The Brave New World of AWS Security | Observable Networks

The first in a three-part series on how to think about security in AWS environments.

We’ve written quite a bit about Amazon Web Services (AWS) recently – not surprisingly, as Observable’s Dynamic Endpoint Modeling solution has been winning acclaim as an important complement to Amazon’s own tools for ensuring security in VPC (virtual private cloud) environments.

Now, Observable’s founder and CTO Patrick Crowley has published a new whitepaper, “A New Way to Look at AWS Security,” in which he distills key concepts regarding how AWS addresses some fundamental security challenges in any network environment (on-premise or cloud). The whitepaper also explains how innovative solutions from developers such as Observable, when integrated with Amazon’s own AWS-native services, enable organizations to address network security issues that are unique to the cloud.

In this article, we’ll summarize the power of AWS – along with AWS-native tools – to resolve long-standing issues in information security, but also the limitations of the AWS environment that require a “shared responsibility” model, in order to achieve security in your organization’s cloud environment.

Legacy problems get out-of-the-box solutions

Three information-security problems that continue to trouble IT and security professionals working with conventional (on-premise) networks are visibility, identity and access management, and policy declaration and enforcement. In AWS environments, they are all problems that have been solved on Day 1 of an organization’s AWS deployment.

Visibility within an AWS environment – or the detailed understanding of how users, applications, and IT resources are behaving – is generally superior to visibility in any conventional network. It derives from AWS operating as a service-oriented architecture (SOA), which means that all actions within your AWS “footprint” are initiated by authenticated API calls, with authenticated user credentials. From there, three AWS-native services provide the visibility:

  • AWS CloudTrail delivers a structured feed of every API request that accesses, changes, or monitors your AWS footprint
  • Amazon CloudWatch is a monitoring service that reports on the utilization and status of both built-in AWS services (such as servers, databases, and data analysis) and your own custom applications and services
  • VPC Flow Logs provide visibility into the network traffic that your AWS instances send and receive, including connections that security groups and network ACLs rejected

Together, these three services represent a comprehensive “visibility layer” for your AWS footprint, with out-of-the-box visibility into your account usage, user behavior, infrastructure management, application/service activity, and network activity.
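As an added illustration of what the flow-log part of that visibility layer looks like in practice, here is a small parser for the default VPC Flow Log record format that rolls the records up per source and destination. This is example code written for this page, not code from Observable, Amazon, or the whitepaper; the sample records, the account and interface identifiers, and the "three distinct rejected ports" threshold are all constructed assumptions, not values from the article.

```python
"""Parse and summarise VPC Flow Log records.

Added example: the records below are constructed for illustration and are
not taken from the article or from any real account.
"""
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

# Constructed sample feed: one source refused on several ports by the
# security group, one legitimate HTTPS flow, one isolated reject, and a
# NODATA record of the kind AWS emits when an interface saw no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49152 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49153 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49154 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49155 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.20 51000 443 6 12 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 60000 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Return one dict per usable line; malformed and non-OK records are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than crash the whole run
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no flow fields ("-")
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Map each source address to the set of destination ports it was refused on."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)


def flag_probing_sources(records, min_distinct_ports=3):
    """Sources refused on at least `min_distinct_ports` distinct ports (a heuristic threshold)."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_distinct_ports)


def accepted_bytes_by_destination(records):
    """Total bytes of accepted traffic delivered to each destination address."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[rec["dstaddr"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("records kept:", len(recs))
    print("sources refused on several ports:", flag_probing_sources(recs))
    print("accepted bytes per destination:", accepted_bytes_by_destination(recs))
```

The NODATA record is the edge case worth noticing: its flow fields are literal dashes, so a parser that converts every column to an integer up front will fail on the first quiet interval. Filtering on `log_status` first keeps the summary honest. The threshold in `flag_probing_sources` is only a starting point; on a real account you would tune it against the baseline of rejected traffic your security groups normally see.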

As suggested above, it is impossible to use AWS unless you have structured, audited IAM (identity and access management) credentials. The built-in, fully integrated IAM service provides credentials for all aspects of interacting with AWS, and declares which user identities exist and what privileges they possess.

AWS also provides a built-in service for comprehensive policy declaration and enforcement. AWS Config is a resource inventory and configuration service that enables both ad hoc and continuous auditing of AWS resources and their internal configurations.

Other problems require shared effort

So if visibility, identity and access management, and policy enforcement are now solved problems within an AWS environment, does that mean all security challenges have been resolved? Not so fast, for two reasons. These three legacy challenges are by no means the only ones found in cloud environments such as AWS; and, as Patrick Crowley writes, “AWS is a flexible platform for computing, and it provides ample flexibility to shoot yourself in the foot, if that is your aim!”

Among the many security pitfalls that may characterize a cloud environment (by no means limited to AWS) are:

  • Using software with known vulnerabilities
  • Carelessness with user credentials
  • “Temporary” access permissions that are never revoked
  • Neglecting to log out of an application on a shared machine
  • Lost or stolen devices
  • End-to-end encryption (which can obscure the content of data packets)

Against this backdrop, Amazon advocates a shared responsibility model for security within AWS. While the cloud provider runs a tight security ship within its own purview, each customer organization must take care to secure its own environment, and the resources it has initiated in its AWS footprint.

Stay tuned for part two in this series, where we’ll discuss how to anticipate – and combat – both the known and unknown threats to security in an AWS environment.

Experience Dynamic Endpoint Modeling on your own network

Protecting your public cloud infrastructure by identifying insider and external threats faster couldn't be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.