3 Things You Can Do to Improve Your AWS Security Posture

In this post we take a look at three popular choices for helping to secure your AWS setup. Read on for more details!

By Pete Cheslock · Nov. 12, 16 · Tutorial

There’s no question that Amazon Web Services is an incredibly powerful and secure cloud services platform for delivering all sorts of software applications. AWS offers an extensive number of products and services for creating a scalable, reliable, and flexible architecture that meets the unique needs of your development. However, it can be difficult to know how to approach securing your AWS infrastructure. We can’t cover all of those products here, so we’ll look at the security benefits of three of our favorites, just to get you started.

CloudTrail

CloudTrail gathers information about API calls for your account (such as the caller, time, and source IP address of the call as well as request and response information about the API call), and drops it all into an S3 bucket so you can access it later on for security tracking, incident response, and compliance auditing. And by the way, CloudTrail encrypts all of this data by default. Amazon even provides a free tier of CloudTrail that currently enables you to look up events over the previous seven days in each region.

Here’s an example of how we use CloudTrail at Threat Stack. We raise an alert whenever a Route53 DNS change occurs in our production environment. The change may well be an expected action, but CloudTrail captures the API call and Threat Stack quickly alerts us that it’s happening.
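To show what that alert looks like as detection logic, here is an added example (not Threat Stack’s code) that scans the records of a CloudTrail log file, as CloudTrail delivers them to S3, and flags DNS-changing Route 53 calls against hosted zones you designate as production. The sample records, the zone ids and the user names are constructed for this example; the production zone set is an assumption you would fill in from your own account.

```python
import json

# Constructed sample CloudTrail records (field names follow the CloudTrail
# record format; the values, zone ids and users are made up for this example).
SAMPLE_RECORDS = [
    {"eventTime": "2016-11-12T10:00:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"hostedZoneId": "ZPRODEXAMPLE", "changeBatch": {"changes": [
         {"action": "UPSERT", "resourceRecordSet": {"name": "api.example.com.", "type": "A"}}]}}},
    {"eventTime": "2016-11-12T10:01:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ListHostedZones", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": None},
    {"eventTime": "2016-11-12T10:02:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied",
     "requestParameters": {"hostedZoneId": "ZPRODEXAMPLE"}},
    {"eventTime": "2016-11-12T10:03:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"hostedZoneId": "ZSTAGINGEXAMPLE", "changeBatch": {"changes": []}}},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})  # shape of one CloudTrail file in S3

# Assumed: the hosted zone ids that belong to your production environment.
PRODUCTION_ZONES = {"ZPRODEXAMPLE"}
# Route 53 calls that change DNS state; read-only List*/Get* calls are ignored.
MUTATING_CALLS = {"ChangeResourceRecordSets", "CreateHostedZone", "DeleteHostedZone"}


def route53_change_alerts(log_text, production_zones=PRODUCTION_ZONES):
    """Return one alert dict per DNS-changing call aimed at a production zone."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "route53.amazonaws.com":
            continue
        if rec.get("eventName") not in MUTATING_CALLS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("hostedZoneId") not in production_zones:
            continue
        changes = (params.get("changeBatch") or {}).get("changes") or []
        alerts.append({
            "time": rec["eventTime"],
            "user": rec.get("userIdentity", {}).get("userName", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "call": rec["eventName"],
            # A denied attempt is still worth an alert: someone tried.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
            "records": [f'{c["action"]} {c["resourceRecordSet"]["name"]} '
                        f'{c["resourceRecordSet"]["type"]}' for c in changes],
        })
    return alerts


if __name__ == "__main__":
    for a in route53_change_alerts(SAMPLE_LOG):
        print(f"ALERT Route53 {a['call']} {a['outcome']} by {a['user']} "
              f"from {a['source_ip']} at {a['time']}: {a['records']}")
```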

EBS Encryption

EBS stands for Elastic Block Store and is used to store persistent data for your EC2 instances. Think of it as hard drives attached to your EC2 instance. EBS differs from S3 in that it can only be used in conjunction with EC2. The huge upside to EBS encryption is that you can turn it on with no performance penalty, and enabling it only requires selecting a checkbox. If anyone ever gets hold of your previously used volumes, they have no way to read any of the data on them.

Enable IAM With STS

IAM is Identity and Access Management, and STS is Amazon’s Security Token Service. STS allows you to request temporary, privilege-limited IAM credentials for users. While this is a bit trickier to set up than the previous two features, it’s worth it. By using STS, you can protect your users’ access key IDs and secret access keys with two-factor authentication. Instead of giving your users access keys with long-lived permissions, they authenticate to the Amazon IAM API with their keys AND their two-factor device. The IAM API then responds with a set of keys that give the user access for the next hour, after which the keys become invalid. IAM supports shorter lifetimes for the keys as well; the minimum is 15 minutes, and the maximum (and default) is one hour. While this isn’t a silver bullet for solving the problem of access key loss, it can dramatically improve your ability to contain any access key leak and ensures that time-limited access sits behind two-factor devices.
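The exchange described above, as an added example that is not part of the original post: a user’s long-lived keys plus the current MFA code are traded for temporary keys via STS GetSessionToken, the request is validated against the 15-minute-to-one-hour window the post gives, and the result is written out as a credentials profile. The STS client is injected so a stand-in object can be used offline; the profile name, the MFA device serial format and the `boto3` call in the `__main__` block are assumptions.

```python
import configparser
import io
import re

# Lifetime window as stated in the post: 15 minutes minimum, one hour maximum/default.
MIN_DURATION = 15 * 60
MAX_DURATION = 60 * 60


def session_token_request(mfa_serial, token_code, duration_seconds=MAX_DURATION):
    """Build the keyword arguments for sts.get_session_token, rejecting bad input early."""
    if not (MIN_DURATION <= duration_seconds <= MAX_DURATION):
        raise ValueError(f"duration must be {MIN_DURATION}-{MAX_DURATION} seconds")
    # Assumed format: a virtual MFA device ARN or a hardware device serial number.
    if not re.fullmatch(r"arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+|[A-Za-z0-9]+", mfa_serial):
        raise ValueError("mfa_serial must be an MFA device ARN or hardware serial")
    if not re.fullmatch(r"\d{6}", token_code):
        raise ValueError("token_code must be the six digits shown on the MFA device")
    return {"DurationSeconds": duration_seconds, "SerialNumber": mfa_serial,
            "TokenCode": token_code}


def fetch_temporary_credentials(sts_client, mfa_serial, token_code,
                                duration_seconds=MAX_DURATION):
    """Exchange long-lived keys plus an MFA code for time-limited keys.

    sts_client is any object with a boto3-style get_session_token(**kwargs)
    method, so a fake client can stand in for AWS when running offline."""
    request = session_token_request(mfa_serial, token_code, duration_seconds)
    return sts_client.get_session_token(**request)["Credentials"]


def credentials_profile(creds, profile="mfa"):
    """Render the temporary keys as an ~/.aws/credentials section (profile name assumed)."""
    expiry = creds["Expiration"]
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        # Recorded so tooling can tell when this profile has gone stale.
        "expiration": expiry.isoformat() if hasattr(expiry, "isoformat") else str(expiry),
    }
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    import sys
    import boto3  # real call; needs the user's long-lived keys configured locally
    serial, code = sys.argv[1], sys.argv[2]
    print(credentials_profile(fetch_temporary_credentials(boto3.client("sts"), serial, code)))
```

Pair this with an IAM policy that grants the user’s permissions only under the `aws:MultiFactorAuthPresent` condition, so the long-lived keys on their own can do nothing beyond calling GetSessionToken.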

Wrapping It Up

A huge number of variables can come into consideration when you’re planning to add security to your AWS account, and even expert practitioners can become a little overwhelmed by the possibilities. We hope the examples discussed in this post will help you cut through some of the complexity and enable you to strengthen your security posture with minimal effort.


Published at DZone with permission of Pete Cheslock. See the original article here.