5 Ways to Avoid Cloud Creepers
From tiny startups to titanic enterprises, all companies face security risks to their data. Fraudsters, creepers, and hackers want to steal your trade secrets, your company’s financial data, your social security number, your bank account details, and more. Once attackers acquire your data, they move quickly to profit from it through trades, sales, and blackmail.
One hundred years ago, important information was kept secure in company safes or bank vaults. Decades ago, businesses began to digitize this information and store it on protected hard drives. Today, with the advent of cloud computing, our personal information is stored in massive data centers in undisclosed locations. Companies like Amazon Web Services (AWS) have altered the compute and storage landscape by offering infrastructure as a service; however, the fundamental security principles are unchanged. To profit from your company’s data, hackers require access.
Here are five proven ways to control and limit access to your most valuable information in AWS:
S3 Bucket Access – Data stored in S3 buckets is secure by default. Through Identity and Access Management (IAM) policies, bucket policies, and Access Control Lists (ACLs), users can control exactly who can access S3 buckets. Authenticating identity and restricting access may seem like common-sense best practices; however, these actions are often overlooked. You should limit S3 bucket access to trusted administrators and audit their permissions frequently. Know who your vendors are and thoroughly examine their permissions as well. Companies frequently allow vendors access to vulnerable areas of their network.
Root Access – All AWS accounts have root account credentials. Privileges can’t be modified for the root account – a root account has full access to management tools, billing information, and every AWS service attached to your account. Experts at AWS recommend NOT having an access key for your root account. Instead, create Identity and Access Management (IAM) users and grant only the necessary permissions (admins, users, temporary credentials for vendors, etc.). If you’ve already created an access key for your root account, AWS recommends replacing the root access key with an IAM user access key.
CloudTrail Monitoring – AWS CloudTrail records and logs API calls for your account. The logs contain the identity of the API caller, the time of the API call, the API caller’s IP address, the request parameters, and the response elements. CloudTrail allows users to configure Amazon SNS notifications of API activity and create custom alarms to alert you to suspicious actions. Lastly, you can validate the integrity of your log files in CloudTrail to determine whether the log files stored in S3 were modified or deleted.
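As an added illustration of the two tips above (it is not code from the post or from Relus), the script below reviews CloudTrail records and raises alerts for root account usage, for API calls that tamper with logging, and for calls from outside a trusted address range. The records, the trusted network, and the event names flagged as tampering are assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records (sample data, not from a real account). The
# field names follow the CloudTrail record format the post describes.
SAMPLE_RECORDS = [
    {"eventTime": "2016-01-04T10:02:11Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-01-04T10:15:40Z", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2016-01-04T11:00:02Z", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-01-04T11:30:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Assumed corporate egress range; calls from anywhere else are "unexpected".
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# CloudTrail API calls that blind or weaken the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def review_record(record):
    """Return the alerts raised by one CloudTrail record (empty list if none)."""
    alerts = []
    name = record["eventName"]
    if record.get("userIdentity", {}).get("type") == "Root":
        alerts.append("root account used for " + name)
    if name in LOGGING_TAMPER_EVENTS:
        alerts.append("logging tampered: " + name)
    try:
        src = ip_address(record.get("sourceIPAddress", ""))
        if not any(src in net for net in TRUSTED_NETWORKS):
            alerts.append("call from untrusted address " + str(src))
    except ValueError:
        pass  # calls made by AWS services carry a DNS name, not an IP address
    return alerts


def review_records(records):
    """Map eventTime -> alerts for every record that raised at least one."""
    findings = {}
    for rec in records:
        alerts = review_record(rec)
        if alerts:
            findings[rec["eventTime"]] = alerts
    return findings

if __name__ == "__main__":
    for when, alerts in review_records(SAMPLE_RECORDS).items():
        print(when, "; ".join(alerts))
```

In practice the records would come from the gzipped JSON files CloudTrail delivers to S3, and each alert would be pushed to an SNS topic rather than printed.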
Amazon Inspector – One of AWS’s newest features, announced at re:Invent 2015, Inspector assesses applications for vulnerabilities. Inspector contains a library of rules mapped to security compliance standards (e.g. PCI DSS) and vulnerability definitions. Once initiated, Inspector checks your application against these rules and generates a report with prioritized steps for remediation. If your application depends on vulnerable software versions, for example, Inspector will automatically let you know and offer tips to secure your environment.
AWS Trusted Advisor – Trusted Advisor is a service that acts as your personal cloud expert. It monitors and checks the health of all of your AWS services. Although Trusted Advisor suggests excellent tips and best practices for cost reduction and resource optimization, its greatest value lies in its security checks. Trusted Advisor covers the four topics above for you – reminding you to monitor access to your root account, security groups, IAM accounts, S3 bucket permissions, log files, and more.
With 6+ billion devices connected to the Internet, there are over a billion ways to hack, creep, and steal your company's data. If you're in the cloud, these five tips can help mitigate the risk of a security breach. Relus is an expert in designing secure and compliant cloud architectures. For more information on how to best manage your cloud security, reach out to a Relus Cloud Architect today!