Amazon Web Services Security Guide
With the increasing capacity and wide variety of cloud services, Amazon Web Services has become the most popular choice for many enterprises and organizations, helping enterprises to provide scalability and economic storage in cloud computing.
AWS’s security is based on a shared responsibility model: Amazon provides the infrastructure and security, and users are responsible for maintaining the security of the applications they run on. This model allows users to gain greater control over their traffic and data, encouraging users to be more proactive. However, before moving on to the application migration process, it’s a good idea to take a look at the following tips to help users get the most out of security in AWS and the internal environment.
Understanding the security group concept
Amazon provides a virtual firewall function to filter the traffic flowing through your cloud segment; however, the AWS firewall is managed in a slightly different way than a traditional firewall. The central component of the AWS firewall is the ‘security group’, which is basically equivalent to the policy that other firewall vendors call, that is, the set of rules. However, there are key differences between security groups and traditional firewall policies, and this needs to be fully realized.
First, there are no ‘actions’ in the AWS rules that traffic is allowed or abandoned. This is because all of AWS’s rules are positive and always allow designated traffic to pass – unlike traditional firewall rules.
Second, AWS rules allow you to specify a traffic source or destination address—the two rules are different. For inbound rules, the source address declares where the traffic comes from, but does not require the destination address to tell where it is going. The outbound rule is the opposite: you can specify the destination address instead of the source address. The reason for this is that the AWS security group will always automatically set the unspecified end (source or destination address, depending on the situation) for the instance of the application.
AWS gives you a lot of flexibility in applying rules. A security group can be applied to multiple instances just as you can apply a traditional security policy to multiple firewalls. AWS also allows you to reverse: Applying multiple security groups to the same instance means that the instance inherits rules from all its associated security groups. This is one of the many features Amazon offers, allowing you to create security groups for specific features or operating systems and then mix and match them to suit your business needs.
Manage outbound traffic
AWS will, of course, manage outbound traffic, but management is somewhat different from the usual approach, so keep an eye out. During the initial setup process, AWS users are not automatically directed to outbound traffic settings. By default, all outbound traffic is allowed.
Obviously, this is an unsafe setting that can lead to company data loss, so it is recommended to create rules that only allow you to specify outbound traffic to protect really critical data. Since the AWS Setup Wizard does not automatically boot for outbound settings, you have to manually create and apply these rules.
Audit and compliance
Once you start using AWS in your products, you have to remember that these applications are now under the eye of compliance and internal auditing. Amazon does offer some built-in features to assist with compliance and auditing: Amazon CloudWatch, similar to instance health monitors and log servers, and Amazon CloudTrail, which records and audits your API calls. However, if you are using a hybrid data center environment, you will need additional compliance and auditing tools.
Your business will be subject to different regulations depending on the industry you are in and the type of data you are dealing with. For example, if you are dealing with credit card information, you are subject to the Payment Card Industry (PCI) regulation. So if you want to process this sensitive data with the AWS cloud platform, you need the right third-party security management product to give you the same reporting capabilities as a regular firewall.
The most important things you need to get from a third-party solution are the visibility of all security groups and the entire hybrid asset, as well as the analysis and auditing of comprehensive security and environment that your local security infrastructure can provide.
The security of everything placed in the AWS environment is your responsibility. With all of the above in mind, you will be able to help protect your data and comply with regulatory requirements as you move to AWS.