AWS Security Services

IAM: Identity and Access Management

When you move any part of your technical infrastructure into the cloud, the first thing to consider is the security impact of that move. Unlike an on-premises data center, which is protected in part by being within your physical reach, the data centers hosting your cloud resources are run by AWS at undisclosed locations, so access has to be controlled through identities and permissions rather than physical proximity. By now you have probably gathered that it is not a good idea to give everyone in your organization unrestricted access to your IT resources. Is there a way to give every user highly granular permissions while keeping those permissions easy to manage? AWS has a service that does just that: AWS Identity and Access Management, commonly referred to as IAM. IAM is a free service that lets you control who (and what) can access which services and resources in your AWS account. You create and manage users and groups, and attach policies that allow or deny access to specific resources and actions.

IAM roles extend this model beyond individual users. A role carries a set of permissions that a trusted entity (a user, an application, an AWS service, or a principal in another AWS account) can assume temporarily, so you can, for example, let a user in a separate development account perform specific actions in the production account without creating a second user for them. The third way to grant access is identity federation. By federating, you let existing identities in your enterprise directory access your AWS account without creating an IAM user for each person; any identity provider that supports SAML 2.0 (or OpenID Connect) will work. You have probably used federation yourself when signing in to an online service with your Facebook or Google account. In a corporate setting the typical case is giving Microsoft Active Directory users federated access to AWS. The benefits of IAM, in short, are enhanced security, granular control, temporary credentials instead of long-lived secrets, and flexible management of security credentials.
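Both access patterns described above come down to JSON documents: a permissions policy attached to a user, group or role, and a trust policy on a role that says who may assume it. The following is an added example, not AWS code or part of the original page, that lints those two documents for the mistakes that most often undo "granular" access: an Allow of Action "*" on Resource "*", and a cross-account trust that omits the sts:ExternalId condition AWS recommends for third-party access. The account IDs, bucket name and ExternalId value are made up for the example.

```python
"""Lint checks for IAM permission and trust policies (added example, not AWS code).

Account IDs, the bucket name and the ExternalId value below are constructed.
"""


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Constructed identity policy scoped to one bucket and two actions.
GRANULAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-deploy-artifacts/*",
        }
    ],
}

# Constructed policy that grants full administrative access.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed trust policy for a role in account 999988887777 that can be
# assumed from account 111122223333, but only with the agreed ExternalId.
TRUST_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "deploy-7f3a9c"}},
        }
    ],
}

# Same trust without the condition: anything in the other account that can call
# sts:AssumeRole gets in, including a third party that account itself trusts.
TRUST_WITHOUT_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def find_wildcard_grants(policy):
    """Return indexes of Allow statements granting Action "*" on Resource "*"."""
    hits = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _as_list(statement.get("Action")) and "*" in _as_list(statement.get("Resource")):
            hits.append(index)
    return hits


def _aws_principals(statement):
    principal = statement.get("Principal")
    if principal == "*":  # anonymous principal: anyone at all
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def find_unconditioned_cross_account_trusts(trust_policy, own_account_id):
    """Return Allow statements letting another account assume the role with no sts:ExternalId."""
    hits = []
    for statement in _as_list(trust_policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        if not any(a in ("*", "sts:*") or a.startswith("sts:AssumeRole") for a in actions):
            continue
        if not [p for p in _aws_principals(statement) if own_account_id not in p]:
            continue  # only our own account is trusted here
        conditions = statement.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in keys for keys in conditions.values() if isinstance(keys, dict)
        )
        if not has_external_id:
            hits.append(statement)
    return hits


if __name__ == "__main__":
    print("wildcard grants:", find_wildcard_grants(GRANULAR_POLICY), find_wildcard_grants(WILDCARD_POLICY))
    for name, doc in (("with", TRUST_WITH_EXTERNAL_ID), ("without", TRUST_WITHOUT_EXTERNAL_ID)):
        bad = find_unconditioned_cross_account_trusts(doc, "999988887777")
        print(f"trust {name} ExternalId: {len(bad)} unconditioned cross-account statement(s)")
```

The wildcard check deliberately only flags the exact Action "*" plus Resource "*" pair; service-wide wildcards such as "s3:*" are a judgment call that belongs in a policy review, not a hard failure. The trust check treats an anonymous Principal "*" as foreign, which is the right default for a role trust policy.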

Web Application Firewall

AWS Web Application Firewall, commonly called AWS WAF, protects web applications running on AWS from common web exploits. As the name suggests, it is a firewall for the application layer: you define rules that inspect HTTP(S) requests and allow, block, or rate-limit them before they reach your application. WAF can stop exploits that would compromise the security or availability of your web apps, and it can also stop request floods that would force your application to consume excessive resources, which in a pay-as-you-go model costs you money directly. With WAF you pay only for what you use, with no upfront commitment. It improves visibility into your web traffic, provides cost-effective protection, and strengthens your defenses against web attacks. It is easy to deploy and maintain: you attach it to an Amazon CloudFront distribution as part of your content delivery network or to an Amazon API Gateway (it can also front an Application Load Balancer), there is no additional software to install, and centrally defined rules can be reused across your web applications. In short, AWS WAF is affordable, flexible protection for web applications on AWS that is easy to manage and deploy.

AWS Shield

A Distributed Denial of Service, or DDoS, attack is an awful thing to happen to anyone. You may have tried to open your favorite social network only to find the site glitchy or not loading at all, searched for the site or complained about it elsewhere, and learned that it was under a DDoS attack. A DDoS attack is an attempt to make a machine or network resource unavailable, temporarily or indefinitely, most often by flooding it with repeated requests from thousands of distinct IP addresses. An attacker or malicious organization overloads the server with requests so that genuine users cannot get through because it is too busy. Have you ever felt overwhelmed by demands arriving from every direction? Perhaps you worked in a busy restaurant on a day a coworker called out, or juggled several project deadlines while an emergency needed fixing. You likely felt exhausted and unsure how to cope, and perhaps you mentally shut down, unable to process the requests at all. That is what happens to a server under a DDoS attack. AWS Shield is AWS's managed DDoS protection for exactly this situation: Shield Standard is enabled automatically at no extra cost and defends against the most common DDoS attacks, while Shield Advanced adds detection and mitigation of larger and more sophisticated attacks, near real-time visibility into events, and 24/7 access to the AWS DDoS Response Team.

Amazon Inspector

If you or your company develops applications, there is a service that gives your auditors and your development team peace of mind that those applications adhere to the security standards set by the company and the industry. Amazon Inspector is an automated security assessment service for applications deployed on AWS. It helps you improve their security and compliance by automatically assessing them for exposure, vulnerabilities, and deviations from best practices. Once an assessment completes, it generates detailed findings that help you catch unintended vulnerabilities, and security teams get reports confirming that engineers ran the tests. Inspector reduces the risk of introducing security issues during development and deployment by proactively identifying anything that does not align with best practices and policy. You can define your own standards and verify they are followed, or rely on the constantly updated standards that AWS maintains. As the name suggests, Amazon Inspector inspects your applications for security issues and brings them to your attention.

AWS Trusted Advisor

For your AWS infrastructure you have a Trusted Advisor. AWS Trusted Advisor is a service that guides how you provision resources so that they follow AWS best practices. It scans your AWS account and reports where your infrastructure does or does not follow best practices in five categories: cost optimization, performance, security, fault tolerance, and service limits. It then provides actionable recommendations to bring your infrastructure closer to those standards. All AWS customers get seven core checks for free: S3 bucket permissions, security groups with specific ports unrestricted, IAM use, MFA on the root account, EBS public snapshots, RDS public snapshots, and service limits. Customers on the Business or Enterprise support plans get the full set of checks and recommendations. On top of the additional checks, full Trusted Advisor access includes weekly notification emails, the ability to trigger automated actions in response to check results through Amazon CloudWatch, and programmatic access to the results through the AWS Support API. Trusted Advisor is a valuable ally in keeping your AWS deployment aligned with best practices, offering customized recommendations based on proactive monitoring of your infrastructure.
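To make the "security groups with specific ports unrestricted" check concrete, here is an added example (not AWS code, and not how Trusted Advisor is implemented internally) that applies the same idea to data in the shape of `aws ec2 describe-security-groups` output: flag any rule that exposes a sensitive port to 0.0.0.0/0 or ::/0. The port list and the three sample security groups are constructed for the example; Trusted Advisor's own port list may differ.

```python
"""Local check for sensitive ports open to the internet (added example, not AWS code).

Input follows the structure of `aws ec2 describe-security-groups`; the groups
below and the SENSITIVE_PORTS list are constructed assumptions for this example.
"""

# Ports a practitioner would not want reachable from the whole internet
# (remote admin, databases, mail, Windows services). Assumed list.
SENSITIVE_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3306, 3389, 5432, 5500, 5900}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: one clean group and two with problems.
SAMPLE_GROUPS = [
    {   # HTTPS open to the world is expected for a public web tier.
        "GroupId": "sg-0a1b2c3d4e5f6a7b8", "GroupName": "web-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # SSH from anywhere is the classic finding; RDP here is limited to the VPC.
        "GroupId": "sg-0bad1dea00000001", "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # "All traffic" (protocol -1) from any IPv6 address exposes every port.
        "GroupId": "sg-0a11e0000000000de", "GroupName": "legacy-db",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _open_to_world(permission):
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def _sensitive_ports_in(permission):
    protocol = permission.get("IpProtocol")
    if protocol == "-1":                # all protocols, all ports
        return set(SENSITIVE_PORTS)
    if protocol not in ("tcp", "udp"):  # icmp etc. carry type codes, not ports
        return set()
    low, high = permission.get("FromPort"), permission.get("ToPort")
    if low is None or high is None:
        return set()
    return {p for p in SENSITIVE_PORTS if low <= p <= high}


def check_unrestricted_ports(groups):
    """Return (GroupId, protocol, port) for every sensitive port open to the world."""
    findings = []
    for group in groups:
        for permission in group.get("IpPermissions", []):
            if not _open_to_world(permission):
                continue
            for port in sorted(_sensitive_ports_in(permission)):
                findings.append((group["GroupId"], permission.get("IpProtocol"), port))
    return findings


if __name__ == "__main__":
    for group_id, protocol, port in check_unrestricted_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {protocol}/{port} reachable from the internet")
```

Note that an "all traffic" rule is reported once per sensitive port rather than once per rule, which is deliberate: it makes a single permissive rule show up with the same weight as many narrow ones when the results are counted or charted.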

Amazon GuardDuty

In a perfect world you would never need to sleep, and could watch your cloud infrastructure for threats and malicious activity around the clock. Unfortunately we all need sleep, and most departments do not have the budget for people staring at dashboards 24/7. You do not have to, because AWS offers a service that stays up all night for you. Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts for malicious activity and unauthorized behavior. It analyzes billions of events from AWS data sources such as AWS CloudTrail management events, VPC Flow Logs, and DNS logs, and publishes its findings as events to Amazon EventBridge (formerly CloudWatch Events) so you can route them to alerting or automated response. GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats to your AWS infrastructure. Best of all, you can enable it in a few clicks; there is no software or infrastructure to deploy or manage. GuardDuty continuously monitors your AWS environment, intelligently detects threats, and helps you act on them immediately, so you and your team can sleep knowing your infrastructure is being watched at all times.
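The "actionable" part of a GuardDuty finding is what you do with the event once EventBridge hands it to you. The following is an added example, not AWS code or part of the original page, showing the minimum triage a responder wires in: confirm the event really is a GuardDuty finding, split the finding type into its documented ThreatPurpose:ResourceTypeAffected/ThreatFamily parts, map the numeric severity to GuardDuty's bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), and pick a first response. The two sample events are constructed in the shape GuardDuty publishes; the account, instance and finding IDs, the paging threshold, and the response playbook are this example's assumptions.

```python
"""Triage of GuardDuty findings delivered through EventBridge (added example, not AWS code).

The events, IDs, paging threshold and playbook below are constructed assumptions.
"""

PAGE_AT_OR_ABOVE = 7.0  # assumed operational threshold: wake a human for High and Critical

# Assumed playbook, keyed by the ResourceTypeAffected segment of the finding type.
FIRST_RESPONSE = {
    "EC2": "isolate the instance with a quarantine security group, snapshot its volumes, then investigate",
    "IAMUser": "revoke the principal's active sessions and rotate or disable its access keys",
    "S3": "review the bucket policy and enable Block Public Access",
}

# Constructed sample events in the shape GuardDuty publishes to EventBridge.
SSH_BRUTE_FORCE_EVENT = {
    "version": "0",
    "id": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "id": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 2.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 4, "archived": False},
    },
}

CREDENTIAL_EXFIL_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "id": "f0e1d2c3b4a5968778695a4b3c2d1e0f",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "severity": 8.0,
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"userName": "i-0123456789abcdef0", "userType": "AssumedRole"}},
        "service": {"count": 1, "archived": False},
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceTypeAffected/ThreatFamily' into its parts."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, family = rest.partition("/")
    return purpose, resource, family


def triage(event):
    """Return a triage decision, or None if the event is not a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    purpose, resource, family = parse_finding_type(detail["type"])
    score = float(detail["severity"])
    return {
        "finding_id": detail["id"],
        "account": event.get("account"),
        "purpose": purpose,
        "resource": resource,
        "family": family,
        "severity": severity_label(score),
        "repeat": detail.get("service", {}).get("count", 1) > 1,  # same finding seen again
        "page": score >= PAGE_AT_OR_ABOVE,
        "first_response": FIRST_RESPONSE.get(resource, "investigate in the GuardDuty console"),
    }


if __name__ == "__main__":
    for sample in (SSH_BRUTE_FORCE_EVENT, CREDENTIAL_EXFIL_EVENT):
        print(triage(sample))
```

The source and detail-type check up front matters because the same EventBridge rule target often receives events from several services; acting on a non-GuardDuty event as if it were a finding is how automated responses quarantine the wrong thing. Keying the playbook on the resource segment rather than the full finding type keeps it short while still routing EC2 and credential findings to different responders.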

AWS Security Services Summary

Let us review the security services covered above: AWS Identity and Access Management (IAM), AWS Web Application Firewall (WAF), AWS Shield, Amazon Inspector, AWS Trusted Advisor, and Amazon GuardDuty.

First, AWS Identity and Access Management, more commonly referred to as IAM, is a free service that lets you securely manage access to services and resources in the AWS cloud. Permission sets are highly granular, letting you allow or deny users or other services access to specific resources. You can manage users directly with granular permission sets, or create IAM roles that carry specific permissions and let entities assume a role to perform particular actions in your account. That way you do not have to configure every entity's permissions by hand, which invites human error and inconsistency. Finally, you can enable identity federation so that existing identities in your enterprise can access AWS; many organizations federate their Microsoft Active Directory, allowing employees to use AWS without creating a new IAM user for every single one. IAM gives you enhanced security, granular control over permissions, temporary credentials, flexible credential management, and the ability to use identity federation.

Second, the AWS Web Application Firewall, or WAF, is what it sounds like: a firewall service for web applications running on AWS. It protects web apps from common exploits and from compromises that could force them to consume excessive AWS resources, which would be detrimental to your finances. It improves web traffic visibility, provides cost-effective protection, and increases security against attacks. It is affordable protection that you can deploy within minutes.

Another security service is AWS Shield, which protects your web applications from distributed denial of service (DDoS) attacks. It provides detection and automatic mitigation of DDoS attacks, helping you minimize their impact and the resulting downtime. There are two tiers. Shield Standard is automatic and free and protects against the most common DDoS attacks. Shield Advanced provides 24/7 access to the AWS DDoS Response Team and detects and mitigates sophisticated DDoS attacks with near real-time visibility into events. With AWS Shield you can get DDoS protection suited to your budget and needs.

Next, Amazon Inspector is an automated security assessment service for your AWS applications that helps you improve security and compliance. It inspects your applications automatically, assessing them for exposure, vulnerabilities, and deviations from best practices, and after each assessment generates detailed reports to help you check for vulnerabilities. Using Amazon Inspector reduces the risk of introducing security issues by proactively identifying weaknesses that do not align with best practices and policies. You can define your own standards to check against and produce reports validating that those tests were performed, and you can keep enforcing them across your AWS infrastructure with the help of the constantly updated standards AWS makes available through Inspector.

Another essential security service is AWS Trusted Advisor, which guides the provisioning of resources in the AWS cloud so that you follow AWS best practices. As the name suggests, it advises you on where your infrastructure does not follow best practices in five categories: cost optimization, performance, security, fault tolerance, and service limits. It then offers recommendations to bring your infrastructure closer to those standards.