Like all leading cloud service providers, AWS follows a shared responsibility model for security and compliance. While platform-level security is owned and managed by AWS, customers are responsible for securing the hosted application and data.
AWS provides several native tools and services to implement the necessary cloud security controls, but to ensure complete visibility and protection, consider a third-party solution that offers capabilities the native security tools do not. In this blog, we'll explore some of the AWS security tools that contribute to securing applications in the cloud.
Organized DDoS attacks are one of the major causes of downtime in the public cloud. Attackers flood cloud-hosted applications with a volume of bogus traffic that the underlying systems cannot handle, rendering them unavailable.
AWS Shield provides managed DDoS protection for applications hosted in AWS and protects them from such downtime. Standard DDoS protection is enabled by default for all AWS services; the advanced tier of AWS Shield adds protection and mitigation capabilities against large-scale, organized DDoS attacks. The service protects against attacks targeting:
- EC2 instances
- Amazon CloudFront
- Route 53 resources
- Amazon Elastic Load Balancing (ELB)
- AWS Global Accelerator
The advanced tier also gives you access to a dedicated AWS DDoS Response Team (DRT) for guidance during the mitigation process.
Web Application Firewall
Web applications in the cloud are constantly at risk of attack. Evolving threat vectors can easily target known vulnerabilities and security loopholes at the web layer. You need to build a layer of defense for your web applications using services specialized in identifying and mitigating such targeted attacks.
The Web Application Firewall (WAF) protects web applications in AWS from common attacks such as SQL injection and cross-site scripting (XSS). WAF comes with built-in rules that help detect and protect against the OWASP Top 10 security risks, while giving customers the flexibility to create their own rules. The service integrates with Amazon CloudFront, ELB, Amazon API Gateway, and other services that receive ingress HTTP traffic from the internet.
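As an added illustration of combining WAF's built-in rule groups with a custom rule (hypothetical helper, not code from this post or from AWS), the function below assembles a WAFv2 web ACL definition; the ACL name, the per-IP rate limit and the rule priorities are assumptions, and the managed rule group names are AWS's public identifiers.

```python
"""Build an AWS WAFv2 web ACL definition that layers AWS managed rule groups
with a custom rate-based rule. Hypothetical helper, not AWS's or Intezer's
code; the ACL name, rate limit and priorities are assumptions. The returned
dict matches the keyword arguments of boto3's wafv2.create_web_acl()."""

# Public AWS managed rule group names that cover common web exploits.
MANAGED_GROUPS = [
    "AWSManagedRulesCommonRuleSet",          # OWASP Top 10 style protections
    "AWSManagedRulesSQLiRuleSet",            # SQL injection patterns
    "AWSManagedRulesKnownBadInputsRuleSet",  # known malicious request inputs
]

def _visibility(metric_name):
    # Emit CloudWatch metrics and keep sampled requests for every rule.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}

def build_web_acl(name, scope="REGIONAL", rate_limit=2000):
    """Default action allow; managed groups evaluate first, then a custom
    rate-based rule blocks any single IP exceeding rate_limit requests in
    WAF's 5-minute window. Use scope="CLOUDFRONT" for CloudFront distributions."""
    rules = []
    for priority, group in enumerate(MANAGED_GROUPS):
        rules.append({
            "Name": group,
            "Priority": priority,   # lower number is evaluated first
            # Managed groups carry their own actions; None keeps them as-is.
            "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement":
                          {"VendorName": "AWS", "Name": group}},
            "VisibilityConfig": _visibility(group),
        })
    rules.append({
        "Name": "RateLimitPerIP",
        "Priority": len(MANAGED_GROUPS),
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement":
                      {"Limit": rate_limit, "AggregateKeyType": "IP"}},
        "VisibilityConfig": _visibility("RateLimitPerIP"),
    })
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": _visibility(name)}

def validate_priorities(acl):
    """WAF rejects duplicate priorities inside one web ACL; check before calling."""
    priorities = [r["Priority"] for r in acl["Rules"]]
    return len(priorities) == len(set(priorities))
```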
As cloud usage grows, it becomes increasingly difficult for cloud administrators to ensure that all applications adhere to security and compliance best practices. Misses are bound to happen, leaving applications exposed to attack. An automated way of detecting and reporting such issues helps you remediate them proactively.
AWS Inspector is handy in such situations. It performs automated vulnerability and best-practice assessments of applications deployed in AWS. The Inspector assessment baseline is kept aligned with AWS best practices and compliance standards, and customers can use its reports to proactively mitigate security risks.
For example, Inspector comes with prebuilt rules covering exposed EC2 instances, vulnerable software and open ports, remote root login access, and more. The service can also be integrated into your existing DevOps practices through its API, providing visibility into the security state of applications right from the development stage.
Account activity patterns and network traffic anomalies provide clear signals of a compromised environment. For instance, unusual internal traffic between cloud components could indicate that an attacker has already breached your perimeter security. The faster you identify and remediate such incidents, the better your odds of preventing long-standing consequences.
Amazon GuardDuty is an agentless, continuous threat detection service that analyzes network traffic, resource access patterns, API calls, and more. It uses machine learning to identify malicious activity such as credential theft, unauthorized data access, and cryptocurrency mining. GuardDuty can also be configured to auto-remediate findings through Amazon CloudWatch Events and AWS Lambda integration.
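The CloudWatch Events to Lambda auto-remediation path mentioned above, as an added, hypothetical example that is not code from this post or from AWS: the handler classifies a GuardDuty finding and, for EC2 findings in a few high-confidence families, isolates the instance by swapping its security groups for a quarantine group. The quarantine group id, the finding families chosen and the injected EC2 client are assumptions; the sample event is constructed.

```python
"""Lambda-style auto-remediation for a GuardDuty finding delivered through
CloudWatch Events / EventBridge. Added, hypothetical example, not Intezer's
or AWS's code. The quarantine security group id is an assumption supplied
by the caller; the EC2 client is injected so the logic runs offline."""

# GuardDuty finding-type families where isolating the instance is reasonable.
ISOLATE_PREFIXES = ("CryptoCurrency:EC2/", "Backdoor:EC2/", "Trojan:EC2/")
HIGH_SEVERITY = 7.0  # GuardDuty labels severity 7.0 to 8.9 as High

def classify_finding(finding):
    """Return ("isolate", instance_id), ("alert", None) or ("ignore", None).
    For EC2 findings the instance is under resource.instanceDetails.instanceId."""
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if (resource.get("resourceType") == "Instance" and instance_id
            and finding.get("type", "").startswith(ISOLATE_PREFIXES)):
        return "isolate", instance_id
    # Everything else is routed to a human; low severity is only logged.
    return ("alert", None) if severity >= HIGH_SEVERITY else ("ignore", None)

def remediate(event, ec2, quarantine_sg):
    """EventBridge wraps the finding as event["detail"]. Isolation swaps the
    instance's security groups for a quarantine group with no rules, which
    cuts traffic while keeping the instance intact for forensics."""
    action, instance_id = classify_finding(event.get("detail", {}))
    if action == "isolate":
        ec2.modify_instance_attribute(InstanceId=instance_id,
                                      Groups=[quarantine_sg])
    return action, instance_id

class FakeEC2:
    """Stand-in for a boto3 EC2 client so the example runs without AWS."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)

# Constructed sample event (not a real finding) with a placeholder instance id.
SAMPLE_EVENT = {"detail": {
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

if __name__ == "__main__":
    client = FakeEC2()
    print(remediate(SAMPLE_EVENT, client, "sg-quarantine-placeholder"))
    print(client.calls)
```

In a real deployment the `ec2` argument is `boto3.client("ec2")` and the quarantine group must already exist with no ingress or egress rules.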
Not all sophisticated attacks show up as anomalies, however. These attacks are designed to behave normally so that they go undetected by traditional threat detection tools. To detect advanced threats, it is recommended to monitor every change in memory at the code level for the execution of unauthorized or malicious code.
Amazon GuardDuty doesn't provide runtime security and visibility into workloads, but Intezer Protect is one tool that can. It provides complete runtime visibility and protection for your workloads hosted on AWS and across multiple cloud providers. Intezer Protect is engineered to detect even the slightest amount of malicious code reuse, an approach that has proven to be the fastest way to detect threats in Linux and containerized environments. This complements the pattern-based threat detection of GuardDuty to deliver end-to-end protection for your workloads.
Logs are a treasure trove of information when it comes to identifying anomalies in cloud environments. The granularity at which you can derive insights from the data gives you an edge in identifying and remediating security threats. When your application consists of numerous components, the complexity of the process increases, unless there is an automated way of doing it.
Amazon CloudWatch is the native monitoring tool that ingests monitoring data from multiple AWS services and provides visibility into your AWS infrastructure. CloudWatch Logs Insights can be used to query the data collected by CloudWatch to derive intelligence about security threats and operational issues.
In the cloud, identity is a crucial security perimeter. The only way to protect your applications from rogue users or compromised accounts is continuous monitoring of user account activity through the control plane.
AWS CloudTrail helps with control-plane monitoring by enabling governance, compliance, and operational auditing of your AWS accounts. All account-related activity can be continuously monitored with CloudTrail for unusual operations or access patterns that could indicate a compromised account. It also provides visibility into AWS Management Console activity and the related API calls.
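To make the "unusual operations or access patterns" concrete, here is an added example (hypothetical detection logic, not code from this post or from AWS) that scans CloudTrail records for root usage, tampering with the trail itself, console logins without MFA, and repeated failed console logins from one address; the thresholds and the sample records are constructed, using documentation-range IPs and a placeholder account id.

```python
"""Scan CloudTrail records for signs of a compromised or misused account.
Added, hypothetical detection logic, not Intezer's or AWS's code; the
thresholds and the sample records below are constructed for this example."""
import json
from collections import Counter

# Control-plane calls that weaken the audit trail itself; each one is alerted.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3  # failed console logins from one IP before alerting

def load_records(log_text):
    """A CloudTrail log file is a JSON object whose 'Records' key holds the events."""
    return json.loads(log_text)["Records"]

def scan_records(records):
    """Return a list of (rule, detail) alerts derived from the records."""
    alerts = []
    failed_by_ip = Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName")
        ip = rec.get("sourceIPAddress")
        # Root should only be used for account-level tasks; flag every call.
        if ident.get("type") == "Root":
            alerts.append(("root-usage", f"{name} from {ip}"))
        if name in LOGGING_TAMPER:
            alerts.append(("cloudtrail-tamper", f"{name} by {ident.get('arn')}"))
        if name == "ConsoleLogin":
            resp = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if resp == "Failure":
                failed_by_ip[ip] += 1
            elif resp == "Success" and mfa == "No":
                alerts.append(("console-login-no-mfa", f"{ident.get('arn')} from {ip}"))
    for ip, count in failed_by_ip.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("console-bruteforce", f"{count} failed logins from {ip}"))
    return alerts

# Constructed sample log (documentation-range IPs, placeholder account id).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"}} for _ in range(3)
] + [
    {"eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})
```

The same checks can be expressed as CloudWatch Logs Insights queries once the trail is delivered to a CloudWatch log group, which is the usual way to run them continuously.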
AWS Security Hub
With security-related information flowing in from multiple services, administrators can become overwhelmed jumping between tools to address issues. Manually aggregating all this information to see the overall security posture of your cloud environment would be a near-impossible task.
AWS Security Hub simplifies this process by providing single-pane visibility for security findings from multiple tools. It also helps with Cloud Security Posture Management (CSPM) through automated security and resource configuration checks aligned with leading industry compliance standards. Security scores from these checks help customers identify gaps and address them for better compliance.
The AWS security tools discussed here will help you implement the recommended security controls for your cloud-hosted applications. In addition to the built-in security tools offered by the cloud provider, you need to onboard a third-party security solution for runtime protection to detect and respond to attacks as they occur, including on Linux, which powers most of the cloud.
Just remember, AWS doesn't provide a native Cloud Workload Protection Platform (CWPP) for runtime protection of workloads, meaning it can't prevent in-memory exploits or other unauthorized or malicious code execution. Use a specialized CWPP solution like Intezer Protect for real-time protection of your AWS-hosted workloads.