As businesses come to understand and leverage cloud adoption, companies of all sizes and industries are shifting to cloud services. According to Gartner research, spending on cloud computing infrastructure and platforms is at an all-time high at $214.3 billion and is slated to grow exponentially through 2022. With this comes the need to understand the various Cloud Services Providers (CSPs) and the solutions you can use to accelerate growth in the cloud.
All said and done, though, the ever-expanding terminology can get overwhelming very quickly for a security or IT professional. The jargon is never-ending, and new AWS cloud security terms keep flooding your screen. But you are not alone! Let’s take a look at eight of the most common terms you will hear when you’re learning about Amazon Web Services cloud security.
IAM stands for Identity and Access Management, the AWS service that lets you control access to your resources on AWS. You’ll hear the terms authenticated and authorized: authenticated means that the user is signed in, and authorized means that they have the permissions they need to use a given resource.
IAM is used to manage access in AWS by creating IAM identities, such as users, groups, or roles, and then attaching policies to these identities. This will define the permissions for each identity.
The root user is the identity created along with the AWS account; it is a single sign-in identity with access to all of the AWS services and resources in the account. AWS recommends using the root user to create your first IAM user, as the root user’s access permissions are far too loose for day-to-day work.
It’s important to note that defining policies using IAM logic doesn’t always mean that your environment is secure. In fact, even by design, some configurations can open you up to risk.
The AWS Lambda service is a high-scale, provision-free serverless compute offering based on functions. It covers only the compute layer of a serverless application. The purpose of AWS Lambda is to build event-driven applications that are triggered by events from other AWS services.
Where you have multiple simultaneous events, Lambda simply spins up multiple copies of the function to handle them. In other words, Lambda can be described as a type of function as a service (FaaS). Three components make up AWS Lambda:
- A function: the actual code that performs the task.
- A configuration: specifies how your function is executed.
- An event source (optional): the event that triggers the function. The trigger can come from several AWS services or from a third-party service.
AWS Elastic Compute Cloud (EC2)
Amazon EC2 stands for Elastic Compute Cloud, which offers secure, scalable virtual servers that can be used to run AWS applications.
EC2 also allows users to build apps to automate scaling according to changing needs and peak periods, and makes it simple to deploy virtual servers and manage storage, lessening the need to invest in hardware and helping streamline development processes.
Amazon Simple Storage Service (or Amazon S3) is a service offered by AWS that provides object storage through a web interface, with the goal of making web-scale computing easier for developers. This service enables organizations of all sizes and across various industries to store large amounts of data for a variety of use cases, including websites, mobile applications, disaster recovery, and big data analytics.
Amazon S3 uses a flat, non-hierarchical structure, storing data as objects within buckets. Below are some of the most important basic concepts of S3.
- Buckets serve as the containers for objects and provide the mechanisms necessary to control access to them.
- An object is not only the file that is being uploaded but can also include the metadata attributes that describe the file.
- Access points are named network endpoints attached to buckets that can be used to perform S3 object operations. Each access point has distinct permissions and network controls that apply to any request made through it.
- Bucket policies provide granular controls over buckets and the objects stored within them.
- Access control lists differ from policies in that they grant permissions on buckets or on individual objects.
- AWS Identity and Access Management provides additional management of how users can access S3 resources.
AWS Key Pair
A key pair is a set of security credentials that users need to access their instances, and it is made up of a public key and a private key. The public key is stored by AWS; users create and hold the private key, which is unique to them and works like a password for accessing the buckets and objects. As the cloud environment grows, it becomes harder to manage key pairs, and, as with password misuse, many companies and users share key pairs across different instances.
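To make the key-pair sprawl described above concrete, here is an added example (not from the original post or from Horangi) that reads output shaped like `aws ec2 describe-instances` and reports key pairs shared by more than one non-terminated instance, as well as instances launched with no key pair at all. The instance ids and key names are constructed placeholders.

```python
import json
from collections import defaultdict

def key_pair_usage(describe_instances_json):
    """Map each key pair name to the non-terminated instances launched with it.

    The input has the shape of `aws ec2 describe-instances` output
    (Reservations -> Instances -> KeyName). Instances launched without a key
    pair are collected under the None key so they can be reported separately.
    """
    usage = defaultdict(list)
    for reservation in json.loads(describe_instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # a terminated instance no longer accepts the key
            usage[inst.get("KeyName")].append(inst["InstanceId"])
    return dict(usage)

def shared_key_pairs(describe_instances_json, threshold=2):
    """Return {key_name: [instance ids]} for key pairs reused by >= threshold instances."""
    return {name: ids for name, ids in key_pair_usage(describe_instances_json).items()
            if name is not None and len(ids) >= threshold}

# Constructed sample in describe-instances shape; ids and key names are placeholders.
SAMPLE = json.dumps({"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0aaa000000000001", "KeyName": "shared-ops-key",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0aaa000000000002", "KeyName": "shared-ops-key",
         "State": {"Name": "running"}}]},
    {"Instances": [
        {"InstanceId": "i-0aaa000000000003", "KeyName": "shared-ops-key",
         "State": {"Name": "terminated"}},
        {"InstanceId": "i-0aaa000000000004", "KeyName": "web-01-key",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0aaa000000000005", "State": {"Name": "running"}}]}]})

if __name__ == "__main__":
    for name, ids in shared_key_pairs(SAMPLE).items():
        print(f"key pair {name!r} is shared by {len(ids)} instances: {', '.join(ids)}")
    print("instances with no key pair:", key_pair_usage(SAMPLE).get(None, []))
```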
AWS Least Privilege
The principle of least privilege (PoLP) is the concept that all users have exactly the permissions and access they need to do their job, and no more. This means that if an attacker compromises an account, they are limited in what they can access. The term was coined for on-premises environments and does not carry over entirely to cloud security.
There are a few reasons for this disconnect. First, in the cloud, an attacker only needs one or two permissions to gain complete control over an account. Second, least privilege on AWS isn’t always possible because of preset rules that the user can’t amend. Lastly, creating the number of policies needed for least privilege is a huge amount of work for DevOps teams.
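Tying together the IAM section (policies that open you up to risk by design), the S3 bucket-policy concept and the least-privilege point just made, here is an added example (not from the original post or from Horangi) that statically checks policy documents for the over-broad patterns discussed: identity policies granting `Action: *` on `Resource: *` or a whole service’s actions, and bucket policies granting to `Principal: *` with no Condition. The account id, bucket name and policy documents are constructed samples.

```python
import json

WILDCARD = "*"

def _as_list(value):
    # IAM lets most fields be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # Principal may be "*" or {"AWS": "*"}; both mean anyone on the internet.
    return principal == WILDCARD or (
        isinstance(principal, dict) and WILDCARD in _as_list(principal.get("AWS", [])))

def find_risky_statements(policy_json):
    """Return (Sid, reason) pairs for every Allow statement that is over-broad."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"statement-{idx}")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if WILDCARD in actions and WILDCARD in resources:
            findings.append((sid, "Action * on Resource *: full administrative access"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide wildcard action"))
        if _is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "Principal * with no Condition: world-accessible"))
    return findings

# Constructed sample documents; the account id and bucket name are placeholders.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SCOPED_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for doc in (ADMIN_POLICY, PUBLIC_BUCKET_POLICY, SCOPED_BUCKET_POLICY):
        print(find_risky_statements(doc) or "no findings")
```

The scoped bucket policy passes because its Allow is pinned to one role and its `Principal: "*"` appears only in a Deny, which the check skips.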
Infrastructure as code makes it easier for DevOps to model, provision and manage a collection of resources, and this is what AWS CloudFormation does, using templates. You can create resources together with their dependencies and then configure them as one single stack, instead of handling the individual parts. On AWS, these stacks can be used across multiple user accounts, and even across regions.
AWS CloudFormation saves time for DevOps, by allowing them to automate best practices and then roll them out quickly and easily across projects.
AWS Security Hub
AWS Security Hub brings together alerts from all of your AWS accounts into a centralized location. It is where you manage the alerts that come in from your security tools, such as endpoint protection, firewalls or compliance scanners, both for integrated AWS services and for solutions from the AWS Partner Network. Integrated with SIEM or SOAR tools, or with AWS tools such as Amazon Detective, you can also take steps towards remediation.
The challenge is that organizations today have so many security tools, both those that fall under these categories and those that do not, that the volume of alerts has escalated past what can be managed within AWS Security Hub alone. This leads to alert fatigue: security teams simply ignore many of these alerts, leaving their companies exposed to risk.
This is just the tip of the iceberg. If you need an expert consultation on which cloud security strategy is best for you and which tools you need, fill out this form and a Horangi Cloud Security Specialist will walk you through Warden, our flagship all-in-one Cloud Security platform.