Amazon Web Services (AWS) provides several ways for organizations to securely adopt, develop and manage their AWS environments, including the security perspective of the AWS Cloud Adoption Framework (AWS CAF), the security pillar of the AWS Well-Architected Framework and numerous security services provided by AWS. These tools provide many options to implement a secured foundation in their AWS environments, but also raise a few common questions:
- Where do we start?
- What are the foundational security services in AWS we must consider?
- What are ‘must-have’ vs. ‘nice-to-have’?
Prerequisites to a secured AWS foundation
Before we describe the components of the secured AWS foundation, it is important to call out the three prerequisites to implement the foundation:
- A business-enabling mindset and strategy. In today’s world, we all understand the importance of security, but at no time should security be in the way of business growth. Instead, security should be the enabler of strong business growth. Therefore, a business-enabling mindset, as well as a strategy, are prerequisites to developing a sound foundation.
- A governance framework with supporting processes. Governance has long been discussed as an important contributing factor to deteriorating cloud security. An organization can develop the best security foundation but without governance, the foundation will fall apart over time. A common mistake is to keep governance on paper only. Proper governance processes help maintain the relevance of the security foundation to the organization’s business and risk profile. It also helps enforce the security foundation and maximize its effectiveness. A good governance program should not just have a well-defined framework, but also a list of defined and enforced processes, which could include:
- AWS service review and approval
- AWS control exception
- AWS security incident management, including escalation
- AWS security remediation
- A set of business-validated and development-friendly AWS security requirements, reference architecture and blueprints. A common theme we have observed when organizations are rapidly adopting AWS is the struggle to introduce security at the scale and speed of business. For example, security is often behind the curve of new AWS service adoption. Additionally, the adoption of DevOps methodology and the “shift left” mindset, in which testing and quality control processes including security testing, are moved towards earlier stages of development, push security responsibility towards the developer. This means developers must be empowered to integrate secure solutions into their applications by following defined security requirements. And this presents another challenge – how to seamlessly translate security requirements into design languages that are easily understood by developers. Developers don’t dislike security, but they tell us they hate security that is hard to implement and difficult to maintain. Often, we observe that application teams embrace secure design as a business enablement to allow them to focus on innovation without worrying about the security risks. As a result, we see an increased demand for secure AWS reference architecture and blueprints. The development of such assets may seem to be overhead at the beginning, but it effectively changes the view of security (from being an organizational burden to a competitive advantage that enables innovation), minimizes business disruption and reduces costs of remediation efforts.
Components of the secured AWS foundation
Below, we detail the utilization of native AWS security services, and suggest how to configure them to meet baseline security requirements defined by each organization. Based on the organization’s use cases, consider the use of third-party security technologies. Assess them against native AWS services based on integration, cost and ease of use (including the need to manage security in a multi-cloud environment).
- Identity and Access Management (IAM) foundations:
- Solid AWS IAM policies with least privilege permissions built-in; consideration of IAM Access Analyzer to identify overprovisioned access
- Secrets Manager to store and manage application secrets. Consider a third-party solution (e.g., CyberArk) when centralizing the secrets management function.
- Implementation of single sign-on/federation capabilities, including but not limited to the use of AWS single sign-on and AWS directory services. Consider a third-party solution (e.g., Okta) to implement single sign-on across different cloud environments.
- Data protection foundations:
- Choose wisely between the various AWS encryption and key management capabilities. Be mindful of the limitations that exist within each service; for example, certain server-side encryption options might not be available for specific AWS services. Also be mindful of cost implications.
- Configure AWS Certificate Manager to centrally provision, manage and deploy TLS certificates.
- Consider the use of AWS Macie for DLP use cases. Carefully compare its capabilities against third-party DLP solutions, focusing on service integration and cost.
- Threat and vulnerability management foundations:
- Deploy AWS Inspector to identify and monitor host-level vulnerabilities. Consider third-party vulnerability management solutions to centrally manage vulnerabilities across different environments (cloud and on-premises).
- Consider GuardDuty for a simple and fast way to jump start threat intelligence capabilities in AWS. Keep in mind that customization, additional automation and the use of third-party threat intelligence solutions might be required for a sophisticated threat landscape.
- Network security foundations:
- Leverage the various services within AWS Virtual Private Cloud (VPC) to design and build a scalable and secure environment, beginning with a solid security group, subnet and routing configurations that are in line with industry-leading practices (e.g., CIS benchmark). Consider the Network Access Analyzer to identify potential gaps and prevent unintended network access.
- For externally facing applications, begin building perimeter security with AWS Web Application Firewall (WAF). Consider the use of third-party WAF solutions if sophisticated rules are already in place within the existing WAF solution.
- Design and deploy other perimeter services (e.g., CloudFront, Elastic Load Balancer, API Gateway, etc.) in line with leading practices and scalable secure pattern.
- Enable AWS Shield if applications are susceptible to DDoS attacks. Consider Shield Advanced for extra protection and a way to transfer some DDoS risks.
- Centralized security governance and control foundations:
- Utilize AWS Control Tower to jump start a secure multi-account setup.
- Use AWS Organization and Config to monitor and enforce good security hygiene within AWS accounts. AWS Service Control Policies (SCP) can help enforce governance of AWS service usage.
- Use AWS Security Hub to centrally manage and monitor the posture of the AWS environment. This is especially effective if there is not a third-party solution in place to provide such capabilities.
- Develop a tagging strategy early in the AWS journey or as soon as possible as proper tagging provides the flexibility needed to apply foundational security without blocking business initiatives.
- Enablement of security automation: Developers want to automate security when possible or teach themselves how to harness security tools to reduce external limitations to their innovation potential. To enable this, a library of security automation assets must be developed. They include but are not limited to:
- Secure infrastructure as code: Embedding security from the get-go is the most effective and cost-effective way to enforce security.
- Hardened images: Like secure infrastructure as code, hardened VM and container images build security into the environment being developed from the very beginning.
- Policy as code: Identify security issues before code is deployed to reduce remediation after the fact.
Adoption of these foundational components will help build a secure AWS foundation that will allow organizations to securely develop and manage their AWS environments as they continue to grow. Protiviti can help guide organizations with how to implement these components based on their needs and further develop implemented solutions to improve AWS security.