AWS – like other major cloud providers – has a ‘shared responsibility’ security model for its customers. This means that AWS takes full responsibility for the security of its platform – but customers are ultimately responsible for the security of the applications and datasets they host on the platform.
This doesn’t mean, however, that AWS washes its hands of customer security concerns. Far from it. To support customers in meeting their mission critical cloud security requirements, AWS has developed a portfolio of cloud security tools and features that help keep AWS applications and accounts secure. Some are offered free, some on a subscription basis. Below, we’ve compiled some key points about the top eight of these tools and features:
Amazon’s GuardDuty threat detection service analyzes your network activity, API calls, workloads, and data access patterns across all your AWS accounts. It uses AI to check and analyze multiple sources – from Amazon CloudTrail event logs, DNS logs, Amazon VPC Flow Logs, and more. GuardDuty looks for anomalies that could indicate infiltration, credentials theft, API calls from malicious IPs, unauthorized data access, cryptocurrency mining, and other serious cyberthreats. The subscription-based tool also draws updated threat intel from feeds like Proofpoint and Crowdstrike, to ensure workloads are fully protected from emerging threats.
Identity is an increasingly serious attack surface in the cloud. And this makes visibility over AWS user account activity crucial to maintaining uptime and even business continuity. AWS CloudTrail enables you to monitor and record account activity - fully controlling storage, analysis and remediation - across all your AWS accounts. In addition to improving overall security posture through recording user activity and events, CloudTrail offers important audit functionality for proof of compliance with emerging and existing regulatory regimes like HIPAA, SOC and PCI. CloudTrail is an invaluable addition to any AWS security war chest, empowering admins to capture and monitor API usage and user activity across all AWS regions and accounts.
Web applications are attractive targets for threat actors, who can easily exploit known web layer vulnerabilities to gain entry to your network. AWS Web Application Firewall (WAF) guards web applications and APIs from bots and web exploits that can compromise security and availability, or unnecessarily consume valuable processing resources. AWS WAF addresses these threats by enabling control over which traffic reaches applications, and how it reaches them. The tool lets you create fully-customizable security rules to block known attack patterns like cross-site scripting and SQL injection. It also helps you control traffic from automated bots, which can cause downtime or throw off metrics owing to excessive resource consumption.
Distributed Denial of Service (DDoS) attacks continue to plague companies, organizations, governments, and even individuals. AWS Shield is the platform’s built-in DDoS protection service. Shield ensures the safety of AWS-based web applications – minimizing both downtime and latency. Happily, the standard tier of this particular AWS service is free of charge and protects against most common transport and network layer DDoS attacks. The advanced version of AWS Shield, which does carry an additional cost, adds resource-specific detection and mitigation techniques to the mix - protecting against large-scale DDoS attacks that target Amazon ELB instances, AWS Global Accelerator, Amazon CloudFront, Amazon Route 53, and EC2 instances.
With the rise in adoption of cloud hosting for storage and computing, it’s crucial for organizations to protect themselves from attacks exploiting cloud vulnerabilities. A recent study found that the average cost of recovery from a breach caused by cloud security vulnerabilities was nearly $5 million. Amazon Inspector enables automated vulnerability management for AWS workloads. It automatically scans for software vulnerabilities, as well as network vulnerabilities like remote root login access, exposed EC2 instances, and unsecured ports – all of which could be exploited by threat actors. What’s more, Inspector’s integral rules package is kept up to date with both compliance standards and AWS best practices.
Supporting Amazon Simple Storage Service (S3), Amazon’s Macie data privacy and security service leverages pattern matching and machine learning to discover and protect sensitive data. Recognizing PII or PHI (Protected Health Information) in S3 buckets, Macie is also able to monitor the access and security of the buckets themselves. Macie makes compliance with regulations like HIPAA and GDPR simpler, since it clarifies what data there is in S3 buckets and exactly how that data is shared and stored publicly and privately.
AWS Identity and Access Management (IAM) enables secure management of identities and access to AWS services and resources. IAM works on the principle of least privilege – meaning that each user should only be able to access information and resources necessary for their role. But achieving least privilege is a constantly-evolving process – which is why IAM works continuously to ensure that fine-grained permissions change as your needs change. IAM also allows AWS customers to manage identities per-account or offer multi-account access and application assignments across AWS accounts. Essentially, IAM streamlines AWS streamlines permissions management – helping you set, verify, and refine policies toward achieving least privilege.
AWS aptly calls their secrets management service Secrets Manager. It’s designed to help protect access to IT resources, services and applications – enabling simpler rotation, management and retrieval of API keys, database credentials and other secrets at any point in the secret lifecycle. And Secrets Manager allows access control based on AWS Identity and Access Management (IAM) and resource-based policies. This means you can leverage the least privilege policies you defined in IAM to help control access to secrets, too. Finally, Secrets Manager handles replication of secrets – facilitating both disaster recovery and work across multiple regions.
There are many more important utilities we couldn’t cover in this blog, which are equally important in their own rights. Yet the key takeaway is this: even though AWS customers are responsible for their own data and app security, AWS makes a real effort to help meet and exceed security standards and expectations.