker (CASB) can help enterprises secure their AWS environments and the custom applications deployed in them. In this eBook. but with the right preparation any company can implement security practices that significantly reduce the potential impact of a cyber attack. Amazon’s model for AWS security. security challenges and threats to applications and data in AWS.

Chapter 2: AWS Adoption Trends .

IaaS was a $16. with AWS leading the pack at nearly $10 billion in sales.2 billion market in 2015. 2 Gartner Says Worldwide Cloud Infrastructure-as-a-Service Spending to Grow 32. As it stands today. Microsoft. and Google.8 Percent in 2015 3 Market Share Report: Massive Scale Cloud. A report by Structure Research3 showed that the vast majority of the $22. Structure Research AWS ADOPTION TRENDS 8 .4 billion in 2016. making it the fastest-growing segment in the public cloud market.4 billion market will be dominated by a handful of IaaS providers. and is estimated to grow 38% to reach $22. According to Gartner2. the IaaS market consists of three dominant players: Amazon.

9% Rackspace providers combined. Gartner AWS ADOPTION TRENDS 9 . Worldwide 2016. according to the most recent 20.7% Other 41. IBM Softlayer.5% Amazon Web Services IaaS Magic Quadrant report4 released by Gartner. and Rackspace combined. ON EACH IAAS PLATFORM 3.6% IBM SoftLayer to the rapidly growing demand for cloud APPLICATION WORKLOADS computing infrastructure. an impressive 41.5% of custom IaaS Platform Adoption applications in the public cloud are PERCENT OF APPLICATIONS DEPLOYED deployed in AWS. AWS’s massive scale has positioned the company to respond 2. Today.4% Microsoft Azure 4 Magic Quadrant for Cloud Infrastructure as a Service. AWS’s computing capacity is ten times larger than the next 14 IaaS 2. What’s even more remarkable is that. Google Cloud Platform.0% Google Cloud Platform 29. giving it a larger market share than Microsoft Azure.

9% public cloud.2% in the next twelve months and it’s likely many of these applications will be deployed in AWS. test/QA workloads will migrate to the public cloud at an even faster rate. in the next 12 months. Production workloads are migrating at a slightly slower pace.2% of workloads.6% to 34.3% is slightly higher than the percentage of production workloads. with 32. enterprises have more widely deployed test and QA workloads in the 32. Today In 12 months AWS ADOPTION TRENDS 10 .6% 22. which 23.The overall percentage of custom Application Workload application workloads deployed in the PERCENTAGE OF WORKLOADS DEPLOYED IN THE PUBLIC CLOUD public cloud is expected to surge from 22.2% numbers. Today. However. Underneath these 38.9% expected to be in the public cloud 12 Production Workloads Test/QA Workloads months from now.6% of the test/QA workloads are in the public cloud. 23. to 38.

Chapter 3: AWS Security Challenges .

an DOES YOUR ENTERPRISE airline cannot operate if their flight path RUN A BUSINESS-CRITICAL CUSTOM APPLICATION THAT application goes down. and other data in custom applications.2%) have business critical applications—defined as an 21.7% Yes center application goes down.2% No application that. Social Security numbers. if it experienced downtime. would greatly impact the organization’s ability to operate. enterprises store sensitive data such as payment card numbers. THREATS TO Business Critical Applications APPLICATIONS PERCENT OF ENTERPRISES WITH AT LEAST ONE AND DATA ON AWS 6. As an example. Moreover. much the same WOULD IMPACT YOUR as a rental car company cannot take OPERATIONS IF IT WENT DOWN? reservations over the phone if their call 72.1% Unsure Enterprises can’t afford to have their AWS environment—or the custom applications running on AWS—compromised because a sizable majority (72. AWS SECURITY CHALLENGES 12 .

3 application development. data can be safely 5 2016 Data Breach Investigations Report. However.9 insider threats each month and 3. IT security is privileged user threats each month. were due to a input – Unfortunately. 10. default. password. making the task of incidents can include both malicious and regulation – Many organizations have securing these applications more difficult. but only in certain developed sophisticated DoS prevention According to the Verizon Data Breach geographic locations (e. it’s possible a large breaches. 63% of data Ireland but not in the United States). that prohibit certain to risk. actions that unintentionally expose data or internal policies. These • Sensitive data uploaded against policy/ often circumvented. permissions can increase the potential – The average enterprise experiences This means when it comes to custom damage.g. to employees stealing data before types of data from being uploaded to the quitting to join a competitor. datacenter in capabilities delivered in AWS Shield for all Investigations Report5. Threats to applications running on AWS and the data stored within them can take many forms: • DoS attack on application – AWS has • Third-party account compromise – stored in the cloud. including the breach that • Software development lacks security attack could overwhelm AWS’s defenses sunk Code Spaces.6% of the custom apps. IT security isn’t and take an application running on the compromised account where the hacker always involved in the development platform offline for a period of time until exploited a weak. or stolen or security of custom applications. customers. cloud. negligent behavior – ranging from taking industry-specific or regional regulations. Verizon AWS SECURITY CHALLENGES 13 . the attack is remediated. Misconfigured security settings IT security professionals are only or accounts that have excessive IAM • Insider threats and privileged user threats aware of 38. In some cases.

Awareness of Custom Applications by Job Role as a Percent of Total Custom Applications QA 2.8% AWS SECURITY CHALLENGES 14 .3% IT Security 38.6% Operations 4.6% DevOps 50.2% Developer 27.

While the move to the cloud transfers some responsibility for security from the enterprise to the cloud provider. preventing many of these threats falls on the shoulders of the AWS customer.According to Gartner. not the cloud provider. from now through 2020. As enterprises continue to migrate to or build their custom applications in AWS. AWS SECURITY CHALLENGES 15 . as we will see in the next section. 95% of security incidents in the cloud will be the fault of the customer. the threats they face will no longer be isolated to on-premises applications and endpoint devices.

“Through 2020. 95% of cloud security failures will be the customer’s fault. GARTNER .” TOP PREDICTIONS FOR IT ORGANIZATIONS AND USERS FOR 2016 AND BEYOND.

AWS SECURITY CHALLENGES 17 . data is not shared with someone it shouldn’t be shared with inside or outside the company. AWS operates under a shared responsibility model. and enforcing compliance and governance policies. identifying when a user misuses AWS. However. and has made platform security a priority in order to protect customers’ critical information and applications. and responds to incidents by notifying customers. AWS takes responsibility for the security of its infrastructure. the customer is responsible for ensuring their AWS environment is configured securely.SHARED RESPONSIBILITY MODEL Like most cloud providers. AWS detects fraud and abuse.

etc. particularly for those with security configuration of its managed services such as Amazon the most extensive IAM permissions in AWS. Elastic MapReduce. security of the software. AWS also takes responsibility for the authentication is turned on for users. and the physical facilities it is the responsibility of the customer to make sure multifactor that host AWS services. AWS SECURITY CHALLENGES 18 . networking.AWS’s responsibility Customer’s responsibility Since it has little control over how AWS is used by its customers. Redshift. hardware. AWS is responsible for the unauthorized access to AWS including multifactor authentication. AWS customers are responsible for secure usage of AWS Amazon has focused on the security of AWS infrastructure. and AWS has built several layers of security features to prevent database services against intrusions. For example. storage. RDS. WorkSpaces. DynamoDB. while including protecting its computing. services that are considered unmanaged.

NETWORK & FIREWALL CONFIGURATION CLIENT-SIDE DATA SERVER-SIDE ENCRYPTION NETWORK TRAFFIC PROTECTION ENCRYPTION & DATA (FILE SYSTEM AND/OR DATA) (ENCRYPTION/INTEGRITY/IDENTITY) INTEGRITY AUTHENTICATION COMPUTE STORAGE DATABASE NETWORKING RESPONSIBLE FOR AWS SECURITY REGIONS “OF” THE CLOUD AWS GLOBAL EDGE INFRASTRUCTURE LOCATIONS AVAILABILITY ZONES AWS SECURITY CHALLENGES 19 . APPLICATIONS. CUSTOMER DATA CUSTOMER PLATFORM. The customer is also responsible for configuring the security groups (Amazon’s firewall). and Amazon S3. for example. and enabling activity logging with AWS CloudTrail.While there are a number of services in AWS. The customer is fully responsible for configuring the security controls of these services. Updating or applying security patches to guest operating systems for EC2. Amazon’s primary IaaS services consist of Elastic Compute Cloud (EC2). IDENTITY & ACCESS MANAGEMENT RESPONSIBLE FOR SECURITY “IN” THE CLOUD OPERATING SYSTEM. ensuring that individual user accounts are set up with Amazon Identity and Access Management (IAM). falls under the customer’s responsibility as well. Amazon Virtual Private Cloud (VPC).

floods. and other natural disasters Database patching • Protecting against AWS zero day exploits and other vulnerabilities • Business continuity management (availability. • earthquakes. port scanning) • • Configuring AWS Managed Services in a secure manner • Providing physical access control to hardware/software • Providing environmental security assurance against things like mass power outages. MITM. Shared responsibility model at a glance Customer AWS Preventing or detecting when an AWS account has been compromised • Preventing or detecting a privileged or regular AWS user behaving in an insecure manner • Preventing sensitive data from being uploaded to or shared from applications in an • inappropriate manner Configuring AWS services (except AWS Managed Services) in a secure manner • Restricting access to AWS services or custom applications to only those users who require it • Updating Guest Operating Systems and applying security patches • Ensuring AWS and custom applications are being used in a manner compliant with internal • • and external policies Ensuring network security (DoS. incident response) • AWS SECURITY CHALLENGES 20 .

However.5% CEO and CIO of Target were fired after a breach of 2014 that compromised payment THE DEVELOPER(S) WHO BUILT THE APPLICATION card numbers for upwards of 40 million customers.3% of respondents said the IT security personnel responsible for securing AWS would likely get fired in the case of a breach. Both the 31. Data breach fallout Who is Fired After a Breach While Code Spaces is perhaps the worst- PERCENTAGE OF RESPONDENTS case scenario of what could happen when a hacker successfully attacks an organization’s AWS environment. in August 2016. In a 2017 survey of IT security 21. responsibility extended all the way to the CIO – 29. an THE CIO incident that results in downtime of even 29. For example.1% a few hours could have a sizable impact.1% said the top IT leader would be let go following a damaging and costly data breach. THE OPERATIONS PERSON(S) RESPONSIBLE FOR THE IAAS PLATFORM With stakes this high.8% leaders.3% passengers and is estimated to have cost the company tens of millions of dollars. a data breach will likely lead to people getting fired. a six-hour application outage at Delta Airlines delayed THE IT SECURITY PERSON(S) RESPONSIBLE FOR IAAS SECURITY flights for hundreds of thousands of 50. 50. AWS SECURITY CHALLENGES 21 .

Chapter 4: AWS Security Best Practices .

customers can monitor and 2. AWS customers need to consider the best practices AWS has invested heavily in building a within 5 key areas in securing their AWS environment: powerful set of security controls for its customers to use across all AWS services. Access Restrictions It is therefore incumbent on the AWS customers to configure AWS’s security controls appropriately to tighten their security posture. AWS SECURITY BEST PRACTICES 23 . Secure Authentication track both the health and security of their AWS resources. Inactive Entities customers granular control over managing users and enforcing access control policies. for 1. Secure Configuration Management (IAM) service gives AWS 4. Identity and Access 3. With CloudTrail and CloudWatch. Security Monitoring example. 5.

organizations will be able to detect unexpected activity in otherwise unused regions. and ensure security best practices are followed. When log file validation is turned on.SECURITY MONITORING 1. audit compliance. 2. AWS SECURITY BEST PRACTICES 24 . investigate incidents. any changes made to the log file itself after it has been delivered to the S3 bucket will be identifiable. The AWS API call history provided by CloudTrail allows security analysts to track resource changes. This capability provides an additional layer of protection for the integrity of the log files. CloudFront. etc. such as IAM. Ensure CloudTrail is enabled across all AWS. By having CloudTrail enabled in all regions. Enable CloudTrail multi-region logging. Turn on CloudTrail log file validation. By enabling global CloudTrail logging. it will be able to generate logs for all AWS services including those that are not region specific. 3.

CloudTrail S3 buckets contain the log data that is captured by CloudTrail. It also supports setting up alarms and notifications for anomalous or sensitive account activity. store. The access logging data can be extremely useful for security audits and troubleshooting sessions. supporting activity monitoring and forensic investigations. real-time and historic activity logging based on user. API. your ELB logging data can be used to analyze traffic patterns that may be indicative of different types of attacks. Enabling ELB access logging will allow the ELB to record and save information about each TCP and HTTP request made. Enable access logging for CloudTrail S3 buckets. Integrate CloudTrail with CloudWatch. Enable access logging for Elastic Load Balancer (ELB). AWS SECURITY BEST PRACTICES 25 . customers can track access requests and identify potentially unauthorized or unwarranted access attempts. 5. resource. CloudWatch can be used to monitor. 4. and access log files from EC2 instances. and IP address is facilitated. which can then inform custom protection plans that should be implemented. With this integration. By enabling access logging for CloudTrail S3 buckets. 6. and other sources. CloudTrail.SECURITY MONITORING CONT. For example.

and alert on anomalous activities such as rejected connection requests or unusual levels of data transfer. VPC flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic and provide insight during security workflows. AWS SECURITY BEST PRACTICES 26 . Enable Virtual Private Cloud (VPC) flow logging. Amazon Redshift is an AWS service that logs details about user activities such as queries and connections made in the database. It is one of AWS’s network monitoring service and enabling it will allow you to detect security and access issues such as overly permissive security groups. 7.SECURITY MONITORING CONT. By enabling it. 8. you can perform audits and support post-incident forensic investigations for a given database. network ACLs. Enable Redshift audit logging.

This adds an additional layer of security and ensures the root account is accessible even if a personal device is lost or the individual owning the device is no longer at the company. SECURE AUTHENTICATION 1. It’s the most privileged user type in an AWS environment. 123456 2. There should exist a dedicated mobile device that is secured independent of a user’s personal device. MFA should be turned on as early as possible. When signing up for AWS for the first time. For this reason. the hacker will find it more difficult to remove the logs and stay hidden. Once an AWS account has been compromised. root account MFA shouldn’t be tied to a personal device. By requiring multifactor authentication in order for a user to delete an S3 bucket containing CloudTrail logs. Turn on multifactor authentication for the “root” account. AWS SECURITY BEST PRACTICES 27 . the user account that is generated is known as the root account. As an additional measure. with access to every AWS resource. one of the first steps the hacker will likely take is to delete CloudTrail logs to cover his 123456 tracks and delay detection. Require multifactor authentication (MFA) to delete CloudTrail buckets.

provision permissions to users at the group and role level. Instead of assigning policies and permissions to users directly. IAM users must be enabled for multi-mode access. AWS SECURITY BEST PRACTICES 28 . Doing so makes managing permissions more efficient. and administrators who need console access should only use passwords to manage AWS resources. MFA is often the last line of defense against a compromised account. All IAM users with a console password should have it enabled. and minimizes the risk of an individual user getting excessive and unnecessary permissions or privileges by accident. Turn on multifactor authentication for IAM users. Ensure IAM policies are attached to groups or roles. 5. 4. is simpler to remove or reassign permissions based on change in responsibilities. Application users should use only access keys to programmatically access data in AWS. IAM users must be enabled for both API access and for console access to reduce the risk of unauthorized access in case IAM user credentials (access keys or passwords) are compromised. 3.SECURE AUTHENTICATION CONT.

Set up a strict password policy. passw0rd 7. Sending requests from the AWS Command Line Interface (CLI) to AWS APIs requires an access key. Rotating access keys regularly ENTER PASSWORD ensures that data cannot be accessed with a potential lost or stolen key. AWS SECURITY BEST PRACTICES 29 . while easy to remember. one lower case letter. users often create passwords that. but it also protects an account from brute force login attempts. Configuring a strict password policy not only ensures that users can’t get around it. and minimum length of 14 characters. require passwords to have at least one upper case letter. When left to their own volition. SECURE AUTHENTICATION CONT. are also easy to guess. one number. one symbol. Rotate IAM access keys regularly and standardize on the selected number of days. 6. The actual policy may vary. which is comprised of an access key ID and secret access key. but at a minimum.

Don’t use expired SSL/TLS certificates. Using expired SSL/TLS certificates with AWS services may lead to errors on services such as ELB or custom applications hosted on AWS. As a best practice. preventing password reuse. Prompt users to change their passwords no sooner than every 90 days. AWS SECURITY BEST PRACTICES 30 . 9. which would impact business productivity. 8. configure the IAM password policy to record at least the past 24 passwords for each user.SECURE AUTHENTICATION CONT. Employees tend to use the same password across multiple services despite the inherent security risks of doing so. Set the password expiration period to 90 days and ensure the IAM password policy prevents reuse. as setting this too high exposes the organization to account compromise from credentials that are phished or stolen. and too low encourages users to employ easy to remember (and therefore easy to guess) passwords.

they are still susceptible to phishing attacks that could expose their account credentials and lead to an account compromise. While most AWS users and administrators will not have any malicious intent to cause harm. When using CloudFront. a user must have decryption permission by the customer created key management (CMK) policy along with permission for accessing the S3 buckets containing the logs. This means only users whose job duties require it should have both decryption permission and access permission to S3 buckets containing CloudTrail logs. AWS SECURITY BEST PRACTICES 31 . 3. Unrestricted access to CloudTrail logs should never be enabled for any user or administrator account.SECURE CONFIGURATION 1. Restrict access to CloudTrail bucket. 2. Restricting access to CloudTrail logs will decrease the risk of unauthorized access to the logs. In order to decrypt encrypted CloudTrail log files. Enabling SSL/TLS ensures all traffic to and from CloudFront is encrypted and minimizes the risk of a man-in-the-middle attack. ensure CloudFront distributions use HTTPS. Encrypt CloudTrail log files at rest.

SECURE CONFIGURATION CONT. Keep in mind that this can only be done at the time when you create the EBS volume. Ensure EC2 security groups don’t have large ranges of ports open. An attacker can scan the ports and identify vulnerabilities of hosted applications without easy traceability due to large port ranges being open. With large port ranges open. 6. 5. As an added layer of data security. you must create a new encrypted EBS volume and transfer the data from the unencrypted volume to the encrypted one. This ensures that credentials are not lost or misplaced accidentally. vulnerabilities could be exposed. leading to account compromise. 4. ensure that the EBS database is being encrypted. Provisioning access to resources using IAM roles is recommended versus providing an individual set of credentials for access. Provision access to resources using IAM roles. In order to encrypt EBS volumes that weren’t encrypted at creation. AWS SECURITY BEST PRACTICES 32 . Encrypt Elastic Block Store (EBS) database.

Instead of whitelisting large IP ranges to access EC2 instances. This user has access to all services and resource in the AWS account. or ciphers with known vulnerabilities could lead to an insecure connection between the client and ELB load balancer. the root user account should only be used AIR FLOW in the instance of creating the first IAM user. 7. 8. Using stale. root user credentials should be securely locked away and access to it forbidden. As such. Avoid using root user accounts. insecure. The root user is created automatically when creating an AWS account for the first time. making it the most privileged user account. be specific and only whitelist individual private IP addresses for EC2 instance access. 9. Use secure SSL ciphers when connecting between the client and ELB. AWS SECURITY BEST PRACTICES 33 . Excessive permission to access EC2 instances should not be allowed. Configure EC2 Security Groups to restrict inbound access to EC2. Beyond that. SECURE CONFIGURATION CONT.

Anyone who gets access to the key has Elastic Load Balancing access to all the services in the AWS account. U  se secure SSL versions when connecting between the client and ELB. Using stale. 10. 11. As an added layer of security and to ensure you’re compliant with possible data security policies. you can use ec2-RegionCode-AvailabilityZoneCode-EnvironmentCode- ApplicationCode. or SSL versions with known vulnerabilities could lead to an insecure connection or man-in- the-middle attack between the client and the ELB load balancer. which could turn into ec2-us-west-1-2b-p- nodejs. U  se standard naming (tagging) convention for EC2. SECURE CONFIGURATION CONT. Creating role based accounts with appropriate privileges and access keys is the recommended best practice. 12. For example. E  ncrypt Amazon’s Relational Database Service (RDS). 13. ensure that your database is being encrypted. EC2 instances must use a standard/custom convention to reduce the risk of misconfiguration. AWS SECURITY BEST PRACTICES 34 . deprecated. Using access keys with the root account is a direct vector for account compromise. E  nsure access keys are not being used with root accounts.

M  inimize the number of discrete security groups. AWS SECURITY BEST PRACTICES 35 . ******* SSL To encrypt all Redshift traffic on the wire and minimize the risk of a man-in-the-middle attack. 14. U  se secure CloudFront SSL versions. 15. R  otate SSH keys periodically. 17. Using stale. E  nable require_ssl parameter in all Redshift clusters. 16. Enterprises must consciously minimize the number of discrete security groups to decrease the risk of misconfiguration leading to account compromise. all Redshift clusters must have the require_ssl parameter enabled. SECURE CONFIGURATION CONT. Rotating SSH keys periodically will significantly reduce the risk of account compromise due to developers accidently sharing SSH keys inappropriately. deprecated or SSL versions with known vulnerabilities could lead to an unsecure connection or man-in-the-middle attack in your CloudFront traffic.

Delete unused SSH Public Keys. Deleting unused SSH Public Keys lowers the risk of unauthorized access to data using SSH from unrestricted locations. unused IAM user accounts or users who haven’t logged into their AWS accounts in over 90 days should have their OK accounts disabled. This reduces the likelihood of an abandoned account being compromised and leading to a data breach. As a best practice. 3. Unused access keys increase the threat surface of an enterprise to a compromised account or insider threat. Reducing unused or stale IAM groups also reduces the risk of accidentally provisioning entities with older security configurations. INACTIVE ENTITIES 1. AWS SECURITY BEST PRACTICES 36 . Remove unused IAM access keys. The user’s account has expired. 4. Disable access for inactive or unused IAM users. Terminate unused access keys. Reduce the number of IAM groups. 2. Access must not be enabled to resources for IAM users who have left the organization or applications tools that are no longer using these resources. It is highly recommended Tom that any access keys unused for over 30 days be terminated. Removing unused AWS IAM credentials can significantly reduce the risk of unauthorized access to your AWS resources. 5.

Restrict access to EC2 security groups. etc. Disallow unrestricted ingress access on uncommon ports. or man-in-the-middle attacks. Unrestricted access to EC2 security groups opens an enterprise to malicious attacks such as brute-force attacks. DoS attacks. Allowing unrestricted inbound access to uncommon ports can increase opportunities for malicious activity such as hacking. unrestricted access to AMIs is not recommended. Hence. 3. Most of the time. AWS SECURITY BEST PRACTICES 37 . 2. Unrestricted access to AMIs makes these AMIs available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances.ACCESS RESTRICTIONS 1. data loss. DoS attacks. Restrict access to Amazon Machine Images (AMIs). AMIs will contain snapshots of enterprise-specific applications (including configuration and application data). brute-force attacks.

AWS SECURITY BEST PRACTICES 38 . 5. entities on the Internet can establish a connection to your databases. Restrict access to Redshift clusters. Outbound access from ports must be restricted to required entities only. or DoS attacks. This increases the risk for malicious activities such as brute force attacks.ACCESS RESTRICTIONS CONT. 4. When the redshift clusters are publicly accessible. such as specific ports or specific destinations. This increases the risk of malicious activities such as brute force attacks. SQL injections or DoS attacks. SQL injections. 6.0/0).0.e. source set to 0. Restrict access to RDS instances. When the VPC security group associated with an RDS instance allows unrestricted access (i. entities on the internet can establish a connection to your database.0. Restrict outbound access.

CIFS .Ensure that access through port 27017 is restricted to required entities only. Unrestricted access could potentially lead to unauthorized access to data. b. ICMP . 7. AWS SECURITY BEST PRACTICES 39 . FTP is a commonly used protocol for sharing data.Ensure that access through port 20/21 is restricted to required entities only. c. MongoDB . CIFS is a commonly used protocol for communication and sharing data.Ensure that access for ICMP is restricted to required entities only.Ensure that access through port 1433 is restricted to required entities only. Restrict access to well-known ports such as: a. d.Ensure that access through port 445 is restricted to required entities only. could lead to unauthorized access to data or an accidental breach. e. MSSQL . Unrestricted access could lead to unauthorized access to data as attackers could use ICMP to test for network vulnerabilities or employ DoS against the infrastructure.ACCESS RESTRICTIONS CONT. FTP . and if left unrestricted.

h. m. SSH .Ensure that access through port 3389 is restricted to required entities only.Ensure that access through port 22 is restricted to required entities only. RPC . PostgreSQL .Ensure that access through port 5432 is restricted to required entities only. launch DoS attacks.ACCESS RESTRICTIONS CONT. g. n. Remote desktop . l. j. etc.Ensure that access through port 135 is restricted to required entities only k.Ensure that access through port 25 is restricted to required entities only. MySQL . SMTP . Oracle DB .Ensure that access through port 3306 is restricted to required entities only.Ensure that access through port 1521 is restricted to required entities only. f. Telnet . AWS SECURITY BEST PRACTICES 40 .Ensure that access through port 23 is restricted to required entities only. Unrestricted SMTP access can be misused to spam your enterprise. i.Ensure that access through port 53 is restricted to required entities only. DNS .

Chapter 5: Custom Applications Security Best Practices .

instead of bringing in the security team after an application has been developed. and not just between AWS and its customers.Information security is a shared responsibility. Experience has demonstrated that application security is improved when the IT security team is involved from the beginning. auditing. Whether you follow a waterfall or agile methodology. What follows are recommendations for creating a successful DevOps workflow that integrates security. there is a role for IT security in the architecture planning. and testing of applications. CUSTOM APPLICATIONS SECURITY BEST PRACTICES 42 . IT security needs to be part of the software development process. While developers may prioritize speed above all.

Security should team up with the QA team to define test cases and The first step in securing custom application development qualifying parameters that should be met before code can be and usage is to inventory all existing applications and the data promoted.1. IT SECURITY SHOULD CATEGORIZE ALL EXISTING BE INVOLVED IN TESTING CUSTOM APPLICATIONS BY THROUGHOUT THE THE TYPES OF DATA STORED DEVELOPMENT PROCESS AND THEIR COMPLIANCE REQUIREMENTS AND POSSIBLE DevOps should invite the IT security team to bring their own THREATS THEY FACE application testing tools and methodologies when pushing production code without slowing down the process. kind of security controls must be in place to protect it. INVENTORY AND 2. IT security should also on whether sensitive data is being uploaded. IT security and audit teams should have visibility not only in the number of these apps running on AWS but Developing a secure application isn’t enough. CUSTOM APPLICATIONS SECURITY BEST PRACTICES 43 . With that in mind. Visibility into also ensure that end users are using the application in a secure sensitive data enables the security team to identify which internal manner. there are a few steps the security and external regulations apply to an app and its data and what team can take to ensure appropriate use of these applications. uploaded to them.

a hacker who compromises an account with too many DLP policies for all cloud services. and identifying the policies that would apply to custom administrators should limit a user’s permission to a level where applications. Enterprises also need to understand how a custom they can only do what’s necessary to accomplish their job duties. including the number of files containing sensitive data. application endpoints.3. Some of the types of sensitive data that should be protected are: • Credit card numbers • IP addresses • Social Security numbers • Account credentials • Account numbers • Intellectual property • Salaries CUSTOM APPLICATIONS SECURITY BEST PRACTICES 44 . GRANT FEWEST PRIVILEGES 4. The first step in enforcing DLP policies is inventorying existing Externally. ENFORCE A SINGLE SET POSSIBLE FOR APPLICATION OF DATA LOSS PREVENTION USERS POLICIES ACROSS CUSTOM APPLICATIONS AND ALL Unrestricted or overly permissive user accounts increase the risk OTHER CLOUD SERVICES and damage of an external or internal threat. a user with too many permissions might inadvertently cause data loss. Internally. on-premises applications. and anomalous usage events indicative of threats. the number of files being shared. and permissions can easily wreak havoc. For this reason. application is being used.

5. policies may be put in place that would block users from uploading files containing sensitive data that may not be encrypted. CUSTOM APPLICATIONS SECURITY BEST PRACTICES 45 . ENCRYPT HIGHLY SENSITIVE DATA SUCH AS PROTECTED HEALTH INFORMATION (PHI) OR PERSONALLY IDENTIFIABLE INFORMATION (PII) It is important to encrypt files containing sensitive information such as Social Security numbers or protected health information. In some cases.

Chapter 6: How a Cloud Access Security Broker Helps Secure Workloads Running on AWS .

and governance policies. In sprawling AWS environments. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE WORKLOADS RUNNING ON AWS 47 . a mature CASB can provide comprehensive threat protection. What follows are some of the things a CASB enables you to do. and next to impossible to sift through the events provided by AWS CloudTrail to uncover potential threats. auditing. AWS settings can be very deep. monitoring. it can be prohibitive from a resource standpoint to manually check security configurations and user permissions for potential risks. and remediation to secure all your AWS accounts. giving enterprises the ability to enforce a wide range of security. On the infrastructure side.Administrators Infrastructure API AWS offers many built-in security capabilities. However. A cloud access security broker (CASB) helps automate the process of securing AWS—both the AWS platform and services as well as the custom applications you deploy in AWS. compliance.

China in a time frame so short it any rules or policies. AND PRIVILEGED ACCESS MISUSE ACROSS AWS. wider net. a CASB can the ability to tune the sensitivity of detection highlight this event and flag it for further to narrow in on certain threats or cast a investigation. brute-force attacks. INSIDER THREATS. heuristics. and one day they log in from to detect these threats without configuring Beijing. For example. CASBs also support would be impossible to travel.1. etc. Machine learning makes it possible Austin. Texas. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE WORKLOADS RUNNING ON AWS 48 . This allows a CASB to develop a login attempts from untrusted or disparate model for typical user behavior and detect locations. CASBs combine machine learning and CASBs detect compromised accounts based user and entity behavior analytics (UEBA) on impossible travel as well as excessive to analyze cloud activity across multiple failed login attempts. DETECT COMPROMISED ACCOUNTS. of privileges or repeated authorization if a user generally logs into AWS from failures. CASBs can also detect anomalous activity patterns across AWS potential insider or privileged user threats accounts and other cloud services that by monitoring inappropriate escalation may be indicative of a threat.

“By 2020. 85% of large enterprises will use a cloud access security broker product for their cloud services. which is up from fewer than 5% today. GARTNER .” MARKET GUIDE FOR CLOUD ACCESS SECURITY BROKERS.

including root. A CASB can highlight dormant user accounts that have a CASBs provide complete and granular visibility into how users heightened risk of being compromised. CASBs user. Security has been disabled. requiring any further action by the AWS administrator. IDENTIFY EXCESSIVE INVESTIGATIONS WITH A IAM PERMISSIONS AND COMPLETE AUDIT TRAIL OF DORMANT ACCOUNTS. has unrestricted access incident response time. Using IAM user has been inactive for 90 days. the alert will be resolved automatically without analysts can view the entire audit trail and filter by activity type. triggered by the CASB for further investigation. geography. a CASB can can also identify excessive IAM permissions such as when an dramatically accelerate post-incident investigations and decrease account has access to the AWS console. In doing so.2. to CloudTrail S3 bucket. For example. or when excessive IAM permissions and policies are associated to a user account instead of IAM groups or roles. and federated users. and other dimensions. IAM. if an are using AWS. PERFORM FORENSIC 3. USER ACTIVITY. a security alert can be a CASB. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE WORKLOADS RUNNING ON AWS 50 . Once the IAM user modification. or removal of AWS resources by any user. an enterprise can readily detect (in real-time) creation.

While AWS has provided a set of configurable controls to help protect an AWS account. and any misconfiguration or change in configuration is identified and remediated in real-time. To that end. CASBs provide enterprises with the necessary security auditing that can automatically flag any security misconfiguration across all AWS accounts.4. including: • CloudTrail not enabled • Access logging not enabled for CloudTrail S3 bucket • Unrestricted access to a CloudTrail S3 bucket • MFA not enabled for root accounts • Multifactor authentication (MFA) not required to delete • MFA not enabled for a CloudTrail S3 bucket IAM users with console password HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE WORKLOADS RUNNING ON AWS 51 . it is entirely up to the customer to ensure these settings are configured appropriately. ANALYZE AND AUDIT AWS SECURITY CONFIGURATION TO ENSURE COMPLIANCE AND LOWER RISK.

Chapter 7: How a Cloud Access Security Broker Helps Secure Custom Applications Deployed on AWS .

threat protection. CASBs have focused on securing SaaS applications such as Salesforce. enabling organizations to secure their existing applications without any development resources. and encryption. One of the challenges today is that IT security is often not involved in the development process for new custom applications. a mature CASB can extend these same controls to all custom applications an enterprise deploys on AWS. What follows are some of the things a CASB enables you to do.Unmanaged devices Managed devices Proxy App App App On-network users Off-network users Traditionally. activity monitoring. Box. Today. access control. A CASB makes it possible to extend these security controls to custom apps without any code changes to the application. and Office 365 by providing DLP. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE CUSTOM APPLICATIONS DEPLOYED ON AWS 53 .

access policies for custom applications based on whether the device is managed or unmanaged. LIMIT ACCESS TO DATA AUDIT TRAIL OF USER ON BYOD DEVICES. using any device. accelerate post-incident forensic investigation while decreasing CASBs provide contextual access controls that enforce distinct incident response time. and by whom. CASBs can also force additional authentication steps if predefined risk conditions are met. or whether the traffic originates from a trusted or untrusted location. at any time. it also downloaded with what kind of device. CASBs reveal who is accessing fundamental benefit of letting employees access critical which applications. CASBs provide complete and granular visibility into user and administrator activity within custom applications and across While deploying custom applications on AWS provides the all other cloud services. what types of data are being uploaded or resources from anywhere. if the IP is blacklisted or safe. CONTROL POLICIES AS NEEDED. This level of introduces security risks because sensitive data could be exposed visibility into activity supports compliance requirements and helps after downloading to an unmanaged or unsecure BYOD device. CAPTURE A COMPLETE 2. AND ACTIVITY WITHIN THE ENFORCE OTHER ACCESS APPLICATION. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE CUSTOM APPLICATIONS DEPLOYED ON AWS 54 .1.

an internal employee downloads a the same policies that protect data in SaaS and on-premises large amount of data onto a personal device right before taking applications can be used to protect data in custom applications a position at a competitor company. who want to custom applications hosted in the cloud. for example. CASBs not only analyze take advantage of the benefits of cloud computing while staying anomalous activities within a custom application. CASBs provide threat protection to as financial services. CASBs provide multiple remediation options performs unwarranted permissions escalation. ENFORCE DATA LOSS EXTERNAL THREATS AND PREVENTION. Highly regulated industries such and privileged user threats. healthcare. DETECT INSIDER/ 4. CASBs can also when a policy violation occurs. including blocking the upload.3. and government. COMPROMISED ACCOUNTS. or when a privileged user hosted on AWS. in to an account using compromised credentials. sift through the noise and identify true threats. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE CUSTOM APPLICATIONS DEPLOYED ON AWS 55 . Controlling the upload and sharing of sensitive data is one of the Given the ubiquity of compromised accounts. detect external threats such as when a third party attempts to log coaching the user. but also compliant with internal and external policies turn to CASBs for correlate activities across all custom and SaaS applications to their cloud data loss prevention requirements. or notifying an administrator. insider threats. CASBs can create The recommended platform approach to cloud DLP ensures that an alert when. common use cases for a CASB.

including HIPAA-HITECH. require organizations to notify customers whose data has been compromised in a breach. Numerous regional and industry-specific laws. HOW A CLOUD ACCESS SECURITY BROKER HELPS SECURE CUSTOM APPLICATIONS DEPLOYED ON AWS 56 . storing data encrypted has another benefit. Using enterprise-owned encryption keys ensures that the IaaS provider cannot decrypt and view the data.5. organizations are exempt from the breach notification requirement. ENCRYPT DATA UPLOADED TO CUSTOM APPLICATIONS. Aside from strengthening the security of the custom application. if that data has been made indecipherable with encryption. However. Enterprises looking for an additional layer of security can use a CASB to encrypt data in custom applications using their own encryption keys.

Skyhigh for AWS Skyhigh for Custom Apps Download a datasheet for a complete list of product Skyhigh for Amazon Web Services Skyhigh for Custom Applications capabilities. or containerized service WITH SKYHIGH FOR AWS YOU CAN WITH SKYHIGH FOR CUSTOM APPLICATIONS YOU CAN Capture a complete audit trail of Detect compromised accounts. Chief Information Officer David Smoley. and privileged be deleted to minimize the attack of all user activity for forensic data to unmanaged BYOD compromised account and insider in real time access misuse surface investigations devices threats Audit the configuration of AWS Extend activity monitoring and Enforce data loss prevention Enforce data loss prevention Encrypt data bound for the Extend security controls to to identify settings that are not threat protection to custom apps policies for custom apps deployed policies to prevent violations in application using enterprise. auditing. custom applications with no secure or compliant deployed on AWS with no coding on AWS real time controlled encryption keys coding or development “Skyhigh continues to expand its security controls beyond SaaS to help companies cover their custom-built “Skyhigh continues to expand its security controls beyond SaaS to help companies cover their custom-built applications running in IaaS including the IaaS platforms themselves. 57 . Chief Information Officer DOWNLOAD NOW DOWNLOAD NOW http://bit. Identify inactive accounts that can Capture a complete audit trail Limit the download of sensitive Detect activity indicative of all user activity for investigations insider threats. policies across their internally developed web applications deployed on IaaS platforms.” applications running in IaaS including the IaaS platforms themselves.LEARN MORE ABOUT SKYHIGH’S AWS SECURITY SOLUTION Skyhigh for Amazon Web Services (AWS) is a comprehensive monitoring. IaaS virtual machine. Skyhigh for Amazon Web Services (AWS) is a comprehensive http://bit.” David Smoley. and remediation solution for your AWS environment and custom applications. and Skyhigh for Custom Applications enables organizations to enforce security and compliance remediation solution for your AWS environment. Unmanaged devices Users Proxy App App App Applications Managed devices API Proxy App App App Infrastructure On-network users Administrators Off-network users Skyhigh Cloud Connector delivers an API deployment mode for AWS infrastructure and Skyhigh Gateway delivers an inline proxy for custom applications deployed on AWS Skyhigh Gateway is a proxy that can be delivered via SaaS.