#8 AWS Security best practices

#8 AWS Security best practices

"Stay hungry. Stay foolish." - Steve Jobs

Hello Cloud learners,

Hope my posts are helping you in such way to gain some insights about learning AWS cloud computing. Leave your comments and provide your valuable feedback so that I can improve my posts in a better way.

In recent time, exploring many areas on how to focus on our work without any distractions and found something useful so I'll be sharing those in end of the post and keep that excitement until we go there !!!

Keeping Your Cloud Data Safe: A Simple Guide

Here I'll be sharing few important AWS security best practices for someone new to cloud computing, with definitions, real-world examples, and many more interesting to read.

You may check out this for "How to start your AWS Cloud computing guide"

If you are already planning to start AWS Cloud practitioner exam you may check out this exam study notes (As per CLF-C01)

Let's start about AWS security best practices here.

Multi-Factor Authentication (MFA)

In your daily life you are already using this MFA for some your apps. When we talk about cloud security this should be very important to keep your resources in very safe manner. An extra layer of security for user authentication that requires entering a unique code from a mobile app, along with the main login credentials.

Enable MFA for your AWS root user account and all IAM user accounts in order to prevent access from stolen passwords aloneYou can manage your MFA devices in the IAM console. The following options are the MFA methods that IAM supports.

FIDO security keys

Virtual authenticator apps

Hardware TOTP tokens

Hardware TOTP tokens for the AWS GovCloud (US) Regions

Check out this link for more details : https://aws.amazon.com/iam/features/mfa/

No more wait, Let's go and Set up MFA for root and IAM users via AWS console. Install apps like Google Authenticator.

Identity and Access Management (IAM)

After creating your AWS account, this is the first place to create users/groups/roles/policies.

Securely manage identities and access to AWS services and resources

Use IAM to manage and scale workload and workforce access securely supporting your agility and innovation in AWS.

Creates individual user accounts and allows granular control of permissions and access to AWS resources. Have separate IAM users for developers, operations teams allowing access only to required services.

Create least privilege IAM accounts for each user role. Assign policies based on their needs. Define users needed. Provide access through groups/roles minimizing permissions.

Security Groups & Network ACLs

Act as firewall controls to regulate traffic to EC2 instances in VPCs. Restrict SSH access only from office IP range. Allow web traffic only on ports 80/443

Mainly resolves the problem of Unrestricted network traffic exposure.

Set up tight security groups & ACLs around what is allowed inbound/outbound to resources. Audit default groups. Define app network needs. Add/remove rules accordingly.

Audit default groups. Define app network needs. Add/remove rules accordingly and get more hands on with this great feature.

Encryption

Encoding data using keys so only authorized parties can read or access the information. Mainly this is used to encrypt EBS volumes and S3 buckets that store sensitive customer data.

Resolves the problem of Data is exposed if storage is compromised.

AWS offers you the ability to add a layer of security to your data at rest in the cloud, providing scalable and efficient encryption features. These include:

  • Data at rest encryption capabilities available in most AWS services, such as Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker

  • Flexible key management options, including AWS Key Management Service, that allow you to choose whether to have AWS manage the encryption keys or enable you to keep complete control over your own keys

  • Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing you to help satisfy your compliance requirements

  • Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS

Leverage encryption mechanisms provided by AWS services to encode data. Enable encryption options for EBS, S3, RDS. Manage keys securely.

CloudTrail Log Monitoring

Provides event logs of all activity across AWS accounts for visibility, auditing and troubleshooting. Stream CloudTrail logs to CloudWatch Logs and set up metric alarms for anomalies or unauthorized activity

Track user activity and API usage on AWS and in hybrid and multi cloud environments

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and auditing of your AWS account.

CloudTrail Insights tracks unusual activity for write management API operations. Turn on CloudTrail across all regions. Stream logs to CloudWatch/S3 for analysis and alerts.

Getting started:

Enable CloudTrail on console. Configure log shipping to CloudWatch and monitoring.

Infrastructure as Code

Managing cloud infrastructure, configurations, services programmatically using declaration files rather than console/CLI. Use CloudFormation templates to manage test vs production environments.

Resolved the problem of manual configuration leads to environment inconsistencies.

Maintain version controlled Infrastructure as Code definition files that can recreate entire stacks. Explore using AWS CloudFormation/Terraform to programmatically create reusable infrastructure.

We reached the final stage of this article and there are lot more best security practices mentioned in some of the AWS official documentation pages and you may explore.

Here is our Top productivity tips as I told in the starting of the post.

✅ Turn off your mobile notifications
✅ Check your emails only 2-3 times a day (more than 95% emails are promotions/irrelevant)
✅ Daily at least spend ~10 mins to learn new things (in all days )
✅ Daily have a habit to read at least 10 pages/day of any of your interested book
✅ Plan your day before the day starts, it means before sleep make a list of activities with priority

Let's connect on LinkedIn for grow together and learning never stops !!

Happy cloud journey !!!