Amazon Web Services (AWS) allow organizations to take advantage of numerous services and capabilities. As the number of available options under the cloud infrastructure of the company grows, so too do the security risks and the possible weaknesses. AWS Project owners need to take extra precautions by following some platform-specific advice. Amazon is constantly working on adding new features and implementing new changes in its current offering, as well.
Amazon Web Services (AWS) In Its Current Form: A Versatile Cloud Platform
Amazon offers one of the most widely used and most developer-friendly cloud hosting services on its Amazon Web Services (AWS) platform. AWS is a platform that includes numerous modules and services that are designed to be capable of being used both independently and interconnected with one another.
One of the advantages of using the Amazon services is that they are developed with a shared common convention and authentication mechanism. This gives customers the ability to access practically all optioned services from a web-based dashboard. Different AWS commands can be issued by making the so-called “web service calls” to carry out various functions such as setting up a load balancing server, changing IP addresses or editing a configuration value.
Amazon is a powerful alternative to Google App Engine hosting services, another popular cloud platform used to host web projects. It is impossible to say which one is ‘better’; the dynamics of these projects change all the time, and a user’s needs vary. Amazon at the moment offers a multitude of infrastructure services that have proven to be reliable across all typical use cases, scaling from small personal projects up to large enterprise portals hosted on whole decentralized networks.
One of the distinct capabilities available with Amazon’s cloud services is that they can be used in a hybrid configuration – the resources and assets, along with the required services, can be hosted on Amazon’s cloud, and other parts can be offloaded to customer machines as required. This allows AWS project owners to balance between their own servers and the ones offered by Amazon. Having this configuration versatility makes sense in complex enterprise projects where custom applications could be required to run on the client’s own machines and not on Amazon’s services, for example.
Amazon AWS uses specific calls that make use of two popular protocols: SOAP (Simple Object Access Protocol) and REST (Representational State Transfer), which are compatible with the three interactive parts of a cloud asset:
- The AWS-powered application itself
- The AWS command-line tools
- The AWS Visual Tools
Amazon AWS Specific Security Tips: Protect Your Projects
There is an extensive Amazon Cloud security portal page that gives project owners a lot of possibilities to educate themselves on the cloud hosting infrastructure setup. This includes specialized training, e-books and tips for use-case specific deployed sites. Amazon provides an in-depth overview of the way security is ensured in a white paper called “AWS: Overview of Security Processes.” Some of the best security practices are summarized below to provide an outline of how projects can be protected.
Security begins by securing the accounts owned by Amazon customers. To keep accounts safe from hackers, malware and unauthorized access, having strong account security is a must. Large and complex projects are usually configured to have several different types of accounts: for administrators, content creators, database operators, etc. This is particularly important as Amazon AWS services allow for detailed monitoring. Amazon AWS allows multiple credential access and setup. Beyond the basic username and password pairs, two-factor (and multi-factor) authentication, digitally signed key pairs and certificates are also available.
A status overview of the account can always be retrieved by downloading a Credential Report. It will contain information about the active credentials and their expiration date. From the dashboard, specific rules can be applied, old and forgotten users can be disabled and individual credentials can be reset. Amazon’s security guidelines state that access keys and certificates are to be changed at regular intervals. To prevent this from impacting the running services and deployed projects, AWS supports multiple concurrent access keys and certificates.
When this feature is enabled, credential sets can be changed without any downtime. A good option to enable is the AWS Multi-Factor Authentication mechanism, which brings an additional layer of security. This feature requests a secondary six-digit, single-use code along with the standard username and password combination. Access will be given to the AWS project only when the correct pair is entered. Multi-factor authentication can also be done via hardware tokens, which can be safer to use in certain environments.
Secure access to the login pages is also highly recommended, and administrators are to use the HTTPS (HTTP with SSL Encryption) version of their AWS resources. This protects against potential malicious activity such as eavesdropping and tampering with the network stream. Depending on the service used, additional encryption may also be offered.
The AWS Trusted Advisor is a popular support service for cloud security. When used, it inspects the cloud environment and makes recommendations to improve the overall security and fix potential security issues. Another useful web service is the AWS Config, which will continuously monitor the configuration files associated with the used resources.
Implementing A Secure Amazon AWS Model of Operations
Amazon EC2 (Amazon Elastic Compute Cloud) is the main component designed to resize the provided computing capacities with minimum downtime. Its security is ensured on multiple levels: the chosen operating system, virtual machines, active firewalls with their configured rules, and signed API calls.
A security principle that is applied to Amazon AWS is found within the way the hypervisor and virtual machines are presented to customers. This is done by not giving them direct RAW access to the disks but rather to virtual copies of them. An additional layer of VM encryption is also available.
Firewalls are appropriately configured in deny-all mode as default. This means that the web project owners will need to enable inbound traffic to the services which they intend to use. The advanced configuration allows for a very thorough setup: restrictions can be applied by protocol, port and source IP address. Group rules, which are essential in large-scale projects, may also be created.
Amazon AWS Projects Security: A Never-Ending Saga
As Amazon is always expanding the features and modules offered to customers, there can be no single security guideline. The best practices are continuously developed and tested by experts and companies. The best recommendation is to always stay alert. Existing Amazon customers should frequently consult the company’s support page, as revisions to the manuals are often made. Every security guideline should be aligned with the current capabilities as implemented by Amazon.
About the Author: Martin Beltov graduated with a degree in Publishing from Sofia University. As a cybersecurity enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.