AWS Security Best Practices – 15 Key Technologies

Many companies have found infrastructure as a service (IaaS) to be a valuable solution. Today’s startups don’t have to worry about buying servers, racks, HVAC systems, and all the other hassles associated with hosting their own IT infrastructure. Many companies adopt IaaS because of its ease of use.

In this instance, however, the expression “out of sight, out of mind” is very applicable. It is easy for companies to neglect infrastructure they cannot see. Many people take the attitude of “the provider will take care of it,” but that is simply not true: while your provider is responsible for some elements of your infrastructure, providers such as Amazon clearly state that security is a shared responsibility.

Amazon Shared Responsibility Model

Companies must play a part in protecting their infrastructure. These are the most important things to remember when you secure your AWS infrastructure.

AWS Inspector

Before I get into architecture, let me start by highlighting some of the most valuable tools AWS offers. AWS Inspector can be used to perform vulnerability assessments on your resources. It is well maintained and regularly updated by Amazon.

AWS Config

This tool is excellent for ensuring compliance. It allows you to assess, audit, and monitor whether your AWS resource configurations match your desired configurations.

Amazon CloudWatch

CloudWatch is the AWS monitoring tool that monitors everything in AWS. It collects logs, events, and metrics from your environment to give you a good overview of what’s happening. When combined with SNS, it can be set up to listen for specific events and send notifications via email or SMS. CloudWatch can also be combined with Lambda functions to perform remediation actions automatically when certain events occur, for example scaling out EC2 instances under high usage.

GuardDuty

GuardDuty is a managed threat detection service that uses machine learning to analyze logs across your infrastructure in order to detect potential signs of attack. It looks for compromised accounts, reconnaissance, compromised instances, and compromised ports.

Amazon SNS

Amazon Simple Notification Service provides managed messaging for system-to-system and person-to-person communication. You can combine it with Amazon CloudWatch Events to send emails when certain events occur.

AWS Lambda

AWS Lambda is an event-driven serverless computing platform. This simply means that you can run code without provisioning an EC2 instance. A function can also be set to run automatically in response to certain events, which allows you to trigger automatic remediation in your AWS environment based on events you have predefined.

For example, suppose you need to verify that an S3 bucket’s configuration meets compliance. AWS Config monitors the bucket. If it isn’t in compliance, Config raises an Amazon CloudWatch Event. This event can trigger a Lambda function that corrects the bucket and sends an email notification to your administrator through SNS. The diagram below shows how it works:

Amazon has a great article here if you need more information.
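The Config → CloudWatch Events → Lambda → SNS pipeline above, as an added example (not code from the original article): a Lambda handler that reads a Config compliance-change event, enables default SSE-S3 encryption on the non-compliant bucket, and publishes a notification. The topic ARN is a placeholder, the event is a constructed sample, and the `s3`/`sns` parameters are an assumption added so the logic can be tested without AWS credentials.

```python
import json
import os

# Topic ARN is a placeholder; in Lambda it would come from an environment variable (assumption).
TOPIC_ARN = os.environ.get("TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT_ID:PLACEHOLDER_TOPIC")

# Constructed sample of a Config compliance-change event as delivered by CloudWatch Events.
SAMPLE_EVENT = {
    "detail": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    }
}

def parse_event(event):
    """Return (bucket_name, compliance_type), or (None, None) if not an S3 bucket finding."""
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return None, None
    compliance = detail.get("newEvaluationResult", {}).get("complianceType")
    return detail.get("resourceId"), compliance

def remediate_bucket(bucket, s3):
    """Turn on default server-side encryption (SSE-S3, AES256) for the bucket."""
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        },
    )

def handler(event, context=None, s3=None, sns=None):
    """Lambda entry point; s3/sns clients are injectable so the logic can be tested offline."""
    if s3 is None or sns is None:
        import boto3  # imported lazily: only needed when running inside Lambda
        s3 = s3 or boto3.client("s3")
        sns = sns or boto3.client("sns")
    bucket, compliance = parse_event(event)
    if bucket is None or compliance != "NON_COMPLIANT":
        return {"action": "none", "bucket": bucket}  # nothing to fix, stay quiet
    remediate_bucket(bucket, s3)
    sns.publish(TopicArn=TOPIC_ARN, Subject="S3 bucket remediated",
                Message=json.dumps({"bucket": bucket, "fix": "default SSE-S3 enabled"}))
    return {"action": "remediated", "bucket": bucket}
```

In production the function’s role needs only `s3:PutEncryptionConfiguration` on the buckets in scope and `sns:Publish` on the one topic.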

AWS Security Architecture

Network Segmentation

Place every segment in its own VPC. This ensures that, if an outbreak occurs, it affects only the systems within that VPC and not the rest of your environment.

Security Groups

A security group is a collection of logical rules that are applied at subnet level. These rules limit access to instances within a VPC based on source IP address, protocol, and destination port. Security groups are stateful: return traffic is allowed even if there is no explicit rule for it.
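An added example (not from the original article) of the kind of check the rules above invite: scan security-group ingress rules for sources open to the whole Internet and report which sensitive ports that exposes. The input is shaped like the `SecurityGroups` list returned by EC2 `DescribeSecurityGroups`; the sample groups and the sensitive-port list are constructed assumptions.

```python
# Port numbers whose exposure to the Internet is almost always worth a finding (assumption).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like the SecurityGroups list of a DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def _port_range(perm):
    """Protocol "-1" means all traffic and carries no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def open_ingress_findings(groups):
    """One finding per (group, rule, source) where the source is the whole Internet."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            lo, hi = _port_range(perm)
            for src in sources:
                if src not in ANYWHERE:
                    continue  # a specific CIDR is what the rule is supposed to look like
                exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
                findings.append({"group": group["GroupId"], "ports": (lo, hi),
                                 "source": src, "sensitive": exposed})
    return findings

if __name__ == "__main__":
    for finding in open_ingress_findings(SAMPLE_GROUPS):
        print(finding)
```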

Access Control List

An access control list is a collection of logical rules that are applied at the VPC level. These rules restrict access to your resources. ACLs do not automatically allow return traffic and are not stateful.

Routing tables

Routing tables are the central mechanism that lets resources in a VPC reach other resources. A routing table acts like an address book: it points a resource at the destination IPs that have been added to it. You can prevent unauthorized connections by adding to the routing table only the minimum set of destinations a resource must reach.

Resource Policies

AWS resource policies are rules attached to AWS resources, such as an S3 bucket, that restrict access to certain elements of the resource. Whether someone can access the resource is decided by the policy that is applied, so it is best to keep the policy narrow and allow only the access that is necessary.

Identity and Access Management

IAM policies are rules that you apply to user accounts. They limit which actions a user can perform in AWS. Grant each user access only to the resources they need and remove all other privileges.

IAM also applies to AWS Lambda functions. A role is an IAM entity that lets you give access to programs rather than people. Restrict what each role can do and limit the time for which it can be assumed, so that the role is only used for the actions it needs.
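An added example (not from the original article) that turns the two rules above into checks: lint an IAM policy document for statements that grant more than least privilege, and check a role for a broad trust policy or a long maximum session. The role dict follows the shape of the IAM `GetRole` response; the sample policy and role are constructed, and the 3600-second threshold is an assumption.

```python
def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def policy_findings(policy):
    """Flag Allow statements that grant more than least privilege."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "negated field grants the complement of what is listed"))
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                findings.append((i, "wildcard action"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide action {action}"))
        if "*" in _as_list(st.get("Resource", [])) and not st.get("Condition"):
            findings.append((i, "unscoped resource '*' without a Condition"))
    return findings

def role_findings(role, max_session_seconds=3600):
    """Check a role (shape of IAM GetRole output) for broad trust and long sessions."""
    findings = []
    duration = role.get("MaxSessionDuration", 3600)  # IAM default is one hour
    if duration > max_session_seconds:
        findings.append(f"MaxSessionDuration {duration}s exceeds {max_session_seconds}s")
    for st in _as_list(role.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("trust policy allows any principal to assume the role")
    return findings

# Constructed samples, not real account data.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutEncryptionConfiguration"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
SAMPLE_ROLE = {"RoleName": "remediation-role", "MaxSessionDuration": 43200,
               "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                   {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                    "Action": "sts:AssumeRole"}]}}
```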

Load Balancing

AWS has two types of load balancers: Network Load Balancers and Application Load Balancers. Load balancers play a crucial role in helping to prevent denial-of-service (DoS/DDoS) situations, where your infrastructure becomes overwhelmed and is no longer available to your customers. They distribute traffic more evenly so that no single component is overloaded. AWS also includes AWS Shield, which is specifically designed to protect your infrastructure from DDoS attacks; the premium version also gives you 24/7 access to support if you have any issues.

Encryption

AWS offers many features for encrypting data in transit and at rest. This applies mostly to S3 buckets when you host something that other people need access to. Ensure that encryption at rest is enabled by default, that uploaders are required to encrypt their data, and that encryption in transit is enforced.
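An added example (not from the original article) that serves both the resource-policy section and the encryption requirements just stated: a bucket policy that denies requests over plain HTTP and uploads without server-side encryption, plus a small evaluator for the two condition operators that policy uses. The evaluator handles only `Bool` and `Null` conditions and `s3:*`-style action matching, which is an assumption; it is not a general IAM policy engine, and the bucket name is a placeholder.

```python
def encryption_enforcing_policy(bucket):
    """Bucket policy: deny any request over plain HTTP and any upload without SSE."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, arn + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}

def _action_matches(pattern, action):
    """Exact names and the 's3:*' form only; enough for the two statements above."""
    return pattern == action or (pattern.endswith(":*") and action.startswith(pattern[:-1]))

def _conditions_hold(condition, ctx):
    """Evaluate only the Bool and Null operators; every key in the block must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            value = ctx.get(key)
            if operator == "Bool" and value != expected:
                return False
            # Null "true" means "the key is absent from the request"
            if operator == "Null" and (value is None) != (expected == "true"):
                return False
    return True

def denying_statement(policy, action, secure_transport, sse_header):
    """Return the Sid of the Deny statement that blocks the request, or None if allowed."""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false",
           "s3:x-amz-server-side-encryption": sse_header}
    for st in policy["Statement"]:
        if (st["Effect"] == "Deny" and _action_matches(st["Action"], action)
                and _conditions_hold(st.get("Condition", {}), ctx)):
            return st["Sid"]
    return None

if __name__ == "__main__":
    policy = encryption_enforcing_policy("PLACEHOLDER-BUCKET")
    print(denying_statement(policy, "s3:PutObject", True, None))      # DenyUnencryptedUploads
    print(denying_statement(policy, "s3:GetObject", False, None))     # DenyInsecureTransport
    print(denying_statement(policy, "s3:PutObject", True, "AES256"))  # None
```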

Defense in Depth

Taken together, these technologies are a good example of defense in depth. Secure cloud architectures need multiple, overlapping defenses so that the failure of any one control does not expose your resources. Multiple layers of security protect everything with no single point of failure.

You want failsafes in place for when something goes wrong. First, use automated remediation, such as Lambda, so that even if a misconfiguration slips through it is corrected without your having to do anything.

Second, you want proper monitoring, logging, and notifications, as described above for CloudWatch and SNS. This ensures that you are notified immediately if anything goes wrong and that you have a trail of information to help you trace the source of the problem and fix it quickly.