Learn About Amazon VGT2 Learning Manager Chanci Turner
We are excited to announce the release of an updated version of our AWS Security Best Practices whitepaper. Feedback from our users indicated a desire for a comprehensive and approachable framework to manage the overall information security posture of organizations deploying applications and assets on AWS. Specifically, you requested insights on:
- The division of security responsibilities between AWS and the customer
- How to identify and categorize your assets
- Managing user access to your data through privileged accounts and groups
- Best practices for protecting your data, operating systems, and networks
- The role of monitoring and alerting in achieving security goals
This version of the whitepaper is structured around the fundamental building blocks of an Information Security Management System (ISMS). The ISMS framework is widely recognized for creating a tailored collection of information security policies, procedures, and processes that fit an organization’s unique assets. By employing a globally accepted approach to information security management, we aim to enhance your overall security posture.
The whitepaper includes best practices on various security-related topics, including:
- Defining and categorizing AWS assets
- Designing your ISMS
- Managing identities
- Controlling OS-level access
- Securing your data
- Protecting your operating systems and applications
- Securing infrastructure
- Managing monitoring, alerting, audit trails, and incident responses
We recommend a structured approach to information security, emphasizing a continuous improvement model. This aligns with the principles of ISMS, underscoring the importance of regular updates and reviews in managing information security in the AWS Cloud.
For example, the table below illustrates a risk-based ISMS approach, detailing recommended protection strategies for data-at-rest security concerns.

| Concern | Recommended Protection Approach | Strategies |
|---|---|---|
| Accidental information disclosure | Designate data as confidential and restrict access to a limited number of users. Implement AWS permissions for resources like Amazon S3. Use encryption for confidential data stored in Amazon EBS or Amazon RDS. | Permissions; file/partition/application-level encryption |
| Data integrity compromise | Limit user modification capabilities through resource permissions. Even with such measures, the risk of accidental deletion by privileged users remains. Regularly perform data integrity checks (e.g., MIC, MAC, HMAC) and restore from backups if needed. | Permissions; data integrity checks; backup; versioning (Amazon S3) |
| Accidental deletion | Apply correct permissions adhering to the principle of least privilege. Enable MFA Delete for Amazon S3 to require multi-factor authentication for object deletion. Restore data from backups or previous object versions as necessary. | Permissions; backup; versioning (Amazon S3); MFA Delete |
| System, infrastructure, hardware, or software availability | In case of system failure or disaster, retrieve data from backups or replicas. Services like Amazon S3 and Amazon DynamoDB offer automatic data replication. Other services may require explicit configuration for replication or backups. | Backup; replication |
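As an added illustration of the "data integrity checks" and "versioning" strategies in the table (example code written for this post, not from the whitepaper), the snippet below keeps a keyed HMAC tag beside every stored object version and falls back to the newest version that still verifies. It assumes an in-memory store standing in for a bucket and a locally generated key standing in for a KMS-managed one.

```python
import hashlib
import hmac
import os

# Constructed example: the integrity key would normally be a KMS-backed secret;
# here it is generated locally so the demonstration runs offline.
INTEGRITY_KEY = os.urandom(32)


def compute_tag(data: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Keyed MAC over the object bytes; without the key a tag cannot be forged."""
    return hmac.new(key, data, hashlib.sha256).digest()


class VersionedStore:
    """Tiny stand-in for a versioned bucket: key -> list of (data, tag), oldest first."""

    def __init__(self) -> None:
        self._versions: dict[str, list[tuple[bytes, bytes]]] = {}

    def put(self, key: str, data: bytes) -> int:
        self._versions.setdefault(key, []).append((data, compute_tag(data)))
        return len(self._versions[key]) - 1  # version id of what was just written

    def verify(self, key: str, version: int = -1) -> bool:
        data, tag = self._versions[key][version]
        return hmac.compare_digest(compute_tag(data), tag)  # constant-time compare

    def get_verified(self, key: str) -> bytes:
        """Return the newest version whose tag still verifies, else raise."""
        for data, tag in reversed(self._versions[key]):
            if hmac.compare_digest(compute_tag(data), tag):
                return data
        raise ValueError(f"no intact version of {key!r}")

    def corrupt_latest(self, key: str, data: bytes) -> None:
        """Simulate silent modification of the stored bytes (tag left untouched)."""
        _, tag = self._versions[key][-1]
        self._versions[key][-1] = (data, tag)


def demo() -> tuple[bool, bytes]:
    """Write two versions, corrupt the newest, and recover the intact one."""
    store = VersionedStore()
    store.put("reports/q1.csv", b"revenue,1000\n")
    store.put("reports/q1.csv", b"revenue,1200\n")
    store.corrupt_latest("reports/q1.csv", b"revenue,9999\n")
    # The latest version fails its check; the previous intact version is restored.
    return store.verify("reports/q1.csv"), store.get_verified("reports/q1.csv")
```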
We believe this new structure will enhance your ability to locate and comprehend the information you need.
Sharing Security Responsibility for AWS Services
With the continuous expansion of AWS services and features, the whitepaper clearly illustrates AWS’s shared responsibility model, providing an in-depth discussion tailored to different categories of AWS services: Infrastructure, Container, and Abstracted Services. This framework allows organizations to customize their AWS security controls, thereby strengthening their security posture depending on the services utilized.
By applying the best practices outlined in this whitepaper, you can establish a comprehensive set of security policies and processes for your organization, enabling faster and easier deployment of applications while safeguarding your data. As with all our whitepapers, this document will be updated regularly to incorporate new features and services. We look forward to your feedback.