Security does not have to be cumbersome, expensive, and complex. When working with AWS there are some simple and cost-effective actions that can be taken to improve your overall security posture.
Delete Default VPCs
Deleting default VPCs is good for both security and cost management. Removing unused networks removes the ability for compute resources to be deployed maliciously or accidentally. Default VPCs are created in every region available in an account, and all of them need to be removed.
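Because a VPC cannot be deleted while subnets or an attached internet gateway remain, the removal has to happen in dependency order in every region. The planner below is an added example, not code from the original post: it consumes the JSON shapes returned by `aws ec2 describe-vpcs`, `describe-subnets` and `describe-internet-gateways` (the inventory here is constructed, with made-up resource ids) and emits the AWS CLI calls in the right order, touching only VPCs flagged `IsDefault`. The VPC's default security group, main route table and default network ACL are removed together with the VPC, so they are not listed; if anything else (instances, ENIs) still lives in the VPC the final `delete-vpc` call fails and the region needs a manual look.

```python
"""Plan default-VPC deletion across regions from describe-* output.

Added example (not the post's code). Input mirrors the JSON returned by
`aws ec2 describe-vpcs`, `describe-subnets` and `describe-internet-gateways`;
the inventory below is constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: two regions with a default VPC, one custom VPC that must
# be left alone, and one region with nothing in it.
SAMPLE_INVENTORY = {
    "us-east-1": {
        "Vpcs": [{"VpcId": "vpc-0default1", "IsDefault": True},
                 {"VpcId": "vpc-0custom01", "IsDefault": False}],
        "Subnets": [{"SubnetId": "subnet-0a", "VpcId": "vpc-0default1"},
                    {"SubnetId": "subnet-0b", "VpcId": "vpc-0default1"},
                    {"SubnetId": "subnet-0c", "VpcId": "vpc-0custom01"}],
        "InternetGateways": [{"InternetGatewayId": "igw-0d",
                              "Attachments": [{"VpcId": "vpc-0default1"}]},
                             {"InternetGatewayId": "igw-0c",
                              "Attachments": [{"VpcId": "vpc-0custom01"}]}],
    },
    "eu-west-1": {
        "Vpcs": [{"VpcId": "vpc-0default2", "IsDefault": True}],
        "Subnets": [{"SubnetId": "subnet-0e", "VpcId": "vpc-0default2"}],
        "InternetGateways": [{"InternetGatewayId": "igw-0e",
                              "Attachments": [{"VpcId": "vpc-0default2"}]}],
    },
    "ap-south-1": {"Vpcs": [], "Subnets": [], "InternetGateways": []},
}


def default_vpc_ids(region_data: Dict) -> List[str]:
    """Return only VPCs flagged IsDefault; custom VPCs are never touched."""
    return [v["VpcId"] for v in region_data["Vpcs"] if v.get("IsDefault")]


def plan_region(region: str, region_data: Dict) -> List[str]:
    """Ordered CLI commands for one region: IGW detach/delete, subnets, VPC."""
    steps: List[str] = []
    for vpc_id in default_vpc_ids(region_data):
        # 1. Internet gateway must be detached, then deleted.
        for igw in region_data["InternetGateways"]:
            if any(a["VpcId"] == vpc_id for a in igw["Attachments"]):
                igw_id = igw["InternetGatewayId"]
                steps.append(f"aws ec2 detach-internet-gateway --region {region} "
                             f"--internet-gateway-id {igw_id} --vpc-id {vpc_id}")
                steps.append(f"aws ec2 delete-internet-gateway --region {region} "
                             f"--internet-gateway-id {igw_id}")
        # 2. Every subnet in the VPC.
        for subnet in region_data["Subnets"]:
            if subnet["VpcId"] == vpc_id:
                steps.append(f"aws ec2 delete-subnet --region {region} "
                             f"--subnet-id {subnet['SubnetId']}")
        # 3. The VPC itself (default SG, main route table and NACL go with it).
        steps.append(f"aws ec2 delete-vpc --region {region} --vpc-id {vpc_id}")
    return steps


def plan_all(inventory: Dict) -> Dict[str, List[str]]:
    """Plan every region; a region without a default VPC maps to an empty list."""
    return {region: plan_region(region, data) for region, data in inventory.items()}


if __name__ == "__main__":
    for region, steps in plan_all(SAMPLE_INVENTORY).items():
        print(f"# {region}: {len(steps)} step(s)")
        for step in steps:
            print(step)
```

In practice the inventory is gathered by looping `aws ec2 describe-regions` and calling the three describe commands per region; reviewing the generated plan before running it is the point of separating planning from execution.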
Update Security Groups
Validating security groups is a low-effort, high-impact action. Any security group using IP-based rules should be scrutinized for necessity; most such rules can be rewritten to use security group IDs as the source or destination. Open ports should be reviewed and limited to those actually in use. Infrastructure as Code is useful here for managing lengthier port lists.
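The review described above can be scripted against the output of `aws ec2 describe-security-groups`. The auditor below is an added example, not code from the original post: it flags ingress rules open to the world, IP-based sources that could be replaced by (or are already shadowed by) a security group reference, and catch-all protocol rules, and it lists the open ports per group. The two groups are constructed sample data.

```python
"""Audit security group ingress rules from `aws ec2 describe-security-groups`.

Added example, not the post's code. Sample groups below are constructed.
"""
from typing import Dict, List

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0web", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0db", "GroupName": "db",
        "IpPermissions": [
            # IP range plus a group reference: the group reference alone suffices.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
            # "-1" is the API's value for all protocols and all ports.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

WORLD = {"0.0.0.0/0", "::/0"}


def _port_label(perm: Dict) -> str:
    """Human-readable protocol/port label for one permission entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    if perm.get("FromPort") == perm.get("ToPort"):
        return f"{perm['IpProtocol']}/{perm['FromPort']}"
    return f"{perm['IpProtocol']}/{perm['FromPort']}-{perm['ToPort']}"


def audit_group(group: Dict) -> List[str]:
    """Return findings for one group; every IP-based source gets a note."""
    gid = group["GroupId"]
    findings: List[str] = []
    for perm in group.get("IpPermissions", []):
        label = _port_label(perm)
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        sg_refs = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        for cidr in cidrs:
            if cidr in WORLD:
                findings.append(f"{gid}: {label} open to the world ({cidr}); confirm it is required")
            elif sg_refs:
                findings.append(f"{gid}: {label} allows {cidr} although group reference "
                                f"{', '.join(sg_refs)} already covers it; drop the IP rule")
            else:
                findings.append(f"{gid}: {label} uses IP-based source {cidr}; "
                                f"prefer a security group id")
        if perm.get("IpProtocol") == "-1":
            findings.append(f"{gid}: rule permits all protocols and ports; restrict to ports in use")
    return findings


def open_ports(group: Dict) -> List[str]:
    """Distinct protocol/port labels the group admits, for the port review."""
    return sorted({_port_label(p) for p in group.get("IpPermissions", [])})


def audit_all(groups: List[Dict]) -> Dict[str, List[str]]:
    return {g["GroupId"]: audit_group(g) for g in groups}


if __name__ == "__main__":
    for gid, notes in audit_all(SAMPLE_GROUPS).items():
        print(gid, "open ports:", ", ".join(open_ports(next(g for g in SAMPLE_GROUPS if g["GroupId"] == gid))))
        for note in notes:
            print("  -", note)
```

A world-open 443 on a public web tier may be legitimate; the script flags it for confirmation rather than deciding, while the world-open 22 is the kind of rule Session Manager (below) makes unnecessary.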
Update Permissions in Roles
It is common to grant all permissions to remove any friction when working with a cloud provider. While convenient, this offers little protection if there is a breach. Users should be granted minimal rights and be required to AssumeRole to perform actions, and those roles should be limited in scope to the required actions where possible. A least-privilege model should be used. While it can be cumbersome, especially during an active development phase, whitelisting permissions as the need arises allows for tighter control and ensures only required actions can be taken.
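Finding the "all permissions" grants that this section argues against is mechanical once the policy documents are in hand. The checker below is an added example, not the post's code: it parses an IAM policy document (the sample policy is constructed) and reports every Allow statement that uses `Action "*"`, a service-wide `service:*`, `NotAction`, or `Resource "*"`, which are the statements to narrow when moving to least privilege. Deny statements are skipped because they only remove permissions.

```python
"""Flag overly broad statements in an IAM policy document.

Added example, not the post's code. SAMPLE_POLICY is constructed.
"""
import json
from typing import Dict, List

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "EverythingButIam", "Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value) -> List:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def broad_statements(policy_json: str) -> List[Dict]:
    """Return [{'Sid': ..., 'reasons': [...]}] for each over-broad Allow statement."""
    doc = json.loads(policy_json)
    findings: List[Dict] = []
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        reasons: List[str] = []
        if "*" in actions:
            reasons.append("Action '*' grants every API call")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                reasons.append(f"{action} grants every action in the service")
        if "NotAction" in st:
            reasons.append("NotAction grants everything except the listed actions")
        if "*" in resources:
            reasons.append("Resource '*' applies to every resource")
        if reasons:
            findings.append({"Sid": st.get("Sid", "<no Sid>"), "reasons": reasons})
    return findings


def summarize(policy_json: str) -> Dict[str, List[str]]:
    """Map Sid -> reasons, convenient for a quick report."""
    return {f["Sid"]: f["reasons"] for f in broad_statements(policy_json)}


if __name__ == "__main__":
    for sid, reasons in summarize(SAMPLE_POLICY).items():
        print(sid)
        for reason in reasons:
            print("  -", reason)
```

Run it over the output of `aws iam get-policy-version` for each customer managed policy (and over inline role policies) to get the list of statements to tighten first.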
Enable Single Sign On (SSO) for AWS Management Console
We can enhance the security of the AWS Management Console, and of access to AWS resources overall, by enabling SSO. This lets AWS use our existing users and groups to secure access to AWS accounts. Whether using Okta, Microsoft, or even Google, we can reuse our existing login processes, hopefully involving Multi-Factor Authentication (MFA), to further harden access to AWS.
Optimize Subnet Size
As with default VPCs, oversized subnets are at risk of accidental compute deployments or exploitation for malicious purposes. Subnets can always be added to a VPC later, so there is little risk in sizing them conservatively. Reducing subnet size limits the potential runaway cost risk by reducing the amount of unused CIDR space that can be consumed.
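To put numbers on "oversized", compare each subnet's usable address count against what it actually hosts. The calculator below is an added example, not the post's code; it uses only the standard-library `ipaddress` module and assumes the AWS reservation of five addresses per subnet (network address, VPC router, DNS, one reserved for future use, broadcast) and the /28 to /16 size limits. The subnet list and host counts are constructed.

```python
"""Right-size subnets against the hosts they actually need.

Added example, not the post's code. Assumes AWS reserves 5 addresses per
subnet and allows prefixes from /28 (smallest) to /16 (largest).
"""
import ipaddress
from typing import Dict

AWS_RESERVED_PER_SUBNET = 5
SMALLEST_PREFIX = 28
LARGEST_PREFIX = 16

# Constructed sample: CIDR -> number of addresses currently in use or planned.
SAMPLE_SUBNETS = {"10.0.0.0/20": 30, "10.0.16.0/24": 200, "10.0.17.0/28": 10}


def usable_hosts(cidr: str) -> int:
    """Addresses an instance can actually take in an AWS subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def smallest_prefix_for(required_hosts: int) -> int:
    """Longest (smallest) AWS-valid prefix that still fits required_hosts."""
    for prefix in range(SMALLEST_PREFIX, LARGEST_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= required_hosts:
            return prefix
    raise ValueError(f"{required_hosts} hosts do not fit in a /{LARGEST_PREFIX}")


def review(subnets: Dict[str, int]) -> Dict[str, Dict]:
    """For each subnet report usable/needed/unused counts and a recommended size.

    'oversized' is True when a smaller subnet (larger prefix) would still fit
    the hosts the subnet needs.
    """
    report: Dict[str, Dict] = {}
    for cidr, needed in subnets.items():
        have = usable_hosts(cidr)
        recommended = smallest_prefix_for(needed)
        current = ipaddress.ip_network(cidr).prefixlen
        report[cidr] = {
            "usable": have,
            "needed": needed,
            "unused": have - needed,
            "recommended_prefix": recommended,
            "oversized": recommended > current,
        }
    return report


if __name__ == "__main__":
    for cidr, row in review(SAMPLE_SUBNETS).items():
        flag = "OVERSIZED" if row["oversized"] else "ok"
        print(f"{cidr}: {row['needed']} of {row['usable']} used, "
              f"recommend /{row['recommended_prefix']} ({flag})")
```

The /20 in the sample carries 30 hosts in 4091 usable addresses; a /26 would do, and the reclaimed space stays available for subnets added later.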
Enable Systems Manager Session Manager
Accessing EC2 instances securely can be complex when it means managing SSH keys and bastion hosts to get into the network. We can avoid all of this by setting up Session Manager, which lets us connect to instances from the AWS Management Console without managing a separate key file or maintaining another network path to the instances. With an EC2 Instance Role in place, AWS manages the connectivity for us and secures it through the AWS Management Console.
The following actions have some cost implications, but these should be minimal.
Enable GuardDuty
We can enable GuardDuty for threat detection at minimal cost. GuardDuty provides alerts for common security risks around the AWS account and certain workloads in the account, including both informative and actionable alerts that can be remediated.
Secure Connectivity using VPN or SASE
We can use AWS Client VPN or SASE to securely connect to the network and not rely on public connectivity. Resources in public subnets should be limited to Load Balancers, NAT Gateways, and other managed services when possible. The AWS shared responsibility model makes this preferable.
Enable Data Protection Features
Enabling encryption using Amazon managed or customer managed keys is a quick win. While enabling all Data Protection features may seem reasonable, this one actually requires more thought. As ransomware becomes as big an issue as data theft, care needs to be taken with storage services. Replication, versioning, and backups should be based on RTO and RPO guidelines. Data protection services such as Rubrik may be required for large-scale S3 environments, depending on business requirements. Native S3 replication can be slow and counterproductive during an active breach, whereas Rubrik can help manage a full recovery with less downtime. Enabling the native functionality may actually be counterproductive and should be considered carefully.