Data Governance for the Multi-Public Cloud: Top 10 AWS Best Practices
This article discusses the need for data governance for the multi-public cloud by outlining the top 10 AWS best practices that organizations should implement.
“Cloud computing offers individuals access to data and applications from nearly any point of access to the Internet, offers businesses a whole new way to cut costs for technical infrastructure, and offers big computer companies a potentially giant market for hardware and services.” – Jamais Cascio
Over the past few years, companies have been shifting their data and applications to the cloud on a massive scale, which has created a whole community of data users. They are encouraged to capture, gather, analyze, and store data for business insights and decision-making. As more organizations move towards multi-cloud, securing that data and preventing its loss has become harder. Managing security policies, rules, metadata details, and content traits is therefore becoming critical in the multi-cloud. Enterprises are accordingly looking for expertise and cloud tool vendors that can deliver the fundamental cloud security data governance competencies well.
“A well-designed data governance program provides the right ownership and accountability model to get to the root cause and resolution of data issues.” – Allison Sagraves, Chief Data Officer, M and T Bank
Let’s dive into the best practices that cloud vendors offer to shield your data.
Start by building policies and writing them as code, or as scripts that can be executed. This requires compliance and cloud security experts working together to build a framework for your complex business. You cannot start from scratch: it will be error-prone and will take too long. Instead, invest in some cloud security tools, then build your processes and policies on top of them so that they run at scale and meet or exceed your compliance and governance requirements.
The key areas for governance are noted above. Visibility means not only understanding your inventory of assets, which changes by the minute, but at the same time understanding the risk rating of each asset and prioritizing remediation accordingly. Again, you will need to invest in some commercial tools that can provide this. Risk analysis and constant monitoring of whether security policies are actually being enforced is not a simple task with home-built scripts.
We also recommend starting with the tools of your security vendor of choice. The matrix above lists the tools you need to run to manage your security and governance program. You either build all the integrations between these tools yourself or invest in some third-party tools. At some point you need a “holistic” view of security, or context around a specific alert, so that you can prioritize; otherwise it is just a lot of noise. Note that none of the cloud vendors offer a holistic risk management tool. For example, they will not tell you that a root admin account without MFA is a high risk that should be remediated. This is where commercial tools come into play.
Hence, as the chart above shows, you need a data collection process to drive security posture and to understand the overall risk across your enterprise portfolio of applications and web services. The chart describes how you can achieve this.
Bottom line: your team should be able to produce a report such as the one above to demonstrate what the overall risk posture looks like against each regulation. Whether it is GDPR or NIST, a report like this is what your team needs in order to defend its work.
Top 10 Security Control Best Practices for AWS
Mitigate Data Breaching Risks by Employing NIST Framework
NIST publishes a series of documents, and each one is designed for a specific function. This cybersecurity framework provides increased security for critical programs and valuable assets.
Each NIST publication covers a particular function. For instance, NIST SP 800-37 helps drive continuous monitoring through controls, supporting risk management in real time. The NIST SP 800 series contains several further sets of sub-clauses, and NIST SP 800-53 defines a framework of security controls that is in high demand for federal systems.
Get Rid of Malicious Activities With IAM Controls
Enabled root access keys are not controlled and thus serve as gateways for attackers to reach your real asset: data.
Enabled root access keys are the gateways that allow an attacker to take over your entire system, which makes them very dangerous. Since root keys cannot be restricted, create users with admin rights through IAM controls instead. Meanwhile, an up-to-date billing contact is all you need in order to recover your account.
Set Robust Policies and Passwords
Control your users’ access to AWS resources and services securely with AWS IAM, i.e. Identity and Access Management, and keep your data protected.
Identity and Access Management lets organizations create AWS groups and users and grant or deny them access to AWS resources. Failing to build strong passwords and policies is a red flag: it enlarges the footprint available to attackers.
Confirm Access Logging Is Enabled on the CloudTrail S3 Bucket
Maintaining access records, enforcing user rules, and tracking access requests are not an uphill battle once an organization commits to using an Amazon S3 bucket for its logs. However, keep in mind that the logging settings must be limited to the relevant Amazon S3 bucket.
Organizations store their CloudTrail logs in an Amazon S3 bucket, and those logs record every activity that affects or touches CloudTrail. The logging settings are restricted to the relevant Amazon S3 bucket, which allows the organization to keep track of access requests to it.
</gre_replace>
<gr_replace lines="30-31" cat="clarify" orig="An extra security layer">
Multifactor Authentication adds an extra security layer: it demands not only a username and password but something unique to the user as well.
Whether you rely on Google Authenticator or another second factor beyond the password, turn on Multifactor Authentication for every admin account you have. Enabled MFA also carries significant weight with compliance regulations.
Build Powerful Security by Enabling Multifactor Authentication
An extra security layer – Multifactor Authentication demands not only a username or password but unique features for users as well.
While google authenticator limits you for password processes, turn on Multifactor Authentication for each admin accounts that you have. Besides, talking about compliance regulations so these turned-on Multifactor Authentications hold higher significance.
Heads-Up to Bastion Login for Every Availability Zone
A Bastion host, also known as a “jump server,” is a separate EC2 instance that runs within a Virtual Private Cloud and is peered with the networks it protects.
A secured Bastion login provides SSH (Secure Shell) access to Amazon EC2 instances for troubleshooting and systems work. Replicating this setup in every Availability Zone is vital because it narrows the blast radius.
Prevent Lambda Function From Accessing Account Tables
AWS Lambda is a serverless compute service that runs functions in response to events and alerts, and those functions have access to your cloud resources.
Organizations should give each Lambda function a single, dedicated IAM role to keep tight control over its blast radius. The thing to remember is that a Lambda function should not be able to access account tables while it is serving users.
SES Assists Organizations in Tracking Configuration – Go for It
Amazon SES is an email service and one of the oldest services that many enterprises use heavily. If it is exposed, anyone can impersonate you in email communication, so close off cross-account access.
Plenty of spoofing happens with Simple Email Service even though its resources are not open to the public. That is why its configuration must be set appropriately, tracked, and monitored continuously.
Ease the Path to Data Security With CIS
CIS benchmarks are consensus-based and are developed by the non-profit Center for Internet Security. They are vital for improving security posture and shielding private and public organizations from cybersecurity threats.
Enforcing a policy that no root user account may have MFA turned off can be overwhelming for an organization. This is where CIS comes into action: it checks that multi-factor authentication is on for every root user account, and its benchmarks detect violations in real time. With this, companies get an overview of risk levels and changes.
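The root access key, root MFA, and admin MFA checks called for in the IAM, MFA, and CIS sections above, as an added example that is not part of the original article. It reads a constructed sample in the layout (and column names) of an IAM credential report; the account ID and user names are made up.

```python
import csv
import io

# Constructed sample using a subset of the IAM credential report columns;
# not data from any real account.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,true,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
"""


def _flag(value):
    """Credential report booleans are the strings 'true' / 'false'."""
    return value.strip().lower() == "true"


def audit_credential_report(report_csv):
    """Return (principal, finding) pairs for: active root access keys,
    root without MFA, and console (password-enabled) users without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        keys_active = (_flag(row["access_key_1_active"])
                       or _flag(row["access_key_2_active"]))
        if name == "<root_account>":
            if keys_active:
                findings.append((name, "root access key is active"))
            if not _flag(row["mfa_active"]):
                findings.append((name, "root account has no MFA"))
            continue
        # Users with console passwords should all have a second factor;
        # key-only service users are reported by other checks.
        if _flag(row["password_enabled"]) and not _flag(row["mfa_active"]):
            findings.append((name, "console user has no MFA"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{principal}: {finding}")
```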
Shielding Your S3 Buckets Is Mandatory
Amazon S3 is, basically, object storage. It is designed not only to store data but to retrieve it from anywhere: websites, corporate applications, mobile apps, and IoT devices or sensors.
Organizations get exposed when a third party can pull the data you put in S3 buckets. Securing your S3 buckets is a no-brainer when you have these practices in hand:
- Check the bucket access control lists daily
- Find API keys that open S3 buckets
- Keep a watch on all grantees, including Authenticated Users
- Keep track of unauthorized access
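A check for the grantee item in the list above, as an added example that is not part of the original article: it walks the grants of a bucket ACL and flags the two global group grantees (AllUsers and AuthenticatedUsers) that open a bucket to the public or to any AWS account. The ACL is a constructed sample in the shape of an S3 GetBucketAcl response; the owner ID is a placeholder.

```python
import json

# Well-known S3 ACL group URIs; a grant to either one is a public-exposure risk.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample ACL (GetBucketAcl JSON shape), not from a real bucket.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id-PLACEHOLDER"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}
  ]
}""")


def risky_grants(acl):
    """Return (audience, permission) pairs for every grant to a global group.
    'public' means anyone on the Internet; 'any-aws-account' means any
    signed-in AWS principal, which is effectively just as exposed."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one account
        uri = grantee.get("URI", "")
        permission = grant.get("Permission")
        if uri == ALL_USERS:
            findings.append(("public", permission))
        elif uri == AUTH_USERS:
            findings.append(("any-aws-account", permission))
    return findings


if __name__ == "__main__":
    for audience, permission in risky_grants(SAMPLE_ACL):
        print(f"bucket grants {permission} to {audience}")
```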
Use CloudTrail and CloudWatch Alarms Together
AWS CloudTrail enables compliance, governance, risk, and operational auditing for your AWS account, while a CloudWatch alarm lets a company watch metrics and receive notifications.
Organizations must use CloudTrail to record API activity, while CloudWatch is designed to send notifications based on configured metrics. Setting those metrics properly is what lets an organization get value from both.
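Two of the CloudTrail-to-CloudWatch metrics that the paragraph above refers to, as an added example that is not part of the original article. The two filter patterns are the ones the CIS AWS Foundations Benchmark uses for unauthorized API calls and for root account usage; the Python functions apply the same matching logic locally so it can be exercised against constructed sample CloudTrail records (no real account data).

```python
import json

# CloudWatch Logs metric-filter patterns from the CIS AWS Foundations Benchmark.
# Each function below mirrors one pattern so the logic can be tested offline.
UNAUTHORIZED_PATTERN = ('{ ($.errorCode = "*UnauthorizedOperation") || '
                        '($.errorCode = "AccessDenied*") }')
ROOT_PATTERN = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                '&& $.eventType != "AwsServiceEvent" }')


def is_unauthorized_call(event):
    """'*UnauthorizedOperation' is a suffix match, 'AccessDenied*' a prefix match."""
    code = event.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_root_activity(event):
    """Root usage, excluding calls a service made on root's behalf."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


# Constructed sample CloudTrail records (not from a real account).
SAMPLE_EVENTS = [json.loads(s) for s in [
    '{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com",'
    '"errorCode":"Client.UnauthorizedOperation",'
    '"userIdentity":{"type":"IAMUser","userName":"bob"},"eventType":"AwsApiCall"}',
    '{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},'
    '"eventType":"AwsConsoleSignIn"}',
    '{"eventName":"GetObject","eventSource":"s3.amazonaws.com","errorCode":"AccessDenied",'
    '"userIdentity":{"type":"IAMUser","userName":"alice"},"eventType":"AwsApiCall"}',
    '{"eventName":"CreateBucket","eventSource":"s3.amazonaws.com",'
    '"userIdentity":{"type":"Root","invokedBy":"cloudformation.amazonaws.com"},'
    '"eventType":"AwsApiCall"}',
]]


def count_alerts(events):
    """Metric values each filter would emit over the given records."""
    return {"unauthorized": sum(is_unauthorized_call(e) for e in events),
            "root": sum(is_root_activity(e) for e in events)}


if __name__ == "__main__":
    print(count_alerts(SAMPLE_EVENTS))
```

An alarm with a threshold of 1 on each resulting metric is what turns these counts into the notifications the text describes.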
Encrypt Your Data on Transit and at Rest
Cryptographic best practices discourage excessive reuse of encryption keys, and the IETF has deprecated SSL 2.0 and 3.0. That is why your cipher levels need to be strong.
Encryption gets complicated across ALBs, ELBs, S3 buckets, and databases, so it becomes crucial to track the encryption of your traffic along its whole path and to keep the cipher levels robust. Keep one thing in mind: encryption has to be applied across the board, particularly for sensitive data.
Create a Secure Amazon Machine Image (AMI)
An Amazon Machine Image provides the information required to launch an instance, which is a virtual server in Amazon Elastic Compute Cloud (EC2).
Organizations build a set of stacks, known as an Amazon Machine Image, from which instances are launched. Controlling these stacks lets an organization decide who has access and gives it assurance about account logins and remote root logins.
Data Is an Asset; Let Us Safeguard It With Excellence
The Cloudnosys platform scans the cloud infrastructure via APIs, builds a comprehensive report of threats, and additionally monitors all your changes in real time to see whether any vulnerabilities exist. With this, enterprises become well-versed in every security policy implemented in their cloud environment.
Let’s begin monitoring, securing, and optimizing your Azure, GCP, and AWS cloud services without breaking your bank.
Opinions expressed by DZone contributors are their own.