AWS Cloud Security: The Complete Guide

Everything you need to know about AWS Cloud Security - security features, compliance, best practices and mistakes to avoid

What is AWS Cloud Security?

The AWS cloud provides a shared responsibility model. AWS manages cloud security for its own infrastructure, while your organization is responsible for securing your own data and workloads. Amazon provides a range of security services and features, including encryption, key management and identity, and access management (IAM), to help you implement your organization’s security policies.

Another important aspect of security is compliance standards and regulations, since a misstep here can be costly for your organization. Amazon’s infrastructure is certified for almost every compliance standard in the world. However, this doesn’t mean the workloads you deploy on Amazon will be compliant as well. You must be mindful of your compliance obligations, and use the tools provided by Amazon to enforce the required security and privacy controls.

In this article, you will learn:

AWS Shared Security Model

Although Amazon provides a secure infrastructure that includes built-in tools, firewalls and encryption, private connections, and cross-service Transport Layer Security (TLS), AWS only takes responsibility for the infrastructure layer, and as is the case with managed services, the service layer as well. 

The customer is responsible for user authentication and access, operating systems, applications, networks, and third-party integrations. AWS provides features and tools that allow customers to fulfill their security responsibilities, but the responsibility for configuring them lies with the customer.

What Security Features Does Amazon Provide?

Amazon provides several features that secure cloud infrastructure, and allow customers to secure their workloads:

  • Encryption—Amazon provides built-in encryption for Elastic Block Store (EBS), Simple Storage Service (S3), Relational Database Service (RDS), and Redshift. The AWS Key Management Service (KMS) provides optionally independent key control using Server-Side Encryption (SSE) with Amazon S3-Managed Keys (SSE-S3), SSE with AWS KMS-Managed Keys (SSE-KMS), or SSE using Customer-Provided Encryption Keys (SSE-C).
  • Infrastructure security—including built-in VPC network firewalls employing private or dedicated on- or off-premises connectivity options, layer 3, 4, or 7 DDoS mitigation technologies, and automated traffic encryption between all AWS facilities — global and regional.
  • Configuration management—including tools to create or shut down AWS resources, manage changes, obtain an inventory of cloud assets, use infrastructure as code (IaC) templates to replicate tested secure configurations, and use Amazon Machine Images (AMIs) to create standard, preconfigured, hardened virtual machines.
  • Identity and access control—for defining, enforcing, and managing user access policies and access to cloud resources, service APIs, and the Amazon Console. AWS Identity and Access Management (IAM) defines user accounts and roles. Amazon supports secure login via AWS Multi-Factor Authentication and AWS Single Sign On (SSO).
  • Monitoring and logging—AWS CloudTrail monitors the AWS cloud environment including any API calls or console actions. Amazon CloudWatch provides standardized log data from all Amazon services, and Amazon GuardDuty can identify malicious or unauthorized activities by analyzing logs in real time. 
  • Multiple Accounts—AWS Control Tower helps customers manage multiple accounts and teams to more easily set up and oversee their environments.

Related content: read our guide to cloud security solutions ›

AWS Compliance

AWS SOC compliance

AWS provides System and Organization Control (SOC) reports that are prepared by independent third parties for the use of customers and auditors. These are generated for customers by AWS Artifact and include:

  • AWS SOC 1 Report.
  • AWS SOC 2 Security, Availability & Confidentiality Report.
  • AWS SOC 2 Security, Availability & Confidentiality Report, which only covers Amazon DocumentDB.
  • AWS SOC 2 Privacy Type I Report
  • The AWS SOC 3 Security, Availability & Confidentiality Report, which is also publicly available as a whitepaper

AWS HIPAA

Because there is no specific HIPAA certification for cloud service providers, AWS aligns HIPAA risk management requirements with FedRAMP and NIST 800-53 standards. NIST has issued document SP 800-66, which specifies how to align NIST 800-53 with HIPAA Security Rules.

PCI compliance

Amazon Web Services (AWS) adheres to PCI DSS Level 1 Service Provider certification—the most stringent available. It has been assessed by Coalfire Systems Inc., an independent Qualified Security Assessor (QSA). You can access the PCI DSS Attestation of Compliance (AOC) and Responsibility Summary through the AWS Artifact portal.

GDPR compliance

AWS services are in compliance with the European Union’s General Data Protection Regulation (GDPR). However, since clouds use shared responsibility, a GDPR-compliant infrastructure does not guarantee compliance. Users can use tools provided by AWS to ensure compliance across their ecosystems. 

Specific features provided by AWS to meet GDPR requirements include:

  • Access control—restricting access to resources to authorized individuals and service roles.
  • Monitoring and logging—ensures visibility and provides data for audits.
  • Encryption—data on AWS is encrypted by default, with several options for managing keys.

Other compliance standards and certifications

Additional compliance standards and certifications covered by AWS include:

  • Global benchmarks—such as CSA, PSI DSS Level-1, SOC 1, 2, & 3, and ISO9001, 27001, 27017, & 27018
  • North American benchmarks—including those published by the CJIS, FedRAMP, the US Department of Defense, FISMA, ITAR, Canada’s PIPEDA, and more
  • In Asia—Japan’s FinTech, NISC, and FISC, Australia’s IRAP, Singapore’s MTCS Tier 3, Korea’s M-ISMS, and more
  • In Europe—the UK’s G-Cloud and CYber Essentials Plan, France’s ASIP HDS, Germany’s C5, and more.

AWS Security Best Practices

Here are best practices you can use to enhance security for AWS workloads.

Encrypt Data

AWS built-in encryption features use AES-256 bit encryption. AWS service-managed keys are provided free, but provide server-side encryption only. The AWS Key Management Service (KWS) is a paid-for option that allows customers to create their own independent infrastructure for encryption or employ an AWS defined Customer Master Key (CMK), which AWS exchanges on a yearly basis.

Backing Up Systems and Data

Backup your cloud systems and data in accordance with the 3-2-1 rule (3 copies, 2 locations, 1 of them on a separate physical location—different service or region). Ensure that one of the two backups is on a non-AWS cloud service.

Limit AWS Security Groups

Network managers should provide access through security groups, and only required ports should remain open. Use AWS Config and AWS Firewall Manager to automate configuration of Virtual Private Cloud (VPC) security groups. The Network Reachability rules package, provided as part of Amazon Inspector, lets you determine which networks your VPC networks are currently allowed to access.

Secure Access to Cloud Resources

Amazon IAM lets you grant different users varying levels of access to cloud resources and APIs. You should create policies per role and not per user, using the principle of least privilege. Define password policies that prevent the use of weak and recycled passwords.

Centralize CloudTrail Logs

AWS CloudTrail logs should be written and encrypted to an S3 bucket to prevent deletion. Integrate your logs with Security Information and Event Management (SIEM) solutions or other AWS services that can allow centralized analysis. The same log archive can centralize logs from your entire Amazon deployment.

4 AWS Security Mistakes to Avoid

Here are common security mistakes teams should be aware of.

Failing to Set Authentication

At a minimum, ensure that all sensitive AWS resources are authenticated—there should be procedures to ensure nobody forgets to protect resources. Preferably, use multi-factor authentication (MFA) coupled with robust password policies for all accounts or service roles that have access to sensitive resources or the Amazon console.

Unrestricted Outbound Traffic

Outbound access should be restricted, to prevent data exfiltration during a security breach or in case of accidental loss. Enter specific IP addresses or address ranges rather than 0.0.0.0/0, to prevent your resources from connecting to IPv4 addresses outside your control.

Hard-coding Secrets

AWS IAM roles are often used to provide temporary AWS credentials. For longer-lived credentials, use ASW Secrets Manager to rotate, manage and retrieve database credentials, API keys and other secrets. These can then be retrieved using the Secrets Manager API, which eliminates the need to hard-code sensitive information.

AWS Cloud Misconfiguration

Cloud Security Posture Management (CSPM) solutions ensure proper configuration of cloud services, including the myriad of EC2 security configurations. You can leverage CSPM tools to ensure the health of cloud configurations on a continuous basis, identifying misconfigurations and other security issues, and automatically remediating them.

AWS Security with Aqua Security

Aqua provides the most complete security solutions to protect workloads running on Amazon ECS, EKS, AWS Fargate, and AWS Lambda. As an Advanced APN member and Container Competency technology partner, Aqua provides highly-integrated security controls for cloud native applications on AWS.

Aqua supports managed container services, such as Amazon ECS for container orchestration, Amazon EKS for Kubernetes-based deployments, AWS Fargate for on-demand container scaling, AWS Lambda for serverless functions, and Amazon ECR for storing and managing container images.

Protect workloads running on Amazon EKS – Prevent unauthorized images from running in your EKS cluster, enforce container immutability, network segmentation, and segregation of duties.

Secure Applications running on AWS Fargate containers – Embed Aqua MicroEnforcer into your containers to ensure that workloads running on AWS Fargate are only performing their intended function, detect vulnerable or compromised containers.

Extend security from Amazon ECR to Amazon ECS – Manage image vulnerabilities, ensure only trusted images can be deployed, automatically whitelist legitimate container behavior, and detect and block suspicious activities.

Protect AWS Lambda Functions – Control the risk of AWS Lambda functions by discovering over-provisioned permissions and roles, embedded credentials and keys, and vulnerabilities. Monitor functions at runtime, preventing code injection and malicious activity.

Cloud Security Posture Management (CSPM) – Ensure that your AWS accounts and services are configured according to best practices, including the CIS Foundation Benchmarks for AWS. Continuously scan hundreds of settings for risks and monitor CloudTrail events for anomalies. Automatically create and retain compliance reports for PCI, HIPAA, and more.

Cloud VM Security and Compliance – Protect workloads running on Amazon EC2 instances and ensure they are properly hardened. Scan for vulnerabilities and malware, apply File Integrity Monitoring (FIM), check configuration against the CIS Benchmark for Linux, and monitor user access and activity. Create command-level audit trail for compliance and forensics.

Image Vulnerability Scanning & Assurance – Prevent unauthorized images from running in your AWS environment. Continuously scan images stored in Amazon ECR to ensure that DevOps teams do not introduce vulnerabilities, bad configurations, or secrets into container images. Get actionable recommendations for remediation of security issues.

Serverless Function Risk assessment and Mitigation – Continuously scan Lambda functions in AWS accounts to ensure that developers don’t introduce vulnerabilities into function code, leave access keys in environment variables, or create overly permissive roles. Define security policies for AWS Lambda functions and alert or prevent the execution of functions that violate the policies.

Protect Applications in Runtime – Prevent unvetted containers from running in your Amazon ECS, EKS, and Fargate environments. Automatically create security policies based on container behavior and ensure that containers only do what they are supposed to do in the application context. Detect and prevent activities that violate policy, and defend against container-specific attack vectors.

Container-Level RBAC – Apply highly granular access control policies into containers at runtime via integration with AWS IAM roles. Define user access privileges according to role, allowing or preventing specific Docker actions, such as view, run, stop, view logs, and more.

Secrets Management – Leverage AWS KMS (key management store) to securely deploy secrets – such as passwords, keys, and tokens – into containers at runtime. Aqua makes it easy to manage, rotate, and revoke secrets in containers with no downtime, running only in memory without persistence on disk.