Some Security Practices to follow while using AWS Resources

We will cover some important AWS Cloud security practices which we need to know and enforce on our AWS resources. It will cover configurations that we usually tend to skip, but are really important to protect our data and to have a secure environment on the cloud.

S3 Bucket

Enable server-side encryption on the bucket by enabling default encryption in the bucket properties, by choosing AES-256 for keys managed by Amazon S3 or choosing AWS-KMS to pass keys created by you(Remediation steps in detail).

Limit S3 traffic to only HTTPS requests, by explicitly denying access to http requests in the bucket policy

{
"Sid": "DenyInsecureConnections",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
],
"Condition":
{
"Bool":
{
"aws:SecureTransport": "false"
}
},
"Principal": "*"
}

EC2

EBS Snapshots should not be public.

Create EBS Volume with encryption enabled. Note that you cannot directly encrypt an existing unencrypted EBS volume or EBS snapshot, you will have to create a new volume.

Prohibit inbound and outbound traffic on default security group of a VPC. If someone creates an instance in the VPC without assigning a security group, then it is automatically assigned the default security group, which could lead to public exposure of the associated resources.

Remember to create an instance profile when you create an IAM role for your EC2 instance via AWS CLI or AWS API(steps to follow to attach it), unlike via console, in which case console automatically creates it with the same name as the role.

Kinesis

Enable server-side encryption for your kinesis stream, to start encrypting your incoming data written to stream. On cost front, note that though SSE is a free kinesis feature, AWS KMS usage costs will apply.

RDS

DB instances should prohibit public access.

Enable encryption of DB instances, to encrypt your data, including all logs, backups and snapshots of the instance.

Set snapshot visibility as private.

Redshift

Encrypt all data in your cluster by using AWS KMS or a hardware security module(HSM) for key management. Though infrequently used, using a HSM device will add greater security since we now have direct control of key generation and is separating key management from the application and database layers. You can easily enable encryption using AWS KMS on an unencrypted cluster, Amazon Redshift will automatically migrate your data to a new encrypted cluster(more details).

Elasticsearch Service

Create an Amazon ES domain with VPC access. Note that a domain created with public access, cannot be placed in a VPC later. Its data has to be migrated to a new domain — details to migrate from public access to VPC access.

CodeBuild

Connect using OAuth if you are using GitHub or Bitbucket as the source.

DynamoDB

By default, all data in DynamoDB tables are encrypted at rest — no action required.

In case you want to encrypt your data in transit you can consider using Amazon’s DynamoDB Encryption Client — a client side encryption library to encrypt data before sending to DynamoDB, for full lifecycle protection.

This is only a small list of best practices that we do not know or usually tend to ignore while using AWS resources that can make our system on cloud more secure. I hope this is useful.

Please let me know by clicking on the clap👏 button, if this post was helpful.

--

--

--

Software Engineer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What is SRV Record?

Booking.com’s position on the Digital Services Act

Full path disclosure

Energy Web Token Staking Roadmap

{UPDATE} Football Manager 2019 Mobile Hack Free Resources Generator

Where to Buy $PLU — These Are the Best Exchanges to Buy $PLU

{UPDATE} 12 Etiquetas de Navidad - 12 Taps of Christmas Like A Christmas Food Fever Cooking, A…

5 factors for success in cybersecurity projects among shifting priorities

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Riya John

Riya John

Software Engineer

More from Medium

Building scalable and resilient applications using AWS

Radaar AWS DevOps Transformation

AWS Security Tips #001: Virtual Patching on AWS

Why AWS WAF?