Securing Business Critical and Complex workloads in AWS Cloud

Guruprakash S
7 min read · Jul 16, 2021

Before we delve into “how do we secure” the AWS workloads, let’s understand the complexities involved.

· Hybrid/Multi Accounts — A hybrid architecture brings its own complexity, because you have to deal with both on-premise and public cloud and manage different application components. Having multiple accounts brings complexity as well as significant benefits.

· Delivery Pipeline — If you are managing AWS accounts, you probably have development, staging and production accounts, which brings some complexity of its own.

· Internet Facing — From a security perspective, a public-facing environment running an e-commerce application has inherent complexity.

· Compliance & Regulatory Requirements — Scenarios where there are a lot of compliance requirements, e.g. PCI-DSS, HIPAA.

Let’s look at some survey responses that highlight enterprise cloud strategy and challenges.

Source — Flexera 2021 State of the Cloud Report

Breaches happen quickly and usually go undiscovered for months. The following trends underscore the importance of addressing breaches.

Source IBM Security — Cost of a Data Breach Report

It is critical to focus on both the pre-breach and post-breach phases. If you focus on both equally, you reduce the likelihood of successful attacks and reduce the impact of the attacks that do succeed.

Image Credit — Alert Logic

Solution:

Before we delve into the secured architecture, let’s understand some of the fundamental elements in securing AWS workloads. There are two things we really have to start with: the AWS Shared Responsibility Model and the Well-Architected Framework. AWS provides good information about how responsibilities are divided between the cloud service provider (CSP) and the cloud service consumer (CSC). If you are building a new system or migrating an on-premise system onto the AWS cloud, it is recommended to go through the AWS Well-Architected Framework and implement its best practices.

a) AWS Shared Responsibility Model:

Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.

AWS Shared Responsibility Model

b) AWS Well-Architected Framework:

The AWS Well-Architected Framework helps you understand the pros and cons of decisions you make while building systems on AWS. By using the Framework you will learn architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud.

Well Architected Framework

The AWS Well-Architected Framework is based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization. In the context of this topic, the security pillar encompasses the ability to protect data, systems, and assets to take advantage of cloud technologies to improve your security.

Key elements of Well Architected Framework

Following are the seven design principles defined for security in the cloud.

1. Implement a strong identity foundation

2. Enable traceability

3. Apply security at all layers

4. Automate security best practices

5. Protect data in transit and at rest

6. Keep people away from data

7. Prepare for security events

When architecting the solution, the starting point from a security perspective is to understand the security boundaries. This is for two reasons:

1) It helps us understand the risk within the environment (based on RAG status)

2) It enables us to make decisions quickly

Run an inventory and categorize the workloads, segmenting environments based on the organization and security of the data. Then consider these parameters:

  • Environment type
  • Regulatory scope
  • Change control requirements and application
  • Infrastructure tiers

Risk Classification

Environments can be deliberately classified as red to provide operational flexibility to the team while maintaining security. Following are the zone classifications.

Red Zone

i) Must not be connected directly to green environment

ii) Must not contain company or customer sensitive/confidential data

iii) If connecting to another environment must use rigorous security controls

Amber Zone

i) If connected to a green environment, only a limited set of connectivity controls can be used in a specific way

ii) Requires robust change control procedures

Green Zone

i) Must not be connected directly to a red environment

ii) Requires rigorous change control procedures

How can AWS Security Services solve the security issue?

When thinking about security boundaries, or while designing or migrating applications, it is highly recommended to consider these AWS Security services.

AWS Security Services

The section below broadly covers the external standards and guidance that practitioners can leverage, such as the NIST Framework and the CIS Benchmarks for AWS. AWS provides “security of the cloud”, while consumers are responsible for “security in the cloud”.

What is the NIST Cybersecurity Framework?

A voluntary framework composed of best practices to help organizations of any size and in any sector improve the cybersecurity, risk management, and resilience of their systems.

  • Common taxonomy to align an organization’s business drivers and security considerations specific to its use of technology
  • Uses existing standards to scale across borders, evolve with technological advances and business requirements, and provide economies of scale
  • Originally intended for critical infrastructure, but applicable across all organization types

How the NIST Cybersecurity Framework can help improve the cybersecurity and resilience of AWS workloads

The NIST Cybersecurity Framework is a powerful tool to organize and improve your cybersecurity program. The framework categorizes all cybersecurity capabilities, projects, processes, and daily activities into these 5 core functions:

NIST Cybersecurity Framework

The below table summarizes how AWS Security Services are aligned to NIST Cybersecurity Framework.

Alignment of AWS Security Services with NIST Framework

What are CIS Benchmarks?

CIS Benchmarks, published by the Center for Internet Security (CIS), are documented industry best practices for securely configuring IT systems, software, and networks. Currently, there are more than 140 CIS Benchmarks in total, spanning across seven core technology categories. CIS Benchmarks are developed through a unique consensus-based process involving communities of cybersecurity professionals and subject matter experts around the world, each of which continuously identifies, refines, and validates security best practices within their areas of focus.

Aligning AWS IAM Access Management with CIS Benchmark:

One of the sections covered in the AWS CIS Foundation Benchmark relates to Identity and Access Management. The following are its IAM recommendations.

  • Avoid the use of the “root” account (Scored)
  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a password (Scored)
  • Ensure credentials unused for 90 days or greater are disabled (Scored)
  • Ensure access keys are rotated every 90 days or less (Scored)
  • Ensure IAM password policy requires at least one uppercase letter (Scored)
  • Ensure IAM password policy requires at least one lowercase letter (Scored)
  • Ensure IAM password policy requires at least one symbol (Scored)
  • Ensure IAM password policy requires at least one number (Scored)
  • Ensure IAM password policy requires minimum length of 14 or greater (Scored)
  • Ensure IAM password policy prevents password reuse (Scored)
  • Ensure IAM password policy expires passwords within 90 days or less (Scored)
  • Ensure no root account access key exists (Scored)
  • Ensure MFA is enabled for the “root” account (Scored)
  • Ensure hardware MFA is enabled for the “root” account (Scored)
  • Ensure security questions are registered in the AWS account (Not Scored)
  • Ensure IAM policies are attached only to groups or roles (Scored)
  • Maintain Current contact details (Not Scored)
  • Ensure Security contact information is registered (Not Scored)
  • Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
  • Ensure a support role has been created to manage incidents with AWS Support (Scored)
  • Do not set up access keys during initial user setup for all IAM users that have a console password (Not Scored)
  • Ensure IAM policies that allow full “*:*” administrative privileges are not created (Scored)
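
Several of the scored recommendations above can be checked mechanically. The following is an added example, not part of the original article or of any AWS or CIS tooling: it evaluates an IAM password policy and credential report rows against the 14-character, MFA, root access key and 90-day items. The dictionary keys and CSV columns follow IAM's account password policy and credential report (trimmed to the columns used, first access key only); the function names and all sample data are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # the 90-day threshold used by the recommendations above
NOW = datetime(2021, 7, 16, tzinfo=timezone.utc)  # fixed date so the sample is reproducible

# Constructed sample data in the shape IAM returns; not taken from a real account.
PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                   "RequireLowercaseCharacters": True, "RequireSymbols": False,
                   "RequireNumbers": True, "MaxPasswordAge": 90}
CREDENTIAL_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,not_supported,2021-07-01T09:00:00+00:00,false,true,2020-01-15T00:00:00+00:00
alice,true,2021-07-10T08:30:00+00:00,true,true,2021-06-01T00:00:00+00:00
bob,true,2021-02-01T12:00:00+00:00,false,true,2021-01-05T00:00:00+00:00
"""

def age_days(stamp, now):
    try:  # report timestamps are ISO-8601; "N/A" or "no_information" mean no date
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return 0

def audit_password_policy(policy):
    checks = [(policy.get(key), f"{key} not enforced") for key in (
        "RequireUppercaseCharacters", "RequireLowercaseCharacters",
        "RequireSymbols", "RequireNumbers")]
    checks += [
        (policy.get("MinimumPasswordLength", 0) >= 14, "minimum length below 14"),
        (policy.get("PasswordReusePrevention"), "password reuse not prevented"),
        (0 < policy.get("MaxPasswordAge", 0) <= MAX_AGE_DAYS, "passwords do not expire within 90 days"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit_credentials(report_csv, now):
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, root = row["user"], row["user"] == "<root_account>"
        has_pw, has_key = row["password_enabled"] == "true", row["access_key_1_active"] == "true"
        key_age, idle = (age_days(row[col], now) for col in ("access_key_1_last_rotated", "password_last_used"))
        checks = [
            ((root or has_pw) and row["mfa_active"] != "true", "MFA not enabled"),
            (root and has_key, "root access key exists"),
            (not root and has_key and key_age > MAX_AGE_DAYS, "access key older than 90 days"),
            (not root and has_pw and idle >= MAX_AGE_DAYS, "password unused for 90+ days"),
        ]
        findings += [(user, msg) for failed, msg in checks if failed]
    return findings
```

A password that has never been used appears as `no_information` in the report and produces no finding here; a fuller check would fall back to the `password_last_changed` column.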

Free Learning Resources from AWS:

AWS Security Fundamentals

AWS Security Hub Primer

Deep Dive with Security: AWS Identity and Access Management (IAM)

Cloud Audit Academy — Cloud Agnostic

Please feel free to reach me at guruprakash@outlook.com with any comments or queries on this topic, and stay tuned for my next write-up.

Thank You!

Guruprakash S

Lead Cloud Architect | Hybrid Cloud Services | IBM GBS