# AWS security

Under the Shared Responsibility Model, AWS is responsible for security **of the Cloud**, while the customer is responsible for what is **in the Cloud**.

This means that while AWS takes responsibility for the physical security of its data centres, database patching, and firewall configuration, the customer needs to take responsibility for who has access to their content, access rights and authentication.
> - Identity Access Management
> - VPC and GuardDuty
> - S3 and Macie
> - EC2 and Inspector
> - RDS and Redshift
> - CloudTrail and CloudWatch
> - Useful Links
## IAM

Identity and Access Management (IAM) helps you to securely control who has access to your resources and how they access them.

- Follow the best practice to enable MFA, delete root account credentials and create new roles with Administrator permissions.
- Create Users, Roles and Groups to grant ‘least access’, and assign permissions to your users.
- Use Roles, rather than individual users, to allow access to services like EC2.
- Users should create strong passwords which get rotated regularly.
- IAM Access Analyzer helps you identify resources in your organisation and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
## VPC and GuardDuty

- Use **Network Access Control Lists** to control inbound and outbound traffic at the subnet level. NACLs support both allow and deny rules and are stateless, meaning that return traffic must be explicitly allowed.
- Use **Security Groups** to act as a firewall at the EC2 instance level to control inbound and outbound traffic. Security Groups are stateful, so return traffic for an allowed connection is permitted automatically.
- Set up VPC Flow Logs to capture information about how traffic is flowing.
- GuardDuty analyses VPC Flow Log data and profiles it for anomaly detection. It can detect a brute force attack on an EC2 instance, suspicious API calls, and other malicious or unauthorised behaviour.
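The kind of profiling GuardDuty performs on flow logs, shown here as an added example (not code from the original post or from GuardDuty): a parser for default-format VPC Flow Log records and a per-source count of rejected SSH connections inside a time window. The records, the threshold and the window are constructed assumptions.

```python
"""VPC Flow Log detection: added example, not code from the original post.
Counts REJECTed TCP/22 connections per source address within a sliding time
window and flags sources over a threshold; the threshold, window and log
records are constructed assumptions."""
from collections import defaultdict
# Default (version 2) flow log record fields, in order
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_record(line):
    """Parse one space-separated flow log record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def flag_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {srcaddr: count} for sources with >= threshold rejected TCP/22
    connections whose start times fall within any window_seconds span."""
    rejects = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no usable traffic fields
        if rec["protocol"] == "6" and rec["dstport"] == "22" and rec["action"] == "REJECT":
            rejects[rec["srcaddr"]].append(int(rec["start"]))  # protocol 6 = TCP
    flagged = {}
    for src, starts in rejects.items():
        starts.sort()
        best, lo = 0, 0
        for hi, t in enumerate(starts):  # sliding window over sorted start times
            while t - starts[lo] > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

# Constructed records: one source probing port 22 every 3 s, one admin login, one HTTPS reject
ENI = "2 123456789012 eni-0a1b2c3d4e5f67890"
SAMPLE_LOGS = [
    f"{ENI} 198.51.100.23 10.0.1.15 {40000 + i} 22 6 1 44 "
    f"{1700000000 + 3 * i} {1700000001 + 3 * i} REJECT OK" for i in range(8)
] + [
    f"{ENI} 10.0.2.8 10.0.1.15 51022 22 6 20 4249 1700000100 1700000160 ACCEPT OK",
    f"{ENI} 203.0.113.9 10.0.1.15 52000 443 6 3 120 1700000105 1700000106 REJECT OK",
]

if __name__ == "__main__":
    print(flag_ssh_bruteforce(SAMPLE_LOGS))
```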
## S3 and Macie

- Create IAM policies to control access to S3, and use bucket policies to make sure buckets are kept private.
- Enable MFA Delete and Versioning to stop accidental deletion of objects, and use Cross-Region Replication so that objects can be recovered.
- Lock objects to prevent them from being deleted during a fixed term or indefinitely using Amazon S3 Object Lock.
- Use KMS keys or S3-Managed Keys for Server Side Encryption.
- Consider using Macie to recognise the type of data stored in S3. Macie can identify personally identifiable information, API keys, and credentials.
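An offline check for two points made above, ‘least access’ in IAM policies and bucket policies that keep buckets private, as an added example that is not code from the original post or from AWS. The bucket name, account id and role name are constructed.

```python
"""Offline S3 bucket policy linter: added example, not code from the original post.
Checks a policy document for the two common ways a bucket stops being private or
exceeds 'least access': an Allow to Principal "*" with no Condition, and wildcard
Action/Resource. Policies are constructed inline; nothing is sent to AWS."""
import json

def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def lint_bucket_policy(policy_json):
    """Return a list of (Sid, finding) tuples; an empty list means no findings."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        sid = stmt.get("Sid", f"Statement{idx}")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "Allow to Principal '*' without a Condition"))
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append((sid, "wildcard Action grants more than least access"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "wildcard Resource '*'"))
    return findings

# Constructed sample: PublicRead exposes every object anonymously, AppRole grants s3:*.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Same bucket scoped to one role and the two actions it needs (constructed).
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, lint_bucket_policy(policy) or "no findings")
```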
## EC2 and Inspector

- Limit access by creating Security Groups and rules to control the inbound and outbound traffic to instances.
- Configure route tables with the minimal required network routes. For example, place only EC2 instances that need direct Internet access into subnets with routes to an Internet Gateway.
- Encrypt data stored in Elastic Block Store (EBS) as an extra layer of security.
- Create a baseline server configuration and assess each server against the baseline to identify and flag any deviations.
- Enable Inspector to check for access to your instances from the internet, remote root login being enabled, or vulnerable software versions being installed.
## RDS and Redshift

- Encrypt data at rest using AES-256 encryption.
- Encrypt data in transit using SSL, with the certificate that is created and installed when the instance is provisioned.
- When using Redshift, enable Cluster Encryption to encrypt user-created tables.
## CloudTrail

- Enable CloudTrail to provide a history of API calls made across your account.
- Integrate with CloudWatch and SNS to support compliance and monitoring by setting up logs, metrics and alarms.
## Useful Links

- IAM
- GuardDuty
- Trusted Advisor
- Macie
- Inspector
- AWS Security Best Practices Whitepaper
Photo by Life of Pix on Pexels.

Written by Helen Anderson (https://www.helenanderson.co.nz/aws-security/). Published 13 November 2019, last updated 22 May 2020. Summary: This post will take you through the security services AWS offers and best practices they recommend to keep what’s in the Cloud safe.