Top 8 AWS Security Best Practices for 2023

Managing security in AWS is not for the faint of heart. With infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings, organizations running AWS can have a wide range of — and large number of — applications and cloud services that need to be configured and secured.

To make matters even more complex, these resources could be running in a multi-cloud or hybrid environment with other on-premises and cloud platforms that must integrate and transfer data in a secure way.

Managing security in AWS isn’t difficult, however, as long as when you have policies, standards, and practices in place, (both internally and externally), that are upheld and enforced consistently. This includes evangelizing a comprehensive understanding of the AWS shared responsibility model and industry-accepted best practices across your IT organization.

In this post, we’ll discuss the meaning and division of responsibilities in the AWS shared responsibility model, review the important elements of an AWS cybersecurity strategy, and discuss the top eight best practices that will ensure your data, code, and cloud workloads are protected.

Understanding the AWS shared responsibility model

It’s not uncommon for companies to assume that because their cloud provider is hosting their environment, the provider is also delivering comprehensive security. It’s vital that security teams of all sizes familiarize themselves with the AWS shared responsibility model. This model outlines that AWS is responsible for the security of the infrastructure, and the customer is responsible for the security of everything that lives inside that infrastructure.

What does this mean in practical terms? Well, it means that your organization is responsible for configuring your S3 buckets, managing access, protecting network traffic, and ensuring your code is secure across the development lifecycle. Even though AWS secures the infrastructure, there’s a lot that can go wrong if you don’t take proactive steps to ensure that everything you build is configured securely.

So how do you do that? Start by building an AWS cloud security strategy.

Creating an AWS security strategy

Most likely, your organization has an overarching security strategy (and if you don’t, here’s a step-by-step guide from TechTarget). If your entire infrastructure was built on AWS, your strategy is probably inclusive of all the nuances of AWS. But if AWS has been adopted recently, you’ve undergone a migration, or you’re operating in a hybrid or multi-cloud environment, you will need to build AWS security best practices into that strategy.

Cloud security — and AWS cloud security, specifically — is its own animal. The beauty of the cloud is that it is elastic and scalable, meaning; you can spin resources up and down and build them every which way you want. The downside is this makes security far more complicated than it is for on-premises systems. A legacy cybersecurity strategy won’t properly protect your AWS resources, so take the time and effort to create a strategy that can address the myriad ways the cloud can be leveraged.

Your strategy should include elements like:

• Visibility across your cloud environments

• Zero trust policies and procedures

• Cloud native security tools and platforms

• DevSecOps strategies that merge security with development workflows

• Regular patches and updates across all technologies

• Security automation & Cloud automation wherever possible

• “Assume breach” mindset

• Defense in depth cybersecurity layering

Once you have outlined your strategy, it’s time to implement it with AWS security best practices. While this list is certainly not comprehensive, the following eight AWS best practices are the ones we have found to be most valuable to companies operating in the cloud.

1. Cloud security controls

2. Incident response planning

3. Monitoring & alerting

4. Encryption

5. Data backups

6. Up to date AWS

7. Compliance planning

8. Scaling security in workflows

1. Implement and enforce cloud security controls

The most basic and important security controls you need to have in place in your AWS environments are access controls. Providing least privilege cloud access to the people in your organization who need it and restricting or removing access from those who don’t — particularly those outside your organization — is core to good identity access management (IAM).

You can accomplish this by doing the following:

• Requiring multi- factor authentication (MFA)

• Enabling single sign-on (SSO)

• Creating IAM users rather than sharing AWS account root user credentials

• Rotating access keys regularly

• Requiring strong passwords of at least 14 characters with a mix of uppercase and lowercase letters, numbers, and symbols

In addition, be sure to review access privileges regularly to confirm that nobody has more or less access than they need.

2. Threat and incident response planning

“Assume breach” has been the war cry (more recently, a quite literal one, unfortunately) for cybersecurity professionals for over a decade. In this recent article from Forbes, author Yaki Faitelson explains that “any system, account or person at any time can be a potential attack vector. With such a vast attack surface, you need to assume attackers will breach at least one vector—if they haven't done so already.”

This demonstrates the urgency of creating a thorough incident and response plan. A strong plan will reduce the collateral damage — or “blast radius,” as Faitelson calls it — of a cyber attack. While the ideal situation would be to avoid a breach altogether, a comprehensive incident response plan will detail exactly when and where a breach is most likely to occur, how to detect it as quickly as possible, the actions required to contain it, and how your organization will recover. Check out our article on AWS security risks to find out what issues you should be prepared for.

3. Detection, monitoring, and alerting

With threats coming in so many different shapes and forms, establishing solid detection, monitoring, and alerting processes and solutions is an essential component of AWS application security. AWS has several tools that can help you build your strategy, such as:

• Amazon GuardDuty - Managed threat detection services that monitor your workloads for unusual activity that might indicate malicious activity.

• Amazon Macie - Provides AI-powered discovery, categorization, and protection for any sensitive data identified in your environments and delivers alerts if unauthorized access is suspected.

• AWS Config Rules - This tool evaluates the configuration of a resource against your pre-determined configuration rules so you can identify any potential compliance issues.

• Amazon CloudWatch - Monitoring service for AWS resources and any applications you run on AWS.

• AWS Security Hub - A comprehensive view of your environment with prioritization of all your security alerts from AWS services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and other third-party solutions.

4. Protect your data with encryption

Regulatory bodies require encryption under many circumstances, but encryption also adds an extra layer of protection over your data at rest. Should your access controls fail, encryption protects your data from anyone who has acquired it, regardless of their motivations.

AWS has encryption available across almost all of their services, and they also offer flexible key management so you can decide if AWS will manage your keys or you will maintain full control. Whatever you decide, you should design or adopt an encryption and keys management system to ensure that encrypted data and decryption keys are stored separately and under secure and stringent protocols.

5. Back up your data

When a malicious actor breaches a system, their plan could include anything from removing or stealing data to crashing your system. Regardless of the result, backing up your data is vital to ensuring you can restore any information that might be lost.

AWS Backup is the simplest solution for keeping your data safe and restorable. It’s available on the Amazon EC2 free tier and supports a vast number of other services as well, including S3 buckets, EBS volumes, DynamoDB tables, and more. You can easily automate your backups from within the console, create backup policies and requirements, and then apply those policies to other AWS resources with their tagging system.

6. Keep AWS up to date

It is, for the most part, a foregone conclusion that applying patches and updates is vital to the security of your cloud environments. But some IT leaders still put it off or deprioritize it in favor of more pressing matters. Don’t let that happen in your organization.

You must keep your AWS servers patched, even if they aren’t public. Outdated infrastructure offers a gateway to hackers, and you don’t want something as simple as a missed security patch to be the difference between another boring day in cybersecurity and a breach. If time is in short supply, take advantage of AWS Patch Manager to automate your patching across operating systems and applications or solicit the help of a service provider. Staying on top of this simple best practice should be non-negotiable.

7. Plan for regulatory compliance

Particularly in highly -regulated industries like healthcare, financial services, and government, you need to stay in compliance with privacy and security laws around personally identifiable information (PII), financial data, and data privacy.

AWS supports security and compliance standards like HIPAA/HITECH, FedRAMP, GDPR, and FIPS 140-2. Of course, with the shared responsibility model, it is still up to you to do your part in ensuring that your data, cloud workloads, and infrastructure configurations follow the guidelines of regulatory bodies to maintain cloud compliance.

8. Scale security across your development workflow

An AWS security strategy is incomplete if it only addresses your cloud infrastructure. Equally important is building a strategy that encompasses all stages of development, from coding the infrastructure to application coding to runtime.

Infrastructure as code and code scanning solutions like Snyk bring effective security into your AWS development workflows. With Snyk AWS scanning, you can catch security gaps and mistakes while your developers are coding so you can identify and resolve issues before your applications ever reach production.

Get started by implementing a cloud native security solution

As on-premises infrastructures go the way of the dinosaur, cloud native security is going to play a central role in modern organizations. In our Cloud Native Application Security (CNAS) report, 99% of respondents recognized security as part of their cloud native strategy.

The NSA identifies misconfiguration as another important area of cloud native security: - "While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability." Over 56% of Snyk’s CNAS report respondents experienced a misconfiguration or known unpatched vulnerability incident involving their cloud native applications including AWS, so using an IaC security solution like Snyk IaC to catch misconfigurations before they enter production can provide an additional layer of security.

To truly address today’s cloud security challenges, you need to adopt cloud native security solutions. This ensures that security is built-in from the start of the development process through production, ensuring multiple layers of security and continuous monitoring for new vulnerabilities.

Today’s organizations have greater cybersecurity challenges than ever. By building a solid AWS security strategy, implementing a cloud native security solution, and adopting the eight best practices discussed in this article, you are putting yourself in a good position to protect your applications and your organization from threats of all kinds.

To learn more about AWS security best practices and working with AWS security tools click here.