santiago silver - Fotolia


Perform an AWS security assessment with these tips and tools

Cloud security is an ongoing process that demands regular checks for potential vulnerabilities. Use tools such as Amazon Inspector to perform frequent and thorough cloud security assessments.

Everyone in IT knows it's critical to ensure system and application security, but even the most sophisticated cloud users make mistakes.

Careful system design is the foundation of cloud security, but users must also regularly validate their security posture to ensure it meets requirements and can withstand common attacks. An AWS security assessment can help.

Cloud security assessments are a subset of an overall risk assessment that must address business, legal and regulatory requirements, along with IT security policies, as an AWS white paper points out. While there are many formal risk assessment methodologies, including OCTAVE, ENISA IRAM and the NIST's Risk Management Guide, the sophistication and complexity of cloud infrastructure leads to mistakes and oversights. Therefore, automate as much of the process as possible.

Fortunately, AWS provides tools, such as Inspector, GuardDuty, Macie, Shield and Security Hub, that proactively detect threats, unprotected data and attacks. Admins can use these tools to facilitate a systematic security assessment process.  

AWS security assessment basics

The first step to formally review any IT function is to understand the pertinent systems and configurations. To start a cloud security assessment, create a list of policies and parameters that are most critical to a secure deployment. Review the AWS shared responsibility model, which defines boundaries between AWS' security responsibilities and those of its customers. From there, take the following steps:

  • Use AWS Config and Systems Manager Inventory to identify AWS assets.
  • Catalog the risks and threats -- including data theft, network penetration, system compromise, database corruption or manipulation -- to the identified assets.
  • Establish security policies for different categories of AWS assets. Example categories include systems that are publicly accessible, such as web servers; highly controlled databases that are accessible only via authentication; and mission-critical systems that require high availability.

Next, use various AWS resources and policies you've compiled to build a security assessment checklist. Reference AWS' baseline checklist, which covers general policies along with specific items for EC2, VPCs, Elastic Block Store and S3. Items relevant to an AWS environment's overall security include root account protection, access controls for CloudTrail and billing data, IAM policies, and cost and usage reports.

AWS' recommended checklist is a lengthy one, and can be time-consuming for some IT operations staff to complete. Fortunately, the Amazon Inspector service can streamline and accelerate the process.

Inspector overview and usage

Inspector automatically identifies application and resource vulnerabilities, as well as any deviations from established AWS security best practices. By default, Inspector assessments follow a predefined set of rules that cover best practices and common vulnerabilities with EC2 instances.

Define Inspector rules in an assessment template. Specify the length of an assessment run, the Amazon Simple Notification Service (SNS) topic to which run states and assessment results are sent, and any optional attributes to assign to assessment findings. An AWS security assessment can include any or all of the following Inspector rules packages:

  • Network reachability
  • Common host vulnerabilities and exposures
  • Center for Internet Security (CIS) Benchmarks
  • AWS security best practices

The output of an Inspector scan is a comprehensive list of security issues prioritized by severity. Admins can integrate Inspector with IT operations workflows and ticketing systems via SNS, using notifications to trigger Lambda functions. For example, an Inspector-triggered Lambda function might read the findings of an assessment, format them into an email message and send them to an operations or security team using the SNS email action. SNS notifications can also trigger Lambda functions to run EC2 Systems Manager to push patches or update code that is flagged for a Common Vulnerabilities and Exposures violation.  

Advanced assessments and pen testing

A more detailed AWS security assessment, which often includes white hat penetration testing of systems and applications, requires a manual process and security expertise. To set the baseline for such assessments, use the AWS Well-Architected Framework, which establishes security best practices to identify areas for improvement and urgent remediation. The framework helps cloud architects and security professionals determine whether a particular AWS implementation aligns with best practices and the steps required to make that implementation compliant.

If AWS security tools, such as Inspector, GuardDuty, Macie, Shield and Security Hub, are not enough to perform a personalized assessment, consider a third-party service provider. There are many options, including CloudSploit by Aqua, Coalfire, Nettitude and ThreatStack, along with the major IT consulting providers, such as Deloitte.

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality