Surefire Tips to Overcome AWS Cloud Security & Compliance Challenges
Security in the cloud is paramount. Even with cloud security strategies in place, continuously monitoring and auditing your cloud infrastructure to spot and fix vulnerabilities well ahead of time is a challenge that most businesses face today.
Though you may adhere to security best practices to keep your infrastructure compliant and secured, having proper access-control checks in place is vital. As a business, it is important to understand that only by regularly auditing your cloud infrastructure can you stay compliant. Security is a shared responsibility.
Here’s an extensive list of 21 security best practices for AWS cloud security & compliance: Read full article
A few handy best practices that can take your security posture a notch higher:
1. Frequent Access Management Controls
AWS provides the Identity and Access Management (IAM) service to manage the users who can access resources directly. Enterprises should ensure that there is no unauthorized access to resources through identity theft, by constantly rotating these users' passwords. Enabling Multi-Factor Authentication (MFA) is also a very important practice to follow. Beyond the user level, the access management controls should ensure that the EC2 key pairs used to reach resources over protocols like SSH are also rotated frequently.
2. AWS Web Application Firewall (WAF)
AWS WAF, the popular application firewall, helps protect web apps from the most frequently used attack techniques, such as those in the OWASP Top 10. These attacks can compromise the security of your application. By deploying customized web security rules in AWS WAF, you control which traffic is allowed to reach the applications and which is blocked. This is done by defining access rules; readily available rules block known attack patterns such as SQL injection or cross-site scripting. An open source WAF such as ModSecurity can also be deployed instead of AWS WAF.
3. Security Scans and Audit Log Monitoring
Security scans with tools like OWASP ZAP can check for vulnerabilities such as publicly accessible ports. These tools should be run periodically so that the vulnerabilities they find are closed immediately. Scans for the OWASP Top 10 vulnerabilities can confirm that the WAF security rules are properly configured and are indeed protecting the applications from possible cyber-attacks. Analytics over the audit logs can reveal underlying patterns of attacks which have bypassed the Web Application Firewall's predefined rule sets.
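As an added example (not part of the original article), here is a Python check for the "publicly accessible ports" case that complements an external scan: it reads security-group data in the shape of `aws ec2 describe-security-groups` output and reports ingress rules open to 0.0.0.0/0 or ::/0 on anything other than an allow-list of ports that are meant to be public. The group data is a constructed sample; the group ids, names and the allow-list (TCP 80 and 443) are assumptions.

```python
"""Flag security-group ingress rules that expose ports to the whole internet."""
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (group ids, names and addresses are made up for this example).
SAMPLE_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]},
  {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]},
  {"GroupId": "sg-0c9d8e7f", "GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
  ]}
]}
"""

# Ports that are expected to be world-reachable (assumption for this example).
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}


def _is_world_reachable(perm):
    """True if the permission admits any source address (IPv4 or IPv6)."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))


def world_open_findings(groups_json, public_ok=PUBLIC_OK):
    """Return (group id, protocol, ports) for every world-reachable ingress rule
    that is not fully covered by the public allow-list."""
    findings = []
    for sg in json.loads(groups_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _is_world_reachable(perm):
                continue
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "udp"):
                # "-1" means all traffic; icmp and others carry no port range.
                findings.append((sg["GroupId"], "all" if proto == "-1" else proto, "all ports"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if all((proto, p) in public_ok for p in range(lo, hi + 1)):
                continue  # e.g. TCP 443 on a web-facing group is expected
            findings.append((sg["GroupId"], proto, str(lo) if lo == hi else f"{lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for group_id, proto, ports in world_open_findings(SAMPLE_GROUPS_JSON):
        print(f"{group_id}: {proto} {ports} open to the internet")
```

The check deliberately treats a world-open rule on a non-allow-listed port as a finding regardless of whether anything is listening behind it; the scanner run described above then confirms which of those ports are actually reachable.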
4. Security Compliance
Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is a key aspect of security that cannot be ignored, especially if you are an ecommerce company or an online retail business. To comply with the PCI-DSS standard, all access to network resources and cardholder data has to be tracked and monitored by deploying logging mechanisms. To support this, we can deploy OSSEC, a scalable, multi-platform, open source host-based intrusion detection system (HIDS). OSSEC helps us perform log analysis, check file integrity, monitor policy, detect intrusions, and alert in real time. In addition to OSSEC, we can also deploy Wazuh, which integrates the OSSEC HIDS with the ELK Stack and provides a PCI compliance dashboard with rich visualizations. Wazuh also provides an OSSEC rule set for PCI-DSS compliance.
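To make the "log analysis ... alert in real time" requirement concrete, here is an added Python example (it is not OSSEC or Wazuh code) that performs the kind of correlation an OSSEC frequency rule does: it parses sshd "Failed password" lines, raises one alert when a single source reaches a threshold of failures inside a time window, and then re-arms rather than alerting on every further line. The log lines are constructed; the threshold (5), window (60 s), year, hostname and addresses are assumptions.

```python
"""OSSEC-style correlation over sshd log lines: alert on repeated failed logins per source."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines in syslog format (no year in the timestamp).
# Hostname, PIDs and addresses are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  1 10:00:03 web1 sshd[2013]: Failed password for invalid user oracle from 198.51.100.7 port 40114 ssh2
Mar  1 10:00:04 web1 sshd[2015]: Accepted publickey for deploy from 10.0.1.25 port 51234 ssh2
Mar  1 10:00:06 web1 sshd[2017]: Failed password for root from 198.51.100.7 port 40118 ssh2
Mar  1 10:00:09 web1 sshd[2019]: Failed password for root from 198.51.100.7 port 40120 ssh2
Mar  1 10:00:12 web1 sshd[2021]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  1 10:00:15 web1 sshd[2023]: Failed password for root from 198.51.100.7 port 40124 ssh2
Mar  1 10:00:20 web1 sshd[2025]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Mar  1 10:00:30 web1 sshd[2027]: Failed password for root from 198.51.100.7 port 40126 ssh2
Mar  1 10:00:40 web1 sshd[2029]: Failed password for root from 198.51.100.7 port 40128 ssh2
Mar  1 10:00:50 web1 sshd[2031]: Failed password for root from 198.51.100.7 port 40130 ssh2
"""

THRESHOLD = 5                  # failures from one source that trigger an alert (assumption)
WINDOW = timedelta(seconds=60)  # correlation window (assumption)

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed(line, year=2018):
    """Return (timestamp, source address, user) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year, so one is supplied (assumption for this sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def analyze(log_text, threshold=THRESHOLD, window=WINDOW):
    """Emit one alert each time a source accumulates `threshold` failures within `window`."""
    recent = defaultdict(deque)  # source -> deque of (timestamp, user) still inside the window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_failed(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are not counted
        ts, src, user = parsed
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "time": ts,
                "src": src,
                "count": len(q),
                "users": sorted({u for _, u in q}),
            })
            q.clear()  # re-arm, so a burst yields one alert instead of one per line
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['time']} {alert['src']}: {alert['count']} failed logins "
              f"for {', '.join(alert['users'])}")
```

The same structure generalizes to any log source that OSSEC decodes: swap the regular expression for the event of interest and keep the per-key sliding window, which is what makes the alert a rate-based detection rather than a match on a single line.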
5. HSM for Data at Rest
For many enterprises, applications and data must be stored in encrypted form to meet rigorous contractual or regulatory requirements, and the cryptographic keys themselves need additional protection. These highly sensitive keys are stored in Hardware Security Modules (HSMs). On the AWS Cloud, the AWS CloudHSM service stores encryption keys within HSMs designed to meet government standards. Using CloudHSM's secure key management, we can safely generate, store, and manage the cryptographic keys used for data encryption so that they are accessible only to those previously authorized to use them. AWS CloudHSM can help businesses comply with strict key management requirements without sacrificing application performance.
You might also be interested in this article if you're following old security practices on AWS (recommended for CISOs): https://www.botmetric.com/blog/aws-cloud-security-question-old-practices/
AWS monitors various security mechanisms on its side of the shared responsibility model. The customer, however, has to manage the security controls that relate to the IT resources they deploy, such as server instance operating systems, applications, and data. Hence periodic security audits and a comprehensive AWS cloud health check are critical tasks that security professionals on the AWS Cloud cannot neglect.
If you are still struggling to put security best practices in place for your business on AWS, we're listening!
Botmetric Security & Compliance will help you correct your security posture. Now you can check whether your cloud is CIS compliant or not.
Run a comprehensive audit and check with Botmetric.
Start your 14-day free trial here: Sign Up
And, if you’ve found this article helpful, feel free to drop in a line below in the comment section or give us a shout out at @BotmetricHQ.