Cloud services such as Amazon AWS have made it very easy for you and other businesses to create new servers without buying additional hardware or even waiting for your IT staff to do it for you. That convenience is also why it can be fraught with headaches: while you might not be familiar with the security pitfalls to avoid, your IT staff knows them quite well.
For example, your IT people will know that one wrong setting or administrative error can compromise the entire cloud infrastructure of your business. The new server is not the only thing affected; so are the production and critical applications you have put on Amazon services.
Taking the time to learn the top Amazon AWS mistakes to avoid will benefit you later on as you run your business. What are they?
1. Having no clue who is responsible when it comes to security.
The security of AWS services is shared between your in-house team and Amazon's. Under this shared responsibility model, Amazon is responsible for security of the cloud (the facilities, hardware, network and the software that runs each service), while you are responsible for security in the cloud (your data, identities and access policies, operating systems, network configuration and encryption). Not many admins, however, know which part of that split is theirs, so they do not know which security controls they should be applying.
Some admins also accept the default configurations Amazon ships without checking whether those defaults are right for their workloads.
This becomes more complex as you use more Amazon cloud services, because the split of responsibilities differs from service to service: on EC2 you patch the operating system yourself, while on a managed service such as S3 Amazon runs the underlying systems and you configure access and encryption. You should know which responsibilities are yours so that you can be sure nothing in your cloud environment is left uncovered. If you have no clue, imagine how many open holes are present in your cloud infrastructure and how risky that could get.
2. Not properly managing access control.
Remember that not everyone is an admin; that is why Amazon AWS has user access control and access keys. One big mistake is to give just anyone access: there are far too many people in your organization who could easily wipe out your entire Amazon AWS environment. Instead of handing out full access to anyone who asks, administrators should write policies that grant each user only the access needed to do their work, and keep full access for the few privileged users who actually require it.
3. Not defining the roles and power of each user.
Another Amazon service you should know is AWS Identity and Access Management (IAM). It carries no additional charge and makes it easy for administrators to create identities, define users, groups and roles, and then attach the policies Amazon already provides or write customized permissions. Scoping each identity to the permissions it needs ensures that if a credential is compromised, the damage is limited to what that identity could do.
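Points 2 and 3 come down to writing scoped policies instead of wildcards. The following is an added example for this article (not AWS code): a small linter that flags Allow statements whose Action is "*" or "service:*" or whose Resource is "*", run over constructed sample policies (the bucket name and function names are this example's own choices). A hit means "review this", not "always wrong": some Describe and List actions only accept Resource "*".

```python
"""Flag IAM policy statements that grant more than a task needs.

Added example for this article, not AWS code. The policies are constructed
samples and the function names are this example's own.
"""
import json


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_overly_permissive(policy):
    """Return (statement index, reason) for each Allow statement that uses a
    wildcard Action ('*' or 'service:*') or Resource '*'.

    Accepts the policy as a dict or as its JSON text. NotAction/NotResource
    statements are not handled here; they deserve a manual read anyway.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]

    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions and wild_resources:
            findings.append((index, f"actions {wild_actions} on all resources"))
        elif wild_actions:
            findings.append((index, f"wildcard actions {wild_actions}"))
        elif wild_resources:
            findings.append((index, "all resources for " + ", ".join(actions)))
    return findings


# Constructed sample policies (the bucket name is invented).
ADMIN_EVERYTHING = {  # "just give them full access"
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD_JSON = json.dumps({  # every S3 action on every bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})
DESCRIBE_ONLY = {  # flagged for review, but legitimate: DescribeInstances needs "*"
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
}
READ_ONE_BUCKET = {  # the least-privilege shape the text recommends
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}

if __name__ == "__main__":
    samples = [("ADMIN_EVERYTHING", ADMIN_EVERYTHING), ("SERVICE_WILDCARD", SERVICE_WILDCARD_JSON),
               ("DESCRIBE_ONLY", DESCRIBE_ONLY), ("READ_ONE_BUCKET", READ_ONE_BUCKET)]
    for name, policy in samples:
        print(name, find_overly_permissive(policy) or "ok")
```

READ_ONE_BUCKET is what a policy for "this job needs to read reports from one bucket" should look like; the other three are the shapes that turn one leaked credential into a whole-account compromise.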
4. Not using logs.
Have you ever launched an Amazon AWS instance without AWS CloudTrail enabled? CloudTrail records the API calls made against your account from the AWS Management Console, the SDKs, the command line tools and other AWS services. That gives you priceless log data for resource management, compliance audits, change tracking and security analysis.
The thing is, a lot of people out there stop or delete their trails and turn off log file validation. Without the trail you cannot see what happened in your account, and without log file validation you cannot tell whether the log files you do have were modified or deleted after CloudTrail delivered them.
5. Depending on passwords too much.
While passwords are important in keeping any system secure, they are not enough to keep attackers out; many breaches involve stolen login credentials. For this reason you should add another checkpoint: multi-factor authentication (MFA) on the AWS console and IAM user sign-in, and multi-factor authentication for your own applications. Amazon AWS supports hardware tokens and security keys, smartphone authenticator apps and other devices for this.
6. Using one VPC or account for everything.
Amazon AWS lets you create many virtual private clouds (VPCs) and accounts, so do not be stingy. Isolate teams and workloads into different accounts or VPCs: your development, testing and production environments should each have their own account instead of sharing one, so that a mistake or compromise in one cannot reach the others.
7. Not being careful with keys and secrets.
You might think it does not happen, but it does: login credentials get hard-coded into application source, or a file of passwords and keys sits somewhere publicly accessible, such as a public repository, a web root or a world-readable bucket. Some IT personnel have made it very easy for attackers to steal credentials. So what should you do? Keep secrets out of source code and out of public locations in the first place. Rotate keys regularly, so that even if you do not know a key has been stolen, it has a short validity and is useless to whoever takes it. And use the IAM account password policy to force periodic password changes and disallow reuse of old passwords.
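Two checks follow from the advice above: find credentials that were committed to source or config files, and find long-lived access keys that are past their rotation limit. The following is an added example for this article (not AWS code). The source snippet and the key records are constructed; the key IDs and secret are AWS's own documentation placeholders rather than live credentials, and the key records borrow the field names of the IAM ListAccessKeys output (AccessKeyId, Status, CreateDate).

```python
"""Find AWS credentials embedded in source or config text, and list access
keys that have outlived a rotation limit.

Added example for this article, not AWS code. The source snippet and the key
records are constructed; the key IDs and secret are AWS documentation
placeholders, not live credentials.
"""
import re
from datetime import datetime, timedelta, timezone

# Long-term (AKIA) and temporary (ASIA) key IDs: prefix plus 16 upper-case
# alphanumerics, not embedded in a longer token.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# A secret key is 40 characters of the base64 alphabet. On its own that also
# matches hashes and random tokens, so require a variable name on the same
# line that says what it is.
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|aws_?secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def find_embedded_credentials(text):
    """Return (line number, kind, value) for every suspected credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ACCESS_KEY_ID.finditer(line):
            hits.append((lineno, "access_key_id", match.group(0)))
        for match in SECRET_KEY.finditer(line):
            hits.append((lineno, "secret_access_key", match.group(1)))
    return hits


def keys_due_for_rotation(keys, now, max_age_days=90):
    """Return the IDs of Active keys created more than max_age_days ago.
    Inactive keys are skipped: they should be deleted, not rotated."""
    limit = timedelta(days=max_age_days)
    return sorted(
        key["AccessKeyId"]
        for key in keys
        if key["Status"] == "Active" and now - key["CreateDate"] > limit
    )


# Constructed sample: a settings file somebody checked into a repository.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_HOST = "db.internal"
"""

# Constructed sample: key metadata shaped like IAM ListAccessKeys entries.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": datetime(2023, 11, 15, tzinfo=timezone.utc)},   # 199 days old
    {"UserName": "ci", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
     "CreateDate": datetime(2024, 4, 20, tzinfo=timezone.utc)},    # 42 days old
    {"UserName": "old-batch", "AccessKeyId": "AKIAIOSFODNN7OLDKEY1", "Status": "Inactive",
     "CreateDate": datetime(2022, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_SOURCE):
        print("embedded credential:", hit)
    print("rotate:", keys_due_for_rotation(SAMPLE_KEYS, NOW))
```

Running the first function as a pre-commit hook stops the leak before it reaches a repository; running the second against the real ListAccessKeys output (for example from a scheduled job) catches the keys nobody remembered to rotate. A key that turns up in the first scan should be rotated immediately regardless of its age.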
8. Not being careful with root.
Do not use the root account for day-to-day work, and do not create access keys for it; delete any that already exist. There is no reason why any person or application should operate with root credentials on Amazon AWS. Keys that can access your resources should be few, and every one of them should be managed, protected and tracked.
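Tracking root use, and points 4 and 5 above, all rest on the same CloudTrail data, so one detection covers them. The following is an added example for this article (not AWS code): it reads a CloudTrail log document and reports trail tampering (StopLogging, DeleteTrail, or UpdateTrail switching off log file validation), any action taken with root credentials, and console logins without MFA. The records are constructed in the shape CloudTrail writes (a "Records" array with eventName, eventSource, userIdentity and additionalEventData); every account ID, ARN, user name and eventID is invented.

```python
"""Scan CloudTrail records for trail tampering, root credential use and
console logins without MFA.

Added example for this article, not AWS code. The records are constructed
in CloudTrail's field layout; the identifiers in them are invented.
"""
import json


def classify(record):
    """Return the list of finding labels for one CloudTrail record."""
    findings = []
    name = record.get("eventName", "")
    identity = record.get("userIdentity") or {}

    # Point 4: someone switching off or weakening the audit trail itself.
    if record.get("eventSource") == "cloudtrail.amazonaws.com":
        if name in ("StopLogging", "DeleteTrail"):
            findings.append("trail-tampering:" + name)
        elif name == "UpdateTrail":
            params = record.get("requestParameters") or {}
            if params.get("enableLogFileValidation") is False:
                findings.append("trail-tampering:log-validation-disabled")

    # Point 8: the root identity should not be doing anything day to day.
    if identity.get("type") == "Root":
        findings.append("root-credentials-used")

    # Point 5: a console login that did not present a second factor.
    if name == "ConsoleLogin":
        extra = record.get("additionalEventData") or {}
        if extra.get("MFAUsed") != "Yes":
            findings.append("console-login-without-mfa")
    return findings


def scan_log(text):
    """Parse one CloudTrail log document and map eventID -> findings,
    leaving out records with nothing to report."""
    report = {}
    for record in json.loads(text).get("Records", []):
        findings = classify(record)
        if findings:
            report[record.get("eventID", "?")] = findings
    return report


# Constructed sample log document (five records, three of them bad).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "main-trail", "enableLogFileValidation": False}},
    {"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/bob"}},
    {"eventID": "e5", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

if __name__ == "__main__":
    for event_id, findings in scan_log(SAMPLE_LOG).items():
        print(event_id, findings)
```

In practice the same logic runs as an alert rule over the trail's delivery bucket or CloudWatch Logs group; the point of writing it down is that each of the three mistakes above leaves a distinct, machine-readable fingerprint in the one log that was supposed to be switched on from day one.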
9. Not using encryption.
A lot of enterprises do not turn on encryption for their Amazon AWS environment. That is a data breach waiting to occur. AWS S3 data should be encrypted at rest, and so should the storage volumes attached to your Amazon EC2 instances, so enable encryption.
Also, be sure to turn encryption on correctly. The good news is that Amazon AWS gives you tools that help you do this the right way, including AWS Key Management Service (KMS) for creating and controlling the keys.
10. Leaving connections open.
Maybe it is because they do not realize how dangerous it is, but a lot of admins allow inbound traffic from 0.0.0.0/0, which means from the entire internet, to their instances. Use AWS Security Groups to allow only the sources and ports each AWS EC2 instance actually needs. Better yet, use separate security groups for each tier, and reference the load balancer's security group as the source for your instances so that only the load balancer, not the whole world, can reach them.
Open ports are among the most common configuration mistakes on AWS. Thankfully, there are automation tools that can find world-open rules and remove the remote access to your AWS EC2 instances that should never have been there.
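As an added example for this article (not AWS code), here is the check those automation tools perform, written out: walk each security group's inbound rules and report any rule whose source is 0.0.0.0/0 or ::/0 on anything other than plain web ports. The groups are constructed in the shape EC2 DescribeSecurityGroups returns (IpPermissions with IpRanges, Ipv6Ranges and UserIdGroupPairs); the group IDs are invented. The last group shows the hardened pattern from the text: the application port is open only to the load balancer's group, and SSH only to a management subnet.

```python
"""Audit security group ingress rules for ports open to the whole internet.

Added example for this article, not AWS code. The groups are constructed in
the DescribeSecurityGroups layout; the group IDs are invented.
"""

WORLD = {"0.0.0.0/0", "::/0"}
# Web ports expected to face the internet, normally on the load balancer's
# group only. Anything else open to WORLD is reported.
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}


def port_range(permission):
    """IpProtocol "-1" means all traffic and carries no port fields."""
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def world_open_rules(group):
    """Return (group id, protocol, from port, to port, cidrs) for each inbound
    rule that admits the whole internet on something other than web ports."""
    findings = []
    for permission in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
        world_cidrs = sorted(c for c in cidrs if c in WORLD)
        if not world_cidrs:
            continue  # sources are specific CIDRs or other security groups
        proto = permission.get("IpProtocol")
        low, high = port_range(permission)
        if low == high and (proto, low) in PUBLIC_OK:
            continue
        findings.append((group["GroupId"], proto, low, high, world_cidrs))
    return findings


def audit(groups):
    """Findings across every group, in input order."""
    return [finding for group in groups for finding in world_open_rules(group)]


# Constructed sample groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1web", "GroupName": "web-lb", "IpPermissions": [  # fine: HTTP/HTTPS on the LB
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0b2ssh", "GroupName": "app-open", "IpPermissions": [  # SSH to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c3all", "GroupName": "legacy", "IpPermissions": [  # everything to the world
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0d4app", "GroupName": "app-hardened", "IpPermissions": [  # the recommended shape
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.100.0/24"}]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print("world-open rule:", finding)
```

The fix for sg-0b2ssh and sg-0c3all is the shape of sg-0d4app: name the load balancer's security group as the source for the application port, and limit administrative access to a management range or a bastion host's group.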
Avoid these mistakes and fix them now! If you need help with your Amazon AWS, EC2 or AWS S3 deployments, you can count on Four Cornerstone. We have the experts ready to help you with your AWS services, and they are just one phone call away. Call us at +1 (817) 377-1144.
Photo courtesy of Thomas Hawk.