Waf Charm

AWS security best practice

【Table of contents】

  1. Introduction
  2. Best practices for opening an account
  3. Best practices during service design and construction
  4. Best practices after the service is released
  5. Conclusion
  • 1. Introduction

    We're going to describe AWS security best practices, which can be found in the following white paper.

    AWS Security Best Practices
    https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

    However, since this PDF is 100 pages long, this article will describe what you need to be aware of in terms of security in the following three phases.
    ・Opening an account
    ・Service design to construction
    ・After the release of the service
    Let's take a look at AWS security best practices.
     

  • 2. Best practices for opening an account

    Here are some best practices for opening an account.

    • a) Things to understand before opening an account

      Before you open an account, understand AWS's shared responsibility model. The shared responsibility model defines where AWS's responsibility ends and the user's begins. For example, data centers and other facilities are managed by AWS, so users are not responsible for them. Conversely, for IaaS such as EC2, everything from the OS upward is the user's responsibility, and security measures such as periodic patching are necessary.

       ※The shared responsibility model is described in detail at the following page.
       https://aws.amazon.com/compliance/shared-responsibility-model/
       

    • b) Account design

      Design your account structure before you open accounts. Account design is hard to change once the service is live, so do the design first. It is recommended to split into several accounts, such as an audit account that collects logs and a payment account that consolidates charges, and to distribute authority between them. You can implement your account design using a service called AWS Organizations.
       

    • c) Configure the root account and CloudTrail

      When the account is opened, the root user is issued. Once it has been issued, carry out the following four things.

      • ・Set the MFA (Multi-Factor Authentication)
        External dictionary attacks can be largely prevented by setting this up.
         
      • ・Deleting or disabling access keys and secret keys
        In order to operate AWS with commands, access keys and secret keys are required, but if these keys are leaked, they can cause a lot of damage. AWS recommends deleting or deactivating them, so please delete them as soon as possible after creating an account.
         
      • ・Create an IAM user for administrators
        It is not recommended to operate the account as the root user; once you have configured MFA and removed the access key, create an IAM user for day-to-day operations and log back in as that IAM user.
         
      • ・Configuration of CloudTrail
        Enable CloudTrail after logging back in as the administrative IAM user. CloudTrail records the operations performed in your AWS account. For example, if your account is hijacked through unauthorized external access and operations are performed, they will all be recorded in CloudTrail.
         
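The four steps above leave a trail that is only useful if someone looks at it. The following script is an added example (not code from the WafCharm post or from AWS) that reads a CloudTrail log file body and flags the events these steps are meant to prevent: any root-user activity, console logins without MFA, access keys being created for root, and attempts to stop or delete the trail itself. The sample records, account id, ARNs and IP addresses are constructed placeholders.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List

# Constructed sample records in the shape CloudTrail writes to S3 ({"Records": [...]}).
# Account id, ARNs, IP addresses and timestamps are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "arn": "arn:aws:iam::111122223333:user/admin"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-11T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "dev1",
                      "arn": "arn:aws:iam::111122223333:user/dev1"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-11T08:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "dev1",
                      "arn": "arn:aws:iam::111122223333:user/dev1"}},
    {"eventTime": "2024-01-11T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0123"}},
]})

# CloudTrail API calls that switch the audit log off.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail"}


def load_records(text: str) -> List[Dict[str, Any]]:
    """Parse one CloudTrail log file body (JSON with a top-level "Records" list)."""
    return json.loads(text).get("Records", [])


def analyze(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious property; a single record may yield several."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        base = {"time": rec.get("eventTime", ""), "actor": ident.get("arn", "unknown"),
                "event": rec.get("eventName", ""), "ip": rec.get("sourceIPAddress", "")}
        if ident.get("type") == "Root":
            # Once an administrative IAM user exists, any root activity deserves a look.
            findings.append({**base, "kind": "ROOT_ACTIVITY"})
            if rec.get("eventName") == "CreateAccessKey":
                findings.append({**base, "kind": "ROOT_ACCESS_KEY_CREATED"})
        if rec.get("eventName") == "ConsoleLogin":
            # signin events carry MFAUsed = "Yes" / "No" in additionalEventData.
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append({**base, "kind": "CONSOLE_LOGIN_WITHOUT_MFA"})
        if rec.get("eventName") in TRAIL_TAMPERING:
            findings.append({**base, "kind": "CLOUDTRAIL_TAMPERING"})
    return findings


def summarize(findings: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by kind, e.g. for a daily report."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in analyze(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['kind']:26} {f['event']:16} {f['actor']} from {f['ip']}")
```

In a real account the same checks are usually wired to CloudWatch Logs metric filters or EventBridge rules rather than run by hand, but the conditions are exactly these: `userIdentity.type == "Root"`, `MFAUsed != "Yes"` on `ConsoleLogin`, and the trail-management event names.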
  • 3. Best practices during service design and construction

    We will describe best practices during service design and construction. Here are two basics to watch out for:
    ・Minimize "permission".
    ・Encrypt the data.

    • a) Design of the network

      This section describes network design. Consider the following three points.

      • ・Basically, use one VPC per service.
      • ・Minimize the communication that is allowed in the security group.
      • ・Scrutinize which servers you place on public and private subnets. For example, servers running critical applications should be placed in a private subnet.
         
    • b) IAM

      This section describes IAM. Consider the following four points.

      • ・Disable the access key and secret key for IAM users after creating them.
      • ・Minimize the permissions given to IAM roles and IAM users.
      • ・When you want to give permissions to services such as EC2, attach the IAM role.
      • ・When linking with an external account, grant the authority through AssumeRole on an IAM role, and do not link the accounts with an IAM user or access key unless there is a very compelling reason.
         
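"Minimize the permissions" is easier to state than to check. The script below is an added example (not the WafCharm post's or AWS's code) that shows a typical over-broad identity policy beside a least-privilege equivalent, plus an open versus a scoped role trust policy for the cross-account AssumeRole case, and runs simple checks over them. The bucket name, account id and external id are placeholders; the read-only action prefixes and the expectation of an `sts:ExternalId` condition on an external trust are this example's own assumptions, so treat the output as review hints, not a verdict.

```python
from typing import Any, Dict, List

# Constructed example of the policy that often gets attached "to make it work".
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege equivalent for an app that only uses one bucket (placeholder name).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-bucket"},
    ],
}

# Constructed trust policies for a role that an external (partner) account assumes.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999988887777:root"},  # placeholder partner account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Assumption: actions with these API-name prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return _as_list(policy.get("Statement"))


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Least-privilege violations in an identity policy, one message per problem."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: '{action}' allows every action of that service")
        if "*" in resources:
            writes = [a for a in actions
                      if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
            if writes:
                findings.append(f"statement {i}: non-read actions {writes} on Resource '*'")
    return findings


def trust_policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Checks for a role trust policy meant for a specific external account."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        if "*" in aws_principals:
            findings.append(f"statement {i}: any AWS account may assume this role")
        condition = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in condition.values() if isinstance(v, dict)):
            findings.append(f"statement {i}: external trust without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, policy_findings(pol) or "no findings")
    for name, pol in [("open trust", OPEN_TRUST_POLICY), ("scoped trust", SCOPED_TRUST_POLICY)]:
        print(name, trust_policy_findings(pol) or "no findings")
```

The scoped trust policy is what "pass the authority to the IAM role's AssumeRole" looks like in practice: the partner's account id is the only principal, and the external id stops a third party from tricking the partner into assuming your role on its behalf.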
    • c) Encryption of the data

      The data you store should be encrypted. For example, if you store critical data in EBS, RDS, or S3, enable encryption; AWS automatically rotates the encryption key, which gives you a secure implementation. You may also want to consider using KMS.
       

    • d) Protection of services

      Prepare for application attacks and DDoS with AWS WAF and AWS Shield. They are inexpensive and easy to implement. Note that AWS does not currently provide an anti-malware service; we recommend using a third-party product that can scan for malware if necessary.
       

    • e) Use of Systems Manager

      With Systems Manager you can implement the following security measures, so it is a good idea to consider using it from the construction phase.
       ・You can access servers without SSH, so the security group can be configured not to allow SSH from the Internet.
       ・You can automatically apply patches to servers.
       ・The user IDs and passwords for accessing RDS can be kept secret, so there is no need to write them in plain text in the application.
       

    • f) Use of Trusted Advisor

      Trusted Advisor allows you to check the security group to see if any unwanted ports are open. It's a good idea to use it as a final check before releasing the service.
       
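Sections a) and f) both come down to the same question: which security group rules let the Internet reach a port that only the web listener should expose? The following script is an added example (not the WafCharm post's or AWS's code) that runs that check over the shape of `aws ec2 describe-security-groups` output, flagging world-open non-web ports and any "all protocols" rule. The group ids, CIDRs and the list of acceptable public ports (80 and 443) are this example's assumptions.

```python
from typing import Any, Dict, List, Optional, Set

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields this audit uses. Group ids and CIDRs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},
]

# Assumption: only the public web listener ports may be reachable from the Internet.
ALLOWED_PUBLIC_PORTS: Set[int] = {80, 443}
WORLD = ("0.0.0.0/0", "::/0")


def _cidrs(perm: Dict[str, Any]) -> List[str]:
    """IPv4 and IPv6 source ranges of one rule (referenced groups are not CIDRs)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _ports(perm: Dict[str, Any]) -> Optional[Set[int]]:
    """Ports covered by a rule; None means every port (IpProtocol "-1").
    For ICMP rules AWS stores type/code in the port fields, so -1 may appear."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit_security_groups(groups: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """HIGH: Internet can reach a non-web port. MEDIUM: all protocols from some range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            ports = _ports(perm)
            for cidr in _cidrs(perm):
                base = {"group": group["GroupId"], "name": group.get("GroupName", "")}
                if cidr in WORLD:
                    if ports is None:
                        findings.append({**base, "severity": "HIGH",
                                         "detail": f"all protocols and ports open to {cidr}"})
                    else:
                        exposed = sorted(ports - ALLOWED_PUBLIC_PORTS)
                        if exposed:
                            findings.append({**base, "severity": "HIGH",
                                             "detail": f"ports {exposed} open to {cidr}"})
                elif ports is None:
                    findings.append({**base, "severity": "MEDIUM",
                                     "detail": f"all protocols allowed from {cidr}"})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']} ({f['name']}): {f['detail']}")
```

Rules whose source is another security group (like the app group's 8080 from the load balancer group) are the pattern the post recommends and are not flagged; the audit only looks at CIDR sources.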

  • 4. Best practices after the service is released

    We will explain security best practices after the service is released. It is important to continuously improve your security measures.

    • a) Reporting

      Review the usage history of IAM users, delete unnecessary privileges, and remove users who are no longer using the account. You should also consider periodically analyzing VPC Flow Logs and blocking any suspicious IP addresses with the network ACL.
       
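The flow-log review described above, as an added example (not the WafCharm post's or AWS's code): it parses VPC Flow Log lines in the default version 2 format, finds public sources that were rejected on many different destination ports in the window, and builds the parameters for the corresponding network ACL deny entries so an operator can review them before applying. The log lines, account id, addresses, the internal network list and the distinct-port threshold are this example's own constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Any, Dict, List

# Constructed VPC Flow Log lines in the default (version 2) format:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# Account id, interface id and addresses are placeholders.
SAMPLE_LOG = """\
2 111122223333 eni-0abc1234 198.51.100.23 10.0.1.10 54321 22 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.23 10.0.1.10 54322 23 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.23 10.0.1.10 54323 445 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.23 10.0.1.10 54324 3389 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.23 10.0.1.10 54325 8080 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.23 10.0.1.10 54326 8443 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 203.0.113.5 10.0.1.10 40000 443 6 20 3000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc1234 203.0.113.5 10.0.1.10 40001 22 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 10.0.2.20 10.0.1.10 50000 8080 6 5 600 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc1234 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Assumptions: these ranges are our own VPCs (handled by security groups, not the NACL),
# and a public source rejected on this many distinct ports in one window is treated as a scan.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISTINCT_PORT_THRESHOLD = 5


def parse_flow_log(text: str) -> List[Dict[str, str]]:
    """Parse version-2 flow log lines; NODATA / SKIPDATA lines carry no traffic fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def suspicious_sources(records: List[Dict[str, str]]) -> List[str]:
    """Public sources whose REJECTed flows hit at least DISTINCT_PORT_THRESHOLD ports."""
    rejected_ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and not _is_internal(rec["srcaddr"]):
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    return sorted(ip for ip, ports in rejected_ports.items()
                  if len(ports) >= DISTINCT_PORT_THRESHOLD)


def nacl_deny_entries(sources: List[str], first_rule_number: int = 100) -> List[Dict[str, Any]]:
    """CreateNetworkAclEntry parameters for review; deny rules must be numbered below
    the existing allow rules, because the NACL is evaluated in rule-number order."""
    return [{"RuleNumber": first_rule_number + i, "Protocol": "-1", "RuleAction": "deny",
             "Egress": False, "CidrBlock": f"{ip}/32"} for i, ip in enumerate(sources)]


if __name__ == "__main__":
    sources = suspicious_sources(parse_flow_log(SAMPLE_LOG))
    for entry in nacl_deny_entries(sources):
        print(entry)
```

The single rejected SSH attempt from 203.0.113.5 stays below the threshold, which is the point of counting distinct ports rather than raw rejects: one stray connection from a legitimate client should not earn a deny rule.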

  • 5. Conclusion

    This article has covered AWS security best practices and what you need to do in each phase, from account design to after the service is released, to keep your AWS environment secure. Depending on your requirements, you should also use third-party products to implement stronger security measures.