
Applying Your Company's Security Standards to Your AWS Infrastructure

Introduction

Security is of utmost importance when it comes to managing your AWS infrastructure. Failing to apply security standards can leave your company vulnerable to various risks, including data breaches, unauthorized access, and service disruptions. In this blog post, we will explore the significance of applying your company’s security standards to your AWS infrastructure and discuss the benefits of maintaining a secure environment.

Part 1: Understanding Your Company’s Security Standards

Before implementing security measures, it is crucial to comprehend your company’s security standards. These standards can vary but commonly include data encryption, user access controls, and network security protocols. By understanding these requirements, you can align your AWS infrastructure with your company’s security policies and ensure compliance.

One service that lets you quickly see how your accounts score against common security standards is AWS Security Hub.

Security Hub

AWS Security Hub is a service that centrally aggregates security findings across your AWS accounts. It collects findings from AWS services (such as GuardDuty, Inspector, IAM Access Analyzer and AWS Config), from partner products and from custom integrations, normalizes them into one format and ranks them by severity. It also runs its own automated checks against standards such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark, and reports a security score per enabled standard. With Security Hub you can identify and remediate issues quickly, simplify compliance reporting and track your overall security posture over time.

The Security Hub console summarizes this as a security score per standard, with the individual findings listed underneath ranked by severity.

Part 2: AWS Security Basics

AWS offers a comprehensive set of built-in security features to help you protect your infrastructure. Familiarizing yourself with these basics is essential for maintaining a secure environment. AWS provides features such as Identity and Access Management (IAM), Security Groups, and Virtual Private Cloud (VPC).

IAM enables you to control user access by managing permissions and defining who can access specific AWS resources. Security Groups act as virtual firewalls, allowing you to control inbound and outbound traffic to your instances. VPC provides network isolation and segmentation, enhancing the security of your infrastructure.

However, writing IAM policies and roles is a complicated task and a major source of misconfiguration. Fortunately, AWS publishes a set of IAM best practices that should be followed.

These best practices include granting least privilege when assigning permissions and using IAM Access Analyzer both to validate policies before they are deployed and to find resources that are shared outside your zone of trust.
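The following script is an added example (not code from the original post or from AWS) of the kind of least-privilege check a practitioner would run against a policy document before committing it. It is a heuristic lint: it flags `NotAction` grants, wildcard actions, `iam:PassRole` on every role and write actions on `Resource: "*"` without a Condition. The two policy documents, the account id and the resource names are constructed for the example.

```python
"""Heuristic least-privilege lint for IAM identity policies (added example)."""
import json

# Action names starting with these verbs are treated as read-only (heuristic).
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return a list of (severity, statement id, message) findings for Allow statements."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"Statement[{index}]")
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        has_condition = bool(statement.get("Condition"))
        all_resources = "*" in resources

        # NotAction in an Allow grants everything except the listed actions.
        if "NotAction" in statement:
            findings.append(("HIGH", sid, "NotAction in an Allow grants every action not listed"))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            findings.append(("HIGH", sid, f"wildcard action(s): {', '.join(wildcards)}"))
        # Unrestricted PassRole lets a principal hand any role to a service it controls.
        if "iam:PassRole" in actions and all_resources and not has_condition:
            findings.append(("HIGH", sid, "iam:PassRole on every role without a Condition"))
        writes = [a for a in actions if not _is_read_only(a)]
        if writes and all_resources and not has_condition:
            findings.append(("MEDIUM", sid,
                             f"non-read-only action(s) on Resource \"*\": {', '.join(writes)}"))
    return findings


# Constructed sample policies (not taken from any real account).
OVERLY_BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    {"Sid": "ExceptIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}
  ]
}""")

LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-assets", "arn:aws:s3:::example-app-assets/*"]},
    {"Sid": "PassAppRoleOnly", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    {"Sid": "DescribeAll", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for label, policy in (("broad", OVERLY_BROAD_POLICY), ("tight", LEAST_PRIVILEGE_POLICY)):
        print(label, len(lint_policy(policy)), "finding(s)")
        for severity, sid, message in lint_policy(policy):
            print(f"  [{severity}] {sid}: {message}")
```

This is a pre-commit sanity check, not a replacement for IAM Access Analyzer: `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json` performs the authoritative grammar and best-practice checks, and the lint above is only meant to catch the obvious over-grants earlier, in the editor or the pull request.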

Part 3: Applying Security Standards to AWS

Achieving and maintaining compliance with industry regulations and company policies is critical for organizations operating in the AWS environment. AWS provides powerful services such as AWS Config and AWS Audit Manager to assist in this process, offering visibility into the configuration of resources and simplifying compliance assessments. Let’s explore these services with examples and screenshots.

AWS Config

AWS Config helps you assess and evaluate the configuration of your AWS resources, track changes over time, and maintain compliance with desired configurations. It provides a detailed inventory of your resources, including configuration details and relationships.

AWS Config works by recording a configuration item (a snapshot of a resource's configuration) every time a resource changes, so you get a history of what changed and when. On top of that, it lets you define rules that your configuration must comply with.

Take the following rule as an example: the managed rule acm-certificate-expiration-check verifies whether any ACM certificate in the account expires within the specified number of days (its daysToExpiration parameter).

This rule's evaluation mode is detective, which means it runs after a configuration change has taken effect (or on a periodic schedule) and reports the violation only once the resource already exists in the non-compliant state. Having detective rules does not by itself make the account secure: a misconfiguration can expose sensitive data or leave the account vulnerable in some other way, and an attacker can take advantage of that window before the change is fixed or rolled back.

We can attach automatic remediation actions (Systems Manager Automation documents) to rules, so that a violation is fixed quickly and the account stays compliant in the long run.
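Managed rules cover the common cases, but company-specific checks are written as custom rules backed by a Lambda function. The function below is an added example (not code from the original post or from AWS) showing how such a rule works: AWS Config invokes it with the changed configuration item, the function decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE and reports the result back with `put_evaluations`. It reimplements the certificate-expiry check discussed above so the logic is visible; the evaluation is kept in a pure function so it can be exercised offline. The configuration items, ARN and result token are constructed, and the assumption that the expiry date sits under `configuration.notAfter` (as epoch milliseconds or an ISO-8601 string) is noted in the code.

```python
"""Custom AWS Config rule (Lambda) flagging ACM certificates that expire within
daysToExpiration days. Added example; configuration item layout is an assumption."""
import json
from datetime import datetime, timedelta, timezone

DEFAULT_DAYS = 30  # default used when the rule has no daysToExpiration parameter


def _parse_not_after(value):
    """Accept epoch milliseconds or an ISO-8601 string (assumed CI layout)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def evaluate_compliance(configuration_item, rule_parameters, now=None):
    """Pure evaluation: returns (ComplianceType, annotation) for one configuration item."""
    now = now or datetime.now(timezone.utc)
    if configuration_item.get("resourceType") != "AWS::ACM::Certificate":
        return "NOT_APPLICABLE", "rule applies to ACM certificates only"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "certificate was deleted"
    days = int(rule_parameters.get("daysToExpiration", DEFAULT_DAYS))
    not_after = (configuration_item.get("configuration") or {}).get("notAfter")
    if not_after is None:
        return "NON_COMPLIANT", "certificate has no notAfter (not issued?)"
    remaining = _parse_not_after(not_after) - now
    if remaining < timedelta(0):
        return "NON_COMPLIANT", f"certificate expired {(-remaining).days} day(s) ago"
    if remaining <= timedelta(days=days):
        return "NON_COMPLIANT", f"certificate expires in {remaining.days} day(s), threshold {days}"
    return "COMPLIANT", f"certificate expires in {remaining.days} day(s)"


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: unpack the Config event, evaluate, report the result."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(ci, params)
    if config_client is None:
        import boto3  # imported lazily so the evaluator is testable without AWS
        config_client = boto3.client("config")
    config_client.put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample data for running this offline (not real account data).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_ci(not_after, status="OK"):
    return {
        "resourceType": "AWS::ACM::Certificate",
        "resourceId": "arn:aws:acm:eu-west-1:123456789012:certificate/example",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"domainName": "app.example.com", "notAfter": not_after},
    }


SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": sample_ci("2023-06-01T00:00:00Z"),
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": json.dumps({"daysToExpiration": "30"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    for label, ci in (("expiring", sample_ci("2024-01-20T00:00:00Z")),
                      ("healthy", sample_ci("2024-12-31T00:00:00Z"))):
        print(label, evaluate_compliance(ci, {"daysToExpiration": "30"}, now=FIXED_NOW))
```

The same function body serves both evaluation modes: in detective mode Config calls it after the change, in proactive mode it is called with the proposed configuration before deployment, which is why keeping the decision in a side-effect-free function pays off.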

A better way to use AWS Config to protect the account and stay compliant, especially in large teams, is proactive rules. This evaluation mode is relatively new (released in 2022). Proactive rules evaluate a resource's configuration before the change takes effect, and you can call them from your CI/CD pipeline so that a non-compliant resource is rejected before it is ever deployed.
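The pipeline side of that looks like the script below, an added example that is not code from the original post or from AWS. It submits a proposed resource configuration with `start_resource_evaluation` in PROACTIVE mode, polls `get_resource_evaluation_summary` and fails the job unless the result is COMPLIANT or NOT_APPLICABLE (fail closed on INSUFFICIENT_DATA, errors and timeouts). It assumes the job runs with credentials for an account whose rules are enabled with proactive evaluation mode; the bucket definition is constructed for the example.

```python
"""CI gate built on AWS Config proactive evaluation (added example)."""
import json
import time
import uuid

ALLOWED = {"COMPLIANT", "NOT_APPLICABLE"}  # anything else blocks the deployment


def build_evaluation_request(resource_type, resource_id, configuration, timeout_seconds=120):
    """Request for config:StartResourceEvaluation. The resource does not exist yet,
    so ResourceId is just a placeholder name and the configuration is given in
    CloudFormation resource-schema form."""
    return {
        "ResourceDetails": {
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            "ResourceConfiguration": json.dumps(configuration),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": "PROACTIVE",
        "EvaluationTimeout": timeout_seconds,
        "ClientToken": str(uuid.uuid4()),
    }


def gate_decision(summary):
    """Map a GetResourceEvaluationSummary response to (decision, reason).
    decision is None while the evaluation is still running."""
    status = summary["EvaluationStatus"]["Status"]
    if status == "IN_PROGRESS":
        return None, "evaluation in progress"
    if status == "FAILED":
        reason = summary["EvaluationStatus"].get("FailureReason", "unknown")
        return False, f"evaluation failed: {reason}"
    compliance = summary.get("Compliance", "INSUFFICIENT_DATA")
    return compliance in ALLOWED, compliance


def evaluate_before_deploy(resource_type, resource_id, configuration,
                           config_client=None, poll_seconds=5, max_polls=24):
    """Returns (allow_deploy, reason). Fails closed on timeout."""
    if config_client is None:
        import boto3  # lazy import so the pure functions run without AWS
        config_client = boto3.client("config")
    request = build_evaluation_request(resource_type, resource_id, configuration)
    evaluation_id = config_client.start_resource_evaluation(**request)["ResourceEvaluationId"]
    for _ in range(max_polls):
        summary = config_client.get_resource_evaluation_summary(ResourceEvaluationId=evaluation_id)
        decision, reason = gate_decision(summary)
        if decision is not None:
            return decision, reason
        time.sleep(poll_seconds)
    return False, "timed out waiting for the evaluation"


# Constructed candidate resource, as it would appear in a CloudFormation template.
CANDIDATE_BUCKET = {
    "BucketName": "example-app-assets",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
    },
    "VersioningConfiguration": {"Status": "Enabled"},
}

if __name__ == "__main__":
    allowed, why = evaluate_before_deploy("AWS::S3::Bucket", "example-app-assets", CANDIDATE_BUCKET)
    print("deploy" if allowed else "block", why)
    raise SystemExit(0 if allowed else 1)
```

When the gate blocks, `aws configservice get-compliance-details-by-resource --resource-evaluation-id <id>` lists the per-rule results so the developer can see which rule rejected the change.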

Going back to one very powerful feature of AWS Config: conformance packs. A conformance pack is a collection of Config rules and remediation actions, written as a single YAML template, that is deployed and reported on as one unit. You can deploy the sample packs AWS provides to stay compliant with a given standard, and you can also author your own company packs and roll them out across multiple AWS accounts through AWS Organizations.

We may describe how to approach developing your own conformance packs in a future blog post, as we find it really important for each company to define its own checks. For now, let's move on to a service with a similar feature: AWS Audit Manager.

AWS Audit Manager

AWS Audit Manager simplifies assessing and managing compliance by automating evidence collection, streamlining assessments, and generating audit-ready reports. It provides pre-built frameworks for various industry standards, such as SOC 2, ISO 27001, and HIPAA. It relies on AWS Config, among other sources, to gather information about the current configuration of the account.

We highly recommend enabling the service, especially since it works together with AWS Security Hub and AWS Config, using both as evidence sources.

Audit Manager lets you create an assessment against the frameworks you want to comply with. You can also create your own company framework, in which you specify one or more control sets.

A control set is a list of controls, which you create separately. The same control can be reused across multiple custom frameworks.

For each control you define the data sources (an AWS Config rule, a Security Hub control, a CloudTrail event, an AWS API call or manual evidence) and then an action plan.

The action plan holds the instructions to follow when the control produces findings. These instructions are valuable to the cloud security engineers or AWS account administrators who fix the issues after the audit.

After that, you can run an assessment with a specific scope. Make sure to include only production and staging accounts, as development environments and accounts generally produce many false positives in the final report.
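Clicking through the console is fine for one account, but a company standard has to be reproducible. The script below is an added example (not code from the original post or from AWS) that performs the steps just described with boto3: it creates a custom control whose data source is an AWS Config rule and which carries an action plan, wraps it in a custom framework with one control set, and starts an assessment scoped to the given accounts. The account ids, bucket, role ARN and names are placeholders, and the format of the Config rule keyword (the managed rule identifier, or `Custom_` followed by the rule name for custom rules) is an assumption noted in the code.

```python
"""Provision an Audit Manager custom control, framework and assessment (added example)."""


def build_control(name, description, config_rule_identifier, action_plan_title, action_plan_instructions):
    """Request for auditmanager:CreateControl with one AWS Config data source."""
    return {
        "name": name,
        "description": description,
        "testingInformation": "Evidence is the daily evaluation result of the mapped Config rule.",
        "actionPlanTitle": action_plan_title,
        "actionPlanInstructions": action_plan_instructions,
        "controlMappingSources": [{
            "sourceName": f"config:{config_rule_identifier}",
            "sourceSetUpOption": "System_Controls_Mapping",  # automated evidence
            "sourceType": "AWS_Config",
            # Assumption: keywordValue is the managed rule identifier,
            # or "Custom_<rule name>" for a custom rule.
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": config_rule_identifier},
            "sourceFrequency": "DAILY",
        }],
    }


def build_framework(name, description, control_ids, compliance_type="Internal security standard"):
    """Request for auditmanager:CreateAssessmentFramework with a single control set."""
    return {
        "name": name,
        "description": description,
        "complianceType": compliance_type,
        "controlSets": [{"name": "Cloud baseline",
                         "controls": [{"id": cid} for cid in control_ids]}],
    }


def build_assessment(name, framework_id, account_ids, report_bucket, process_owner_role_arn):
    """Request for auditmanager:CreateAssessment scoped to the given accounts only."""
    return {
        "name": name,
        "description": "Review of production and staging accounts against the company baseline",
        "assessmentReportsDestination": {"destinationType": "S3",
                                         "destination": f"s3://{report_bucket}"},
        "scope": {"awsAccounts": [{"id": account_id} for account_id in account_ids]},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": process_owner_role_arn}],
        "frameworkId": framework_id,
    }


def provision(account_ids, report_bucket, process_owner_role_arn, client=None):
    """Chain the three calls; returns the created ids."""
    if client is None:
        import boto3  # lazy import so the builders are testable without AWS
        client = boto3.client("auditmanager")
    control = client.create_control(**build_control(
        name="TLS certificates renewed before expiry",
        description="Every ACM certificate must be renewed at least 30 days before it expires.",
        config_rule_identifier="ACM_CERTIFICATE_EXPIRATION_CHECK",
        action_plan_title="Renew or replace the expiring certificate",
        action_plan_instructions="Check ACM for the certificate named in the finding, fix DNS/email "
                                 "validation if renewal is stuck, and re-run the Config rule.",
    ))["control"]
    framework = client.create_assessment_framework(**build_framework(
        "Example Corp cloud baseline", "Company security standard mapped to AWS evidence",
        [control["id"]]))["framework"]
    assessment = client.create_assessment(**build_assessment(
        "Quarterly production review", framework["id"], account_ids,
        report_bucket, process_owner_role_arn))["assessment"]
    return {"controlId": control["id"], "frameworkId": framework["id"],
            "assessmentId": assessment["metadata"]["id"]}


if __name__ == "__main__":
    # Placeholder account ids, bucket and role (not real).
    print(provision(["111111111111", "222222222222"], "example-audit-reports",
                    "arn:aws:iam::111111111111:role/AuditManagerProcessOwner"))
```

Keeping the request builders separate from the calls means the same definitions can be version-controlled and re-applied in every account where the standard must hold, which is what makes the checks a company standard rather than a one-off console setup.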

Conclusion

In conclusion, it is crucial for your organization to apply your company’s security standards to your AWS infrastructure in order to protect your data and mitigate security threats. By understanding your company’s security requirements and utilizing tools such as AWS Config custom rules and AWS Audit Manager custom frameworks, you can establish a robust foundation for your company’s security.

At PCP, we assist our clients in implementing security controls throughout their CI/CD pipelines, managing their cloud accounts and infrastructure, and ensuring compliance across multiple AWS accounts. We work with our clients to develop their own company’s security standards and facilitate a secure migration to the cloud.