My co-workers can attest to the fact that I’m trying – really, really trying – to get fit. No carbs or sugars for four whole days, and I’ve promised to get back to 2000 yards in the pool tomorrow. Or next week. Or maybe just 1000 yards. Whatever; the point is, I’m trying to get fit. Getting into shape doesn’t just happen by just eliminating donuts and taking the stairs. You’ve got to make a commitment and it has to be embedded into the way you live your life.
Is it too corny to relate this to cloud security? Well, cloud security and my hope for a beach body (and NOT a breach body) may seem to be unrelated, but to achieve either, you need a plan, a mindset, and the right tools. You also need to recognize that neither is a zero-sum game. Both are about maintenance and identifying issues before they explode into catastrophic problems.
In that spirit, we’ve created a series of 11 steps that are critical to your organization being secure as an Amazon Web Services (AWS) customer. As you likely know, AWS makes very clear that they adhere to a shared responsibility model for handling security; they handle THE cloud, which you as the customer are responsible for security IN the cloud.
That model works great when everything goes according to plan. But nothing works perfectly, and recent security vulnerabilities with AWS S3 buckets highlight that fact. In the cases of a Verizon vendor and Dow Jones, the issues were attributable to human error.
To help you understand the need for continuous security and compliance monitoring, and in an effort to adequately prepare your cloud environment to be as secure as possible, our 11-steps will guide you towards being a fitter cloud user. These steps are meant to prevent against human error and encourage a more defensive mindset within your organization; by doing these things, you will create the necessary security that can ward off hacking attempts before bad actors can find the hole.
Here’s a quick rundown of the steps we propose in your effort to get lean and mean. Put on your headband, stretch out the hamstrings, set your playlist to “80’s Pump-Up Jams”, and let’s get cloud-fit:
Exercise #1 – Disable Root Account API Access Key: Because of the change in root user use recommendations and the addition of IAM in AWS, it is recommended that you disable, or even better, delete the AWS root API access keys. Here’s how.
Exercise #2 – Enable MFA Tokens Everywhere: AWS recommends multi-factor authentication, and as a fairly simple thing to implement, it should be required of all users, both inside and outside your organization.
Exercise #3 – Reduce IAM Users with Admin Rights: How much access does a user or application need in order to perform the task? What is the risk if the key is lost or compromised? Here’s how to limit access just to those who need it.
Exercise #4 – Use Roles for EC2: We see a lot of instances of IAM credentials being compromised, and we know this can be avoided when IAM roles are created for EC2.
Exercise #5 – Least Privilege: Here’s how to get a handle on management of access to applications, buckets, services, and other aspects of your cloud infrastructure so access is given only to those who absolutely need it.
Exercise #6 – Rotate all the Keys Regularly: Per AWS best practices, credentials, passwords and API Access Keys should all be rotated on a regular basis. If a credential is compromised, this limits the amount of time that a key is valid.
Exercise #7: Use IAM Roles with STS AssumeRole: Here we look at how to ensure user adoption while enforcing strict IAM management and usage policies.
Exercise #8 – Use AutoScaling to Dampen DDoS Effects: A more effective solution for absorbing and managing DDoS attacks: AutoScaling.
Exercise #9 – Do Not Allow 0.0.0.0/0 Unless You Mean It: Here’s how to block unwanted traffic and manage the threat surface.
Exercise #10 – Watch World-Readable and Listable S3 Bucket Policies: This step will guide you through creating and managing your S3 policies, which is especially timely in light of these recent headline-gathering issues from Verizon, WWE, and Dow Jones.
Exercise #11 – CloudTrail and Encryption: Security recommendations for enabling AWS CloudTrail and how to enable logs.
There‘s a lot in here, and we don’t expect you to get shredded all in one workout. But if you follow our advice and perform each exercise, you’ll find that your enterprise and all the layers of your cloud will become stronger, more resilient, and less vulnerable. Besides, being cloud-fit just feels good, doesn’t it?