How to Secure Your Information on AWS: 10 Best Practices

About one in three organizations that leverage cloud service providers (CSPs) use Amazon Web Services (AWS), according to November 2024 research from Synergy Research Group. This means two things. One is that when attackers are looking to get the most out of a single exploit, they will likely craft them to target AWS systems. And two, that AWS data security best practices are a timely topic for a wide range of today's organizations.

AWS Data Security Threats

Unsecured S3 buckets

Organizations oftentimes overlook infrastructure-as-a-service (IaaS) systems like AWS, leading to undiscovered misconfigurations and vulnerabilities. And sometimes the problem is hidden in plain sight. One attack that received recent attention was known as "Bucket Monopoly," a method that allows attackers to compromise a large amount of S3 buckets in a single sweep. S3 buckets are containers for holding assets in AWS (objects, images, and both structured and unstructured data), much like file folders.

The error? Lead researcher for Aqua, Yakir Kadkoda, explained in Dark Reading: Up until 'Bucket Monopoly' was discovered, often "the only thing that an attacker need[ed] to know about an organization [was] their public account ID for AWS, which is not considered sensitive data right now." Bucket numbers have since been customized and not created by default, though they are still public – something which Kadkoda and fellow researchers still argue against.

DDoS attacks

In February 2020, Amazon Web Services (AWS) successfully mitigated a significant Distributed Denial-of-Service (DDoS) attack that peaked at 2.3 terabits per second (TB/s). This attack, targeting an undisclosed AWS customer, is considered one of the largest DDoS attacks to date.

The incident exploited the Connectionless Lightweight Directory Access Protocol (CLDAP) to amplify traffic, a technique that can increase the volume of malicious traffic by a factor of 56 to 70 times. While AWS's robust security measures effectively mitigated the attack, they underscore the persistent and evolving nature of DDoS threats on public cloud service platforms like AWS.

Ransomware

As recently as mid-January, researchers at Halcyon warned about a new ransomware attack method that uses Amazon's own encryption against it. Notes the report: "Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS's secure encryption infrastructure. Once encrypted, recovery is impossible without the attacker's key." Frustratingly, the attack doesn't even require threat actors to probe an AWS vulnerability; only gain illicit access to an AWS account holder's credentials.

Understanding the Shared Responsibility Model

The AWS platform itself has strong security thanks to extensive investments by Amazon. Even then, the strongest defenses are vulnerable to attack by resourceful bad actors. This is the purpose behind the Shared Responsibility Model, a standard adopted by major CSPs. The Shared Responsibility model outlines that:

• CSPs are responsible for the security of the cloud. Under the AWS Shared Responsibility Model, Amazon is responsible for cloud infrastructure, including hosting facilities, hardware, and software. Amazon's responsibility includes protection against intrusion and detecting fraud and abuse.
• CSP customers are responsible for the security of what's in it. The AWS Shared Responsibility Model states that the customer, in turn, is responsible for the organization's own content hosted within AWS, applications using AWS, and identity access management, as well as its internal infrastructure, like firewalls and networks.

This means that AWS customers need a firm grasp of their cybersecurity responsibilities under the Model and a firm idea of how to execute them. Enter: AWS data security best practices.

AWS Data Security Best Practices

Now that we understand the shared responsibility model let's zero in and see what organizations can do to fulfill their responsibility for security "in" the cloud. These AWS data security best practices can serve as a starting point:

1. Activate CloudTrail across all AWS accounts. Turn on CloudTrail log file validation to detect any unauthorized alterations after delivery to Amazon S3.  Activating Cloud Trail captures API call history, providing visibility into resource changes like API usage and user activity. CloudTrail provides teams with increased ability to audit, govern, maintain compliance, and oversee operations within their AWS environment, boosting their ability to proactively implement security best practices and see threats on the horizon ahead.
2. Enable CloudTrail S3 bucket access logging. Record and save information about requests made to your Amazon S3 bucket. Capture information on all requests made, such as PUT, GET, and DELETE to help spot signs of unauthorized access and maintain compliance with data privacy and security standards.
3. Restrict access to the CloudTrail bucket logs and use multi-factor authentication for bucket deletion. Unrestricted access, even to administrators, increases the risk of unauthorized access in case of stolen credentials following a phishing attack. If the AWS account becomes compromised, multi-factor authentication will make it more difficult for hackers to delete evidence of their actions and so conceal their presence.
4. Enable flow logging for Virtual Private Cloud (VPC). Get deep visibility into network traffic and monitor network traffic that crosses the Amazon Virtual Private Cloud (VPC). VPC flow logging insights will help you spot anomalous activity (like unusually high levels of data transfers), troubleshoot connectivity issues, monitor performance, and optimize network usage. Get access to data like:

• Source/destination IPs
• Ports and protocols
• Traffic volume across multiple network interfaces

5. Restrict access to commonly used ports, such as FTP, MongoDB, MSSQL, SMTP, etc., to required entities only.
6. Utilize identity and access management (IAM) policies to provision access to groups or roles. By attaching the IAM policies to groups or roles instead of individual users, you minimize the risk of unintentionally giving excessive permissions and privileges to a user while simultaneously improving the efficiency of permission management.
7. Don't use access keys with root accounts. Doing so can easily compromise the account and open access to all AWS services in the event of a lost or stolen key. Create role-based accounts instead and avoid using root user accounts altogether.
8. Regularly rotate IAM access keys. Setting a standard password expiration policy helps prevent access due to a lost or stolen key.
9. Terminate unused keys and disable inactive users and accounts. Both unused access keys and inactive accounts increase the threat surface and the risk of compromise.
10. Encrypt log files at rest. Only users who have permission to access the S3 buckets with the logs should have decryption permission in addition to access to the CloudTrail logs.

AWS will continue to be a high-value target for attackers so long as it remains a prominent player in the public cloud space. By implementing key AWS data security best practices, customers can bolster Amazon's external cloud security provisions with their own internal security controls. Fortra VM can help organizations scour cloud resources for vulnerabilities, prioritize fixes, and establish a pattern of vulnerability management that can make them less exposed targets for AWS-centered attacks. 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.