In 2014, Code Spaces’ Amazon Web Services account and its control panel were compromised by an attacker. The attacker held Code Spaces’ infrastructure hostage while demanding money. When the founders refused, the attacker systematically deleted a vast number of resources in Code Spaces’ infrastructure, starting with S3 buckets and EBS snapshots and going all the way to the VPCs running in their AWS account. The attack was so devastating that Code Spaces had to shut down for good, and it became the martyr for Cloud Security for years to come.
With the advent of public cloud services like AWS, the game has fundamentally changed. However, with the right preparation and proper configuration, any company can implement a number of security practices to reduce its attack surface and the blast radius of a breach. Below are the top 5 best practices that every organization should implement immediately to minimize the risk of a breach of their AWS environment.
Enable And Securely Configure CloudTrail
From our observations, CloudTrail is one of the most neglected security configurations in typical AWS environments. CloudTrail is the AWS service that generates log files of all API calls made within an AWS account. This lets organizations monitor activity in AWS for compliance and for incident response and digital forensics. Enabling CloudTrail properly is extremely important, as it is one of the few ways to monitor all activity within AWS. Without it, an attacker could compromise AWS systems and leave no trail or trace of what they did or how they did it. CloudTrail gives organizations visibility and an audit trail to follow. Disabling CloudTrail and deleting its log files is usually one of the first things an attacker does, because the evidence is incriminating and can be used to track them down.
To securely configure CloudTrail, your organization must:
- Enable CloudTrail across all AWS regions and services for full monitoring coverage, including regions that are not currently in use, as attackers will exploit any gap
- Enable CloudTrail log file validation to track all changes to log files, ensuring their integrity and making the logs tamper-evident
- Enable access logging on all CloudTrail S3 buckets to record when access requests are made and to identify potential unwarranted access attempts
- Enable MFA Delete on the CloudTrail S3 bucket to make it difficult for attackers to get rid of evidence by erasing logs
- Encrypt all CloudTrail log files in transit and at rest to make them harder for attackers to use for reconnaissance
Taking it a step further by sending CloudTrail logs to CloudWatch Logs gives you an added layer of observability. Set up alarms that alert you to high-risk actions such as use of the root account or changes to security groups.
You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
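The detection logic behind those alarms can be prototyped offline against a CloudTrail log file before it is turned into CloudWatch metric filters. The script below is an added example (not Horangi's or AWS's code) that walks a small set of constructed CloudTrail records and flags three of the high-risk categories discussed above: root account usage, security group changes, and API calls that stop or weaken the trail itself. The records, user names and IP addresses are made up for the example; the root-usage check mirrors the CIS AWS Foundations Benchmark metric filter pattern, which is kept in a constant for reference.

```python
import json

# Constructed sample CloudTrail records for this example (not real logs):
# a root console login, a security-group change, an attempt to stop the
# trail, and a benign API call from another user.
SAMPLE_RECORDS = json.loads(r"""
{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
  "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "sourceIPAddress": "203.0.113.9"}
]}
""")

# EC2 API calls that change security-group rules or groups.
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
# CloudTrail API calls that reduce or remove logging coverage.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# The equivalent CloudWatch Logs metric filter pattern for root usage
# (the CIS AWS Foundations Benchmark pattern), kept here for reference.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def classify(record):
    """Return the high-risk categories a single CloudTrail record matches."""
    findings = []
    identity = record.get("userIdentity", {})
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent"):
        findings.append("root-account-usage")
    if record.get("eventName") in SECURITY_GROUP_EVENTS:
        findings.append("security-group-change")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPER_EVENTS):
        findings.append("cloudtrail-tampering")
    return findings


def scan(log):
    """Walk a CloudTrail log file (a dict with a 'Records' list) and collect alerts."""
    alerts = []
    for record in log.get("Records", []):
        identity = record.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("type", "unknown")
        for category in classify(record):
            alerts.append({
                "time": record.get("eventTime"),
                "category": category,
                "actor": actor,
                "event": record.get("eventName"),
                "source_ip": record.get("sourceIPAddress"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Run against the sample, the script raises one alert per matching record and nothing for the benign `ListBuckets` call. In production the same conditions become CloudWatch Logs metric filters with an alarm and an SNS notification on each, so that a `StopLogging` call pages someone the moment it happens rather than being found in a later review.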
Harden Your IAM Configurations
IAM is the AWS service that provides user provisioning and access control for AWS. AWS admins use IAM to create, manage, and remove users and groups while applying granular permission rules to specific groups to limit their access to AWS APIs and resources. When first setting up an AWS environment, it is important to establish IAM best practices so that IAM hygiene is maintained across your infrastructure. You should:
- Attach IAM policies to groups or roles instead of to individual users. This minimizes the risk of individual users accumulating excessive and unnecessary permissions over time
- Use IAM roles to grant access to resources instead of handing out individual access credentials or keys. This minimizes the use of long-lived credentials and makes it harder for misplaced or compromised credentials to lead to a breach
- Provision only the minimum privileges IAM users need to access AWS resources, following a least-privilege model that still allows them to fulfil their job responsibilities
- Ensure all IAM users have MFA (multi-factor authentication) enabled
- Limit the number of IAM users with admin privileges to the minimum necessary
- Enforce rotation of IAM access keys every 90 days and enable password expiration every 90 days, so that lost or stolen keys or credentials cannot be used to access your AWS environment indefinitely
- Enforce a strong password policy requiring a minimum of 14 characters containing at least one number, one upper case letter, and one symbol
- Enforce a password reuse policy that prevents users from reusing any of their last 24 passwords
These steps help ensure that your IAM roles are properly hardened and that least privilege is maintained, while keeping the highest level of security for individual IAM users. This limits the blast radius of a breach when an IAM user or role is compromised, restricting an attacker’s lateral movement.
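Most of the items in that list can be checked mechanically from the IAM credential report and the account password policy. The script below is an added example, not code from Horangi or AWS: it audits a constructed credential report (the column names follow the real report, which has more columns than shown; the users, ARNs and dates are made up) for root access keys, missing MFA, and keys or passwords older than 90 days, and compares a password policy dictionary in the shape returned by the IAM `GetAccountPasswordPolicy` API against the requirements above. The fixed `NOW` date exists only to keep the example reproducible.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 90

# Constructed subset of an IAM credential report. The column names follow the
# real report (which has more columns); the rows are made up for this example.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,false,true,2023-01-10T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-01-20T00:00:00+00:00,true,true,2024-02-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-02-20T00:00:00+00:00,false,true,2023-06-01T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,N/A,false,true,2024-03-01T00:00:00+00:00,false,N/A
"""

# Fixed "today" so the example is reproducible (assumption for the example only).
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)


def _age_days(stamp, now):
    """Days since an ISO timestamp; None for the report's placeholder values."""
    if stamp in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for MFA, key-age and password-age violations."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # The root account should have no access keys at all and must use MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root-access-key-active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root-mfa-disabled"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "mfa-disabled"))
            age = _age_days(row["password_last_changed"], now)
            if age is not None and age > MAX_PASSWORD_AGE_DAYS:
                findings.append((user, "password-older-than-90d"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age > MAX_KEY_AGE_DAYS:
                    findings.append((user, f"access-key-{n}-older-than-90d"))
    return findings


# Requirements from the list above, keyed by the field names that the IAM
# GetAccountPasswordPolicy API returns.
REQUIRED_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}


def password_policy_gaps(policy):
    """Return the names of settings that fall short of the required policy."""
    gaps = []
    for key, required in REQUIRED_PASSWORD_POLICY.items():
        actual = policy.get(key)
        if key in ("MinimumPasswordLength", "PasswordReusePrevention"):
            if actual is None or actual < required:
                gaps.append(key)
        elif key == "MaxPasswordAge":
            # Absent or zero means passwords never expire.
            if not actual or actual > required:
                gaps.append(key)
        elif actual is not True:
            gaps.append(key)
    return gaps


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
    print(password_policy_gaps({"MinimumPasswordLength": 8, "RequireNumbers": True}))
```

In a real account the report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the body is base64-encoded CSV), and the policy from `aws iam get-account-password-policy`; feeding both into these two functions on a schedule gives you the "regular check" the CSPM section below argues for.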
Follow Security Best Practices when using AWS Databases and Data Storage
Over the past 5 years, there have been multiple AWS data leaks at organizations both large and small. For example, Capital One’s data breach in 2019 was one of the most high-profile breaches, exposing credit card details tied to over 100 million credentials. Misconfigured S3 buckets and other data storage services have underscored the need to ensure that your AWS services are continuously audited and kept secure.
- Audit your S3 buckets and ensure that none containing sensitive information are publicly readable or writeable. If public access is required by the business, ensure that it is recorded as part of your risk management profile
- Enable Redshift audit logging on all clusters; this supports auditing and, in the case of an incident, post-incident forensic investigation
- Enable encryption for all EBS volumes and EBS snapshots as an added layer of security
- If you are using Amazon RDS, enable encryption on the database
- Restrict access to your RDS instances. Start by placing them in a private subnet and closing them off from the public internet. This reduces the attack surface of your environment and the risk of malicious activity such as brute-force attacks or Denial-of-Service (DoS) attacks
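The S3 audit in the first bullet comes down to reading each bucket's policy and ACL and deciding whether "everyone" has been granted read or write. The example below is added here and is not Horangi's or AWS's code; it evaluates bucket policy documents and `GetBucketAcl`-shaped ACL dictionaries that are constructed for the example (bucket names, ARNs and owner IDs are made up). It treats a wildcard principal as public, reports read and write exposure separately, and sets aside wildcard grants that carry a `Condition` for human review rather than silently passing or failing them.

```python
import json

# ACL group URIs that mean "everyone" and "any AWS account" respectively.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:put*", "s3:*"}

# Constructed sample inputs for this example (not from a real account).
PUBLIC_SITE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]
}""")
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                 "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-data/*"}]
}""")
OPEN_UPLOAD_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}


def _as_list(value):
    # Policy documents allow a single string or a list in Statement/Action/Principal.AWS.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_access(policy):
    """Exposure a bucket policy grants to everyone: a subset of {read, write, review}."""
    exposure = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A wildcard principal narrowed by a condition (a source VPC, a referer, ...)
            # still deserves a human look, so it is reported separately.
            exposure.add("review")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            exposure.add("read")
        if actions & WRITE_ACTIONS:
            exposure.add("write")
    return exposure


def acl_public_access(acl):
    """Exposure granted by legacy ACL grants to the AllUsers/AuthenticatedUsers groups."""
    exposure = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_ACL_GROUPS:
            continue
        permission = grant.get("Permission")
        if permission in ("READ", "FULL_CONTROL"):
            exposure.add("read")
        if permission in ("WRITE", "FULL_CONTROL"):
            exposure.add("write")
    return exposure


def audit_bucket(name, policy=None, acl=None):
    """Combine policy and ACL findings for one bucket into a single report entry."""
    exposure = set()
    if policy:
        exposure |= policy_public_access(policy)
    if acl:
        exposure |= acl_public_access(acl)
    return {"bucket": name, "public": sorted(exposure)}


if __name__ == "__main__":
    print(audit_bucket("example-site", policy=PUBLIC_SITE_POLICY))
    print(audit_bucket("example-data", policy=PRIVATE_POLICY))
    print(audit_bucket("example-uploads", acl=OPEN_UPLOAD_ACL))
```

A bucket that comes back with `write` in its result is the urgent case, since anyone can plant or replace content in it; `read` on a bucket that is not meant to be a public website is the classic data-leak configuration. Detection like this complements, rather than replaces, turning on S3 Block Public Access at the account level, which prevents such grants from taking effect in the first place.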
How To Get Started With Cloud Security Posture Management (CSPM)
The list of security configurations to enable in your AWS environment is far more extensive than the list provided above. However, these top 3 configurations are the absolute basics and where AWS users should start. Checking these configurations yourself or with your teammates can be quite time-consuming and tedious, particularly if the checks are to be done regularly.
CSPM tools have recently made headlines as one of the tools that help enable cloud compliance, maintain configurations, and identify security risks. CSPM solutions automate the auditing of individual configurations in your AWS environment, removing the need for tedious manual effort, and help to materially reduce the risk of running sensitive services in your cloud.
We at Horangi believe that Cloud Security is one of the top security risks of the new decade. We have created a CSPM tool, Warden, to help AWS and GCP users like you automate compliance checks in your cloud infrastructure. Warden enables you to identify risky security configurations, giving you visibility into your environment and the ability to quickly remediate flagrant misconfigurations. Learn more about how Warden has helped cloud-native companies build cyber resilience and protect customer data on AWS.
If you are looking for a CSPM tool to help you with your cloud compliance, do also read our Whitepaper: What is a CSPM and How to Select One.