DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

Have a startup, a small business- running on AWS, have security concerns, you need to read this!

Whether you are working to launch a startup, or are running a small business, you need to make security part of your planning and strategy, dont leave it as an afterthought it's too important.

I will mostly discuss AWS aspects, but whether its AWS or another public cloud service provider, dont make the assumption the cloud provider will handle all of your security needs. The cloud service providers have some fantastic tools/services, especially around cloud security to help detect, prevent and defend your users, data and systems, but it's not everything.

Remember this, Amazon is responsible for securing the infrastructure which among many things includes the compute, storage, networking, and various database services. You or your small business/startup are ultimately responsible the security of whats running on/in the cloud. It sounds very basic, but remember you or your teams need to know what systems/software you have running, where it is running, and who has what access/permissions to those systems/data and for what purpose.

Identity and Access Management or (IAM) what allows us to easily create new identities/users and groups and to ultimately assign various roles/permissions to control what they are able to do and access.

Circling back on another very important topic that I touched on a bit above is around knowing what you have deploy and where is its geographically located. We cant protect or defend what we dont know anything about. The reality today, is that anyone with a credit card or bank account can sign up with a cloud service provider and just start spinning up resources or uploading data into AWS. Shadow IT is, and continues to be a serious problem for all businesses, big and small, as it creates unnecessary risk. This is exactly why we need to know what we have running in AWS, who put it there, and what is it doing or providing, both from a security, risk and financial perspective. Regular reviews/audits need to be done so that any service/instance/data thats not approved/authorized needs to be shutdown, reviewed and either terminated or archived.

AWS makes the encryption of data fairly easy through services such as AWS KMS. Often times a business may not be sure when ,where or what data to encrypt when it comes to data store or data in motion. Today many laws and regulations require certain data to be encrypted, so when in doubt, just encrypt the data.

Within Amazon guardrails can be setup to prevent the storage of unencrypted data, and alert teams or individuals when AWS simple storage buckets are created to store unencrypted data.

I wrote an article ( https://voice.michaelwahl.org/incident-response-on-aws-7896564b0c4c ) a while back regarding incident response and whats available from AWS in terms of the various security offerings. When it comes to services, more specifically security services, AWS delivers many. With an incident response (IR) plan or strategy, you may be considering many AWS services, but maybe aren't sure which services provide what benefit or help you or your organization with your own security journey.

Top comments (0)

🌚 Browsing with dark mode makes you a better developer.

It's a scientific fact.