This article is the second post in our five-part series on security in the cloud today. In Part 1, we discussed what you need to focus on when developing your cloud security strategy, along with some controls you should consider and the best approach for implementing them. The rest of the series aims to explore the security tools and services delivered by the three leading cloud platforms—Azure, GCP and AWS.
Here in Part 2, we’ll focus on the features and limitations of the security solutions offered by Amazon Web Services (AWS). We’ll cover network security, cloud security posture management, cloud workload protection platforms, vulnerability management, container security, and SIEM, along with some additional tools AWS offers to ensure cloud security for your workloads.
So, let’s dive right in.
AWS uses a networking model that is very close to on-premises networks. It uses concepts, terminology, and a virtual network topology that resembles what is typically found in on-site server rooms, meaning network engineers will find themselves in a familiar environment and be able to get to work quickly.
AWS implements the Virtual Private Cloud (VPC), roughly equivalent to an entire on-premises network, as the highest order of its networking concepts. This is then followed by subnets, which are segments of a VPC that use non-overlapping CIDR blocks, and route tables, which are associated with the subnets and direct or deny the flow of network traffic. You are in control of the routing from subnet to subnet, and subnet to/from the internet. You can thus configure your routing tables to enforce strict segregation of workloads.
AWS also provides tools that are akin to network firewalls: Security Groups (SGs), which work at the level of network interfaces, and Network Access Control Lists (NACLs), which work at the subnet level. SGs can be used to further restrict traffic within a subnet and only allow traffic based on a destination port number and source (either IP address or another security group). Meanwhile, NACLs are stateless and can be used to explicitly deny traffic—not possible with SGs. However, aside from this additional feature, NACLs aren’t that useful if you already use SGs.
Note: The fact that you can specify an SG as an allowed source of traffic to another SG is very powerful and allows you to semantically build your authorized traffic paths, instead of painstakingly working out your various CIDR blocks.
Web Application Firewall
AWS offers its own Web Application Firewall (WAF). A web application firewall inspects the HTTP traffic between clients (usually on the internet) and web servers. It monitors and filters this traffic in order to protect a web application from certain attacks, such as SQL injection, cross-site scripting, and many others. AWS WAF integrates seamlessly with other AWS services that provide ingress from the internet, namely Elastic Load Balancing, Amazon API Gateway, and CloudFront. But remember, you can’t use AWS WAF directly in front of an EC2 instance.
AWS WAF allows you to create your own WAF rules, but it also provides some Managed Rules that let you simply and easily address common threats, such as the OWASP Top 10 security risks. Finally, Firewall Manager simplifies the management of AWS WAF and VPC security groups and can do so even across multiple AWS accounts.
AWS Shield in its Standard form is enabled by default and protects most of your AWS components from the most common DDoS attacks. AWS Shield Advanced offers more advanced DDoS attack protection and mitigation; for example, it automatically sets rules on NACLs and allows you to defend EC2 instances that are directly exposed to the internet.
Cloud Security Posture Management (CSPM)
Enforcement of Security Policies and Configuration
AWS Config is a very useful tool that should at least be evaluated as part of your CSPM strategy. It continuously monitors all of your AWS resources and records every change made to their configuration.
This tool can then compare the detected resource configurations against rules and send you an alert and/or take automated remedial actions. You can use pre-defined rules created by AWS (for example, no publicly exposed port 22 [SSH]), or you can define your own custom rules. AWS Config also helps you make sure that your AWS workload complies with certain standards (such as HIPAA or PCI).
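The "no publicly exposed port 22" check above, written the way the evaluation logic of a custom AWS Config rule would be, as an added example that is not code from the article or from AWS. It takes the `configuration` part of an `AWS::EC2::SecurityGroup` configuration item (the field names `ipPermissions`, `ipProtocol`, `fromPort`, `toPort`, `ipRanges`/`cidrIp`, `ipv6Ranges`/`cidrIpv6` and `userIdGroupPairs`/`groupId` are assumed to match what Config records), treats a rule whose source is another security group as acceptable (the semantic SG-to-SG allow from the note in the network section), and is shown against a constructed weak group and its corrected form.

```python
import ipaddress

SSH_PORT = 22
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an inbound permission reaches ``port`` over TCP (or all traffic)."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":                 # "all traffic": every port, every protocol
        return True
    if proto not in ("tcp", "6"):     # SSH is TCP; UDP/ICMP rules cannot expose it
        return False
    low = perm.get("fromPort")
    high = perm.get("toPort", low)
    return low is not None and low <= port <= high


def public_sources(perm: dict) -> list:
    """CIDR sources in this permission that mean "the whole internet"."""
    found = []
    for r in perm.get("ipRanges", []):
        if ipaddress.ip_network(r["cidrIp"], strict=False) == ANY_V4:
            found.append(r["cidrIp"])
    for r in perm.get("ipv6Ranges", []):
        if ipaddress.ip_network(r["cidrIpv6"], strict=False) == ANY_V6:
            found.append(r["cidrIpv6"])
    return found


def evaluate_restricted_ssh(configuration: dict) -> tuple:
    """Return (compliance type, annotation) for one security group.

    Sources given as other security groups (userIdGroupPairs) never trip the
    rule: they are the semantic, non-CIDR allow the article recommends.
    """
    offenders = []
    for perm in configuration.get("ipPermissions", []):
        if rule_covers_port(perm, SSH_PORT):
            offenders.extend(public_sources(perm))
    if offenders:
        return "NON_COMPLIANT", "port 22 reachable from " + ", ".join(offenders)
    return "COMPLIANT", "no internet-wide source reaches port 22"


# Constructed samples (assumed field layout): the weak group beside the fix.
WEAK_SG = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                              "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}
FIXED_SG = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                               "ipRanges": [],   # placeholder bastion SG id below
                               "userIdGroupPairs": [{"groupId": "sg-BASTION-PLACEHOLDER"}]}]}
```

In a real custom rule the Lambda handler would parse `invokingEvent`, call this function on the configuration item and report the result through the Config API.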
AWS Audit Manager is another useful tool to ensure compliance with leading industry standards and regulations like PCI DSS, GDPR and CIS. It provides prebuilt frameworks that can be used to map your AWS resources to the compliance controls. It automatically collects compliance evidence associated with each control to create audit-ready reports.
Runtime Security Assessments
AWS Inspector performs security assessments at runtime on EC2 instances. Such assessments are helpful from a CSPM perspective, detecting potential security issues and allowing developers and DevOps engineers to fix them quickly.
Additionally, AWS Security Hub can also help with CSPM. Indeed, it is able to automate continuous security checks and resource configuration checks. This is typically done as part of a compliance program to bring a certain workload into compliance with standards such as PCI and CIS, but such checks can be performed as part of a CSPM strategy as well.
The AWS Systems Manager Patch Manager allows you to define patches that must be present in Linux and Windows instances. Once configured, Patch Manager works in the background to ensure your selected instances have the correct patches. Configured properly, Patch Manager makes sure your instances’ operating systems are free from known vulnerabilities; having said this, Patch Manager can be quite cumbersome to work with because the patches and destination machines must be selected manually. It does offer pre-defined configurations, but they probably won’t cover your particular use case.
Cloud Workload Protection Platform (CWPP)
While you may apply numerous practices to make your environment more secure in an attempt to reduce your attack surface and the likelihood of getting attacked, what you need is the ability to detect attacks as they occur. CWPP provides you with this control, enabling you to make sure attacks don’t go undetected by alerting you to unauthorized, malicious code or any other malicious activity. Focusing on the compute-resource level, CWPP monitors numerous parameters related to your runtime environment to check for the execution of suspicious code, thus serving as a critical layer of protection for your software and data.
AWS doesn’t provide CWPP, so you need to look for a third-party solution that can fully integrate with AWS workloads. For proper CWPP protection of your servers, there are outside providers, such as Intezer Protect. Intezer uses a workload-centric approach to deliver a single-pane, comprehensive overview of your security posture, across both hybrid and multi-cloud environments.
Elastic Container Registry (ECR) can scan your stored Docker images for known vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) database, using the open-source project Clair. Apart from that, AWS does not offer additional vulnerability management tools—at least, not as of this writing.
If you run your containers in Elastic Container Service (ECS), there are security aspects similar to EC2 instances, such as IAM roles and security groups. If you run your containers in Elastic Kubernetes Service (EKS), AWS provides the standard Kubernetes security elements, such as RBAC and network policies. You could also use integrations like OPA Gatekeeper and CNCF Falco for enhanced container security in AWS.
Security Information and Event Management (SIEM)
AWS connects with well-known third-party providers but doesn’t have any proper SIEM tools itself.
For a comprehensive overview of your security status across all of your AWS accounts, you can use Security Hub. It makes sure you receive all high-priority security alerts and also allows you to take remedial actions, whether automated or manual.
Security Hub is not a SIEM solution in itself, but it does provide some important SIEM-like features such as aggregation. In fact, it provides a comprehensive view of all findings from all of your AWS services and subscriptions in one single place.
Additional Threat Detection Capabilities
In order to monitor traffic and detect anomalies, Amazon GuardDuty is your tool of choice. It’s an agentless service that not only analyzes a wide range of data—network traffic, S3 accesses, and AWS API calls—but also uses machine learning and behavior models to identify malicious activities such as cryptocurrency mining, credential compromise, unusual data access, and communication to/from known malicious entities.
GuardDuty even facilitates automated mitigation once any suspicious activity is detected. Although not part of a Cloud Workload Protection Platform on its own, Amazon GuardDuty is a useful complementary addition to an agent-based CWPP solution.
AWS also provides a service called Amazon Detective that can help with root cause analysis of security breaches or malicious activities. Root cause analysis is often a complex process that requires consolidating and correlating logs from various sources using custom scripts/ETL tools and in-depth security analytics. Amazon Detective is capable of analyzing events from multiple AWS resources and delivering them in a unified view for root cause analysis.
Available Security Logs and Monitoring
AWS obviously provides data plane logging and even has its own tool for this, as ingesting and processing logs is a foundational feature of a public cloud. CloudWatch Logs can ingest, process, and retain logs from your applications, services, and operating systems. The accompanying utility, CloudWatch Logs Insights, is also useful for filtering information from numerous logs to easily find that needle in the proverbial haystack.
Yet another tool provided for control plane logging is CloudTrail. This can log all AWS API calls, including who or what made the call, the date and time of the call, whether the entity was allowed or denied the call, etc. CloudTrail has several use cases:
- As a forensic tool
- To detect unusual activity
- For compliance purposes for any standard that requires auditability
Finally, AWS can help you log and monitor the network traffic in and out of your VPCs. You can enable VPC Flow Logs to record every flow related to these VPCs, including several fields taken from the packets’ IP headers and whether each flow was accepted or rejected.
Note: Enabling VPC Flow Logs is necessary if you want to use GuardDuty, as the latter uses these logs to detect suspicious traffic. You can also use them for forensic analysis and to comply with certain standards (such as HIPAA).
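The kind of first-pass analysis you can run over VPC Flow Logs yourself, as an added example that is not code from the article or from AWS: it parses records in the default flow-log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA/SKIPDATA records, and lists sources with repeated rejected connections to port 22. The log lines are constructed, with documentation-range addresses and a placeholder account id.

```python
from collections import Counter
from typing import Optional

# Field order of the default VPC Flow Log format (version 2 records).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records: two rejected SSH attempts from one internet host,
# one accepted SSH flow from inside the VPC, one HTTPS flow, one NODATA record.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51235 22 6 3 180 1700000060 1700000120 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.2.7 10.0.1.5 40000 22 6 12 2400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 198.51.100.4 10.0.1.5 60000 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str) -> Optional[dict]:
    """Turn one flow-log line into a dict; records without a flow return None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None                      # malformed or a custom-format line
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":        # NODATA / SKIPDATA carry "-" fields
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def rejected_ssh_by_source(log_text: str, min_count: int = 2) -> dict:
    """Map source address -> number of rejected TCP/22 flows, for repeat offenders.

    REJECT covers traffic dropped by a NACL deny or left unmatched by any SG rule.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT" and rec["protocol"] == 6 and rec["dstport"] == 22:
            hits[rec["srcaddr"]] += 1
    return {src: n for src, n in hits.items() if n >= min_count}
```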
In conclusion, Amazon Web Services has a wide range of security tools, which should definitely be considered first when assessing which solutions to use. Still, apart from a few exceptions, these tools can be quite challenging to understand and configure properly. For the few areas where AWS is lacking, using a third-party solution can be a smart move.
Importantly, when it comes to “security of the cloud,” AWS deserves praise for always putting security first: Amazon won’t do anything that could compromise the security of its cloud platform, even if that means not releasing an exciting new product or not caving to demands to make their products more user-friendly.
AWS security offerings are notably lacking on the CWPP front, although third-party software is available, either through AWS Marketplace or directly from vendors. Intezer Protect can help you secure your workloads in real time.
All in all, AWS has earned a well-deserved reputation for having a very tight grip on security within their own infrastructure, something they pass on to users via the security ensured in any product they offer.