{"id":7207,"date":"2019-09-08T11:22:48","date_gmt":"2019-09-08T04:22:48","guid":{"rendered":"http:\/\/54.151.235.32\/?p=7207"},"modified":"2021-03-03T18:00:26","modified_gmt":"2021-03-03T11:00:26","slug":"cloud-security-and-aws-part-1","status":"publish","type":"post","link":"https:\/\/renovacloud.com\/en\/cloud-security-and-aws-part-1\/","title":{"rendered":"Cloud Security and AWS: Part 1"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">As DevOps culture and the public cloud have become widely adopted, engineering teams in many companies have become faster and more agile than ever before. However, the same autonomy and agility also demand that those teams take on a bigger role in operational security. As such,\u00a0<\/span><span style=\"font-weight: 400;\">DevSecOps<\/span><span style=\"font-weight: 400;\">\u00a0and\u00a0<\/span><span style=\"font-weight: 400;\">Cloud Native Security<\/span><span style=\"font-weight: 400;\">\u00a0are essential topics that need to be addressed to keep every project running smoothly and to maintain a proactive stance towards security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this article, we will cover some industry best practices in cloud security and give some tips and tricks that you can apply in your day-to-day operations. While most of these apply to any public cloud vendor, we\u2019ll use AWS as the reference due to its large market share.<\/span><\/p>\n<p><b>Overview of Cloud Security<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Previously, security was a responsibility shared between an organization\u2019s Development and Operations (Infra) teams. Today, the split runs between the customer organization as a whole (through its DevOps teams) and its public cloud provider. 
AWS illustrates this split in its\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/compliance\/shared-responsibility-model\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS Shared Responsibility Model<\/span><\/a><span style=\"font-weight: 400;\">. AWS is responsible for security \u201cof\u201d the cloud, while its customers are responsible for security \u201cin\u201d the cloud. In other words, AWS protects the underlying infrastructure that runs its services (hardware, software, network, and facilities), while the customer is responsible for everything they deploy and configure on top of it: identities and permissions, data and its encryption, network controls, and the security of their own workloads.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">AWS groups its services into three categories: Infrastructure, Container, and Abstracted. The customer\u2019s share of the responsibility shrinks from the first to the last, but it never reaches zero.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>Infrastructure<\/b><span style=\"font-weight: 400;\">: You carry the largest operational responsibility with these services, such as EC2 or VPC. You patch the guest operating system and software on your own instances, control access to them, and make sure the VPC (subnets, routing, security groups, network ACLs) is configured correctly.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Container<\/b><span style=\"font-weight: 400;\">: With these, AWS runs the platform for you, as with RDS or EMR. AWS patches the operating system and the managed software on the instances it provisions (the degree varies by service: with RDS you never log in to the instance, with EMR you can), but you remain responsible for the network controls around them (security groups, for example), for platform-level access management that sits outside IAM (such as database users), for encryption at rest and in transit, and for backups.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Abstracted<\/b><span style=\"font-weight: 400;\">: These are the serverless-style services, such as S3, SQS, and SES. You have the least operational responsibility because no underlying instances run in your account; what remains is configuration: who and what may reach the resource (IAM and resource policies), whether its data is encrypted, and whether access is logged. 
However, you still have to get that configuration right: an S3 bucket policy that grants public read access is a customer-side misconfiguration, not a provider failure.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Equally important to the responsibility split is understanding how to comply with standards and regulations in a cloud world. The major public cloud vendors have their platforms audited against many compliance programs so that customers can inherit those controls for the parts of the stack the provider operates.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Using AWS as an example, customers can navigate its\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/compliance\/programs\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">compliance portal<\/span><\/a><span style=\"font-weight: 400;\">\u00a0to see the programs AWS participates in, such as PCI DSS, ISO 27001, SOC reports, FIPS 140-2 validation for specific service endpoints, and HIPAA eligibility for specific services.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, the provider\u2019s attestation covers only its side of the shared responsibility model; it does not qualify its customers to claim the same certification or status. A customer that wants to comply with such programs for services running in the public cloud has to pursue the assessment for its own configuration, applications, and processes.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The good news is that when the underlying infrastructure and platform are already certified, your scope shrinks to what you control, and the provider\u2019s audit reports (in AWS, available through AWS Artifact) supply the evidence for the rest.<\/span><\/p>\n<p><b>An Introduction to AWS Services<\/b><\/p>\n<p><span style=\"font-weight: 400;\">First-time cloud users and companies transitioning from an on-premises data center to the public cloud may find the process daunting, even with 20+ years of IT experience, because the public cloud is a paradigm shift from traditional IT infrastructure: every resource is created and controlled through an API. 
This section gives an overview of the key differences and similarities between the two worlds.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At its core, the public cloud offers the same types of resources found in a traditional on-premises data center. These foundational elements are\u00a0<\/span><b>compute<\/b><span style=\"font-weight: 400;\">,\u00a0<\/span><b>storage<\/b><span style=\"font-weight: 400;\">, and\u00a0<\/span><b>network resources<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><b>Foundational Elements<\/b><\/p>\n<p><b>Compute resources<\/b><span style=\"font-weight: 400;\">: These are similar to the virtual machines you run on-premises. AWS provides virtual instances (<\/span><a href=\"https:\/\/aws.amazon.com\/ec2\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS EC2<\/span><\/a><span style=\"font-weight: 400;\">), but EC2 is only one of several compute services. Others include\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/lambda\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS Lambda<\/span><\/a><span style=\"font-weight: 400;\">\u00a0(serverless functions, FaaS),\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/eks\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS EKS<\/span><\/a><span style=\"font-weight: 400;\">\u00a0(managed Kubernetes), and\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/ecs\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS ECS\/Fargate<\/span><\/a><span style=\"font-weight: 400;\">\u00a0(containers as a service; with Fargate you do not manage the underlying instances at all). Security-wise, each step from EC2 through Fargate to Lambda hands more of the stack to AWS and leaves you less to patch, but also less you can inspect yourself. 
These services are worth exploring when designing a cloud-native application because they reduce operational overhead and let you actually benefit from managed services.<\/span><\/p>\n<p><b>Storage resources:<\/b><span style=\"font-weight: 400;\">\u00a0Two AWS services map directly onto what a traditional on-premises data center provides.\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/ebs\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS EBS<\/span><\/a><span style=\"font-weight: 400;\">\u00a0provides block storage for services such as\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/ec2\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS EC2<\/span><\/a><span style=\"font-weight: 400;\">\u00a0(virtual instances), much like a SAN that provides block storage to virtual machines in a data center.\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/efs\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS EFS<\/span><\/a><span style=\"font-weight: 400;\">\u00a0provides network file storage over NFS, similar to a traditional NAS. A third storage service, one rarely found in an on-premises data center, is\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/s3\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS S3<\/span><\/a><span style=\"font-weight: 400;\">\u00a0(object storage). Object storage holds a virtually unlimited number of objects (opaque binary blobs plus metadata) that are read and written through an HTTP REST API rather than mounted as a disk, which is also why access to it is governed by IAM and bucket policies rather than filesystem permissions. It is the usual way to give persistent state to otherwise stateless cloud-native applications.<\/span><\/p>\n<p><b>Network resources<\/b><span style=\"font-weight: 400;\">: These are similar in concept to what you find in an on-premises data center, yet very different in practice. 
Networks in the public cloud are software-defined (SDN), so every network resource (VPCs, subnets, route tables, security groups, gateways) is created, changed, and destroyed through API calls. That has a direct security consequence: whoever holds the IAM permissions for those APIs can reshape the network, so network security in the cloud starts with IAM.<\/span><\/p>\n<p><b>Availability Zones<\/b><\/p>\n<p><span style=\"font-weight: 400;\">AWS operates multiple Regions around the globe, each made up of several Availability Zones (AZs). An AZ is one or more discrete data centers with independent power, cooling, and networking, linked to the other AZs in the Region by low-latency connections; every Region has at least two AZs, and most have three or more. A subnet is created in exactly one AZ. Subnets are grouped into a VPC (Virtual Private Cloud), which belongs to one Region and provides an isolated network boundary. Spreading a VPC\u2019s subnets across AZs is what makes failover, disaster recovery, and high availability possible.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7199\" src=\"http:\/\/renovacloud.com\/wp-content\/uploads\/2019\/09\/Picture1.png\" alt=\"\" width=\"643\" height=\"335\" \/>Fig 1: Example AWS network layout with on-premises connectivity<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Figure 1 above shows a typical AWS network topology built from native services, including connectivity to an on-premises data center.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The security considerations and more in-depth details for both the network and storage aspects of AWS will be the main theme of the second article of this series. 
For now, we move on to the aspects that need to be taken into account when considering a migration to the public cloud and planning the transition.<\/span><\/p>\n<p><b>Things To Consider Before Migrating<\/b><\/p>\n<p><span style=\"font-weight: 400;\">First and foremost, you should understand the business drivers behind your cloud migration. Cost usually comes to mind, but it should be neither the only nor the main consideration. It is true that the public cloud can lower costs over the medium to long term by shifting from CapEx (Capital Expenditures) to OpEx (Operational Expenses) and by benefiting from the economies of scale of the public cloud providers. However, over the short term (during the transition) the organization will typically incur higher costs.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">From a technical point of view, there are different strategies for moving to the public cloud. The most popular are the \u201cLift-and-Shift\u201d approach, which moves on-premises workloads as they are, and the \u201cRe-Architecting\u201d approach, which reworks on-premises applications to become cloud-native. Both have their merits, and both depend heavily on the organization\u2019s timeframe and technical talent, so they need to be carefully weighed and planned. From a security standpoint, a lift-and-shift also carries every on-premises assumption (flat networks, long-lived credentials, manual patching) into an environment whose management plane is a public API, so it should at least be paired with a review of identity and network boundaries.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For further guidance on migration, see\u00a0<\/span><span style=\"font-weight: 400;\">Securely Migrating to AWS<\/span><span style=\"font-weight: 400;\">. 
Also, the\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/cloud-migration\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS Cloud Migration portal<\/span><\/a><span style=\"font-weight: 400;\">\u00a0and the\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/professional-services\/CAF\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS Cloud Adoption Framework<\/span><\/a><span style=\"font-weight: 400;\">\u00a0provide a rich and in-depth analysis of what should be taken into account before migrating.<\/span><\/p>\n<p><b>Anatomy of AWS Accounts<\/b><\/p>\n<p><span style=\"font-weight: 400;\">An AWS account is the primary isolation boundary in AWS and therefore a key element in your cloud security strategy. It groups resources and provides checks and balances, since each account has its own IAM identities, service quotas, and bill. However, a new account\u2019s default configuration is not secure enough to use as is, so three actions must be taken in every new account before anything else:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Enable Multi-Factor Authentication on the root user, and make sure it has no access keys (delete any that exist).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Enable CloudTrail, preferably as a multi-region trail delivered to a bucket your workloads cannot write to, so that every API call to AWS services is logged and auditable.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Create IAM users and roles (or federate an existing identity provider) for all day-to-day work, and stop using the root user once it has been locked down; keep its credentials for the few tasks that require it.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Depending on the size and complexity of their use cases, some companies or teams opt for a multi-account strategy (see Fig. 2). This is a very effective way to limit the \u201cblast radius\u201d of a security incident: nothing crosses an account boundary unless IAM explicitly allows it. 
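<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Whichever account layout you choose, the three baseline actions above have to hold in every account, so it pays to verify them mechanically rather than trusting a one-time setup. The following is an added example written for this edit, not code from the original article: it evaluates those controls from snapshots of the relevant AWS API responses (IAM get-account-summary, CloudTrail describe-trails and get-trail-status, and the IAM credential report) for several accounts at once. The snapshots, account ids, ARNs, and dates are constructed so that it runs offline; in practice you would fetch them with boto3 through an audit role assumed in each account, and the 30-day idle window for the root user is an assumption of this example, not an AWS rule.<\/span><\/p>
```python
# Added example (not from the original article): audit the three baseline
# account controls listed above across several AWS accounts, working from
# snapshots of API responses so that it runs offline. The snapshots mirror:
#   aws iam get-account-summary        -> SummaryMap
#   aws cloudtrail describe-trails     -> trailList
#   aws cloudtrail get-trail-status    -> IsLogging
#   aws iam get-credential-report      -> decoded CSV content
# In practice you would collect them per account with boto3 through an
# assumed audit role; account ids, ARNs and dates below are constructed.
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_IDLE_DAYS = 30  # assumption: a root sign-in inside this window is flagged

def root_mfa_enabled(summary):
    '''Control 1: SummaryMap.AccountMFAEnabled is 1 when root has MFA.'''
    return summary.get('AccountMFAEnabled') == 1

def cloudtrail_logging(trails, status_by_arn):
    '''Control 2: at least one multi-region trail exists and is logging.
    A trail that exists but was stopped (IsLogging false) does not count.'''
    return any(
        trail.get('IsMultiRegionTrail') is True
        and status_by_arn.get(trail.get('TrailARN'), {}).get('IsLogging') is True
        for trail in trails
    )

def root_not_in_daily_use(credential_report, now):
    '''Control 3a: root has no active access keys and has not signed in for
    ROOT_IDLE_DAYS. The credential report lists the root user as <root_account>.'''
    for row in csv.DictReader(io.StringIO(credential_report)):
        if row['user'] != '<root_account>':
            continue
        keys_inactive = (row['access_key_1_active'] == 'false'
                         and row['access_key_2_active'] == 'false')
        last_used = row['password_last_used']
        if last_used in ('no_information', 'N/A'):
            return keys_inactive
        idle = now - datetime.fromisoformat(last_used)
        return keys_inactive and idle > timedelta(days=ROOT_IDLE_DAYS)
    return False  # no root row at all: fail closed

def iam_identities_exist(summary):
    '''Control 3b: day-to-day work needs IAM users or roles to exist.'''
    return summary.get('Users', 0) + summary.get('Roles', 0) > 0

def audit_account(snapshot, now):
    '''Return the names of the controls that fail for one account snapshot.'''
    checks = {
        'root-mfa': root_mfa_enabled(snapshot['summary']),
        'cloudtrail': cloudtrail_logging(snapshot['trails'], snapshot['trail_status']),
        'root-idle': root_not_in_daily_use(snapshot['credential_report'], now),
        'iam-identities': iam_identities_exist(snapshot['summary']),
    }
    return [name for name, passed in checks.items() if not passed]

def audit_organization(snapshots, now):
    '''Map each account id to its failed controls; an empty list means clean.'''
    return {acct: audit_account(snap, now) for acct, snap in snapshots.items()}

# Constructed sample data: a hardened production account and a neglected
# sandbox whose root user is still in use and holds an active access key.
HEADER = ('user,arn,user_creation_time,password_enabled,password_last_used,'
          'mfa_active,access_key_1_active,access_key_2_active')
CLEAN_REPORT = HEADER + '''
<root_account>,arn:aws:iam::111111111111:root,2018-01-05T09:00:00+00:00,not_supported,2019-02-01T08:00:00+00:00,true,false,false
deploy,arn:aws:iam::111111111111:user/deploy,2018-02-01T09:00:00+00:00,true,2019-09-01T08:00:00+00:00,true,true,false
'''
RISKY_REPORT = HEADER + '''
<root_account>,arn:aws:iam::222222222222:root,2019-06-01T09:00:00+00:00,not_supported,2019-09-07T22:15:00+00:00,false,true,false
'''
PROD_TRAIL = 'arn:aws:cloudtrail:eu-west-1:111111111111:trail/org-trail'
SANDBOX_TRAIL = 'arn:aws:cloudtrail:eu-west-1:222222222222:trail/default'
NOW = datetime(2019, 9, 8, 11, 0, tzinfo=timezone.utc)  # the article date

SNAPSHOTS = {
    '111111111111': {
        'summary': {'AccountMFAEnabled': 1, 'Users': 4, 'Roles': 12},
        'trails': [{'Name': 'org-trail', 'TrailARN': PROD_TRAIL, 'IsMultiRegionTrail': True}],
        'trail_status': {PROD_TRAIL: {'IsLogging': True}},
        'credential_report': CLEAN_REPORT,
    },
    '222222222222': {
        'summary': {'AccountMFAEnabled': 0, 'Users': 0, 'Roles': 0},
        'trails': [{'Name': 'default', 'TrailARN': SANDBOX_TRAIL, 'IsMultiRegionTrail': False}],
        'trail_status': {SANDBOX_TRAIL: {'IsLogging': False}},
        'credential_report': RISKY_REPORT,
    },
}

if __name__ == '__main__':
    for acct, failed in audit_organization(SNAPSHOTS, NOW).items():
        print(acct, 'OK' if not failed else 'FAILED: ' + ', '.join(failed))
```
<p><span style=\"font-weight: 400;\">The credential report is worth reading even when the account summary already says root MFA is on: it is the only place that shows whether root has active access keys and when it last signed in, which is how you verify the third action (root is no longer used day to day) instead of assuming it. The same check, fed with live data from each member account, is a natural first job for a central security account in a multi-account setup.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">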
Having multiple accounts per project (e.g., CI\/DEV, Staging, and Production) does add management complexity. However, the\u00a0<\/span><a href=\"https:\/\/aws.amazon.com\/organizations\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS Organizations<\/span><\/a><span style=\"font-weight: 400;\">\u00a0service simplifies this by letting you manage all accounts from a single place, consolidate billing, and apply Service Control Policies (SCPs) as guardrails that cap what any member account can do, for example forbidding anyone in a member account from stopping or deleting a CloudTrail trail.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7200\" src=\"http:\/\/renovacloud.com\/wp-content\/uploads\/2019\/09\/Picture11.png\" alt=\"\" width=\"514\" height=\"386\" \/>Fig 2: Example of a multi-account AWS strategy<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the other hand, a single-account strategy is also rather popular (especially in smaller projects with limited resources) since management is far simpler. Still, bear in mind that this usually translates into more complex IAM policies, because environment separation then has to be expressed entirely in IAM (resource names, tags, and conditions) to keep to the\u00a0<\/span><b>principle of least privilege\u00a0<\/b><span style=\"font-weight: 400;\">per service and environment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can also opt for a mixed approach: multiple accounts across the organization, combined with either a single account or several accounts per service or use case, depending on the complexity of each.<\/span><\/p>\n<p><b>Conclusion and Next Step<\/b><\/p>\n<p><span style=\"font-weight: 400;\">This article provided an introduction to the theme of security in the public cloud (AWS, Microsoft Azure, and Google Cloud) and some real-world examples in AWS. 
The main topics introduced were the different strategies that can be used for AWS accounts as well as the main building blocks that can be found in a public cloud provider such as AWS.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We also covered the foundational elements that can be found both in a traditional on-premises data center and in a public cloud (compute, network, and storage). Understanding these is an important first step towards having a solid security strategy in the public cloud. In part two of this series, we will venture deeper into two of these\u2013network and storage\u2013and cover their main security concerns and strategies worth exploring in AWS.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p>Source: Reblaze\/AWS<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As DevOps culture and the public cloud have become widely adopted, engineering teams in many companies have become faster and more agile than ever before. However, this very autonomy and agility that teams now enjoy also demand a bigger role in operational security. 
As such,\u00a0DevSecOps\u00a0and\u00a0Cloud Native Security\u00a0are essential topics that need to be addressed to [&#8230;]\n","protected":false},"author":7,"featured_media":6282,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[35,210,249],"class_list":["post-7207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-and-analytics","tag-aws","tag-cloud-security","tag-devsecops"],"_links":{"self":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/7207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/comments?post=7207"}],"version-history":[{"count":0,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/7207\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/media\/6282"}],"wp:attachment":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/media?parent=7207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/categories?post=7207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/tags?post=7207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}