In the recent post on “Establishing an Amazon Web Services (AWS) Cloud Security Strategy,” I introduced some of the adoption challenges Cloud Service Customers looking to strengthen their cloud security posture are facing. While designing and maturing a Cloud Security Program can be complicated and challenging, I can recommend a baseline for beginning. The following high-level infrastructure and operations capabilities serve as 7 core requirements when designing a cloud security strategy.
1) Account Management
All organizations using AWS should evaluate whether their monthly AWS spend can be identified and described. The inability to do so may be indicative of loose provisioning controls within AWS account(s) and/or poor governance around IT infrastructure expenditures. AWS has simplified cost controls through CloudWatch billing alerts, a price list API, daily usage reports, consolidated billing and the support of cost allocation tags which allow for full programmatic integration with other SaaS technologies.
How many AWS accounts does an organization need?
With the support of Consolidated Billing and AWS’ decision to include the AWS account number as an identifying factor within the Amazon Resource Name (ARN), an organization can simplify security controls and policies and gain greater flexibility by using several distinct AWS accounts. However, owning multiple AWS accounts is not a security requirement and a strong security posture can be established through a single AWS account.
Takeaway: Identify the number of AWS accounts needed and their owners, and integrate using consolidated billing. Create CloudWatch Billing Alerts.
2) Identity Federation
Any organization using AWS is guaranteed to have multiple services in use. For example, GitHub, Google Apps, Office 365, Salesforce, Asana, Mavenlink, etc. Managing user accounts in every service is not only an administrative challenge, but also presents a vulnerability as users are added and removed from the organization. AWS supports centralized user administration through authentication using a SAML 2.0 compliant identity provider.
For smaller organizations, such as early adopters, services such as OneLogin and Okta provide online identity management services that provide centralized user administration capabilities. For the enterprise organization running Microsoft Active Directory, AWS supports AD FS as an identity provider using SAML 2.0. Additionally, AWS supports multiple options such as synchronization with an on-premise Active Directory, an Active Directory compatible instance hosted in AWS, and most recently, a managed Active Directory service.
Takeaway: Identify an identity provider and configure identity federation.
3) Tagging Strategy
Tagging in AWS is critical to cloud security because it provides resource identification in an agile environment where resources can be scaled automatically at any time. Additionally, tagging supports asset classification and can be leveraged within Identity and Access Management (IAM) policies to provide appropriate controls defined by organizational data classification policies. Tagging is also a critical component of auditing capabilities within AWS. As resources are provisioned, terminated and modified, tagging supplements the infrastructure inventory collection process.
Takeaway: Define an organizational Tagging Strategy to facilitate resource identification and inventory based on data classification policies and other data access controls defined by the organization.
4) Identity and Access Management Policies
At the root of AWS security are IAM policies. IAM policies enable organizations to control access to AWS services and resources using either AWS provided policies or custom policies written and owned by the organization. IAM policies will allow or deny access to users, groups and roles based on the requirements defined by the organization.
Takeaway: Define a least privilege and default-deny security model for the organization and create IAM policies to coincide with organization policies. Assign IAM policies to IAM users, groups and roles.
5) Event Logging and Alerting
Accountability and auditing is critical to a security strategy in that it provides visibility to the organization. One method that introduces visibility to the organization is event logging and alerting. AWS CloudWatch and CloudTrail are available for many AWS services and monitor various levels of the infrastructure in order to track changes and events occurring within the network stack, resource provisioning and de-provisioning and calls to the AWS API. The AWS Simple Notification Service (SNS) facilitates forwarding these events to responsible teams and integrates with other services such as Splunk. Enabling AWS Config also provides configuration history and relationships between AWS resources. Modifications to AWS resources such as changes to available ingress and egress controls are logged through AWS Config.
Takeaway: Enable CloudTrail, Config, VPC Flow Logs and CloudWatch Logs. Create and subscribe to notification topics to alert organization of changes within the AWS infrastructure. To go one step further, integrate logging with other services such as Splunk or SumoLogic.
6) Remote Access
Securing remote access into AWS may be one of the first controls identified by enterprise cloud service customers for communication between on-premise services and cloud resources. Additionally, this may be one of the first controls an enterprise is ready to implement by integrating with an on-premise VPN solution. However, smaller organizations may not have an on-premise solution. Nevertheless, there are cloud-ready VPN solutions available that are fully supported within AWS. Many of these services can be found in the AWS Marketplace.
Takeaway: Disallow direct access to VPC resources and require VPN technology to access AWS resources configured within a VPC.
7) Identify a Trusted Advisor
The cloud infrastructure will grow as the needs of the business evolve. Additionally, as AWS continues to add cloud services, organizations will need to ensure that cloud security strategies grow to cover the AWS footprint. AWS Trusted Advisor identifies (at a high-level) gaps against best practices in cost optimization, security, fault tolerance and performance improvement. AWS Trusted Advisor identifies over a dozen best practice security configurations and serves as a basic baseline recommendation tool; however, it cannot provide an in-depth analysis of a customer’s AWS environment. In order to strengthen the overall security posture, organizations should consider partnering with a Cloud Security company with proven expertise in the customer’s chosen CSP cloud infrastructure.
Note: AWS Trusted Advisor requires a premium support plan with AWS.
Takeaway: Identify a trusted advisor that understands your AWS environment and business goals.
There are many fundamentals to a Cloud Security Strategy that include encryption, compliance, risk management, application delivery, disaster recovery and more. Additionally, the core requirements identified in this Tip on Cloud Security will have a greater likelihood of success when they include existing organizational security strategies and input from their respective teams. Nevertheless, as organizations begin to deploy in the cloud (and specifically within AWS), having a core set of requirements to begin the discussion will help introduce cloud security early in the project’s lifecycle.
Stay tuned for an upcoming post where we’ll review and discuss “Cloud Security Platforms.”
About GuidePoint Security
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.