You’re probably familiar with this icon and see it a lot these days. After all, it’s one of the most trending things in business circles today. In case you’re among the minority and have no idea about what the icon represents then here’s a bit of useful information for you. The above icon is an insignia of AWS or Amazon Web Services, a subsidiary of Amazon.com that provides on-demand cloud computing platforms to individuals, companies and government, on a paid subscription basis.

Cloud computing platforms such as AWS provide immediate access to computer power over the internet. Rather than buying on-premise machines, businesses and developers can rent access to servers, storage systems and other software that run atop these services. The idea was brought forth by Amazon about a decade ago, and Google, Microsoft, and many others have followed suit.

AWS allows you to get applications up and running fast. Moreover, the Cloud computing service offers an array of solutions and rigorous security that enables you to scale with ease. To help businesses meet their needs, AWS provides trusted, cloud-based solutions. From developer tools to virtual private networks to virtual servers, AWS delivers an instinctive and strong platform for scalability.

With AWS, businesses can execute their vision fast.  Moreover, they can move quickly while maintaining enterprise-grade security by running solutions and applications within AWS. To allow businesses to operate with complete confidence, AWS delivers a broad range of services for network, database, storage, compute, migration and content delivery.

Some Background About Amazon AWS

Since the 1990s, Amazon, the American electronic commerce and Cloud computing company, has invested millions of dollars in building and managing large-scale IT infrastructure. Amazon launched AWS, a cloud computing platform, to allow other organizations to take advantage of its reliable IT infrastructure.
There are many scenarios in which AWS is an efficient option for running web applications or organization portals. Let’s explore a few AWS use cases. A small manufacturing organization can use its expertise in expanding its business through quality production while leaving IT management to AWS. A large enterprise spread across the globe can use AWS to deliver training to its distributed workforce. An architecture consulting company can use AWS to get a high-compute rendering of its construction prototypes. Finally, a media company can use AWS to provide different types of content such as videos, eBooks, and audio files to its worldwide customers.

Based on the concept of pay-as-you-go, AWS provides a suite of services that customers can use when required and without any long-term commitments or upfront expenditure. The platform enables customers to procure services such as computing, programming models, database storage, networking, and development platforms in minutes. This allows the customers to enjoy the benefits of low operational overheads.

Using AWS, a Cloud service, you can ensure that your files are highly available, meaning that your files are available all the time and from any device that you want. Also, if something was to go wrong like if your hard drive was to crash or your computer was to go down, you’d have backup. So, no matter what goes wrong, your files will never be deleted. Finally, a Cloud service such as AWS allows you to quickly grow and shrink on-demand based on your needs. These are three of many reasons why both personal users and enterprise users love the Cloud-based service AWS.

Secure Your Business with the Security, Identity and Compliance Products of AWS

At AWS, security, specifically, cloud security, is the highest priority. Today, organizations are exposed to the most hostile information security threats. So, the number one priority of AWS is protecting your data. As a customer of AWS, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Moreover, the global infrastructure of AWS is designed and managed according to security best practices and a variety of compliance standards.

A number of security services are offered by AWS to manage access and keys, encrypt data, send alerts whenever changes are made to your AWS resources, mitigate DDoS attacks and analyze data for irregular activity with machine learning capabilities. Additionally, as an AWS customer, you will have access to audit-friendly, governance-focused service features that help meet audit standards and compliance regulations. Following is a list of security services offered by AWS under the ‘Security, Identity & Compliance’ banner that can help you to prevent threats from cyber criminals and ensure security compliance.

Amazon Cloud Directory

A fully managed cloud-based directory, Amazon Cloud Directory allows you to store and organize data hierarchies across multiple dimensions. Since it is a managed service, Amazon Cloud Directory does not require you to install or patch software, manage servers, or scale any infrastructure.

A specialized graph-based directory store, Amazon Cloud Directory provides the building block for applications. A highly scalable and available web-based directory, Cloud Directory is used to organize and manage resources for applications like users, groups, locations, devices, policies and the relationships between them.

Whether it is in transit or at rest, data in Amazon Cloud Directory is secured. Moreover, unlike most traditional directory systems, Cloud Directory does not limit organizing directory objects to a single fixed hierarchy. A specialized directory store, Amazon Cloud Directory can be used to:

  • Build cloud-based applications that offer device registry, group and user management, permissions or policy management, address books, application or product catalogs and customer management

  • Minimize the complexity of layering applications that sit atop Cloud Directory

  • Create directory-based applications without worrying about deployment, availability, performance and global scale

  • Manage schema information over time to ensure future compatibility for users

AWS Identity & Access Management (IAM)

A free service from Amazon, AWS Identity & Access Management (IAM) was launched in 2010 and in 2011, the e-commerce and cloud computing company announced the availability of IAM support for CloudFront.

A web service, IAM enables customers of Amazon Web Services to manage users and user permissions in AWS. An identity within your AWS account, a ‘User’ has unique security credentials that can be used to access AWS services. With IAM, there is no need to share passwords or access keys. Moreover, you can easily enable or disable User’s access as appropriate. When you’re using AWS, IAM offers you greater control, flexibility and security.

Targeted at organizations having multiple users or systems in the cloud that use AWS products such as the AWS Management Console, Amazon SimpleDB, and Amazon EC2, the IAM service allows you to centrally manage:

  • Users

  • Permissions that control which AWS resources users can access

  • Security credential such as access keys

Amazon Inspector

In April 2016, Amazon Web Services publicly released Amazon Inspector, a security vulnerability assessment tool. Performing vulnerability scans in the cloud have always been a challenge. Keeping up with your continuous deployment workflow becomes difficult when you try to arrange scans with your security team and cloud provider. The good news is that you can solve this security challenge with Amazon Inspector.

To help you find potential security issues, Amazon Inspectors allows you to conduct ongoing assessments of your EC2 application environment. In addition to identifying potential security issues, Amazon Inspector examines the behavior of the applications that you run in AWS. Issues that Amazon Inspector can look for include failure to follow best practices, out of date software and areas to harden the operating system. With this broad coverage, you can get a good view into the security posture of your Amazon EC2 instances.

Amazon Inspector raises a finding as soon as it sees an issue. And, a recommended action is provided by each finding. These recommendations provide solid guidance on how to manually resolve each issue. As it isn’t a penetration testing tool, Amazon Inspector looks at your AWS instances from within. In fact, this AWS service requires you to install an agent into your AWS instances.

Amazon Macie

On August 14, 2017, Amazon Web Services launched a new service: Amazon Macie, a machine learning service that helps organizations to protect their sensitive data in the cloud. For now, you can use this AWS service to protect intellectual property and personally identifiable information in the Amazon S3 storage service.

A service that can identify names, addresses, driver licenses, social security number, credit card numbers and other such information, Macie tracks data on the S3 storage service. In addition to monitoring the aforementioned -data, Macie keeps an eye out for irregularities. While it cannot conclude if the leak is malicious or not, Macie will send out notifications once it identifies there is a leak. Amazon Macie ensures data security within your AWS environment by allowing you to:

  • Identify and protect various data types

  • Receive notifications when data and account credentials go beyond protected zones

  • Identify policies and access control lists changes

  • Verify compliance with automated logs that allow for instant auditing

  • Detect when large quantities of business-critical documents are shared internally and externally

  • Observe changes in user behavior and receive actionable alerts

AWS Certificate Manager

In January 2016, AWS released AWS Certificate Manager, a product that allows AWS customers to easily and automatically provision, deploy and renew SSL and TSL certificates on supported AWS resources. But, the best thing is that AWS is not charging for these certificates. Yes, they are free!

Now that it’s free to get an SSL/ TSL certificate from Amazon, it would be no less than a crime for anyone to run a site without SSL.

AWS CloudHSM

A cloud-based hardware security module (HSM), AWS CloudHSM enables you to easily generate and use your own encryption keys on the AWS cloud. Hardware-based security service, CloudHSM gives customers an extra level of protection for strict contractual, corporate and regulatory compliance requirements by offering them isolated HSM appliances.

Single-tenant access to each HSM within an Amazon Virtual Private Cloud (VPC) is what the AWS CloudHSM provides. Until the administrator terminates the instance, AWS bills the service upfront for each instance, plus an hourly fee. Following are some of the features of AWS CloudHSM:

  • NIST FIPS 140-2 compliant devices

  • Suitable for OFFICIAL and/or SENSITIVE workloads

  • Tamper-resistant hardware security modules

  • Connectivity options for N3, PSN, Janet, RLI and regional networks

  • NCSC Cloud Security Principles aligned, Security Cleared (SC) staff available

Following are some of the benefits of using this AWS service:

  • Integrated with other AWS services

  • Improved application performance

  • Integrated role-based access control across all AWS services

  • Training and architectural patterns/guidance

  • Contractual and Regulatory compliance

  • Secure connectivity in AWS VPC

  • Comprehensive, cross-service API audit logging and security

AWS Directory Service

An Amazon web services tool, AWS Directory Service eliminates the need for the system administrator to build an active directory from scratch. The AWS Directory Service offers a way for AWS resources to use managed Active Directory in the AWS cloud. With AWS Directory Service, an administrator can minimize the time spent on management tasks.

The AWS Directory Service automatically creates and manages the entire directory for customers. As Amazon takes care of all the hard work, there is no physical access to the underlying machine or its operating system. Using a client tool to connect to the service endpoint is all that users do. Following are some of the benefits of AWS Directory Service:

  • No manual setup

  • Automatic Fault Tolerance

  • Automated Backup

  • Simple Security Group Configuration

  • Integration with other AWS Applications

  • Single sign-in for console users

  • Domain joining made easy

AWS Key Management Service

A fully managed service, AWS Key Management Service provides you with a uniform, centralized control over your encryption keys. Using HSMs, it protects the security of your keys and enables you to easily encrypt the data across your AWS infrastructure as well as within your own applications. AWS Key Management Service allows examining carefully the use of encryption keys used to encrypt your data. Following are the benefits of using this AWS service:

  • Full control over your encryption keys

  • Centralized key management

  • Integration with other AWS services

  • Built-in auditing

  • One click encryption

AWS Organizations

A cloud service, AWS Organizations applies and manages access policies across Amazon Web Services accounts. With AWS Organizations, you can manage AWS accounts from a single root account. The need for a developer to code scripts to allow individual or groups to communicate when workload is divided across multiple AWS accounts is eliminated by AWS Organizations.

Thanks to AWS Organizations, you no longer need to manage security policies through separate AWS accounts. Before the introduction of this AWS service, if you had multiple AWS accounts, you had to ensure that users in those accounts had the right level of access to AWS services. But, with Organizations, you can easily launch an individual account, Organization Unit (OU), or service control policies (SCPs), which allows you to configure a single policy and have it apply to your entire organization. Following is what this AWS service allows you to do:

  • Centrally manage policies across multiple AWS accounts

  • Control Access to AWS services

  • Automate AWS account creation and management

  • Consolidate billing across multiple AWS accounts

AWS Shield

An Amazon Web Services tool, AWS shield offers protection against Distributed Denial of Service (DDoS) attacks. A commonly used attack type, DDoS continues to rise in frequency. According to a recent survey, an average of over 100,000 DDoS attacks per week was recorded over the last year and a half.

A powerful managed service, AWS Shield protects your sites or web applications from many types and sizes of DDoS attacks. Now, there are two types of AWS Shield available to customers: AWS Shield Standard and AWS Shield Advanced.

Available to all AWS customers by default, AWS Shield can be availed without any extra cost. This version of AWS Shield protects your web applications from over 90% of common DDoS attacks such as Syn/ACK floods, Volumetric attacks and HTTP slow reads. On Amazon Route 53, Amazon Cloud Front and Elastic Load Balancing resources, AWS Shield is turned on by default. To provide quick detection and protection from most of the DDoS attacks, AWS Shield standard uses analysis techniques, traffic signatures, and anomaly algorithms to track malicious traffic in real-time. With Shield Standard, you get:

  • Quick Detection

  • Inline Attack Mitigation

On the other hand, the advanced AWS Shield provides a higher level of protection against DDoS attacks including intelligent DDoS attack detection for network layer, transport layer and application layer. With AW Shield Advanced, you get:

  • Enhanced Detection

  • Advanced Attack Mitigation

  • Visibility and Attack Notification

  • Specialized Support

  • DDoS Cost Protection

AWS Web Application Firewall (WAF)

A security system, AWS WAF controls inbound and outbound traffic for applications and websites based on the Amazon Web Services public cloud. This AWS service helps protect your web applications from attacks that could affect application availability, compromise security, or consume excessive resources.

By providing them with the ability to customize security rules, AWS WAF allows developers to allow, block or track web requests. This helps protect applications and sites from common web attacks that could otherwise negatively affect application performance and availability. Following are the benefits of using this AWS service:

  • Increased protection against Web Attacks

  • Ease of development and maintenance

  • Improved web traffic visibility

  • Cost effective web application protection

  • Increase web security as you develop your application

There you have it – the security, identity and compliance products of AWS that can help secure your business.

Securing some of the commonly used Amazon AWS products

You would have probably noticed that the aforementioned-products of AWS secure your business by supporting/ securing other AWS products. Some of these products include CloudFront, EC2, S3, VPC, Route 53 and Elastic Load Balancing. Following is a bit of information about these services and how you can secure them to avoid security issues.

CloudFront

A global content delivery network (CDN) service, CloudFront delivers APIs, applications, videos and data securely to your viewers with high transfer speeds and low latency. As of now, CloudFront uses a global network of over 70 edge locations across 49 countries covering Asia, Europe, Australia, North America, and South America.

The delivery of any files or content that you’d normally serve over HTTP (S): static, dynamic or media streaming, is what CloudFront can speed up. Let’s suppose that you use Amazon Web Services but haven’t signed up for CloudFront. Now, when someone views your video, their computer will download it from S3 server where you host your media. Now, S3 has the following eight main servers:

  • US Standard

  • US West (Northern California)

  • US West (Oregon)

  • EU (Ireland)

  • South America (Sao Paolo)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Asia Pacific (Singapore)

Now, if you start using Amazon CloudFront, your video will still be stored on the main S3 server but copies will be created on a Content Delivery Network (CDN), a network of servers around the world. In short, CloudFront is S3’s CDN and each edge server i.e. each server in the network will have a copy of your video.

Now, when a viewer wants to watch your video, their computer will retrieve a copy from the nearest edge server. As the data doesn’t have to travel far from the server to reach the viewer, it will be less vulnerable to attacks and can be downloaded quicker.

Securing CloudFront

To securely deliver content through CloudFront, you can do the following:

  • Allow access to users only through special CloudFront signed URLs or signed cookies

  • Allow users access to your Amazon S3 through CloudFront URLs, and through Amazon S3 URLs

While doing the above isn’t mandatory, it’ll help to stop users from bypassing the restrictions specified in signed URLs or signed cookies.

Amazon S3

Also known as Amazon Simple Storage Service, Amazon S3 is an online storage facility. Regardless of format, Amazon S3 makes it simple and practical to store, collect and analyze data-all at massive scale. Designed for online backup and archiving of data and application programs, S3 is a scalable, high-speed, low-cost, web-based cloud storage device.

By subscribing to Amazon S3, you get access to the same systems that Amazon uses to run its own websites. An AWS customer using S3 can upload, store and download almost any file that is up to 5 GB in size. Following are some of the benefits of using Amazon’s S3 storage service:

  • Unlimited Bandwidth

  • Better Scalability

  • Pay only for what you use

  • Store files online

  • Easier files retrieval and sharing

Securing Amazon S3

To secure data stored in it against unauthorized access, Amazon S3 provides authentication mechanisms. So, all S3 resources-buckets, objects, and related sub-resources are private by default. The resource can be accessed only by its owner i.e. the person that created the AWS account. As a resource owner, you can allow access to others by writing an access policy. By supporting user authentication, Amazon S3 allows you to control access to data. Following is how you secure your Amazon S3:

  • Selectively grant permissions to users and group of users by using control mechanisms such as Access Control Lists (ACLs) and bucket policies

  • Using the HTTPs protocol, securely upload or download data to Amazon S3 through SSL endpoints

  • You can use the Server Side Encryption (SSE) option with Customer-Provide Keys (SSE-C) to encrypt data stored-at-rest for extra security

Amazon EC2

A cloud computing platform, Amazon EC2 allows AWS customers to rent virtual machines (instances), and host their applications on either Linux or Windows. Just to make things clear, EC2 instances are the servers on which you run your workload.

A web service that provides secure, resizable compute capacity in the Cloud, EC2 allows businesses to run application programs in AWS public cloud. Using an application programming interface or the Amazon EC2 web interface, an AWS user can scale up or down ‘instance’ capacity as needed within minutes.

Following is how you can start using EC2. An Amazon Machine Image (AMI) containing an operating system, application programs and configuration settings is created by a develop. Next, the AMI is uploaded to Amazon S3 and registered with EC2. This creates an AMI identifier. Once this is done, you can request virtual machines on an as-needed basis. Following are some of the benefits of using EC2:

  • Increase or decrease capacity within minutes, not hours or days

  • Complete control of your ‘instances’

  • Choice of multiple instance types, operating systems and software packages

  • A high reliable cloud environment

  • A data center and network architecture built to meet the requirements of the most security-sensitive organizations

Securing EC2

Following are the general best practices to secure Amazon EC2 instances:

  • Least Access: Leverage host-based protection software, install only the required OS components and applications and restrict server access from both the network on the instance.

  • Least Privilege: Define the minimum privileges required by each server to perform its function.

  • Configuration Management: Track each server as a configuration item after creating a baseline server configuration. Identify and flag any deviations by assessing each server against the current recorded baseline. Finally, each server should be configured to generate and securely store relevant log and audit data.

  • Change management: Create processes to control changes to server configuration baselines.

Virtual Private Cloud (VPC)

One of the most used and popular services of the Amazon Web Services suite, Amazon VPC allows you to set up a private cloud (a logically isolated section) within the AWS cloud computing service. Using Amazon VPC, you can launch AWS resources in a virtual network that you define.

With Amazon VPC, you have complete control over the virtual networking environment including configuration of route tables and network gateways, creation of subnets, and selection of your own IP address range. AWS users can to Amazon VPC through several mediums including an on-premise data center through the Hardware Virtual Private Network (VPN) connection tool, through an internet gateway or through a variety of AWS tools and other vendor VPCs. Following is why signing up for Amazon VPC makes sense:

  • Security features such as security groups and network access control lists that enable inbound and outbound filtering at the instance level and the subnet level

  • Multiple connectivity options

  • Using an AWS Management Console, create a VPC quickly and easily

  • Scalability and Reliability

  • Ability to extend your corporate network into the cloud

  • Disaster Recovery

Securing VPC

Following are the steps to create a secure connection to AWS VPC:

  • Create a customer gateway

  • Create a virtual private gateway

  • Create a VPN connection

  • Get the VPN connection configuration and configure your customer gateway

Route 53

A scalable domain name system (DNS) service, Amazon Route 53 allows businesses and developers to reliably direct end users to applications. This AWS service translates website names like www.google.com into numeric IP addressed that computers use to connect to each other.

Whether it’s hosted on AWS or elsewhere, Route 53 handles domain registration and routes users’ internet requests to your application. But, that is something every DNS service is supposed to do. What makes Route 53 unique is that it intelligently directs traffic based on sophisticated routing policies, and via automated health checks, away from the server that might be failing.

Just like many other AWS service, Route 53 is a pay-as-you-go service, meaning you’ll be charged for the number of hosted zones created and maintained by you and by the number of requests routed. Some of the key features of Amazon Route 53 include:

  • Domain Registration

  • Private DNS

  • Health check

  • AWS service integration

  • Alias records

Securing Amazon Route 53

Following is how you can secure Route 53:

  • Attach Policies to IAM identities: Attach a permissions policy to a user or group in your account and attach a permissions policy to a role.

  • Grant Permissions for API actions:  API actions that you can use on each Amazon Route 53 resource are part of Amazon route 53. By controlling permissions to perform any or all of these actions, you can secure your Amazon Route 53.

Elastic Load Balancing

A load-balancing service for AWS deployments, AWS Elastic Load Balancing (ELB) automatically identifies and distributes inbound application traffic across Amazon EC2 resources, containers, and instances, according to their IP addresses. Based on incoming application and network traffic, an IT team use ELB to adjust capacity.

To maintain consistent application performance, users enable ELB within a single availability zone or across multiple availability zones. Following are some of the features offered by AWS ELB:

  • Support for both IPv4 and IPv6

  • Detection of unhealthy Elastic Compute Cloud (EC2) instances

  • Optional Public Key authentication

  • Flexible cipher support

  • Spreading instances across healthy channels only

  • Centralized management of Secure Sockets Layer (SSL) certificates

Securing Elastic Load Balancing

You can secure AWS Elastic Load Balancing (ELB) by:

  • Granting permissions using IAM policies

  • Activating resource-level permission for Elastic Load Balancing

API Gateway

A fully managed service, API gateway enables developers to API services to internet clients. Using Amazon API gateway, a developer can connect non-AWS applications to AWS back-end resources, such as code or servers.

Amazon API Gateway offers the common API gateway features such as traffic management, monitoring, authentication, and authorization. To help achieve greater functionality for a product, an application program interface (API) allows two or more software programs to communicate with each other. Amazon API gateway, which accepts and processed existing API calls, is where an AWS user creates, manages and maintains APIs. In addition to managing traffic, the service authorized end users and monitors performance. Following are the benefits of using this AWS service:

  • Integration with AWS Lambda, IAM and AWS Services

  • Elastic, self-service and pay-by-use facade in the cloud

  • API logging, caching, throttling, bursting and monitoring

  • API lifecycle management

  • Payload modeling and transformation

Securing API Gateway

Here’s how you can control access in API gateway and secure it:

  • Use IAM permissions to control access to API gateway

  • Enable cross-origin resource sharing (CORS) for an API gateway resource

  • Use Client-Side SSL certificates for authentication by the backend

  • Create and use API gateway usage plans

By procuring the aforementioned-AWS services in addition to the security, identity and compliance products of AWS, you can prevent threats from cyber criminals and stay secure for future.

STILL SPENDING TIME ON SUPPORT?

Outsource your helpdesk support to save time and money. We have technicians available for little over 5 USD per hour in order to assist your customers with their technical questions. Grow your business and concentrate more on your SALES!

Xieles Support is a provider of reliable and affordable internet services, consisting of Outsourced 24×7 Technical Support, Remote Server Administration, Server Security, Linux Server Management, Windows Server Management and Helpdesk Management to Web Hosting companies, Data centers and ISPs around the world. We are experts in Linux and Windows Server Administration, Advanced Server Security, Server Security Hardening. Our primary focus is on absolute client satisfaction through sustainable pricing, proactively managed services, investment in hosting infrastructure and renowned customer support.

Final Word

According to Amazon, there are more than a million active Amazon Web Services (AWS) users. Today, more and more companies are making the move to AWS and there are several reasons for this. First, with AWS, you pay for what you use. As site traffic tends to be unpredictable, this makes a lot of sense.

Generally, traditional hardware goes unutilized for 90% of its lifecycle. By keeping it cheap during the slow times, AWS helps deal this problem. Secondly, AWS offers incredible speed to users. It can bring servers online and offline very quickly as needed. Now comes the important part though: with services such as IAM, VPC, and others, AWS secures your business over the internet and in doing so, secures its future.

To expand your datacenter and increase your ability and speed in developing and delivering applications, AWS delivers flexible, self-managed, pay-as-you-go services. However, securing these services is your responsibility. A joint effort: securing AWS services requires both the cloud service provider and the customer to do their part.

For businesses, it’s extremely important to secure their AWS services and the applications being migrated to them.  To avoid significant additional investments in cost, resources and time, businesses should look to secure their AWS services. Just as they would do for on- premise servers, businesses need to secure their AWS services by controlling access, centralizing identity and privilege management, consolidating identities, and auditing all privileged activities.

By using the aforementioned-best practices for securing the various AWS services, you can achieve your objective quickly, cost-effectively, and with little disruption. You can find out more about AWS products and how you can secure them by visiting the Amazon Web Services site.