How to Secure Your AWS Environment: The Basics
Erik Rush | May 27, 2021
Questions about the inherent security of the public cloud have dwindled as organizations of all sizes continue to adopt cloud solutions at a dizzying pace. Still, with more companies relying on services like AWS, and with cloud environments growing more complex, it is critical that organizations develop comprehensive security strategies that build in security from the beginning and scale it as their infrastructures evolve.
While measures to improve transparency in the public cloud have helped reassure administrators and security professionals about running production workloads on cloud platforms, the shared responsibility model still requires vigilance: AWS secures the underlying infrastructure, but what you build on it, and who can reach it, remains your job. Here, we will examine four areas that can be addressed from the ground up to help secure your AWS environment.
Refine Your Control Model
Even with the shared responsibility model in place, you still need the right controls on your side of the line. Controls focused on logging and identity and access management (IAM) give you both authority over and insight into workload security. Even with a trusted cloud provider, access controls are essential because they let you enforce rules and policies tailored to your business. AWS is generally regarded as following industry best practices, but there will be areas where it is prudent to tighten the defaults to suit your situation.
In other words, if you don’t have the proper IAM controls in place, there’s no time like the present to add this layer of security.
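As an added illustration (this code is not from the original article), here is a small Python linter over IAM policy documents that flags the grants a control-model review should question: wildcard actions, service-wide wildcards, `Resource: "*"` on mutating actions, and IAM/STS/KMS/Organizations access that is not gated on MFA. It also shows the same intent rewritten as a tightened policy. Both policy documents are constructed samples; the account ID and bucket name are placeholders.

```python
"""Added example, not part of the original article: lint an IAM policy
document for grants a least-privilege review should question."""
import json

# Constructed sample: a broad policy of the kind that lingers after a
# migration. Account ID and bucket name are placeholders.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TempAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Ops", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
})

# The same intent scoped down: explicit actions, explicit resources, and the
# identity-management statement gated on MFA.
TIGHTENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Ops", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RotateOwnKeys", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Services whose APIs can grant or escalate access; allow them only with MFA.
SENSITIVE_SERVICES = {"iam", "sts", "organizations", "kms"}
READ_ONLY_PREFIXES = ("get", "list", "describe")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    name = action.split(":", 1)[-1].lower()
    return name.startswith(READ_ONLY_PREFIXES)


def _has_mfa_condition(stmt):
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(value).lower() == "true":
            return True
    return False


def lint_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that grant more than a
    least-privilege review would accept. An empty list means nothing flagged."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows everything except the listed actions"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API call in every service"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, f"{action} grants every API call in that service"))
        mutating = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and mutating:
            findings.append((sid, f"Resource '*' combined with mutating actions {mutating}"))
        services = {"*"} if "*" in actions else {a.split(":", 1)[0].lower() for a in actions}
        if ("*" in services or services & SENSITIVE_SERVICES) and not _has_mfa_condition(stmt):
            findings.append((sid, "reaches identity or key-management APIs with no MFA condition"))
    return findings


if __name__ == "__main__":
    for label, policy in (("broad", OVERLY_BROAD_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(f"{label}: {len(lint_policy(policy))} finding(s)")
        for sid, finding in lint_policy(policy):
            print(f"  [{sid}] {finding}")
```

To run it against a real account, feed `lint_policy` the `Document` field returned by `aws iam get-policy-version` for managed policies, or the `PolicyDocument` from `aws iam get-user-policy` / `get-role-policy` for inline ones. The linter is deliberately conservative: it only reads Allow statements and ignores Deny, so a flagged statement may be narrowed by a Deny elsewhere, but a clean result is still a useful first gate before a deeper review.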
IDC… Identify, Define, and Categorize Assets
In an earlier resource in this space, we discussed how some organizations put tools and controls in place first and then craft a security strategy around them, when the reverse is the more practical route. Asset identification is the heart of that argument. The first step when implementing AWS security best practices should be identifying all of the information assets you need to protect, then defining an efficient, cost-effective approach to securing them from threats.
Some recommendations for categorizing assets include:
- Essential information assets (e.g., business-related information, internal specific processes and other data from strategic activities)
- Supporting components and elements (e.g., hardware infrastructure, software packages, personnel data and partnerships)
Engage Native AWS Security Services
When integrating additional services or migrating new workloads into your deployment, it is prudent to use the security tools AWS provides. When a development team deploys a workload, the cloud provider does not automatically protect that application from every external threat (e.g., larger or application-layer DDoS attacks). For DDoS specifically, AWS Shield Standard is applied to every account at no extra charge, while AWS WAF and Shield Advanced must be deliberately configured for the workloads that need them. Even with the AWS infrastructure functioning properly, such attacks can degrade workload performance or leave it unavailable, stopping an IT team in its tracks and wasting resources.
Engage Multi-factor Authentication on the Root Account
The root user of an AWS account has unrestricted access to every resource in that account. Multi-factor authentication adds a layer of protection that makes unauthorized access far harder, though it does not eliminate it. The safest practice is a dedicated hardware MFA device rather than a virtual MFA app on a phone. The dedicated device should be kept in a restricted location, with alerts that notify you of attempts to remove it. When a mobile phone is used to generate one-time passwords, theft of the phone can compromise access to the root account.
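As an added example (not from the original article), the following Python checks the IAM credential report for the root-user conditions this section warns about. The report text is a constructed sample laid out like the real report; the real one comes from `aws iam get-credential-report --query Content --output text | base64 -d`. The account ID, user names and timestamps are placeholders. The script also flags root access keys, which goes one step beyond the article: AWS's own guidance is that the root user should have no long-lived keys at all.

```python
"""Added example, not part of the original article: check the IAM credential
report for a root user without MFA or with active access keys."""
import csv
import io
import sys

# Constructed sample in the real credential-report column layout. Produce the
# real thing with:
#   aws iam get-credential-report --query Content --output text | base64 -d
# Account ID, user names and timestamps are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-04T10:11:12+00:00,not_supported,2021-05-20T08:00:00+00:00,not_supported,not_supported,false,true,2019-03-04T10:11:12+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-01-15T09:00:00+00:00,true,2021-05-26T14:30:00+00:00,2021-01-10T09:00:00+00:00,2021-04-10T09:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-06-01T12:00:00+00:00,true,2021-05-25T10:00:00+00:00,2020-06-01T12:00:00+00:00,2020-09-01T12:00:00+00:00,false,true,2020-06-01T12:00:00+00:00,2021-05-26T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"


def _rows(report_csv):
    """Parse the CSV report into one dict per principal, header-keyed."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def root_findings(report_csv):
    """Findings for the <root_account> row: MFA missing, or long-lived access
    keys present. Returns an empty list when root is in the expected state."""
    root = next((r for r in _rows(report_csv) if r["user"] == ROOT_USER), None)
    if root is None:
        return ["no <root_account> row: report is incomplete"]
    findings = []
    if root["mfa_active"].lower() != "true":
        findings.append("root user has no MFA device enabled")
    for key in ("access_key_1_active", "access_key_2_active"):
        if root.get(key, "").lower() == "true":
            findings.append(f"root user has an active access key ({key})")
    return findings


def users_without_mfa(report_csv):
    """IAM users with a console password but no MFA, in report order."""
    return [r["user"] for r in _rows(report_csv)
            if r["user"] != ROOT_USER
            and r["password_enabled"].lower() == "true"
            and r["mfa_active"].lower() != "true"]


if __name__ == "__main__":
    # Pass a decoded report file as the first argument, or run on the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for finding in root_findings(report):
        print("ROOT:", finding)
    for user in users_without_mfa(report):
        print("NO MFA:", user)
```

One caveat the report cannot answer: `mfa_active` says whether any MFA is enabled, not whether it is the dedicated hardware device recommended above. `aws iam list-virtual-mfa-devices --assignment-status Assigned` lists the virtual (app-based) devices together with the ARN of the user they are assigned to, so if the root ARN appears in that output, the root MFA is a phone app rather than a hardware token.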
Order of the Cipher is an Amazon Web Services (AWS) training company and a novel approach to cybersecurity training that combines theatrical presentation with proven teaching techniques. We’ve mastered Amazon Web Services, and we’ve perfected how to showcase the versatility and capability of AWS technology in a manner that provides real-world immersion experiences that prepare students to expertly navigate the AWS ecosystem.