By Thomas Strigel, 02.10.2024, Cloud Services

More security for the cloud landing zone on AWS

How can companies make their AWS Cloud Landing Zone more secure? 10 measures that should be considered:

Security is one of the key issues that companies are dealing with, and not just at the moment. Naturally this applies to cloud services just as it does to on-premises data centres. The advantage in the cloud is that the hyperscalers already offer many security tools as managed services that can be used to raise the level of security significantly and keep it there. Unfortunately, these tools are often underused. One reason is organisational: security has historically been the responsibility of the network team in most companies, while cloud services are typically run by the infrastructure teams. Cloud security therefore needs to be anchored in the organisation across both.

In this article, we have compiled 10 measures to increase the security of your AWS Cloud Landing Zone. In another post, we look at how to make Microsoft Azure more secure.

1. Implement strict IAM (Identity and Access Management) policies

  • ‘Principle of least privilege’: Ensure that users, roles and services only have the permissions they need to perform their tasks. Prefer roles with temporary credentials over long-lived access keys, and review and refine permissions regularly: IAM Access Analyzer reports unused roles, credentials and permissions and can generate a policy from the actions a principal actually performed according to CloudTrail. Establish a reliable process that ensures these reviews really happen.
  • MFA (multi-factor authentication): Enforce MFA for all IAM users, above all for the root account and other privileged identities, to add an extra layer of security. MFA should be the standard, as it already is for consumers using social media and payment services.

2. Use AWS security groups and network ACLs effectively

  • Restrict inbound and outbound traffic: Allow only the traffic that is actually needed via security groups, which are stateful and attached to instances and network interfaces. Use network ACLs, which are stateless and evaluated at the subnet boundary, as an additional layer of control.
  • Default deny: A new security group denies all inbound traffic until a rule allows it, so start from that and open only the ports that are really required; keep outbound rules just as tight, because the default outbound rule allows everything. Every open port should be closely monitored: alarms on unusual activity on open ports enable a rapid response. A security information and event management (SIEM) solution, for example the widely used Splunk, adds further protection. If you run Azure alongside AWS, Microsoft Sentinel (formerly Azure Sentinel) can collect, analyse and alert on events from the AWS environment through its AWS connectors. Note that default deny at the network layer is a prerequisite for, but not the same as, a zero trust architecture, which additionally authenticates and authorises every request regardless of where it originates.
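The monitoring of open ports described in this section can be done directly on VPC Flow Logs. The following Python is an added example, not code from the original article or from SPIRIT/21: it parses default-format (version 2) flow log records, flags accepted inbound TCP/UDP connections to any port that is not on an allowlist, and raises a scan alert when one external address is rejected on several distinct ports. The VPC range 10.0.0.0/16, the allowlist containing only port 443, the scan threshold of five ports and the log records themselves are constructed assumptions.

```python
"""Detection logic over VPC flow log records: unexpected accepted inbound ports and port scans."""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed: the landing zone's VPC range
ALLOWED_INBOUND_PORTS = {443}                    # assumed: the only port exposed to the internet
SCAN_THRESHOLD = 5                               # distinct rejected ports from one source -> scan alert
TCP, UDP = 6, 17

# Default (version 2) flow log record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(line):
    """Parse one default-format record into a dict; None for malformed or NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA / SKIPDATA records carry '-' instead of values
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_inbound_from_outside(rec):
    """True if the flow enters the VPC from an address outside it."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    return dst in VPC_CIDR and src not in VPC_CIDR


def analyse(lines):
    """Alerts for (a) ACCEPTed inbound TCP/UDP to a port not on the allowlist and
    (b) one external source rejected on SCAN_THRESHOLD or more distinct ports."""
    alerts = []
    rejected_ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["protocol"] not in (TCP, UDP) or not is_inbound_from_outside(rec):
            continue
        if rec["action"] == "ACCEPT" and rec["dstport"] not in ALLOWED_INBOUND_PORTS:
            alerts.append({"rule": "unexpected_open_port", "src": rec["srcaddr"],
                           "dst": rec["dstaddr"], "port": rec["dstport"], "eni": rec["interface_id"]})
        elif rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    for src, ports in rejected_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append({"rule": "port_scan", "src": src, "ports": len(ports)})
    return alerts


# Constructed sample records (TEST-NET addresses for the outside world, fictional account and ENI ids).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51235 22 6 8 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.5 10.0.1.20 41000 5432 6 20 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40001 21 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40002 23 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40003 25 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40004 445 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40005 3389 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 10.0.1.20 33000 8080 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES):
        print(alert)
```

Run against the sample, this reports the accepted SSH connection from outside (port 22 is not on the allowlist) and the scan from 198.51.100.9, while the intra-VPC database traffic, the single rejected probe on 8080 and the NODATA record are ignored. In production the same two rules run as scheduled queries in CloudWatch Logs Insights or in the SIEM, with the allowlist derived from the security groups that are actually supposed to be open.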

3. Encrypt data at rest and in transit

  • Enable encryption: Use AWS Key Management Service (KMS) keys to encrypt data stored in S3, EBS volumes, RDS and other AWS services. Turn on default EBS encryption for each region and set a default encryption configuration on every S3 bucket, so that nothing ends up unencrypted simply because somebody forgot to tick the box.
  • TLS for data in transit: Ensure that all data transmitted over the network is encrypted with TLS (Transport Layer Security). AWS Certificate Manager issues and renews the certificates, and an S3 bucket policy can deny requests that arrive over plain HTTP with a condition on aws:SecureTransport.
    You can bring your own key material, but you can also create and manage keys with KMS: AWS-managed keys need no administration, customer-managed keys give you control over key policies, rotation and deletion, and imported key material lets you keep the original copy of the key outside AWS.

4. Enable logging and monitoring

  • AWS CloudTrail: Enable CloudTrail as an organisation trail covering all regions, so that API activity in every account is logged and the audit trail is complete. Turn on log file validation and deliver the logs to a dedicated log-archive account so that an attacker who compromises a workload account cannot quietly alter or delete them.
  • Amazon CloudWatch: Set up CloudWatch alarms and log groups to monitor AWS resources and detect anomalous activity.
  • VPC Flow Logs: Capture information about the IP traffic going to and from the network interfaces in your VPC.
    As described above, you can feed the logs from CloudTrail, CloudWatch and VPC Flow Logs into a SIEM and trigger alerts on unusual occurrences.
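What ‘alerts on unusual occurrences’ looks like for CloudTrail, as an added example that is not part of the original article: four detections a SIEM typically runs over the trail, applied to a handful of constructed CloudTrail records. The rules (use of the root account, a console login without MFA, changes to the trail itself, and a burst of AccessDenied errors from one principal) follow the well-known CIS AWS Foundations monitoring items; the account id 123456789012, the user and role names, the TEST-NET source addresses and the threshold of three denials are assumptions.

```python
"""Detections over CloudTrail records, the kind of rules a SIEM would run on the trail."""
import json
from collections import Counter

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
ACCESS_DENIED_THRESHOLD = 3   # assumed tuning value: repeated denials from one principal = probing


def detect(event):
    """Return the name of the first rule a single CloudTrail record triggers, or None."""
    ident = event.get("userIdentity", {})
    name = event.get("eventName")
    # Root should never be used day to day; ignore events AWS services initiate on its behalf.
    if ident.get("type") == "Root" and not ident.get("invokedBy") and event.get("eventType") != "AwsServiceEvent":
        return "root_account_used"
    if (name == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console_login_without_mfa"
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        return "cloudtrail_tampering"
    return None


def run_detections(records):
    """Per-record rules plus one aggregate rule over the whole batch."""
    alerts, denied = [], Counter()
    for ev in records:
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        rule = detect(ev)
        if rule:
            alerts.append({"rule": rule, "actor": actor,
                           "source_ip": ev.get("sourceIPAddress"), "time": ev.get("eventTime")})
        if ev.get("errorCode") in DENIED_CODES:
            denied[actor] += 1
    for actor, count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            alerts.append({"rule": "access_denied_burst", "actor": actor, "count": count})
    return alerts


def load_trail_file(text):
    """CloudTrail delivers gzip'd JSON files of the form {"Records": [...]}; this takes the decompressed text."""
    return json.loads(text)["Records"]


# Constructed CloudTrail records (fictional account 123456789012, TEST-NET source addresses).
SAMPLE_RECORDS = [
    {"eventTime": "2024-10-02T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-10-02T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
     "sourceIPAddress": "198.51.100.9", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-10-02T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session1"},
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-10-02T08:11:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session2"},
     "sourceIPAddress": "10.0.1.20"},
] + [
    {"eventTime": f"2024-10-02T08:2{i}:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"} for i in range(3)
]
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for alert in run_detections(load_trail_file(SAMPLE_LOG_FILE)):
        print(alert)
```

The StopLogging record is the one to treat as highest priority: an attacker who can switch the trail off blinds every other rule, which is why the trail should live in the log-archive account and be protected by a service control policy. The same four rules can be expressed as CloudWatch Logs metric filters with alarms if no SIEM is in place.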

5. Implement best practices for S3 bucket security

  • Bucket policies: Ensure that S3 bucket policies follow the principle of least privilege, and turn on S3 Block Public Access at account level so that no bucket or object can be made public unless this is absolutely necessary and deliberately exempted.
  • Object Lock and versioning: Versioning keeps earlier versions, so an object that is overwritten or deleted by accident or by an attacker can be restored. Object Lock (which requires versioning) adds a retention period during which an object version cannot be deleted at all, in compliance mode not even by the root user.
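Least privilege (measure 1), enforced MFA (measure 1), TLS enforcement on a bucket (measure 3) and public access (this measure) can all be checked mechanically before a policy is deployed. The following Python is an added example, not the article's or SPIRIT/21's code: a small linter over IAM identity policies and S3 bucket policies, run on a constructed over-broad policy beside its tightened form. The MFA deny statement follows the pattern from the AWS IAM documentation; the bucket name example-app-uploads, the role app-server and the account id are assumptions.

```python
"""Static checks on IAM identity policies and S3 bucket policies before they are deployed."""

READ_ONLY_VERBS = ("Get", "List", "Describe", "Head")
BUCKET = "arn:aws:s3:::example-app-uploads"   # assumed bucket name for the samples below


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_read_only(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_VERBS)


def _principal_is_public(stmt):
    principal = stmt.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def lint_identity_policy(policy):
    """Findings for a user/group/role policy; an empty list means no obvious over-grant."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything not listed")
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' (full administrative access)")
        findings += [f"statement {i}: service-wide wildcard {a}" for a in actions if a.endswith(":*")]
        mutating = [a for a in actions if not _is_read_only(a)]
        if "*" in _as_list(stmt.get("Resource")) and mutating:
            findings.append(f"statement {i}: mutating actions {mutating} on Resource '*'")
    return findings


def has_mfa_guard(policy):
    """True if a Deny statement fires whenever the caller did not authenticate with MFA."""
    for stmt in _statements(policy):
        for op in ("Bool", "BoolIfExists"):
            flag = stmt.get("Condition", {}).get(op, {}).get("aws:MultiFactorAuthPresent")
            if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
                return True
    return False


def lint_bucket_policy(policy):
    """Findings for an S3 bucket policy: public grants and missing TLS enforcement."""
    findings, enforces_tls = [], False
    for i, stmt in enumerate(_statements(policy)):
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt) and not cond:
            findings.append(f"statement {i}: Allow to Principal '*' without any Condition (public)")
        if stmt.get("Effect") == "Deny" and str(cond.get("Bool", {}).get("aws:SecureTransport")).lower() == "false":
            enforces_tls = True
    if not enforces_tls:
        findings.append("no Deny for aws:SecureTransport=false, so plaintext HTTP access is possible")
    return findings


# Constructed sample policies: the over-broad form beside the tightened form.
OVERBROAD_ADMIN = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    # AWS-documented pattern: deny everything except MFA self-enrolment unless MFA was used.
    {"Sid": "DenyAllWithoutMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:ListVirtualMFADevices", "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

HARDENED_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, pol in (("OVERBROAD_ADMIN", OVERBROAD_ADMIN), ("LEAST_PRIVILEGE_WITH_MFA", LEAST_PRIVILEGE_WITH_MFA)):
        print(name, lint_identity_policy(pol), "mfa guard:", has_mfa_guard(pol))
    for name, pol in (("PUBLIC_BUCKET", PUBLIC_BUCKET), ("HARDENED_BUCKET", HARDENED_BUCKET)):
        print(name, lint_bucket_policy(pol))
```

A check like this belongs in the pipeline that deploys IAM and bucket policies (for example as a pre-commit hook on the Terraform or CloudFormation repository); it does not replace Block Public Access or IAM Access Analyzer, which evaluate what the policies actually grant in context, but it catches the obvious cases before they ever reach an account.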

6. Use AWS Web Application Firewall (WAF)

  • WAF rules: Put AWS WAF in front of CloudFront, Application Load Balancers or API Gateway to protect web applications from common attacks such as SQL injection and cross-site scripting (XSS). The AWS managed rule groups provide a sensible baseline; custom rules add rate limiting and geographic restrictions for your specific application.
  • Shield for DDoS protection: AWS Shield Standard is active for every AWS customer at no extra cost and absorbs the common network- and transport-layer DDoS attacks. Consider Shield Advanced for application-layer protection, access to the Shield Response Team and cost protection against scaling caused by an attack.

7. Patch and update regularly

  • Automated patching: Use AWS Systems Manager Patch Manager to automate patch management for EC2 instances, with patch baselines that define which updates are approved and maintenance windows that define when they are applied, and ensure that all software is kept up to date.
  • Amazon Inspector: Use Amazon Inspector to continuously scan EC2 instances, container images in Amazon ECR and Lambda functions for known vulnerabilities and unintended network exposure.

The ‘shared responsibility’ model means that the hyperscaler is responsible for the security OF the cloud, while the customer is responsible for security IN the cloud, in other words for the infrastructure and applications the company builds on it. This means that, exactly as in on-premises operation, you still have to actively manage the update process for every instance on which you install an operating system and applications.

8. Implement data backup and disaster recovery plans

  • Automated backups: Use AWS Backup to automate backup processes for AWS services and ensure that data is backed up regularly and is available for recovery. Copy the backups to a vault in a separate account and protect that vault with AWS Backup Vault Lock, so that an attacker who has taken over the workload account cannot delete the backups as well.
  • Cross-region replication: Consider cross-region replication for critical data to improve disaster recovery capabilities. This is a natural option for organisations that already use AWS services in several regions; otherwise bear in mind that data transfer between regions is charged and has an impact on costs. If only one region is used, replication across additional availability zones (AZs) is a sufficient measure. Replication copies deletions too, so it complements but does not replace backups.

9. Use AWS Config for compliance and security audits

  • Configuration management: Set up AWS Config to record configuration changes and evaluate them against rules, so that you can demonstrate compliance with internal policies and regulatory standards and spot drift (an open security group, an unencrypted volume) shortly after it happens.
  • Conformance packs: Use conformance packs, which bundle Config rules and remediation actions, to check the environment automatically against best practices and security frameworks such as the CIS AWS Foundations Benchmark.

10. Automate incident response

  • Automated response: Use AWS Lambda triggered by Amazon EventBridge (the successor to CloudWatch Events) to automate incident response, for example to isolate a compromised instance automatically when Amazon GuardDuty raises a high-severity finding, or to notify the security team.
  • Runbooks and playbooks: Develop runbooks and playbooks and keep them up to date, so that they guide your team through security incidents and automate the standard procedures.
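The automated isolation just described, as an added example rather than code from the original article or from SPIRIT/21: a Lambda handler that receives a GuardDuty finding from EventBridge, moves every network interface of the affected instance onto a quarantine security group when the severity is high enough, tags the instance and notifies the security team via SNS. The quarantine security group id, the SNS topic ARN and the severity threshold are assumed environment variables, and the boto3 clients are injectable so that the block runs offline against the constructed stand-ins at the bottom.

```python
"""EventBridge-triggered Lambda: quarantine an EC2 instance named in a GuardDuty finding and notify."""
import json
import os

# Assumed configuration, supplied to the function as environment variables.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG_ID", "sg-0123456789abcdef0")  # SG with no inbound or outbound rules
ALERT_TOPIC = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:eu-central-1:123456789012:security-alerts")
MIN_SEVERITY = float(os.environ.get("ISOLATE_MIN_SEVERITY", "7"))  # GuardDuty 'High' and above isolate; lower only notifies


def instance_id_from_finding(event):
    """Instance referenced by a GuardDuty finding delivered through EventBridge, or None."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def isolate_instance(ec2, instance_id, finding_id):
    """Move every network interface of the instance onto the quarantine security group and tag it."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    enis = [ni["NetworkInterfaceId"]
            for r in reservations for inst in r["Instances"] for ni in inst["NetworkInterfaces"]]
    for eni in enis:   # per ENI, so secondary interfaces are covered as well
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[QUARANTINE_SG])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "quarantined"},
        {"Key": "GuardDutyFinding", "Value": finding_id}])
    return enis


def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point. ec2/sns clients are injectable so the logic can be exercised offline."""
    if ec2 is None or sns is None:
        import boto3   # only needed in the real Lambda runtime
        ec2 = ec2 or boto3.client("ec2")
        sns = sns or boto3.client("sns")
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    finding_id = detail.get("id", "unknown")
    instance_id = instance_id_from_finding(event)
    result = {"finding": finding_id, "type": detail.get("type"), "severity": severity,
              "instance": instance_id, "isolated": False, "isolated_enis": []}
    if instance_id and severity >= MIN_SEVERITY:
        result["isolated_enis"] = isolate_instance(ec2, instance_id, finding_id)
        result["isolated"] = True
    sns.publish(TopicArn=ALERT_TOPIC,
                Subject=f"GuardDuty {detail.get('type')} (severity {severity})"[:100],
                Message=json.dumps(result, indent=2))
    return result


# Constructed stand-ins for the boto3 clients so the handler can be run without an AWS account.
class FakeEC2:
    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-0aaa"}, {"NetworkInterfaceId": "eni-0bbb"}]}]}]}

    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_network_interface_attribute", kw))

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


class FakeSNS:
    def __init__(self):
        self.messages = []

    def publish(self, **kw):
        self.messages.append(kw)


def sample_finding(severity, finding_type):
    """Constructed EventBridge event in the shape GuardDuty uses for EC2 findings."""
    return {"detail-type": "GuardDuty Finding", "detail": {
        "id": "finding-0001", "type": finding_type, "severity": severity,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}


if __name__ == "__main__":
    ec2, sns = FakeEC2(), FakeSNS()
    print(handler(sample_finding(8, "Backdoor:EC2/C&CActivity.B!DNS"), ec2=ec2, sns=sns))
    print(handler(sample_finding(2, "Recon:EC2/PortProbeUnprotectedPort"), ec2=ec2, sns=sns))
```

Two caveats belong in the runbook that accompanies this function: the Lambda role needs only ec2:DescribeInstances, ec2:ModifyNetworkInterfaceAttribute, ec2:CreateTags and sns:Publish (least privilege applies to the responder too), and swapping security groups stops new connections but, because of security group connection tracking, established flows are not guaranteed to be cut immediately, so the playbook should continue with an EBS snapshot for forensics and a decision on termination.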

By following these recommendations, you can significantly strengthen the security posture of your AWS environment and ensure that your cloud infrastructure is resilient to both internal and external threats. Implementing these measures is not always easy and can quickly become complex when combined. Our teams will help you define and implement the right measures for you and guide you in setting up sustainable processes to continuously improve security.

Thomas Strigel

Business Development Managed Solutions and Consulting, SPIRIT/21

Thomas is an all-rounder when it comes to managed services and cloud solutions. He is always willing to listen to your questions and suggestions.
