
A guide to cloud security tools for AWS

How to choose the right tool for the job to protect your cloud applications from modern security threats

Endpoint and user security

Endpoint and user security integrates device protection with comprehensive identity management across cloud environments. This capability secures various entry points while managing identities ranging from internal users to service workloads, following least-privilege principles. The framework must balance automated protection and policy enforcement while maintaining user experience.

Endpoint security

Endpoints (laptops, workstations, mobiles and other similar devices) are the entry point to up to 70% of all successful breaches according to recent statistics. The high success rate of this type of attack has triggered a skyrocketing increase in attempts against organizations, with reports of up to 60% YoY increases in attempts targeting endpoints.

Phishing, ransomware, malware and exploits to vulnerable software are only a few of the full range of potential attack strategies that use endpoints, or their users, as a primary target.

  • Human error and social engineering remain perhaps the largest attack surface in most of today’s organizations, and one that presents unique protection challenges. Building a security layer that protects against the human attack vector requires a complex and balanced mix of automation, policy, and continuous scanning, all while ensuring that users continue to experience high performance and usability.

  • Zero-day vulnerabilities are very difficult to detect and defend against using traditional security measures, and require advanced threat-intelligence mechanisms that can detect and respond quickly before the vulnerabilities are exploited.

  • User identity and patch management are also key concerns to consider when protecting endpoints from malicious actors.

Key tools for the job

Crowdstrike: Endpoint Protection diagram

Try Crowdstrike in AWS Marketplace 

Get started with Amazon WorkSpaces 

CrowdStrike Falcon Endpoint Protection

  • This Next-Generation Antivirus (NGAV) cloud security tool with integrated threat intelligence analyzes all processes running on an endpoint and uses advanced detection methods to identify potential threats and trace them back to their origin.

    With agents available for Windows, macOS, and Linux, this solution provides a common platform for all your different endpoints and their users, regardless of their role and user profile.

Amazon WorkSpaces

  • With Amazon WorkSpaces your users can access powerful, cloud-based workstations with direct integration to Amazon Identity and Access Management (IAM) services and private access to cloud-hosted resources and applications. Using machine images and automation, your cloud-hosted workspaces can enforce endpoint protection by automatically installing and configuring the necessary agents to continuously monitor and respond to threats.

Getting started

  • Spin up an Amazon WorkSpace, install the CrowdStrike Falcon Endpoint Protection agent, and save it as your “golden image.”

  • Use that image to create the Amazon WorkSpace for your users.

Identity and access management (IAM)

Many types of identities relate to the operation of your cloud-native applications, and they require cloud-specific security tools: internal user identities (developers and others working on building your application), the identities of services, workloads, and third-party systems your application integrates with, and your end users. Managing all those identities and ensuring each of them follows the least-privilege principle is a non-trivial challenge to operate at production scale.

  • Centrally managing all the different types of entities that may access different services and interfaces of your systems is a complex task, particularly as architecture becomes decentralized and service-oriented and as users, both internal and external, may get their identity from third-party identity providers.

  • Each identity type surfaces unique requirements for credential rotation and access policies. Managing these requirements at scale is usually a complex task.

  • Providing identities to non-interactive entities such as workloads and services requires efficient means of handling them across environments.

Key tools for the job

Cloud security: Identity and access management (IAM) diagram

Try CyberArk in AWS Marketplace 

Try AWS Identity and Access Management 

CyberArk

  • CyberArk integrates tightly with IAM and enables continuous review and risk management of your IAM configuration in the cloud. It’s a cloud security tool that helps you optimize your IAM architecture while also enabling powerful features such as just-in-time roles for cloud resources access and attribute-based access controls.

IAM

  • IAM provides a comprehensive framework to define role-based access controls that is tightly integrated with all AWS services. With CyberArk you will be able to extend role-based access control (RBAC) to attribute-based access control (ABAC) and enable powerful just-in-time and workload identity capabilities thanks to its tight IAM integration.

Getting started

  • Sign up for CyberArk in AWS Marketplace using your AWS account.

  • Choose the integrations that you want to deploy in your AWS environment, such as AWS Security Token Service (AWS STS) console access for temporary console access, or deploy Privileged Access Management (PAM) capabilities.

Traffic and application protection

Traffic and application protection secures both internal service communication and external access in modern cloud environments. As applications adopt microservices architectures, it ensures security for east-west traffic using Zero Trust principles and mTLS authentication, while protecting web-based access from diverse threats like scraping and DDoS attacks. This capability emphasizes centralized security optimization across all services and applications, recognizing that each microservice presents its own attack surface while maintaining overall system performance.

East-west traffic filtering

East-west traffic refers to traffic between services and applications inside your cloud environment. As the architecture of most systems continues its transition to microservices and distributed services, the volume of this type of traffic has dramatically increased. Ensuring that all communication between services is safe and authorized becomes a mounting concern.

  • With distributed services and horizontal scalability, traditional firewalling with rules based on ports and source IP ranges becomes obsolete, and new patterns for building rules and policies that control traffic must be adopted.

  • Strategies such as Zero Trust create an even further separation between cloud-native security best practices and traditional security patterns. Zero Trust implies that nothing should be implicitly trusted regardless of its running location and relies on authentication and workload identity as the primary way in which traffic is permitted.

  • Mutual TLS (Transport Layer Security), known as mTLS, has surfaced as one of the most efficient and secure ways to apply Zero-Trust security in cloud environments, providing a common and proven framework to mutually authenticate using battle-proven encryption protocols. The challenge here becomes effectively managing and assigning identities through certificates to workloads that are dynamically scaled and that can be moved around regions, clusters, or networks.
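The workload-identity mechanism behind mTLS described above, as an added example that is not part of the original guide and not code from AWS Certificate Manager or any vendor named here: it builds a constructed in-memory CA (a hypothetical stand-in for the real workload PKI), issues a client certificate whose identity is a SPIFFE-style URI SAN rather than a hostname, and shows the check a receiving service performs after the handshake. The names `NewCA`, `Issue`, `AuthorizePeer` and the `spiffe://example.org/...` identities are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue generates a fresh Ed25519 key and signs tmpl with signer (nil = self-signed root).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// NewCA creates a constructed in-memory root (hypothetical stand-in for the workload PKI).
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// Issue signs a short-lived client cert whose identity is a SPIFFE-style URI SAN, not a host or IP.
func Issue(caCert *x509.Certificate, caKey ed25519.PrivateKey, trustDomain, workload string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: "/" + workload}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _, err := issue(tmpl, caCert, caKey)
	return cert, err
}

// AuthorizePeer: post-handshake check by a service or identity-aware firewall (chain, identity, allow-list).
func AuthorizePeer(leaf *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one workload URI, got %d", len(leaf.URIs))
	}
	id := leaf.URIs[0].String()
	if !allowed[id] {
		return id, fmt.Errorf("workload %s is not permitted to reach this service", id)
	}
	return id, nil
}

func main() {
	caCert, caKey, _ := NewCA("workload-ca")
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	leaf, _ := Issue(caCert, caKey, "example.org", "payments")
	fmt.Println(AuthorizePeer(leaf, roots, map[string]bool{"spiffe://example.org/payments": true}))
}
```

On a real service the leaf would be `tls.ConnectionState.PeerCertificates[0]` after a handshake configured with `tls.RequireAndVerifyClientCert`; the point of the check is that a valid certificate alone grants nothing until its identity matches the destination's policy.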

Key tools for the job

Cloud security diagram: East-west traffic filtering

Try Palo Alto Networks in AWS Marketplace 

Get started with AWS Certificate Manager 

Palo Alto Networks Cloud Next Generation Firewall (NGFW)

  • Palo Alto Networks Cloud Next Generation Firewall is a security tool offering a feature called AppID, which allows it to create rules and policies that manage traffic between sources and destinations using the identity of the application. It can establish the application’s identity from data in TLS certificates, giving a high level of assurance about which workload is talking to which.

AWS Certificate Manager

  • With AWS Certificate Manager you can fully automate the generation, assignment, and lifecycle of your application’s TLS certificates used for mTLS authentication between services. You can fully automate the assignment of certificates to applications running in Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), and even Amazon Elastic Compute Cloud (Amazon EC2) instances.

Getting started

  • Configure AWS Certificate Manager to generate and assign certificates automatically to your AWS running workloads.

  • Create an AppID identifier in Cloud NGFW to match applications using data in the generated TLS certificate.

  • Create rules that allow or deny traffic using AppIDs as required.

North-south traffic filtering

North-south traffic refers to traffic moving between your cloud environment and the external internet. As more applications and services move to the cloud and integrate with external services, it has become more important to secure the increasing volume of this traffic. Key risks involving north-south traffic include data exfiltration and high volumes of egress traffic to third parties. Ensuring that all communication between external entities and internal services is secure, properly authenticated, and authorized becomes a critical concern for organizations.

  • Egress security in cloud environments presents a significant challenge for organizations managing north-south traffic. The ephemeral and dynamic nature of cloud resources makes it difficult to maintain consistent control over outbound connections.

  • Organizations must implement sophisticated egress filtering mechanisms that can adapt to rapidly changing cloud workloads, prevent data exfiltration, and block communication between private resources and malicious servers.

  • Security teams require a solution that can simplify the management of cloud network security, eliminating the need to deploy and maintain firewall software infrastructure. This would allow them to concentrate their efforts on defining and enforcing effective security policies to protect against external threats, while offloading the underlying infrastructure management responsibilities.

Key tools for the job

Key tools for north-south traffic filtering

Try Fortinet Fortigate in AWS Marketplace 

Learn more about NAT Gateway 

Fortinet FortiGate Cloud-Native Firewall (CNF)

  • Fortinet FortiGate Cloud-Native Firewall (CNF) is a SaaS cloud security tool that allows users to define security policies to be enforced at the network level. Fortinet FortiGate CNF inspects all traffic outbound to the internet from your network while enforcing these security policies. Security of multiple networks can be monitored using the Fortinet FortiGate CNF management console, allowing for streamlined security management as well as eliminating the need to configure, provision, and maintain any firewall software infrastructure.

NAT Gateway

  • With a NAT gateway, you can allow resources in your private subnets to access the internet, while preventing external services from connecting to these private resources. Outbound traffic can be further secured as FortiGate CNF inspects the traffic before it reaches the NAT Gateway.

Getting started

  • Launch the provided CloudFormation template from the AWS Marketplace console.

  • Navigate to the onboarding wizard within the FortiGate CNF management console, enter your AWS account ID, and launch the CloudFormation stack.

  • Create policy sets to allow or deny outbound traffic as needed.

  • Create a CNF instance through the FortiGate CNF management console and place it in the same AWS region as your network.

  • Route traffic to the Gateway Load Balancer Endpoint deployed by FortiGate CNF.

“Man in the middle” attacks

For users to reach your web application or online service, there are many moving pieces between your application in the cloud and the user, wherever they are. From Domain Name System (DNS) resolution to internet service providers (ISPs), points-of-presence, and network service providers, the security of your cloud application may be impacted by vulnerabilities or attacks across any of those systems that lie between your application and its users.

  • Detecting a man-in-the-middle (MITM) attack is very complex, as there is usually no direct attack on your application or infrastructure, which means it must be identified externally or discovered through indirect analysis of your application traffic or usage patterns.

  • This type of attack targets systems that are managed and operated by other parties and that you have no direct way to analyze or protect, which makes defending against MITM attacks particularly difficult.

  • Once an attack is under way, application-side vulnerabilities may be exploited using the data or intelligence the attacker acquired in the first stage. Identifying unusual user behavior and limiting the attack surface through internal security mechanisms is therefore an angle that can’t be overlooked.

Key tools for the job

Cloud security diagram: “Man in the middle” attacks

Try WebOrion in AWS Marketplace 

Get started with Amazon Route 53 

WebOrion Monitor

  • WebOrion works as an external observer to your web application, monitoring that content, headers, scripts and domain name details match what is expected of your legitimate applications. It works without the need to install any agents or make any modifications to your web application and uses advanced machine learning algorithms to detect attacks to your website, even those that could have been achieved through compromise of intermediary systems between your application and its users.

Amazon Route 53

  • One of the most likely targets for man-in-the-middle attacks is your domain name. Amazon Route 53 has integrated support for DNS Security Extensions (DNSSEC), which enforces security in the identity and data exchanged between users of your web application and the domain name infrastructure. Implementing DNSSEC is one of the most fundamental ways in which you can protect your web presence and can be directly used by WebOrion Monitor to ensure the integrity of your web application.

Getting started

  • Configure DNSSEC in your Route 53 hosted domains.

  • Configure WebOrion to point to your application in its various environments.

  • Configure rules and alerts on WebOrion as required.

Web application security

Most applications today rely on HTTP and web-based access for user access, which makes HTTP traffic analysis and security one of the most critical and fundamental requirements to consider when deploying a production-ready web application.

  • There is huge diversity in the types and scale of attacks that web-based applications are exposed to: everything from scraping and defacement to massive-scale distributed denial of service (DDoS) attacks to the exploitation of vulnerabilities for data theft or unauthorized access.

  • Today, web applications are usually built on top of many different microservices, each exposing its own attack surface.

  • Optimizing security centrally in your architecture to protect all services from the wide range of potential threats becomes a key strategy to ensure security and reliability.

Key tools for the job

Web app security: DataDome diagram

Try DataDome in AWS Marketplace 

Try Amazon CloudFront 

DataDome

  • DataDome offers a unique range of threat-detection capabilities backed by AI algorithms that enable signature-based, behavioral, reputational, and vulnerability detection mechanisms with a single implementation. You can modify and define custom rules using these various detection capabilities for highly dynamic and optimized criteria that match your own application and environment.

Amazon CloudFront

  • DataDome integrates directly with Amazon CloudFront using the AWS Lambda@Edge service. This simple integration provides real-time analysis of all the requests hitting your web application while leveraging the global and ultra-low-latency capabilities of Amazon CloudFront.

Getting started

  • Sign up for DataDome in AWS Marketplace using your AWS account.

  • Use Lambda@Edge to run the DataDome agent for your Amazon CloudFront content delivery network (CDN) traffic.

Incident prevention, management and response

This capability focuses on managing security across complex cloud-native environments where data sources and compliance requirements continue to grow. It emphasizes the need for efficient platforms that enable central observation, identification, and reaction to threats while managing security incidents and events effectively across global-scale operations.

Backup-and-disaster recovery

Security is not just a concern that revolves around attacks and vulnerabilities. Achieving a secure deployment must also consider risks that derive from system failure, data corruption, and human error.

  • Getting data backed up is only half of the job; making sure that data can be restored and moved around as needed in the case of a disaster is just as important. Having the necessary cloud security tools to back up, validate, and restore that data with flexibility is a key concern to satisfy in a backup-and-disaster-recovery scenario.

  • Storing and moving data around can be costly, which means ensuring you are optimally using different storage tiers and reducing the total volume of data transferred at any given time is critical to keeping costs under control without negatively impacting the reliability your backup-and-recovery solution offers.

Key tools for the job

Backup-and-disaster recovery diagram

Try Clumio in AWS Marketplace 

Try Amazon DynamoDB

Clumio Protect and Discover

  • Clumio offers an integrated solution to back up your Amazon Simple Storage Service (Amazon S3), Amazon Elastic Block Store (Amazon EBS), Amazon Relational Database Service (Amazon RDS), and Amazon DynamoDB data, providing a unified view into your data estate and consolidated information that can be used internally and externally (for example, by auditors, to ensure your compliance obligations are met). When used together with services like Amazon DynamoDB, Clumio backs up your data together with other application components in a single management plane. If disaster strikes and recovery is necessary, Clumio’s massive parallelization capabilities make restore and rehydration efficient and seamless.

Amazon DynamoDB

  • The architecture of data in Amazon DynamoDB lends itself to optimized backup and restore processes, thanks to its flexible primary and partition key definition capabilities and its massive table capacity.

Getting started

  • Configure your various AWS data sources for backup.

  • Validate recovery and compliance.

Virus protection

Viruses have existed as threats to systems since as early as the late 1960s and remain one of the most pervasive and damaging risks to systems and their users. Viruses can act in many ways, directly disrupting system capabilities and, sometimes, hiding in plain sight, providing access to more advanced attack vectors.

  • Viruses leverage many ways to spread themselves and can serve many purposes, from acting as Trojan horses to acting as ransomware, and may be dormant in storage for long periods of time before executing malicious code.

  • Scanning for viruses, depending on the volume of data that must be scanned, can be a slow activity that negatively impacts the performance of services or applications that rely on the data being scanned.

  • Identifying virus signatures requires continuous updating of virus databases and ongoing rescanning of data to ensure newly discovered viruses are guarded against.

Key tools for the job

Virus protection diagram

Try Cloud Storage Security for Amazon S3 

Get started with Amazon S3 

Cloud Storage Security Antivirus for Amazon S3

  • This cloud security tool can scan all sorts of AWS sources, including Amazon S3 but also Amazon Elastic File System (Amazon EFS) file systems, Amazon EBS volumes, and more. You can configure it for event-based, on-demand, or scheduled scanning, giving you flexible control to ensure there is no impact to user experience or performance during scan processes. Event-based scanning gives you the most optimized solution, scanning only what changed, when it changed. The solution runs inside your AWS environment, making sure data never leaves your account.

Amazon S3

  • Using Amazon S3, whether for staging data or as a final storage location, allows for efficient scanning regardless of your data pipelines and processes, and of course you get the absolute flexibility of the infinite scale of Amazon S3.

Getting started

  • Configure your Amazon S3 buckets and other AWS resources as scan targets.

  • Configure scanning frequency and other configuration parameters.

Data security

Securing data would likely merit a selection tool of its own (and we’ll likely release one sooner than later, so keep an eye out), but for all practical reasons we’ll focus in this guide on two specific cloud security tool categories that are cornerstones to data security and system reliability.

Security information and event management

As cloud-native solutions scale, the data sources that must be analyzed to ensure security, as well as the regulatory and compliance frameworks that must be satisfied, grow in number and complexity. Having an efficient and intuitive platform that allows for centrally observing, identifying, and reacting to threats in this complex landscape is a must for organizations that operate cloud-native applications on a global scale, and this is the role of security information and event management platforms.

  • Integrating and configuring cloud Security Information and Event Management (SIEM) tools is usually a complex task that requires integrating many different data sources and workflows. Identifying relevant data sources, understanding the regulatory landscape, and fine-tuning all these attributes to ensure alerts and correlations are effectively configured requires time, attention to detail, and a lot of cross-functional collaboration.

  • Having a view into the potential scale of the data and events that will flow through the platform is also critical to avoid scalability problems as the tools are rolled out.

Key tools for the job

Security information and event management (SIEM) diagram

Try Logz.io Cloud SIEM in AWS Marketplace 

Get started with Amazon CloudWatch 

Logz.io Cloud SIEM

  • The SIEM offering by Logz.io is uniquely powerful in its infinitely scaling cloud-native capabilities, something indispensable as new data sources enter the picture of your application landscape. It allows for cross-referencing and analyzing user behavior at scale and dramatically simplifies identifying and responding to threats across known frameworks such as MITRE ATT&CK. Ramp-up time is optimized through out-of-the-box dashboards and an ample range of available integrations.

CloudWatch

  • Most AWS solutions ship telemetry to Amazon CloudWatch by default, making Amazon CloudWatch a simple and powerful source of data and insights into your entire cloud estate. With Logz.io AWS Lambda extensions you can easily ship all or some of your Amazon CloudWatch data to Logz.io Cloud SIEM for correlation and analysis.

Getting started

  • Explore your data in Cloud SIEM.

Why AWS Marketplace for on-demand cloud tools

Free to try. Deploy in minutes. Pay only for what you use.

Featured tools are designed to plug in to your AWS workflows and integrate with your favorite AWS services.

Subscribe through your AWS account with no upfront commitments, contracts, or approvals.

Try before you commit. Most tools include free trials or developer-tier pricing to support fast prototyping.

Only pay for what you use. Costs are consolidated with AWS billing for simplified payments, cost monitoring, and governance.

A broad selection of tools across observability, security, AI, data, and more can enhance how you build with AWS.