AWS Security Blog

New Whitepaper: AWS Cloud Security Best Practices

We have just published an updated version of our AWS Security Best Practices whitepaper. You wanted us to provide a holistic and familiar approach to managing the overall information security posture of the organization that’s based on periodic risk assessments when you deploy applications and assets on AWS. Specifically, you asked for:
  • How security responsibilities are shared between AWS and you, the customer
  • How to define and categorize your assets
  • How to manage user access to your data using privileged accounts and groups
  • Best practices for securing your data, operating systems, and network
  • How monitoring and alerting can help you achieve your security objectives

 We decided to structure and model this version of the paper around basic building blocks of designing an Information Security Management System (ISMS). ISMS is a familiar framework that helps build a collection of information security policies, procedures, and processes customized for the organization’s assets. We think that using a widely adopted global security approach that outlines the requirements for information security management systems helps improve your overall security posture. The paper provides a set of best practices on a variety of different security-related topics:
  1. Defining and categorizing assets on AWS
  2. Designing your ISMS
  3. Managing Identities
  4. Managing OS-level Access
  5. Securing your data
  6. Securing your operating systems and applications
  7. Securing infrastructure
  8. Managing monitoring, alerting, audit trail, and incident response
In the paper, we recommend that you take a structured approach for managing information security with a continual improvement model. Learning from the continuous improvement model of managing ISMS, we emphasize is the need for constant updates, reviews and improvements in the way customers manage information security in the AWS Cloud.
As an example, the table below extends the risk based ISMS approach and maps a recommended protection approach and multiple alternative strategies for data at rest security concerns.
Concern Recommended Protection Approach Strategies
Accidental information disclosure Designate data as confidential and limit the number of users who can access it. Use AWS permissions to manage access to resources for services such as Amazon S3. Use encryption to protect confidential data on Amazon EBS, or Amazon RDS.

Permissions

File, partition, volume or application-level encryption

Data integrity compromise To ensure that data integrity is not compromised through deliberate or accidental modification, use resource permissions to limit the scope of users who can modify the data. Even with resource permissions, accidental deletion by a privileged user is still a threat (including a potential attack by a Trojan using the privileged user’s credentials), which illustrates the importance of the principle of least privilege. Perform data integrity checks, such as Message Integrity Codes (parity, CRC), and Message Authentication Codes (MD5/SHA), or Hashed Message Authentication Codes (HMACs) to detect data integrity compromise. If you detect data compromise, restore the data from backup, or, in the case of Amazon S3, from a previous object version.

Permissions

Data integrity checks (MIC/MAC/HMAC/CRC/Parity)

Backup

Versioning (Amazon S3)

Accidental deletion Using the correct permissions and the rule of the least privilege is the best protection against accidental or malicious detection. For services such as Amazon S3, you can use MFA Delete to require multi-factor authentication to delete an object, limiting access to Amazon S3 objects to privileged users. If you detect data compromise, restore the data from backup, or, in the case of Amazon S3, from a previous object version.

Permissions

Backup

Versioning (Amazon S3)

MFA Delete (Amazon S3)

System, infrastructure, hardware or software availability In the case of a system failure or a natural disaster, restore your data from backup, or from replicas. Some services, such as Amazon S3 Amazon DynamoDB, provide automatic data replication between multiple Availability Zones within a region. Other services require you to configure replication or backups.

Backup

Replication

We think this new document structure will make it easier for you to find and understand the information you need.

Sharing Security Responsibility for AWS Services

We are constantly launching new AWS services and adding features to our existing services. The number and types of services offered by AWS have increased dramatically. The whitepaper provides a clear description of AWS’s shared responsibility model and discusses the model in depth for different categories of AWS services: Infrastructure Services, Container Services, and Abstracted Services. This approach will help you to customize AWS security controls for your organization and help build a more efficient security posture depending on the services you consume.

Diagram of AWS's Shared Responsibility Model
By using the various best practices highlighted in this whitepaper, you can build a set of security policies and processes for your organization and help you deploy applications and protect data quickly and easily.Like all whitepapers, this whitepaper is a “living document” and we plan to update this whitepaper as we introduce new features and services. We look forward to your feedback.- Jinesh, Dob, and Yinal