Security services in AWS
Amazon Web Services (AWS) provides several security services to help its customers protect their cloud-based data assets from loss, corruption or exfiltration. These services are the basic building
blocks of any data protection strategy, such as role-based access control, user authentication, event and traffic monitoring, logs and alerts, and so on.
With app architectures becoming more complex and the sheer volume of data continuing to skyrocket, security building blocks are often inadequate to gain actionable insights into a system’s performance
and security status. The velocity and diversity of alerts and data streams from monitoring and logging services can make it difficult for IT teams to understand root causes of failures or vulnerabilities in real time. This makes it difficult to quickly remediate—or even preempt—them.
This article describes AWS’s advanced security services and how it provides a level of security for data and apps when used strategically with the AWS security building blocks.
What are types of security services in AWS?
Identity and access management
AWS Identity Services enable you to securely manage identities, resources, and permissions at scale.
AWS Identity Services enable you to securely manage identities, resources, and permissions at scale.
With AWS, you have identity services for your workforce and customer-facing applications to get started quickly and manage access to your workloads and applications.
AWS gives you the freedom to choose where to manage the identities and credentials of your employees, and the fine-grained permissions to grant the right access, to the right people, at the right time. With AWS, you have flexible administration capabilities and easy-to-use controls over multi-account environments. AWS helps you implement and enforce the principle of least privilege access with analytic tools that help identify unused permissions across all AWS accounts so that you can remove unnecessary access quickly and confidently.
Workforce identity services
Detection
Detection enables you to identify a potential security misconfiguration, threat, or unexpected behavior. It’s an essential part of the security lifecycle and can be used to support a quality
process, a legal or compliance obligation, and for threat identification and response efforts. There are different types of detection mechanisms. For example, logs from your workload can be
analyzed for exploits that are being used. You should regularly review the detection mechanisms related to your workload to ensure that you are meeting internal and external policies and requirements. Automated alerting and notifications should be based on defined conditions to enable your teams or tools to investigate. These mechanisms are important reactive factors that can help your organization identify and understand the scope of anomalous activity.
In AWS, there are a number of approaches you can use when addressing detective mechanisms. The following sections describe how to use these approaches:
• Configure
Configure service and application logging: A foundational practice is to establish a set of detection mechanisms at the account level. This base set of mechanisms is aimed at recording and detecting a wide range of actions on all resources in your account. They allow
you to build out a comprehensive detective capability with options that include automated remediation, and partner integrations to add functionality. In AWS, services that can implement this base set include:
• Investigate
Network and application protection
Network and Application Protection services on AWS enable you to enforce fine-grained security policy at every network control point across your organization. As you build your network using Networking services on AWS, you have flexible options for where and how you build your network architecture, from defining private subnets to public, Internet-facing networks. AWS Network and Application Protection services then provide equally flexible solutions that inspect and filter traffic to prevent unauthorized resource access. For example, for your web applications, you can easily setup always-on detection and automatic inline threat mitigations to maximize availability and application responsiveness.
Why Use AWS Network and Application Protection Services?
• Host Level Protection and Organization-Wide Visibility and Control
• Application Level Protection
• Network Level Protection
Data protection
One of the most common areas of interest from customer executives regarding their move to AWS is data protection. Data protection can take many forms (e.g., backups, high availability, long-term storage), but the focus for this blog post will be encryption.
With AWS, customers have several options for encrypting their data and managing keys on the platform:
o AWS Key Management Service : AWS Key Management Service (KMS) provides customers with centralized control of their encryption keys. Customers can easily create, import, and rotate keys as well as define usage policies and audit that usage from the AWS Management Console or by using the AWS SDK or CLI. The master keys in KMS, whether imported by the customer or created on the customer’s behalf by KMS, are stored in highly durable storage in an encrypted format to ensure that they are protected and can be retrieved when needed.
o AWS CloudHSM AWS CloudHSM : is a cloud-based hardware security module (HSM) that enables customers to easily generate and use their own encryption keys with AWS services. With CloudHSM, customers can manage their own encryption keys using FIPS 140-2 Level 3 validated HSMs. It is a fully managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.
o AWS Market Place Solutions : AWS offers a wide variety
of third-party vendor solutions in the AWS Marketplace, which gives customers the choice to use a third party key management solution that they may already be familiar with.
o Bring your own/roll your own encryption solution: Customers with existing on-premise encryption solutions may be able to extend these solutions for use within AWS. Common examples include Thales/SafeNet or open-source solutions like dm_crypt + LUKS.
Compliance
AWS Compliance empowers customers to understand the robust controls in place at AWS to maintain security and data protection in the AWS Cloud. When systems are built in the AWS Cloud, AWS and customers share compliance responsibilities.
Compliance is a Shared Responsibility
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the
components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
Which AWS service can be used to meet the compliance requirements?
AWS Artifact : AWS Artifact is the go-to, central resource for compliance-related information that matters. It provides on-demand access to AWS's security and compliance reports and select online agreements.
AWS Config : works with data that requires frequent audits to ensure compliance with internal policies and best practices.
It also provides a detailed view of the AWS resource configuration in your AWS account. This includes how the resources relate to each other and how they were configured in the past so you can see how configurations and relationships change over time.
References:
https://aws.amazon.com/products/security/
https://cloud.netapp.com/blog/aws-blg-types-of-aws-security-services-how-to-choose
Latest comments (0)