Best Practice CIS Amazon Web Services Foundations Security Requirements
With AWS, you have complete control over how you secure your cloud ecosystem.
Join the DZone community and get the full member experience.Join For Free
This post was originally published here.
The Amazon Web Services or AWS suite remains one of the most popular cloud computing services on the market. For everything from setting up an EC2 server and optimizing the flexibility of Amazon’s storage options to the numerous other features integrated into the AWS ecosystem, all are designed to maximize performance for the many different types of users that take advantage of AWS’ myriad forms of usability. The inexpensive nature of the pay-as-you-use AWS model along with its mass of resources and performance scalability certainly make the suite appealing for a wide range of users.
With AWS, you have complete control over how you configure your cloud ecosystem. This is a great thing in many ways. You can configure the AWS environment to suit a specific app or web service as easily as you can set up a full web hosting service in the same environment. There is also an integrated AWS Marketplace offering unique access to software and solutions by third-party providers.
As with all Cloud-based environments, the security aspect of your setup is crucial. AWS data centers and Amazon’s own network architecture are designed with security in mind from the start, leaving you to weave security into the server setup yourself. Fortunately, Amazon has a set of best practices — outlined in conjunction with the Center for Internet Security or CIS — that you can follow.
The CIS Amazon Web Services Foundations Benchmark
The Amazon Web Services Foundations Benchmark from CIS, as the name sug gests, is a series of guidelines that is unique in the way it is created. Rather than taking a more limited approach and seeing AWS from one point of view, the CIS AWS Foundations Benchmark is the result of a consensus. It is a comprehensive set of security guidelines that will work for a wide range of implementations.
For starters, the security guidelines from CIS are widely accepted by governments, businesses, various industries, as well as universities and research facilities. The guidelines are not only accepted by organizations in various fields — these same organizations helped define the guidelines to make it as comprehensive as possible.
At the same time, the CIS AWS Foundations Benchmark is also easy to follow. Every security aspect of using AWS is divided into sections — the CIS matrix, which we will discuss later in this article — with each section containing detailed guides on how to achieve maximum security as defined by CIS’s requirements.
Here’s another great thing about the security guidelines from CIS: it is absolutely free. The complete CIS AWS Foundations Benchmark is available for download from the Center of Internet Security website here.
The Benefits Of Using CIS AWS Foundations Benchmark
Before we start discussing the CIS matrix itself, it is important to understand why the CIS AWS Foundations Benchmark is very useful to those who use the AWS ecosystem. The security guidelines included in the Benchmark bring a number of benefits that you don’t want to miss out on.
First of all, the CIS Benchmark is designed to be a concise and clear step-by-step guide that any AWS user can follow easily. You don’t have to be a security expert to use the CIS AWS Foundations Benchmark as a guide for securing your AWS setup better.
The guide also aims for the highest security standards. No, these are not basic security measures you deploy to get started. It is actually a set of industry-accepted rules and top-level security best practices that even the most established corporations now use.
In addition, the CIS AWS Foundations Benchmark goes beyond the basic security measures already implemented by Amazon. Products such as the Amazon VPC and EC2 come with built-in security features that go hand in hand with the measures you will find in this Benchmark.
On top of all this, there is also the fact that the Benchmark is widely used and easy to audit. The best security vendors use the same guidelines as standard ones. Both the PCI 3.1 and FedRAMP also reference this Benchmark as a model to follow.
Identity and Access Management
As mentioned before, the process of following the CIS AWS Foundations Benchmark to secure your AWS setup is straightforward. You are guided through the steps of securing different parts of your AWS environment, starting with the first section: Identity and Access Management or IAM.
Some practices are pretty basic, such as removing the use of a Root account for most operations. Rather than using a Root account directly, it is much more secure to manage identities and access in a more meticulous way. On a server level, this is the equivalent of setting up a user and giving that user a Sudo credential. Amazon IAM lets you create users and manage their access levels accordingly.
Next, you want to activate multi-factor authentication (MFA) for all IAM users that use passwords to secure their accounts. MFA adds extra layers of security to user login and access to the AWS environment, reducing the risk of unauthorized access by a substantial margin. This measure is further strengthened by rotating access keys every 90 days or less and disabling unused credentials after 90 days.
The CIS AWS Foundations Benchmark also contains a list of policies for a strong password. Information entropy, quantified in bits, is a strong measure for passwords. Adding one bit of entropy to a password makes it twice as strong by increasing the number of guesses required to crack it — making a hacker’s work twice as difficult.
The access key for the Root account should be disabled completely, and the MFA feature needs to be activated for the account as well for maximum security.
As an added measure, it is necessary to set up a security question for registered IAM accounts, particularly the Root account. As the administrator of the ecosystem, you can safely recover the Root account of the AWS setup by setting up security questions with unique answers.
The CIS AWS Foundations Benchmark does not stop there. It also guides you towards setting up other security measures, including:
- Managing users and access policies in IAM user groups and roles
- Maintaining up-to-date contact details
- Registering security contact information
- Using instance roles rather than a permanent assignment for EC2 instances and applications
- Creating a support role for dealing with security incidents
- Skipping the creation of access keys when setting up password-enabled users
- Avoiding the use of full “:*” administrative privileges.
The next part the CIS AWS Foundations Benchmark focuses on is logging. Logging is a crucial part of information security, which is why following the logging best practices when setting up your AWS environment is a must.
Amazon has a comprehensive logging and audit tool known as AWS CloudTrail. The tool is responsible for aspects such as management, compliance, operational and risk audits, and other evaluative functions. For these multiple reasons, the guideline recommends enabling AWS CloudTrail from the start. Once activated, you also need to make sure that the CloudTrail log file validation is also enabled.
You can further secure your log files and boost the environment’s ability to keep track of any activity by using Amazon S3 to store log files; the S3 bucket used for this purpose is configured to be privately accessible only. When you use S3 buckets to store data, you also want to activate CloudTrail for each of the S3 buckets you utilize.
As an added layer, the guideline also recommends activating Amazon CloudWatch. Unlike CloudTrail, CloudWatch handles more of the monitoring tasks while also acting as a management service. These two tools, when integrated properly, give you all the insights you will ever need at any point.
Last but not least, you need to encrypt CloudTrail logs using AWS Key Management Service (AWS KMS) Custom Master Keys (CMKs). Implementing protection using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS) prevents uploads of unencrypted objects to your S3 buckets, which means you can rest assured knowing that the integrity of the log files is always managed. Regularly rotating the CMKs and activating logging on all Virtual Private Clouds (VPCs) completes the set for logging best practices.
The monitoring section of the CIS AWS Foundations Benchmark involves setting up a series of log metric filters and alarms. The purpose of these alarms, naturally, is to notify server admins about potential issues in real-time. With the alarms in place, you can better manage your AWS environment and react to server anomalies quickly — before they turn into a serious problem.
The log metric filters and alarms you need to establish are for:
- Unauthorized API calls, which would reveal potential application errors as well
- AWS Management console sign-in without MFA
- Usage of the root account, which is avoided in the previous step of IAM security setup
- IAM policy changes
- CloudTrail configuration changes
- Management Console authentication failures, which will also help prevent brute-force attacks
- Disabling and the scheduled deletion of customer-created CMKs, acting mostly as a reminder to rotate your CMKs and to prevent data from being stored without proper encryption
- S3 bucket policy changes
- Security group changes
- Changes to the Network Access Control Lists or Network ACLs, which will also prevent unintended exposure of AWS resources and services to certain risks
- Changes to network gateways
- Route table changes, and
- VPC changes
The complete set of alarms is designed to help you mitigate risks early. When configured correctly, you can also stop problems early and maintain the smooth operations of your AWS setup with ease.
The last part of the equation is networking. Just like with any other server setup, you want your server network to be fortified and for the server exposure to risks to be minimized. The process begins by adding a rule that restricts access SSH (port 22) to a single IP address like 184.108.40.206/32; the rule should never be 0.0.0.0/0 — which will allow every IP access.
The same unrestricted access to port 3389 should also be removed from the security group policies. 3389, as you know, is the port used for RDP and similar remote console services.
Change the default rule for VPC instances to Deny. This will restrict all traffic to your VPCs as the default configuration. You can then manually grant access to security groups and for other purposes in the development process. Lastly, set the routing tables for VPC peering to “Least Access” and you are all set.
By going through the CIS AWS Foundations Benchmark step by step, you are implementing the information and server security best practices. It is a standard that will ensure the safety and smooth operations of your AWS instance. Besides, the guidelines are very easy to follow, even when you are not a security expert. There is no reason not to follow these best practices and achieve a high-performance security level—every developer’s ideal.
Published at DZone with permission of Kiran Sangeetam. See the original article here.
Opinions expressed by DZone contributors are their own.