Cost, Performance, and Security Optimization for the Public Cloud

Aaron Klein

Subscribe to Aaron Klein: eMailAlertsEmail Alerts
Get Aaron Klein: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: Cloud Computing, Infrastructure On Demand, Infrastructure 2.0 Journal, Amazon Cloud Journal, Cloud Computing for SMBs

Amazon Cloud Journal: Blog Post

Five Tips to Improve Your AWS Security

Follow these best practices for better security

A key advantage of AWS and the cloud is that it is dynamic and can be scaled according to need. That advantage, however, can cause security nightmares. With that in mind, here are five easy tips to ensure that you keep up your end of the bargain.

1. Use ‘least privileging' when permissioning. What does this mean? It means use either the templates AWS provides or create your own to insure that users are not given more access than they require. Use AWS' resource level controls. This is equally critical when considering programs that are gaining API access. Do not over permission and carefully control privileges.

2. Create strong IAM policies and continually monitor them. AWS allows MFA. Use it for privileged accounts. Similarly, create and enforce policies to insure that passwords are appropriately complex and secure for all accounts. Ensure that your security groups are properly configured and permissioned.

3. Secure your S3 buckets. At CloudCheckr, we conducted a random review of 400 accounts and found that over 30% of all users had S3 buckets with ‘view', ‘edit', or ‘upload/delete' permissions set to everyone. This allows malicious users easy access.

4. Monitor your resource usage. Effective security requires vigilance. You should set CloudWatch alerts and pay attention to your regular utilization metrics. CloudWatch offers basic utilization metrics that are appropriate for small deployments. Advanced users typically require more in-depth analytics (available from a 3rd party) that looks deeper into utilization and extends beyond CloudWatch's 2 week reporting period. Without comprehensive analytics and awareness, it is far more difficult to accurately assess CloudWatch alerts and detect unusual activity.

5. Track changes to your deployment. Given AWS' dynamic nature, even a medium size deployment undergoes numerous changes on a daily basis. Each change needs to be monitored to insure that proper configuration, IAM, and security protocols are followed. The tracking can be done either manually or with an automated tool.

Following these five tips will quickly and dramatically improve your security posture. The issues raised represent the most common issues surrounding AWS usage. The list is not, however, the last word on security. There are, of course, a multitude of other concerns that must be followed.

Unlisted, but perhaps most importantly, security requires vigilance. AWS presents a dynamic environment and its users need to adapt to that reality. This means that you should be monitoring and reviewing your deployment, its resources, and its changes regularly. Whether conducted manually or automatically, this review is essential to maintaining your security posture.

As a note of disclosure: I am a Founder and the COO of CloudCheckr Inc. We specialize in this space and devote our solution to addressing all core infrastructure cost, monitoring, and control issues. Obviously, I am biased in favor of our leading product: CloudCheckr Pro. However, do not take my word for which solution is optimal. I encourage you to try CloudCheckr Pro along with solutions from vendors such as Cloudyn and others. Use the free trials and judge for yourself.

More Stories By Aaron Klein

Aaron Klein is Co-Founder and COO of CloudCheckr Inc. CloudCheckr Inc. provides a comprehensive solution (CloudCheckr Pro) that addresses the infrastructure reporting, monitoring, and control needs of AWS users through automated and customizable reports, alerts, and recommendations. Its cost, security, resource, best practice, and change monitoring analytics and features allow users otherwise unavailable insight into their deployments and usage. CloudCheckr Pro is designed to help users optimize their deployment.