AWS Cloud Operations Blog
Enhance your AWS cloud infrastructure security with AWS Managed Services (AMS)
Introduction
A security or data-loss incident can lead to both financial and reputational losses. Maintaining security and compliance is a shared responsibility between AWS and you (our customer): AWS is responsible for "Security of the Cloud" and you are responsible for "Security in the Cloud". Security in the cloud has a much larger scope than many teams expect, especially at the cloud infrastructure and operating system level. Building a secure, compliant, and well-monitored environment at scale in the cloud requires a high degree of automation, skilled people, and time.
This blog highlights how you can leverage a combination of AWS services to improve your "Security in the Cloud". Following and implementing security best practices at scale can be challenging for many organizations because of a lack of skills or competing business priorities. We will explore best practices from AWS Managed Services (AMS) and how AMS has been enhancing the AWS infrastructure security and compliance posture of its customers at scale. AMS provides proactive, preventative, and detective capabilities to help you achieve operational excellence in the AWS cloud across monitoring, incident management, security, patching, backup, and cost optimization, so you can focus on innovation.
For example, when Coinhako migrated to AWS with AMS as their operations partner, CTO Gerry Eng said: "Numerous security features that come out-of-the-box with AMS would have taken us months, if not years, to properly roll out." Learn more in the case study.
Cloud Security Management in AWS
Prevention
It is said, "Prevention is better than cure." Areas where you can improve your security posture to help prevent issues include Identity and Access Management (IAM), securing ingress and egress traffic, vulnerability and patch management, and backup and disaster recovery.
AWS provides granular access control over cloud resources through a combination of AWS IAM policies and, at the AWS Organizations level, Service Control Policies (SCPs). IAM policies grant permissions to principals, while SCPs set the maximum permissions an account can grant, so an SCP is the right place to block actions that must never happen in an account regardless of what IAM allows. AWS outlines security best practices for using IAM. However, customers often find it challenging to monitor and govern IAM usage over time, which leads to unauthorized or unwanted access. You can leverage AMS for continuous validation of IAM changes against AWS best practices as well as AMS technical standards. AMS also implements governing controls for IAM using custom AWS Config rules, so that deviations are detected and remediated proactively. Keep in mind that Config rules are a detective control: they evaluate a change after it is recorded, so the preventive layer (SCPs and permission boundaries) still matters.
From an ingress/egress traffic perspective, you can use AWS WAF, a web application firewall service, in front of your web applications to inspect incoming HTTP/HTTPS requests. AWS WAF integrates natively with most external-facing AWS services, including Amazon CloudFront, the Application Load Balancer (ALB), and Amazon API Gateway. At the network layer, you can use AWS Network Firewall to define stateless and stateful rules that give you fine-grained control over ingress and egress traffic for your VPCs. Network Firewall works together with AWS Firewall Manager to centrally apply policies across multiple virtual private clouds (VPCs) and accounts. AMS can help you set up and operate these services on an ongoing basis using AWS best practices.
In addition, regular patching is one of the most effective preventative measures against known vulnerabilities. According to a survey by the Ponemon Institute, "60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied." At the operating system (OS) level, you can leverage AWS Systems Manager Patch Manager for end-to-end patch management. For continuous vulnerability management, you can use Amazon Inspector to scan for and identify OS and software package vulnerabilities. However, setting patch schedules, reporting on patch compliance, and responding to patch failures at scale can be a challenging and undifferentiated task. AMS performs these activities on your behalf at scale using automation and best practices. AMS can perform ad-hoc patching to address a high-risk or zero-day vulnerability reported by Inspector or by your own tools, as soon as a fix is available. You can also leverage AMS to build hardened OS Amazon Machine Images (AMIs) that adhere to Security Technical Implementation Guide (STIG) benchmarks, so that EC2 instances are secure by default.
Finally, to protect against data loss during an incident, a robust backup and disaster recovery (DR) strategy is essential. You can leverage a combination of AWS Backup and AWS Elastic Disaster Recovery (AWS DRS) to safeguard your data in the AWS cloud. Setting up backup plans and monitoring backup compliance at scale can be complicated. AMS not only helps monitor and manage ongoing backups, it provides multiple backup plans to choose from to suit your data-recovery use cases, including ransomware protection plans. For ransomware in particular, the backups themselves must survive a compromised account, so copies should be kept where the compromised principal cannot delete them. Regularly testing restores is an important practice to ensure that business service downtime is minimized during unforeseen issues. AMS provides service restoration Service Level Agreements (SLAs) to help reduce mean time to recovery (MTTR) during incidents. AMS also conducts security- and operations-focused game days with your team to simulate scenarios such as a compromised instance or a ransomware event.
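To make the Config-rule idea concrete, here is an added example (written for this post, not AMS's own rule) of the logic behind a custom AWS Config rule that flags IAM customer managed policies whose default version grants a wildcard action on Resource "*". It decodes the policy document from the AWS::IAM::Policy configuration item, evaluates every Allow statement, and reports COMPLIANT or NON_COMPLIANT with an annotation naming the offending statement. The configuration item below is constructed, the resource ID is a placeholder, and the field names `configuration.policyVersionList[].document` (URL-encoded) and `isDefaultVersion` are assumptions to verify against items recorded in your own account.

```python
"""Custom AWS Config rule logic that flags overly permissive IAM policies.

Added example, not AMS's own rule. The event shape (invokingEvent ->
configurationItem -> configuration.policyVersionList[].document, with the
document URL-encoded) follows AWS::IAM::Policy configuration items, but
verify the field names against items recorded in your own account.
"""
import json
import urllib.parse
from typing import Any, Dict, List, Tuple


def _as_list(value: Any) -> List[Any]:
    """IAM allows Action/Resource/Statement to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy: Dict[str, Any]) -> List[str]:
    """Describe every Allow statement granting a wildcard action on Resource "*".

    "*" and "service:*" actions count as wildcards. NotAction / NotResource
    statements are reported as well: they grant everything except the listed
    items, which is almost always broader than intended.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if wild_actions and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: {','.join(wild_actions)} on Resource *")
    return findings


def evaluate_policy_item(item: Dict[str, Any]) -> Tuple[str, str]:
    """Evaluate one configuration item; returns (ComplianceType, Annotation)."""
    if item.get("resourceType") != "AWS::IAM::Policy":
        return "NOT_APPLICABLE", "rule evaluates AWS::IAM::Policy only"
    versions = item.get("configuration", {}).get("policyVersionList", [])
    default = next((v for v in versions if v.get("isDefaultVersion")), None)
    if default is None:
        return "NOT_APPLICABLE", "no default policy version recorded"
    # Only the default version is in effect; older versions are ignored.
    document = json.loads(urllib.parse.unquote(default["document"]))
    findings = find_wildcard_grants(document)
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Annotation is capped at 256 chars
    return "COMPLIANT", "no wildcard Allow statements"


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Config custom-rule entry point: evaluate the item and report it with PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_policy_item(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # imported here so the pure evaluation above runs offline, without credentials
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _encode(doc: Dict[str, Any]) -> str:
    return urllib.parse.quote(json.dumps(doc))


# Constructed sample configuration item (not from a real account): v1 was
# least-privilege, v2 (the default version) added an Action "*" statement.
SAMPLE_ITEM = {
    "resourceType": "AWS::IAM::Policy",
    "resourceId": "ANPAEXAMPLE0000000000",  # placeholder ID
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "policyVersionList": [
            {"versionId": "v1", "isDefaultVersion": False, "document": _encode({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::app-bucket/*"}]})},
            {"versionId": "v2", "isDefaultVersion": True, "document": _encode({
                "Version": "2012-10-17",
                "Statement": [
                    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"},
                    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]})},
        ]
    },
}

if __name__ == "__main__":
    print(evaluate_policy_item(SAMPLE_ITEM))  # ('NON_COMPLIANT', 'Admin: * on Resource *')
```

The rule deliberately evaluates only the default policy version, because that is the one IAM enforces; an old permissive version that is no longer the default is a hygiene issue, not an active grant. Pair a rule like this with a remediation action (notification or an SSM Automation document) rather than auto-deleting policies, since an automated rollback of a policy that is in use can itself cause an outage.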
Detection
It is critical to continuously monitor your cloud environment so that you can detect, contain, and remediate anomalies or potentially malicious activity early. AWS offers services to implement a variety of detective controls by processing logs and events and by monitoring, which allows for auditing, automated analysis, and alarming. For example, Amazon GuardDuty is a purpose-built, machine learning (ML) based threat detection service that continuously analyzes sources such as AWS CloudTrail events, VPC Flow Logs, and DNS logs for unauthorized or malicious behavior against your AWS accounts and workloads. GuardDuty can be complemented with Amazon Macie, a data security service that uses ML and pattern matching to discover and protect sensitive data stored in Amazon S3.
AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts from AWS and third-party services, and suggests remediation steps. However, consuming these alerts and performing remediation at scale across many AWS accounts can quickly become operationally challenging.
AMS leverages Amazon GuardDuty to monitor threats across all of your subscribed AWS accounts and reviews every alert it generates around the clock (24×7). AMS uses automation that analyzes GuardDuty alerts to reduce noise and perform the initial triage, so that incident notifications carry actionable insight rather than raw findings. For critical issues, AMS proactively collaborates with you on a joint security investigation and obtains the required approvals for remediation. AMS can also monitor Amazon Macie findings and perform the required remediations on your behalf.
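The triage step described above is where most of the noise reduction happens. As an added example (not AMS's automation), the following code shows the first pass such a pipeline performs on a batch of GuardDuty findings: archived findings and findings matching an explicit suppression list are dropped, the rest are grouped by the affected resource, and each group gets one severity band and one escalation path. The findings at the bottom are constructed samples; the field names (`type`, `severity`, `resource.resourceType`, `resource.instanceDetails`, `resource.accessKeyDetails`, `service.count`, `service.archived`) follow the GuardDuty finding JSON, and the repeat threshold and escalation names are assumptions for this example.

```python
"""First-pass triage of Amazon GuardDuty findings.

Added example, not AMS's automation. Drops archived and explicitly
suppressed findings, groups the rest by affected resource, and assigns one
escalation path per resource. Field names follow the GuardDuty finding JSON
(type, severity, resource.resourceType, resource.instanceDetails /
accessKeyDetails, service.count, service.archived); the findings at the
bottom are constructed samples, not real detections.
"""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Tuple

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9
BANDS = [(7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")]
ESCALATION = {"HIGH": "page-oncall", "MEDIUM": "open-ticket", "LOW": "weekly-report"}
REPEAT_THRESHOLD = 25  # assumption: a Low finding repeated this often gets a ticket


def band(severity: float) -> str:
    for floor, label in BANDS:
        if severity >= floor:
            return label
    return "LOW"


def resource_key(finding: Dict[str, Any]) -> str:
    """Name the affected resource so findings about the same thing can be grouped."""
    res = finding.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        return "AWS::EC2::Instance/" + res["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return "AWS::IAM::AccessKey/" + res["accessKeyDetails"]["userName"]
    return f"{rtype}/{finding['id']}"  # unknown resource types are not grouped


def is_suppressed(finding: Dict[str, Any], key: str, suppressions: Iterable[Tuple[str, str]]) -> bool:
    """A suppression is (finding-type prefix, resource key or "*"); both must match."""
    return any(finding["type"].startswith(prefix) and target in ("*", key)
               for prefix, target in suppressions)


def triage(findings: List[Dict[str, Any]],
           suppressions: Iterable[Tuple[str, str]] = ()) -> List[Dict[str, Any]]:
    suppressions = list(suppressions)
    groups: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for f in findings:
        if f.get("service", {}).get("archived"):
            continue  # already handled, or auto-archived by a GuardDuty filter
        key = resource_key(f)
        if is_suppressed(f, key, suppressions):
            continue
        groups[key].append(f)

    incidents = []
    for key, group in groups.items():
        top = max(f["severity"] for f in group)
        label = band(top)
        repeats = sum(f.get("service", {}).get("count", 1) for f in group)
        if label == "LOW" and repeats >= REPEAT_THRESHOLD:
            label = "MEDIUM"  # persistent low-severity noise is still worth a ticket
        incidents.append({
            "resource": key,
            "severity": label,
            "max_score": top,
            "finding_types": sorted({f["type"] for f in group}),
            "finding_ids": [f["id"] for f in group],
            "repeat_count": repeats,
            "action": ESCALATION[label],
        })
    incidents.sort(key=lambda inc: (-inc["max_score"], inc["resource"]))
    return incidents


def _ec2(fid, ftype, sev, instance, count=1, archived=False):
    return {"id": fid, "type": ftype, "severity": sev,
            "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": instance}},
            "service": {"count": count, "archived": archived}}


# Constructed instance IDs (placeholders, not real resources).
INSTANCE_A, INSTANCE_B = "i-0" + "a" * 16, "i-0" + "b" * 16
INSTANCE_C, INSTANCE_D = "i-0" + "c" * 16, "i-0" + "d" * 16

# Constructed sample findings (not real GuardDuty output).
SAMPLE_FINDINGS = [
    _ec2("f1", "UnauthorizedAccess:EC2/SSHBruteForce", 2.0, INSTANCE_A, count=40),
    _ec2("f2", "CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0, INSTANCE_A),
    _ec2("f3", "Recon:EC2/PortProbeUnprotectedPort", 2.0, INSTANCE_B, count=300),
    _ec2("f4", "UnauthorizedAccess:EC2/SSHBruteForce", 2.0, INSTANCE_C, count=30),
    _ec2("f5", "Recon:EC2/Portscan", 5.0, INSTANCE_D, archived=True),
    {"id": "f6", "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "severity": 8.0,
     "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "app-role"}},
     "service": {"count": 1, "archived": False}},
]

# INSTANCE_B is a deliberately exposed bastion, so port probes against it are expected noise.
SUPPRESSIONS = [("Recon:EC2/PortProbeUnprotectedPort", "AWS::EC2::Instance/" + INSTANCE_B)]

if __name__ == "__main__":
    for inc in triage(SAMPLE_FINDINGS, SUPPRESSIONS):
        print(inc["action"], inc["severity"], inc["resource"], inc["finding_types"])
```

Two design points matter here. Grouping by resource is what turns a brute-force finding plus a crypto-mining finding on the same instance into one "this host is compromised" incident instead of two separate tickets. And suppressions are scoped to a finding type on a specific resource, never to a type alone: a port-probe suppression for a known bastion must not silence the same finding on a database host.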
Monitoring and Incident Response
Amazon CloudWatch is a foundational AWS-native observability service, providing capabilities across infrastructure, application, and end-user monitoring. Systems Manager's OpsCenter enables operations staff to view, investigate, and remediate operational issues identified by services like CloudWatch and AWS Config. Systems Manager's Incident Manager capability helps you resolve critical application issues faster with automated response plans. Both OpsCenter and Incident Manager integrate with IT Service Management (ITSM) and ticketing systems such as Atlassian Jira and ServiceNow to provide a holistic view of incidents in your tool of choice. Incident Manager also integrates with AWS Chatbot, so you can investigate and remediate incidents from collaboration tools such as Slack, Microsoft Teams, and Amazon Chime.
AMS helps you achieve operational excellence in the cloud with 24×7 security monitoring and incident response, staffed by engineers located at multiple sites across the world. Alerts and events are monitored from native services such as AWS Config, Amazon GuardDuty, Amazon Macie, Amazon CloudWatch, and AWS CloudTrail. For Security Incident Response (SIR), AMS follows pre-defined runbooks aligned with the National Institute of Standards and Technology (NIST) incident response lifecycle (NIST SP 800-61) to identify, analyze, contain, eradicate, recover from, and respond to security alerts. AMS also uses Systems Manager's OpsCenter to log all operational items, notifies you through AWS Support cases, and works with your team to resolve them. If you use a third-party or in-house security tool such as a Security Information and Event Management (SIEM) or an Endpoint Detection and Response (EDR) solution, AMS can help remediate the OS and AWS infrastructure-related findings it reports as well. You can also leverage the AWS Service Management Connector to integrate your existing ITSM tooling, such as ServiceNow and Atlassian Jira, for a seamless incident and ticketing experience with AMS.
Compliance
Under the AWS shared responsibility model, you are responsible for the security and compliance of the guest OS, application software, and the configuration and selection of AWS services within your AWS accounts. In addition, you may need to adhere to a broad set of local and global compliance frameworks depending on your business, and mapping those frameworks to AWS security controls can be daunting.
Using AMS not only enhances your overall security posture in AWS, it helps accelerate your journey to the required compliance levels. First, AMS itself is in scope for many global compliance programs, regulations, and security standards, including HIPAA, SOC, ISO 27001, FedRAMP, IRAP, NIST, PCI DSS, and GDPR (refer to the AWS Compliance Center). This makes an AMS-managed cloud environment suitable for hosting applications with specific compliance or regulatory requirements. This covers the service itself; under the shared responsibility model your workloads still have to be configured and operated to meet the same standards.
Second, from Day One, AMS gives you visibility into your security posture against four of the most stringent and widely used global security frameworks, CIS, NIST, PCI, and HIPAA, using AWS Config. AMS deploys curated AWS Config rules that continuously monitor the state of the resources in your accounts against these standards. The rules can be configured either to auto-remediate or to notify you as an incident or report, based on your business needs. For example, AMS enables AWS CloudTrail logging in an AMS account by default, and the trail is used for on-demand reporting, alerting, and auditing. This configuration alone contributes to meeting multiple controls, such as AU-6 (Audit Record Review, Analysis, and Reporting) and AU-7 (Audit Record Reduction and Report Generation) with their control enhancements from the NIST SP 800-53 Audit and Accountability (AU) family, along with ISO/IEC 27001:2013 Annex A controls A.12.4.1 to A.12.4.3 (event logging, protection of log information, and administrator and operator logs). Logging is only the first half of those controls: the records must also be retained, protected from tampering, and actually reviewed.
Third, AMS implements centralized logging and auditing controls at both the OS and account level to support your compliance requirements. Pre-built, AMS-curated queries are available in the Amazon Athena console to extract audit reports on user access and on changes made in your AWS accounts.
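The CloudTrail trail enabled by default and the curated Athena queries described above serve the same purpose: turning raw API records into the access and change reports that AU-6 and ISO 27001 A.12.4 expect someone to review. As an added example (not one of AMS's curated queries), the code below runs that kind of query in Python over a CloudTrail log file so it can be checked offline: successful console logins without MFA, failed console logins, write calls to the IAM API, and any root account activity. The records are constructed samples with documentation IP and account numbers; the field names (`Records[].eventSource`, `eventName`, `userIdentity`, `readOnly`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) follow the CloudTrail record format.

```python
"""Audit queries over CloudTrail records: console logins without MFA, failed
console logins, IAM changes, and root account activity.

Added example, not one of AMS's curated Athena queries; it runs the same kind
of query in Python over a CloudTrail log file so it can be checked offline.
Field names (Records[].eventSource, eventName, userIdentity, readOnly,
additionalEventData.MFAUsed, responseElements.ConsoleLogin) follow the
CloudTrail record format; the records below are constructed samples.
"""
import json
from typing import Any, Dict, List

Record = Dict[str, Any]


def load_records(log_text: str) -> List[Record]:
    """CloudTrail delivers (gzip-compressed) JSON files of the form {"Records": [...]}."""
    return json.loads(log_text)["Records"]


def actor(rec: Record) -> str:
    """Human-readable principal: IAM user name, the identity ARN, or 'root'."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def is_write(rec: Record) -> bool:
    """Prefer CloudTrail's readOnly flag; fall back to the event-name prefix."""
    if "readOnly" in rec:
        return not rec["readOnly"]
    return not rec["eventName"].startswith(("Get", "List", "Describe"))


def console_logins(records: List[Record]) -> Dict[str, List[Record]]:
    """Split ConsoleLogin events into successes without MFA and failures."""
    no_mfa, failed = [], []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            failed.append(rec)
        elif rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            no_mfa.append(rec)
    return {"no_mfa": no_mfa, "failed": failed}


def iam_changes(records: List[Record]) -> List[Record]:
    """Every write call to the IAM API, regardless of who made it."""
    return [r for r in records if r.get("eventSource") == "iam.amazonaws.com" and is_write(r)]


def root_activity(records: List[Record]) -> List[Record]:
    """Any use of the root account is worth a line in the report."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def audit_report(records: List[Record]) -> Dict[str, List[str]]:
    """Summarize each category as 'time actor eventName from sourceIP' lines."""
    def line(r: Record) -> str:
        return f"{r['eventTime']} {actor(r)} {r['eventName']} from {r.get('sourceIPAddress', '?')}"
    logins = console_logins(records)
    return {
        "logins_without_mfa": [line(r) for r in logins["no_mfa"]],
        "failed_console_logins": [line(r) for r in logins["failed"]],
        "iam_changes": [line(r) for r in iam_changes(records)],
        "root_activity": [line(r) for r in root_activity(records)],
    }


def _rec(time, source, name, ident, **extra):
    base = {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "sourceIPAddress": "203.0.113.10"}
    base.update(extra)
    return base


_ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"}
_BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"}
_ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}

# Constructed sample log file (not a real trail).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T08:00:00Z", "signin.amazonaws.com", "ConsoleLogin", _ALICE,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("2024-01-01T08:05:00Z", "signin.amazonaws.com", "ConsoleLogin", _BOB,
         responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2024-01-01T08:06:00Z", "signin.amazonaws.com", "ConsoleLogin", _BOB,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2024-01-01T08:10:00Z", "iam.amazonaws.com", "ListUsers", _ALICE, readOnly=True),
    _rec("2024-01-01T08:12:00Z", "iam.amazonaws.com", "CreateAccessKey", _BOB, readOnly=False,
         requestParameters={"userName": "bob"}),
    _rec("2024-01-01T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", _ROOT,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
]})

if __name__ == "__main__":
    print(json.dumps(audit_report(load_records(SAMPLE_LOG)), indent=2))
```

In production the same four queries run in Athena over the S3 bucket the trail writes to, with a partition on date so a weekly review only scans a week of records. The IAM-changes query is intentionally not filtered by principal: the interesting case is a change made by a principal that should not be making IAM changes at all, which only shows up if everything is listed.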
Reporting & Governance
A robust reporting and governance practice is essential to measure and track security posture and risk across your AWS environment. AWS resource tagging, which attaches metadata to resources as key-value pairs, plays a critical role in operational excellence through auditing, automation, and cost allocation. For example, resource metadata and tag values can be exported to an AWS storage service of your choice, where you can build patch and security compliance coverage reports or other dashboards using services like AWS Glue, Amazon Athena, and Amazon QuickSight.
AMS provides self-service weekly and monthly reports on OS patch levels, backup coverage, and high-severity incidents. Your named AMS Cloud Service Delivery Manager (CSDM) and Cloud Architect (CA) act as your trusted advisors and lead the monthly business reviews (MBRs), which provide additional centralized reports across all managed AWS accounts. The MBR includes insights into key cloud operational risks (KCORs) across the AWS Well-Architected pillars, along with a forward-looking plan to address high-severity items.
To apply and enforce AMS tags or your own custom tags on AMS-managed AWS resources, you can use the AMS-provided Resource Tagger tool. Beyond auditing and reporting, AMS-specific tags enable automated actions across access control, monitoring, patching, backup, and auto-remediation. The combination of AMS Resource Tagger and your custom tags lets you build a robust tagging strategy for cloud governance.
Security On-Demand
AMS provides extended security support on demand through its Operations on Demand (OOD) service. You can use AMS OOD to request curated, AWS service-level changes that further improve your security posture in the AWS cloud. It comes with a catalog of security-related services such as AWS Network Firewall operations and upgrades of legacy operating systems that are nearing end of support, to protect against known but otherwise unmitigated security threats.
Conclusion
In this article, we reviewed essential security best practices, including preventative, detective, and response controls, that you can implement to enhance your security posture in the AWS cloud. We also explained how AMS can act as your trusted partner in implementing the "Security in the Cloud" half of the shared responsibility model by managing your AWS environment. AMS enhances your cloud security posture by implementing multiple guardrails based on AWS best practices, along with 24×7 security incident response and remediation. In addition, AMS accelerates your compliance journey by helping you implement many of the required security controls and best practices around logging, auditing, and monitoring in your AWS accounts from Day One.
Beyond security-specific features, AMS helps you achieve operational excellence in your AWS cloud environment at scale with a combination of proactive infrastructure and OS monitoring, auto remediation of alerts, cost optimization, and ongoing governance. Visit the AWS Managed Services product page for more information.