Happy Business Starts Here

Baseline Security to Bootstrap your AWS Cloud Infrastructure

Community Manager


With an ever-growing footprint on the public cloud, including production environments, security is at the forefront of Zuora’s business priorities. Having selected AWS as our public cloud vendor of choice, security for our AWS Infrastructure services is built on the Shared Responsibility Model. This essentially means that AWS is responsible for the security of underlying cloud infrastructure, but AWS customers are responsible for the security of cloud resources provisioned using the infrastructure.

 

AWS provides its customers with several security tools and features, and as a customer, our responsibility is take full advantage of these features to secure our cloud infrastructure. What follows is a description of some of the features and best practices that, from our experience, can help bootstrap your own AWS Cloud Infrastructure.

 

Root Account Security


The root account provides extremely powerful privileged access. Do not use the root account for day-to-day use. One of the best ways to protect your account is to avoid generating an access key for your root account. Also, don’t forget to enable MFA for your root account.

 

IAM Best Practices


AWS Identity and Access Management (IAM) allows for the creation of users, groups and roles - each of which is a more streamlined and standardized way of providing access permissions. A few must-have IAM features and best practices include:

 

  • Enabling MFA for IAM Users
  • IAM password policies aligned to your company’s information security policy
  • Least Privileged Access with managed IAM policy
  • Regular audits of unused IAM Access Keys
  • Using IAM Roles for EC2 Instances

Segment Your Network


Leverage AWS Virtual Private Cloud (VPC) features, including subnets, routes, Internet and NAT Gateways to create a segmented network per your business need. Most web architectures should fit within the following basic 3-Tier architectures:

 

  • Perimeter Tier: Hosts ELB and NAT Gateway
  • Application Tier: EC2 instances that host frontend and backend applications
  • Persistent Tier: Hosts database servers & services: RDS, MySQL, Redshift etc.

Whether you follow a multi-VPC or Single-VPC architecture (usually driven by your organization policy or VPC limits), you should keep Command & Control (CNC) in a separate VPC outside your service VPC. CNC VPC should host DNS, SMTP, Jumphosts (a.k.a bastion hosts for single point of entry to other hosts) and monitoring services, to name a few. This way you will be able to build simple IAM policies to limit access to CNC Services.

 

Security Groups & Network Access Control Lists (NACLs)

 

The stateless firewall of AWS, combined with VPC subnets and routes make Security Groups a convenient way to support your desired network segmentation. Some general best practices for Security Groups include:

 

  • Create function or tier specific security groups and define standard set of policies for each category
  • Setup continuous monitoring around those security groups to review changes
  • All inbound connections from public network restricted via Elastic Load Balancer (ELB)
  • All egress traffic to the internet are routed via NAT Gateway
  • Enforce a standard tagging policy for Security Groups to distinguish them by tier, environment or application. Once you have so, you will be able to monitor easily right security group(s) are applied to right resources

Some of the key best practices to follow while creating policies for Security Groups:

 

  • Do not allow wide open (unfettered) access to instances from world (0.0.0.0/0 to all-ports).
  • Allow management services (SSH, RDP etc) only from authorized sources, such as Jumphosts
  • Allow database (MySQL/3389, Redshift/5439 etc) ports only from application subnet
  • Do not allow database ports from public network
  • Access to world (0.0.0.0/0) is restricted for customer facing application protocols (e.g. HTTP/HTTPS) via ELB
  • Internal service/application ports (8080, 8443 etc) are restricted from ELB (Security Group) only
  • Audit them regularly to identify unused and wide open security groups

 

Encryption at Rest


This is a cool feature we really like using in AWS. In the good old days, whenever we wanted to enable encryption, we always had to be cognisant of performance implications. In AWS, IOPS are guaranteed with or without encryption, which makes “enable encryption wherever you can” practical and realizable. Some of the key places to consider encrypting at rest include S3 SSE, RDS, Redshift, and EBS Volumes.


Simple Storage Service (S3) Security


If your organization uses S3 storage to store critical data, here are some best practices you should consider:

 

  • Ensure that S3 buckets that do not need public access are set as private
  • Access to private buckets are restricted via VPC Endpoint
  • Enable Server-Side-Encryption (SSE)
  • S3 access policies can be managed at multiple places, so auditing might sometimes become tricky if they are not managed properly. Use IAM policies as much as possible to control access. S3 lets you create two types of access policies:
    • Resource Policies: Bucket Policy, Access Control List
    • User Policies:  IAM Policy

 

Leveraging Resource Tagging


While tagging is mostly considered an operational and cost traceability tool, a consistent tagging policy across resources becomes handy for security. You can implement:

 

  • Access policies based on tags (e.g. department or service)
  • Governance and audit of controls based on tags (e.g. environment)
  • Vulnerability Management (e.g. intelligent threat modeling based on tier, service or environment)

Logging and Auditing

 

Finally, a key to success for all Security controls is quality monitoring and auditability. We recommend enabling all of the following logging options, then ingesting the logs into whichever 3rd party analysis tools that your organization uses.

 

  • CloudTrail: Monitor changes in your infrastructure near real time and set notification/thresholds to be alerted on for critical changes: IAM Policy changes, new user creation, wide-open security group, and so on.
  • ELB Access Log: Monitor who is accessing your web application
  • S3 Access Log: Monitor who is accessing data
  • VPC Flow Log: Monitor traffic reaching deep into your network; do you see SSH, RDP or database access from external origins?


What’s next

 

Now that we’ve provided a bit of a whirlwind tour of some of the security features we leverage and best practices we recommend, we’ll dive deeper into some of the specific controls in future blog posts. Stay tuned!