Six best practices for increasing AWS security in a Zero Trust world

  • Amazon Web Services (AWS) reported $6.6B in revenue for Q3, 2018 and $18.2B for the first three fiscal quarters of 2018.
  • AWS revenue achieved an impressive 46% year-over-year net sales growth between Q3, 2017 and Q3, 2018 and 49% year-over-year growth for the first three quarters of the year.
  • AWS’ 34% market share is bigger than its next four competitors combined with the majority of customers taken from small-to-medium sized cloud operators according to Synergy Research.
  • The many announcements made at AWS Re:Invent this year reflect a growing focus on hybrid cloud computing, security, and compliance.

Enterprises are rapidly accelerating the pace at which they’re moving workloads to Amazon Web Services (AWS) for greater cost, scale and speed advantages. And while AWS leads all others as the enterprise public cloud platform of choice, they and all Infrastructure-as-a-Service (IaaS) providers rely on a shared responsibility model where customers are responsible for securing operating systems, platforms and data.  

In the case of AWS, they take responsibility for the security of the cloud itself including the infrastructure, hardware, software, and facilities. The AWS version of the shared responsibility model shown below illustrates how Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations  as the customers’ responsibility:

Included in the list of items where the customer is responsible for security “in” the cloud is identity and access management, including Privileged Access Management (PAM) to secure the most critical infrastructure and data.

Increasing security for IaaS in a Zero Trust world

Stolen privileged access credentials are the leading cause of breaches today. Forrester found that 80% of data breaches are initiated using privileged credentials, and 66% of organisations still rely on manual methods to manage privileged accounts. And while they are the leading cause of breaches, they’re often overlooked — not only to protect the traditional enterprise infrastructure — but especially when transitioning to the cloud.

Both for on-premise and infrastructure as a service (IaaS), it’s not enough to rely on password vaults alone anymore. Organisations need to augment their legacy Privileged Access Management strategies to include brokering of identities, multi-factor authentication enforcement and “just enough, just-in-time” privilege, all while securing remote access and monitoring of all privileged sessions. They also need to verify who is requesting access, the context of the request, and the risk of the access environment. These are all essential elements of a Zero Trust Privilege strategy, with Centrify being an early leader in this space.

Six ways to increase security in AWS

The following are six best practices for increasing security in AWS and are based on the Zero Trust Privilege model:

Vault AWS root accounts and federate access for AWS Console

Given how powerful the AWS root user account is, it’s highly recommended that the password for the AWS root account be vaulted and only used in emergencies. Instead of local AWS IAM accounts and access keys, use centralised identities (e.g., Active Directory) and enable federated login. By doing so, you obviate the need for long-lived access keys.

Apply a common security model and consolidate identities

When it comes to IaaS adoption, one of the inhibitors for organisations is the myth that the IaaS requires a unique security model, as it resides outside the traditional network perimeter. However, conventional security and compliance concepts still apply in the cloud. Why would you need to treat an IaaS environment any different than your own data center? Roles and responsibilities are still the same for your privileged users. Thus, leverage what you’ve already got for a common security infrastructure spanning on-premises and cloud resources. For example, extend your Active Directory into the cloud to control AWS role assignment and grant the right amount of privilege.

Ensure accountability

Shared privileged accounts (e.g., AWS EC2 administrator) are anonymous. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements centrally from Active Directory, mapping roles, and groups to AWS roles.

Enforce least privilege access

Grant users just enough privilege to complete the task at hand in the AWS Management Console, AWS services, and on the AWS instances. Implement cross-platform privilege management for AWS Management Console, Windows and Linux instances.

Audit everything

Log and monitor both authorised and unauthorised user sessions to AWS instances. Associate all activity to an individual, and report on both privileged activity and access rights. It’s also a good idea to use AWS CloudTrail and Amazon CloudWatch to monitor all API activity across all AWS instances and your AWS account.

Apply multi-factor authentication everywhere

Thwart in-progress attacks and get higher levels of user assurance. Consistently implement multi-factor authentication (MFA) for AWS service management, on login and privilege elevation for AWS instances, or when checking out vaulted passwords.

Conclusion

One of the most common reasons AWS deployments are being breached is a result of privileged access credentials being compromised. The six best practices mentioned in this post are just the beginning; there are many more strategies for increasing the security in AWS.  Leveraging a solid Zero Trust Privilege platform, organisations can eliminate shared Amazon EC2 key pairs, using auditing to define accountability to the individual user account level, execute on least privilege access across every login, AWS console, and AWS instance in use, enforce MFA and enable a common security model.

https://www.cybersecuritycloudexpo.com/wp-content/uploads/2018/09/cyber-security-world-series-1.pngInterested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.