AWS Security Services: Infrastructure
Design Your Cloud Infrastructure for Scalability, Reliability and Security
AWS security services boast 230 features and support for 90 security standards/compliance certifications. We’ve broken down this plethora of options into these 5 categories:
- Incident Response
- Logging and Monitoring
- Identity and Access Management
- Data Protection
While AWS itself is responsible for the security “of” the cloud, the AWS customer is responsible for security “in” the cloud, as seen in this chart:
The AWS infrastructure itself is secure. To ensure the security of your organization’s own infrastructure, AWS offers several AWS security services for you to make use of.
5 Infrastructure-Related AWS Security Services
Here are 5 AWS security services that allow you to increase privacy and control network access to your infrastructure:
- Amazon VPC
- Amazon CloudFront
- AWS Shield
- AWS Artifact
AWS Security Services: Amazon VPC
A foundational AWS service, Amazon Virtual Private Cloud (VPC) is an elastic cloud service that lets you define how permitted users can access your application. It works with resources such as Amazon EC2 and Amazon RDS instances. Here’s the official AWS definition:
“Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your VPC, helping to ensure secure and easy access to resources and applications.”
Amazon VPC security features are very robust, including:
- Flow logs
- IP address manager
- IP addressing
- Ingress routing
- Network access analyzer
- Network access control list
- Reachability analyzer
- Security groups
- Traffic mirroring
AWS Security Services: Amazon CloudFront
Amazon CloudFront is a content delivery network (CDN) service offered by AWS. It’s designed to combine security with high performance and developer convenience. As AWS describes:
“Securely deliver content with low latency and high transfer speeds. Improve security with traffic encryption and access controls, and use AWS Shield Standard to defend against DDoS attacks at no additional charge.”
Several features of CloudFront are based in security, such as:
- CloudFront Origin Access Identity (OAI)
- Server Name Indication (SNI)
- CloudFront Signed URLs
CloudFront Origin Access Identity
CloudFront Origin Access Identity allows users to only access the contents of an S3 bucket via the CloudFront distribution. When OAI is enabled, CloudFront will add a bucket policy to the S3 bucket which will allow access only via the CloudFront distribution.
Server Name Indication
With SNI, multiple websites can share a single IP and all of these websites can have their own SSL certificate. Prior to the availability of SNI, each website required its own dedicated IP address to be eligible for an SSL certificate. It’s important to note that legacy clients (including Internet Explorer and Windows XP) do not support SNI.
CloudFront Signed URLs
CloudFront Signed URLs mandates users to provide signed URLs or signed cookies to access the private content. CloudFront signed URLs can be generated by the trusted signers assigned in your AWS account.
AWS Security Services: AWS Shield
AWS Shield works with Amazon CloudFront to prevent Distributed Denial of Service (DDoS) attacks from taking down your infrastructure. DDoS attacks are very common attack vectors used nowadays to bring down the servers or flood the network. The reason why they are so successful is because of the ease of ability to launch the attack, and most protection mechanisms are based on expensive hardware.
But AWS Shield safeguards the workloads running on AWS against DDoS attacks. There are two tiers of AWS Shield:
- Shield Standard
- Shield Advanced
AWS Shield Standard provides basic level protection against most common network and transport layer DDoS attacks.
For a higher level of protection, you can subscribe to Shield Advanced. Shield Advanced protects against large and sophisticated DDoS attacks with near-real-time visibility into the attacks that might be occurring.
AWS Shield Advanced also gives customers 24x7 access to the AWS DDoS Response Team (DRT) during ongoing attacks.
One interesting part about AWS Shield Advanced is that during the attack, if your infrastructure has scaled, AWS will return you the amount that occurred during scaling in the form of credits. This is also referred to as Cost Protection.
AWS Security Services: Lambda@Edge
Lambda@Edge lets you run Lambda functions to customize content that CloudFront delivers.
You can use Lambda functions to change CloudFront requests and responses to insert the following safeguards:
- Perform Authentication and Authorization Checks
- Dynamically select origin based on the request headers
- Intercept and replace various 4XX and 5XX errors from the origin
AWS describes the trust and security controls built into Lambda@Edge:
“Code Signing for AWS Lambda allows you to verify that only unaltered code published by approved developers is deployed in your Lambda functions. You simply create digitally signed code artifacts and configure your Lambda functions to verify the signatures at deployment. This increases the speed and agility of your application development, even within large teams, while enforcing high security standards.”
AWS Security Services: AWS Artifact
The AWS Artifact portal provides on-demand access to AWS' security and compliance documents, also known as audit artifacts. Many AWS services are compliant against various standards, such as PCI DSS, HIPAA, and others.
If your organization is using certain AWS services, then an auditor will ask you to show a certificate that the service is compliant.
And unlike most AWS services, this one is free!
You May Have Heard of Bastion Hosts
A bastion host (sometimes called a “jump box”) is one way we recommend boosting your network security. This topic deserves its own article, so we’ve answered all your bastion host questions here: “What the heck is a bastion host?”
Is your cloud infrastructure as secure as it needs to be? Or are you risking an impending security lapse? Bloomip’s AWS cloud experts can help you answer those questions and get confident in your cloud security. Contact us.