Cloud services provide lots of advantages: they’re cheaper, easier, and faster to use than building your own network from scratch. For example, Amazon Web Services provides cloud computing tools and resources for storing data, creating databases, communicating with customers, managing identities and access, and more.
Most importantly, the responsibility for data protection is usually divided between you and your cloud vendor. But to keep your data fully secure, you must ensure that your part of the job is done perfectly. And to do that, you need to make sure you thoroughly audit the security of your cloud solution.
At Apriorit, we have lots of experience testing cloud security. In this article, our expert Yan Lypnytsky shares some tips on auditing the infrastructure of AWS products.
In order to protect your cloud data from stealth attacks, you need to analyze the root causes of a hypothetical breach and identify weak spots in your cloud solution.
There are a few ways of analyzing the causes of a data breach. You can employ a framework like the MITRE matrix, which is designed to prevent, detect, and remediate a cyber intrusion. MITRE breaks down a security breach into 11 stages and provides you with ways of strengthening weak spots.
Using collected data, the MITRE team contributes to the CWE/SANS Top 25, a list of the most dangerous software errors that allow hackers to steal data, break down software, etc. Errors are ranked based on the likelihood of being exploited, their importance, and their prevalence.
You can also find out about the most critical risks regarding cybersecurity. The Open Web Application Security Project (OWASP) Top 10 is a well-known index of web app security vulnerabilities. This list is formed yearly by a team of security experts from all around the world.
Between 2013 and 2017, the top three causes of data breaches — code injection, management shortcomings, and cross-site scripting — remained unchanged. This indicates that despite the large number of best practices for writing safe code, data cleaning tools, and the introduction of various tokens and other instruments, applications haven’t become much safer over the last five years.
Given such cybersecurity problems, it isn’t surprising that the bulk of breaches are accidental and not the result of a deliberate, targeted attack. To reduce the risk of data leaks, it’s necessary to audit cloud infrastructure security on a regular basis.
The main difference between various types of cloud solutions (software as a service, platform as a service, infrastructure as a service) in terms of security is the number of parameters you have to manage by yourself. Unlike on-premises software, with cloud services, companies can outsource data storage, servers, networking, and their security to a cloud service provider.
If you’re looking for good configurability and want to create server virtual machines (VMs) from scratch, it will be better to choose an IaaS solution. This cloud service model provides optimal duty separation between client and vendor. You’re responsible for the operating system and applications installed on the virtual machine, stored data, runtimes, and middleware. The service provider is responsible only for the infrastructure: servers, storage, networking, and virtualization.
Saas, PaaS, and IaaS Explained
Amazon Web Services (AWS) is considered one of the best IaaS providers on the market. This platform provides a variety of tools in four domains: application services, computing and networking, databases, deployment and management.
If you use AWS products, you’re responsible for the AWS security configuration of your server virtual machine, the services on it, and your own app. Regarding compliance, AWS specifically institutes a shared responsibility model for data security. According to this model, AWS is only responsible for security of the cloud platform itself; you, the customer, are responsible for the security of what’s in the cloud.
An AWS cloud infrastructure security audit should be a routine task of your testing team. It’s recommended to perform such an audit:
- every half a year, to check that everything is working the way it should;
- after substantial changes (pay extra attention to access management);
- after discovering a security violation.
There are many tools for auditing the security of AWS products. Some of them are developed by Amazon, while others are custom made. You can use Amazon’s AWS Security Audit Guidelines as a basic checklist for an examination.
Let’s take a closer look at the most popular AWS services you should audit in order to confirm the security of your cloud solution. Make sure you test the services you use the most frequently.
The AWS Identity and Access Management (IAM) service is created for governing users, user groups, and permissions to access AWS resources. We recommend using the credentials report feature in IAM for listing all users and the status of their passwords, access keys, and MFA devices.
Key points to pay attention to during the IAM security audit:
- There should be no active keys for the root account.
- The root account shouldn’t be used for day-to-day tasks.
- Multi-factor authentication should be enabled for root.
- Multi-factor authentication should be enabled for each user with access to the AWS Console.
- Service users (for example, for continuous integration and continuous deployment) should have only programmatic access.
- All users should have only one active access key.
- All access keys should be changed every 180 days or less.
- There should be no unused security groups.
- Password policies should be enhanced for each user with access to the AWS Console.
The AWS Elastic Compute Cloud (EC2) service is used for virtual machine provisioning and management. EC2 provides access to Amazon’s proven computing environment and allows fast scaling and configuration of VMs. The main recommendation for AWS EC2 auditing is making sure that all powered instances are really needed. Don’t forget to stop instances that were created for testing or development purposes.
Key points to pay attention to during the EC2 security audit:
- There should be no default security groups in use.
- There should be no unused security groups.
- Only allowed ports should be opened to everyone.
- There should be a description for each opened port/port range.
- All whitelisted IPs should be known and have a description.
The simplest description of the S3 bucket is that it’s a cloud folder. It’s storage that supplies you with a variety of settings: region exceptions, versioning, access logging, encryption, and access permission configuration.
Key points to pay attention to during the S3 bucket security audit:
- Permissions to list, get, put, delete, and manage data should be enabled only for specific users.
- Bucket versioning should be enabled.
- Bucket access logging should be enabled.
- Granted permissions should be configured for a specific user, not for everyone.
A Virtual Private Cloud (VPC) is an isolated part of the network infrastructure where you can deploy AWS resources. You can fully configure the IP address line, subnets, route tables, and network gateways for each network segment. This service is great for separating different environments. For example, you can isolate the production environment from the staging” and test environments.
Key points to pay attention to during the Private Cloud security audit:
- Network access control lists (ACLs) should be configured according to your framework type.
- Unused network ACLs should be removed.
- Flow logs should be enabled for all subnets in use.
CloudTrail is a service to help you manage AWS accounts and run operational, risk, and compliance audits. It logs, monitors, and saves all account activity within the AWS infrastructure, such as actions performed in AWS SDKs, command-line tools, and the AWS Management Console. This service data is helpful for conducting an audit, as it allows you to analyze any event within the cloud environment. When configured correctly, CloudTrail simplifies security analysis, resource change tracking, and troubleshooting.
Key points to pay attention to during the CloudTrail security audit:
- CloudTrail should be turned on and configured correctly, not by default.
- Global services logging should be enabled.
- Write access to S3 buckets with logs should be allowed only for the CloudTrail service.
Simple Notification Service (SNS) is a solution for sending messages to a large number of subscriber endpoints via SMS, push notifications, and email. This service will be helpful if you have, for instance, a mobile travel app with an AWS backend on AWS Lambda and you need to send push notifications to all users about a new deal.
Key points to pay attention to during the SNS security audit:
- Permissions to Add permission, DeleteTopic, Publish, Receive, Remove, SetTopicAttributes, and Subscribe shouldn’t be granted to all principals.
- A separate IAM user with programmatic access should be used only for working with the SNS service.
The Amazon Relational Database Service (RDS) makes it easy to set up, use, and scale a relational database in the cloud. It manages database administration processes and provides resizable capacity for an industry-standard database. RDS is used for allocating resources, creating backups, updating software, and monitoring and scaling hardware resources.
Key points to pay attention to during the RDS security audit:
- Data backup should be enabled.
- The backup retention period should be more than 7 days.
- A Multi-AZ deployment should be used.
- Instance storage should be encrypted.
- The security group should allow access only to specified IP addresses.
- Database snapshots should not be publicly accessible.
A general recommendation: There’s no default possibility to encrypt an existing database, but you can encrypt a copy of the original database instance.
A security audit for cloud infrastructure is an important activity that cannot be neglected. At the same time, in a constantly changing environment, a cloud computing security audit should become a regular task.
There is a set of specific features that should be taken into account when auditing Amazon Web Services products. To perform audits, you can use publicly available Amazon guidelines and tools. If you have some issues or need an experienced testing team for infrastructure security auditing in cloud computing, just contact Apriorit.