Amazon Web Services (AWS), the leader in the public cloud infrastructure-as-a-service (IaaS) market, offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. According to Amazon, over one million active AWS customers are reaping the cost and productivity advantages the platform has to offer.
Like most cloud providers, AWS operates under a shared responsibility model. AWS takes care of security ‘of’ the cloud while AWS customers are responsible for security ‘in’ the cloud. This means customers wholly own the responsibility of ensuring that AWS services are configured in a secure manner. The recent spate of misconfigured AWS S3 buckets is just one example of what could happen when customers ignore their cloud security responsibility.
To help customers fulfill their end of AWS’s shared security responsibility, we’ve published a 51-point security checklist that AWS customers should follow to ensure that AWS services are configured to the highest level of security.
Since Amazon can’t fully control how AWS is used by its customers, they have focused on the security of AWS infrastructure, including protecting its computing, storage, networking, and database services against intrusions. Amazon is responsible for the security of the software, hardware, and the physical facilities that host AWS services. Amazon also takes responsibility for the security configuration of its managed services such as Amazon DynamoDB, RDS, Redshift, Elastic MapReduce, WorkSpaces, and others.
AWS customers are responsible for secure usage of AWS services that are considered unmanaged. For example, while Amazon has built several layers of security features to prevent unauthorized access to AWS, including multifactor authentication, it is the responsibility of the customer to make sure multifactor authentication is turned on for users, particularly for those with the most extensive IAM permissions in AWS.
Furthermore, the default security settings of AWS services are often the least secure. Correcting misconfigured AWS security settings is therefore low-hanging fruit that organizations should prioritize in order to fulfill their end of the AWS security responsibility.
Here is a sample of the AWS configuration checklist items that security experts recommend you follow:
- Enable CloudTrail logging across all AWS
- Turn on CloudTrail log file validation
- Enable CloudTrail multi-region logging
- Require multifactor authentication (MFA) to delete CloudTrail buckets
- Turn on MFA for the “root” account
- Minimize or completely avoid using the “root” account
- Ensure S3 buckets don’t have public write permissions
- Ensure S3 buckets containing sensitive data don’t have public read permissions
- Encrypt Elastic Block Store (EBS) database
- Disallow unrestricted ingress access on uncommon ports
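As an added example (not part of the original checklist or its download), the Python below evaluates several of the items above against response dictionaries shaped like what boto3's `describe_trails()`, `get_account_summary()`, `get_bucket_versioning()` and `get_bucket_acl()` return. The sample responses are constructed, so the checks run with no AWS credentials or network access; with a live session you would pass the real API responses instead.

```python
# Offline evaluation of AWS checklist items against boto3-shaped responses.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def check_cloudtrail(describe_trails_resp):
    # Items: CloudTrail enabled, multi-region trail, log file validation on.
    trails = describe_trails_resp.get("trailList", [])
    return {
        "cloudtrail_enabled": bool(trails),
        "multi_region_trail": any(t.get("IsMultiRegionTrail") for t in trails),
        "log_file_validation": bool(trails) and all(t.get("LogFileValidationEnabled") for t in trails),
    }

def check_root_mfa(account_summary_resp):
    # SummaryMap.AccountMFAEnabled is 1 when the root user has an MFA device.
    return account_summary_resp["SummaryMap"].get("AccountMFAEnabled", 0) == 1

def check_mfa_delete(get_bucket_versioning_resp):
    # MFADelete only appears in the response once configured; absent means off.
    return get_bucket_versioning_resp.get("MFADelete") == "Enabled"

def public_permissions(get_bucket_acl_resp):
    # Permissions granted to the AllUsers or AuthenticatedUsers groups via the ACL.
    public = set()
    for grant in get_bucket_acl_resp.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            public.add(grant["Permission"])
    return public

def check_s3_bucket(get_bucket_acl_resp):
    # ACL-only view: a bucket policy and Block Public Access settings also decide exposure.
    perms = public_permissions(get_bucket_acl_resp)
    return {
        "no_public_write": not (perms & {"WRITE", "WRITE_ACP", "FULL_CONTROL"}),
        "no_public_read": not (perms & {"READ", "FULL_CONTROL"}),
    }

# Constructed sample responses (not live data), shaped like the boto3 return values.
SAMPLE_TRAILS = {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}]}
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0}}
SAMPLE_VERSIONING = {"Status": "Enabled"}  # no MFADelete key: MFA delete not configured
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

def failing_items():
    # Names of checklist items the sample account fails, for the findings report.
    results = {**check_cloudtrail(SAMPLE_TRAILS), "root_mfa": check_root_mfa(SAMPLE_SUMMARY),
               "mfa_delete": check_mfa_delete(SAMPLE_VERSIONING), **check_s3_bucket(SAMPLE_ACL)}
    return sorted(name for name, ok in results.items() if not ok)

if __name__ == "__main__":
    print("Failing checklist items:", failing_items())
```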