AWS Security Blog
New Whitepaper: AWS Cloud Security Best Practices
November 3, 2020: This blog is out of date. Please refer to this post for updated info: Introducing the AWS Best Practices for Security, Identity, & Compliance Webpage and Customer Polling Feature
- How security responsibilities are shared between AWS and you, the customer
- How to define and categorize your assets
- How to manage user access to your data using privileged accounts and groups
- Best practices for securing your data, operating systems, and network
- How monitoring and alerting can help you achieve your security objectives
- Defining and categorizing assets on AWS
- Designing your ISMS
- Managing Identities
- Managing OS-level Access
- Securing your data
- Securing your operating systems and applications
- Securing infrastructure
- Managing monitoring, alerting, audit trail, and incident response
Concern | Recommended Protection Approach | Strategies |
---|---|---|
Accidental information disclosure | Designate data as confidential and limit the number of users who can access it. Use AWS permissions to manage access to resources for services such as Amazon S3. Use encryption to protect confidential data on Amazon EBS or Amazon RDS. | Permissions; file-, partition-, volume- or application-level encryption |
Data integrity compromise | To ensure that data integrity is not compromised through deliberate or accidental modification, use resource permissions to limit the set of users who can modify the data. Even with resource permissions, accidental deletion by a privileged user is still a threat (including a potential attack by a Trojan using the privileged user’s credentials), which illustrates the importance of the principle of least privilege. Perform data integrity checks to detect compromise: message integrity codes such as parity bits or CRCs catch accidental corruption; cryptographic hashes such as SHA-256 detect any change to the data but can be recomputed by whoever modified it (and MD5 should not be relied on, as collisions are practical); keyed HMACs, with the key held away from whoever can write the data, are needed where deliberate modification, not just corruption, must be detected. If you detect data compromise, restore the data from backup or, in the case of Amazon S3, from a previous object version. | Permissions; data integrity checks (parity/CRC, hash, HMAC); backup; versioning (Amazon S3) |
Accidental deletion | Using the correct permissions and the principle of least privilege is the best protection against accidental or malicious deletion. For services such as Amazon S3, you can enable MFA Delete on a versioned bucket to require multi-factor authentication before an object version is permanently deleted or the bucket’s versioning state is changed, limiting those operations to privileged users who hold the MFA device. If you detect data loss, restore the data from backup or, in the case of Amazon S3, from a previous object version. | Permissions; backup; versioning (Amazon S3); MFA Delete (Amazon S3) |
System, infrastructure, hardware or software availability | In the case of a system failure or a natural disaster, restore your data from backup or from replicas. Some services, such as Amazon S3 and Amazon DynamoDB, automatically replicate data across multiple Availability Zones within a region. Other services require you to configure replication or backups. | Backup; replication |
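The integrity-check row above distinguishes unkeyed hashes from keyed HMACs; the example below, added here and not taken from the whitepaper or from AWS code, shows why that matters. It simulates a writer (or a Trojan holding the writer's credentials) who modifies an object and recomputes the check value stored beside it. The object contents, the 32-byte key and the assumption that the key is held by a separate integrity-checking role are all constructed for the example; everything is Python standard library and runs offline.

```python
import hashlib
import hmac
import secrets

# Constructed sample object, standing in for an S3 object or a file on an EBS volume.
ORIGINAL = b'{"account": "123456789012", "balance": 1500}'
# Constructed modification written by someone who can overwrite the object
# and whatever check value is stored next to it.
TAMPERED = b'{"account": "123456789012", "balance": 9999999}'


def unkeyed_digest(data: bytes) -> str:
    """SHA-256 of the data. Detects accidental corruption; anyone who can
    rewrite the data can also rewrite this value, so it does not detect
    deliberate modification by a principal with write access."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data. Recomputing it requires the key, so the key
    must live somewhere the data writer cannot reach (assumed here: a separate
    integrity-checking role, or a KMS/HSM-backed key)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_unkeyed(data: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(data), stored_digest)


def verify_keyed(key: bytes, data: bytes, stored_tag: str) -> bool:
    # compare_digest is constant-time, so the comparison does not leak the
    # position of the first mismatching byte through timing.
    return hmac.compare_digest(keyed_tag(key, data), stored_tag)


def simulate_tampering(key: bytes) -> dict:
    """Returns, for each check, whether it still passes after an attacker who
    lacks the HMAC key overwrites the object and the stored check values."""
    # Values recorded at write time by the legitimate owner.
    stored_digest = unkeyed_digest(ORIGINAL)
    stored_tag = keyed_tag(key, ORIGINAL)

    # Attacker overwrites the object and recomputes the unkeyed digest.
    attacker_digest = unkeyed_digest(TAMPERED)
    # Without the key, the best the attacker can do is leave the old tag in
    # place or forge one under a guessed key.
    forged_tag = keyed_tag(secrets.token_bytes(32), TAMPERED)

    return {
        "unkeyed_check_passes_on_original": verify_unkeyed(ORIGINAL, stored_digest),
        "unkeyed_check_passes_after_tamper": verify_unkeyed(TAMPERED, attacker_digest),
        "keyed_check_passes_on_original": verify_keyed(key, ORIGINAL, stored_tag),
        "keyed_check_passes_with_old_tag": verify_keyed(key, TAMPERED, stored_tag),
        "keyed_check_passes_with_forged_tag": verify_keyed(key, TAMPERED, forged_tag),
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed; in practice fetched from KMS/HSM
    for name, passed in simulate_tampering(demo_key).items():
        print(f"{name}: {passed}")
```

The unkeyed check passes after tampering because the attacker simply recomputed it, while both keyed checks fail; this is the reason the whitepaper lists HMACs separately from plain hashes and CRCs. On detection, the recovery path is the one the table gives: restore from backup or from a previous S3 object version.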
We think this new document structure will make it easier for you to find and understand the information you need.
Sharing Security Responsibility for AWS Services
We are constantly launching new AWS services and adding features to our existing services. The number and types of services offered by AWS have increased dramatically. The whitepaper provides a clear description of AWS’s shared responsibility model and discusses the model in depth for different categories of AWS services: Infrastructure Services, Container Services, and Abstracted Services. This approach will help you to customize AWS security controls for your organization and help build a more efficient security posture depending on the services you consume.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.