Secure AWS cloud environment

basic guidelines to secure AWS cloud environment

Cloud technology has paved the way for accelerated innovation, elastic scaling, serverless computing, agility and cost optimisation of workloads. Security has always been a baseline pillar of well-architected frameworks, and the growing popularity of flexible schedules, remote work and a global clientele has only increased the focus on this discipline.

Security and compliance in the cloud are always a shared responsibility. Cloud service providers have done significant work to secure the underlying infrastructure, but the onus is on customers to secure what they deploy on it: identities, configurations, data and workloads.

This article highlights AWS security recommendations that are imperative for preventing data breaches and cyber-attacks.

  • AWS Identity and Access Management (IAM) manages identities and their permissions, within a single account or across all accounts of an organisation. Access is granted to principals (IAM users, roles, and the services or EC2 instances that assume roles through instance profiles) by attaching policies; groups are a way to attach the same policies to many users at once, not principals themselves.
  • Restricting root user access and enforcing multi-factor authentication (MFA) is key to securing the root account as well as every administrative and ordinary user account.
  • Always use a distribution-list email address for the primary and alternate contacts of the management account, and for the billing, operations and security contacts. Ownership and reachability then do not depend on one person, so staff attrition in your organisation never leaves you without control.
  • The root user owns everything and its permissions cannot be restricted by policy. Only a handful of tasks require it; every other operation can be performed by an IAM identity with administrative permissions. Create individual identities for each job profile and assign granular permissions to them.
  • Do not share one set of credentials among a group of users; create individual console access for every user. MFA is the expected baseline for keeping user accounts secure.
  • Users can be divided into groups such as dev, operations and IT, or by project, and custom permissions attached to the group make users easier to manage. Least privilege is the rule: each user gets only the permissions their tasks require.
  • Implement a strong password policy (minimum length, complexity and reuse prevention) to protect accounts against brute-force and credential-guessing attacks; combined with MFA, it also limits the damage when a password is phished or socially engineered.
  • Logging not only lets you keep an eye on account activity but also meets standard compliance requirements. AWS CloudTrail records every API call, whether made by a role, a service or a user. CloudTrail's Event history keeps only the last 90 days of management events by default; to retain and review events beyond that, create a trail that delivers logs to an S3 bucket with an appropriate lifecycle policy. Keep that bucket private from the moment you create it: block public access, enable encryption, and restrict who can read or delete the logs.
  • During initial configuration, administrators often create a VPC, EC2 instances and security groups just for testing, and these are no longer useful once setup completes. Always delete unused resources, including permissive security-group rules left over from testing, so they cannot become an unmonitored entry point into your account.
  • AWS Budgets monitors monthly costs and forecasts. An unexpected jump in spend is often the first sign of unauthorised activity in an account, such as instances launched with stolen credentials.
  • Amazon GuardDuty is a threat-detection service that continuously monitors for unauthorised behaviour and malicious activity, such as use of compromised IAM credentials, unusual access to resources and cryptocurrency-mining activity. Use Amazon EventBridge (formerly CloudWatch Events) rules to turn GuardDuty findings into notifications.
  • AWS Trusted Advisor passively scans your infrastructure and reports elevated-risk issues in security, performance, cost and reliability, such as unrestricted security-group ports, public S3 buckets and a root account without MFA. Review its findings regularly and fix them before they make your infrastructure vulnerable.
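The identity points above (granular permissions, least privilege and a strong password policy) can be checked offline before a policy is ever attached. The following is an added example written for this article, not code from AWS or from the original post: a small linter that flags over-broad `Allow` statements in an IAM policy document and compares an account password policy (the object `aws iam get-account-password-policy` returns) against a baseline. The sample policies, the escalation-action list and the password baseline are constructed for illustration and are not AWS defaults.

```python
"""Offline least-privilege lint for IAM policy documents and the account
password policy. Added example; all sample documents are constructed."""
import json
from typing import Any, Dict, List

# Actions that let a principal grant itself more access. Allowing them on
# Resource "*" is a privilege-escalation path. Illustrative, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy",
    "iam:updateassumerolepolicy", "sts:assumerole",
}

# Constructed baseline for check_password_policy(); tune to your own standard.
PASSWORD_BASELINE: Dict[str, Any] = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,
}

# Constructed sample documents.
ADMIN_WILDCARD = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEV_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-dev-artifacts/*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},   # too broad
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
OPS_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
]}
WEAK_PASSWORD_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": False}}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per over-broad Allow statement; [] means clean."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if stmt.get("NotAction") or stmt.get("NotResource"):
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion; review manually")
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {i}: Action '*' on Resource {resources} is full administrator access")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard {action}")
            elif action.lower() in ESCALATION_ACTIONS and any_resource:
                findings.append(f"statement {i}: {action} on Resource '*' enables privilege escalation")
    return findings


def check_password_policy(account_policy: Dict[str, Any]) -> List[str]:
    """Gaps between the account password policy and PASSWORD_BASELINE."""
    current = account_policy.get("PasswordPolicy", {})
    gaps: List[str] = []
    for key, required in PASSWORD_BASELINE.items():
        actual = current.get(key)
        if isinstance(required, bool):
            if actual is not True:
                gaps.append(f"{key} should be enabled")
        elif actual is None or actual < required:
            gaps.append(f"{key} is {actual}, baseline requires at least {required}")
    return gaps


if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_WILDCARD), ("dev", DEV_SCOPED), ("ops", OPS_BROAD)]:
        print(name, json.dumps(lint_policy(doc), indent=2))
    print("password policy", json.dumps(check_password_policy(WEAK_PASSWORD_POLICY), indent=2))
```

To run it against a real account, feed `lint_policy` the `PolicyVersion.Document` object from `aws iam get-policy-version` and `check_password_policy` the output of `aws iam get-account-password-policy`; the linter is deliberately conservative and only flags wildcards and the listed escalation actions, so a clean result is a starting point for review, not proof of least privilege.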
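Retaining CloudTrail logs is only useful if someone looks at them. The following added example, not part of the original article, shows the three checks a practitioner would run first over a delivered log file: any activity by the root user, successful console sign-ins without MFA, and repeated failed sign-ins from one address. The records are constructed in the shape CloudTrail writes to S3 (`{"Records": [...]}`, with `userIdentity.type`, `responseElements.ConsoleLogin` and `additionalEventData.MFAUsed`) and do not come from a real account; the five-attempt threshold is an assumption.

```python
"""Offline checks over CloudTrail records for root usage, logins without MFA
and failed-login bursts. Added example over constructed records."""
import gzip
import json
from collections import Counter
from typing import Any, Dict, List

Record = Dict[str, Any]

# Constructed records, not from a real account.
SAMPLE_LOG: Dict[str, List[Record]] = {"Records": [
    # Root user signing in to the console without MFA, then launching an instance.
    {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:01:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    # An ordinary IAM user signing in with MFA: nothing to report.
    {"eventTime": "2024-05-01T09:10:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
] + [
    # Six failed sign-ins from one address within minutes: a guessing attempt.
    {"eventTime": f"2024-05-01T09:2{n}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"}
    for n in range(6)
]}


def load_trail_file(path: str) -> List[Record]:
    """Read one CloudTrail log object as delivered to S3 (gzip-compressed JSON)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


def _console_login(rec: Record, outcome: str) -> bool:
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == outcome)


def root_activity(records: List[Record]) -> List[Record]:
    """Every API call or sign-in made by the root user; each one deserves review."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def logins_without_mfa(records: List[Record]) -> List[Record]:
    """Successful console sign-ins where MFA was not used."""
    return [r for r in records if _console_login(r, "Success")
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def failed_login_sources(records: List[Record], threshold: int = 5) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed console sign-ins."""
    counts = Counter(r.get("sourceIPAddress", "?")
                     for r in records if _console_login(r, "Failure"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def review(records: List[Record]) -> Dict[str, Any]:
    """Compact summary suitable for a daily report or a ticket."""
    return {
        "root_events": [(r["eventTime"], r["eventName"]) for r in root_activity(records)],
        "logins_without_mfa": [(r["eventTime"], r["userIdentity"].get("arn")
                                or r["userIdentity"].get("userName"))
                               for r in logins_without_mfa(records)],
        "failed_login_sources": failed_login_sources(records),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG["Records"]), indent=2))
```

Point `load_trail_file` at an object synced down from the log bucket to run the same checks over real data. Note that the check is only as good as the trail: it must be a multi-region trail with log file validation enabled, and the bucket itself must be private, or an attacker with the credentials being investigated can simply delete the evidence.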
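Turning GuardDuty findings (and root sign-ins) into notifications means writing EventBridge rule patterns, and a wrong pattern fails silently. The following added example, not from AWS or the original post, holds two patterns in the JSON shape `aws events put-rule --event-pattern` accepts and a small offline matcher so they can be tested against sample events before deployment. The matcher is a simplified reimplementation of EventBridge matching (lists of exact strings, nested objects and `numeric` comparisons only, no prefix, anything-but or exists operators), and the sample events and the severity 7 cut-off are constructed assumptions.

```python
"""EventBridge rule patterns for GuardDuty high-severity findings and root
console sign-ins, with a minimal offline matcher. Added example; the matcher
covers only a subset of EventBridge's pattern language."""
import json
import operator
from typing import Any, Dict, List

# GuardDuty severity is numeric; 7.0 and above is "High". Forward only those.
GUARDDUTY_HIGH: Dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Any console sign-in by the root user, as surfaced from CloudTrail.
ROOT_CONSOLE_LOGIN: Dict[str, Any] = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

RULES = {"guardduty-high": GUARDDUTY_HIGH, "root-console-login": ROOT_CONSOLE_LOGIN}

# Constructed sample events (the fields used here are the ones the patterns touch).
CRYPTO_MINING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "region": "eu-west-1", "accountId": "123456789012",
               "title": "EC2 instance i-0abc12345 is querying a Bitcoin-related domain"},
}
PORT_PROBE = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
               "region": "eu-west-1", "accountId": "123456789012",
               "title": "Unprotected port on EC2 instance i-0abc12345 is being probed"},
}
ROOT_SIGNIN = {
    "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
               "sourceIPAddress": "198.51.100.7"},
}

_NUMERIC_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
                "<": operator.lt, "<=": operator.le}


def _value_matches(rule_values: List[Any], actual: Any) -> bool:
    """A leaf matches when the event value equals one listed literal or satisfies
    one numeric clause such as [">=", 7] or [">", 0, "<", 5]."""
    for rule in rule_values:
        if isinstance(rule, dict) and "numeric" in rule:
            ops = rule["numeric"]
            if isinstance(actual, (int, float)) and all(
                _NUMERIC_OPS[ops[i]](actual, ops[i + 1]) for i in range(0, len(ops), 2)
            ):
                return True
        elif rule == actual:
            return True
    return False


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every key in the pattern must exist in the event and match; extra event keys are ignored."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _value_matches(rule, event[key]):
            return False
    return True


def route(event: Dict[str, Any]) -> List[str]:
    """Names of the rules an event would trigger."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


def summarise(finding: Dict[str, Any]) -> str:
    """One-line message for an SNS or chat notification target."""
    d = finding["detail"]
    return (f"[GuardDuty severity {d['severity']}] {d['type']} in {d.get('region', '?')} "
            f"(account {d.get('accountId', '?')}): {d.get('title', '')}")


if __name__ == "__main__":
    for name, pattern in RULES.items():
        print(name, json.dumps(pattern))
    for event in (CRYPTO_MINING, PORT_PROBE, ROOT_SIGNIN):
        print(route(event), summarise(event) if event["source"] == "aws.guardduty" else "")
```

Once a pattern passes these offline checks, `json.dumps(GUARDDUTY_HIGH)` is the string to pass to `put-rule`, with an SNS topic as the target. Keep the severity threshold for paging separate from the threshold for logging: low-severity findings such as port probes are noise when paged but still worth keeping for investigation.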

Hope you find this information useful! Remember that following cloud security best practices not only simplifies IT management but also protects the entire cloud lifecycle from unwanted miscreants.