ComputerWeekly: What are the best practices for securing AWS tech stacks?

An insecure or improperly configured AWS tech stack provides a gateway for cyber criminals to enter corporate systems and sensitive files. The biggest example of this occurred in 2019, when an ex-Amazon employee stole the data of 100 million Capital One customers simply by exploiting a misconfigured web application firewall in the financial service giant’s AWS tech stack.

The incident ended with a high-profile lawsuit in which the financial services giant had to pay a $190m (£140m) settlement to affected customers. Other big businesses impacted by similar incidents include Accenture, Facebook, LinkedIn, Pegasus Airlines, Uber and Twilio. So, what can organisations do to secure their AWS tech stacks?

One of the biggest risks of an insecure AWS tech stack is data theft and exfiltration by cyber criminals, according to Rik Turner, chief cyber security analyst at Omdia. He explains this can happen when S3 buckets, which contain large volumes of files and sensitive metadata, aren’t set up properly.

As a result, S3 bucket access rights can be granted to employees who don’t require them for their roles, leading to insider threats. Or, worse, these crucial storage objects can end up on the public internet for anyone to access and abuse.

Sensitive corporate and customer data exposed in this way can lead to businesses experiencing “enormous financial losses”, says Sylvester Kaczmarek, a professor at online higher education provider the Open Institute of Technology. Their finances take a hit through regulatory fines, customer lawsuits and expensive recovery efforts that can last for months. Reputational damage is often substantial, too.

Additionally, weak or reused user credentials, the absence of cyber security logging and monitoring capabilities, and weaknesses in cyber defences like firewalls leave AWS tech stacks dangerously exposed to data breaches, he adds.

Data breaches can also stem from poorly secured Relational Database Service databases, Elastic Compute Cloud (EC2) instances and application programming interfaces, explains Bob McCarter, chief technology officer of risk and compliance software provider Navex. Erroneous identity and access management policies, a lack of multi-factor authentication, unpatched software and open ports are common security issues affecting these AWS services.

Besides costly data breaches, the day-to-day operations of modern businesses can grind to a halt in the aftermath of an EC2 instance compromise. The latter results in “impaired performance”, and even “a complete malfunctioning” of critical applications and workloads, explains Turner.

These issues are largely the product of mistakes made by AWS users and not cyber attacks targeted at Amazon, according to Neil MacDonald, vice-president and distinguished analyst at Gartner. But he emphasises that mistakes can easily happen due to the “sheer size, complexity and rate of change of AWS deployments”, adding that they are “impossible” to monitor without using appropriate security tools from AWS or other technology companies.

It is, therefore, the responsibility of AWS users to take steps to protect the data they upload to AWS cloud resources. This is enshrined in the cloud security shared responsibility model, with the responsibility of cloud companies like AWS being to secure the infrastructure they sell to customers.

Best practices to secure AWS tech stacks

When it comes to securing AWS tech stacks, many effective best practices are laid out in the AWS Well-Architected framework. McCarter explains that it offers a comprehensive guide for access management, infrastructure management, data privacy, application security, and cyber threat monitoring and detection.

Crystal Morin, cyber security strategist at cloud security company Sysdig, is another vocal supporter of this framework. She says it’s great for handling the prevention, protection, detection and response sides of cyber security. “This model helps you think through how to prevent problems in the first place, ensure your workloads have security in place, and then have the right tools in place to detect and respond to cloud security threats if and when they do take place,” says Morin.

As well as adhering to AWS’s own security best practices, MacDonald points out that the Center for Internet Security also offers advice for creating and maintaining a secure AWS tech stack. He adds that many modern cyber security tools are aligned with the latest AWS best practices, whether provided by Amazon or an outside organisation.

Given that lots of AWS-related security incidents are caused by inadequate access controls, Jake Moore – global cyber security advisor at antivirus maker ESET – urges organisations to implement the principle of least privilege to ensure access rights are limited to those who require them for their roles. This should be enforced as part of a wider identity and access management strategy.

Of course, staff hiring, attrition and promotion can make it difficult to manage AWS access controls. Still, Moore says businesses can use cyber security monitoring tools to track these changes and ensure access controls are amended accordingly, minimising security incidents. In addition to investing in these tools, he urges organisations with AWS stacks to regularly audit their cyber security posture to ensure security gaps are identified and closed swiftly. Automated analysis tools can help with this.

To ensure cyber criminals can’t steal sensitive data stored on and travelling between AWS servers, OPIT’s Kaczmarek says organisations must encrypt data when it’s at rest and in transit. Utilising the AWS Key Management service will help protect data at rest. Meanwhile, tight network security configurations are the key to securing transit data and wider network traffic. These should apply for virtual private clouds, Security Groups and Network Access Control Lists, according to Kaczmarek.

Organisations operating AWS tech stacks can log all network traffic using AWS CloudTrail and monitor it using AWS CloudWatch, says Kaczmarek. He adds that these efforts can be complemented by using multi-factor authentication, implementing security patches when they’re issued and replacing manual processes with infrastructure as code. The previous step is paramount for “consistency and auditing”, he claims.