
Nine Amazon Web Services (AWS) Secrets to Know Before Moving to the Cloud

Author: Delta Risk Marketing Manager Lauren McKenna

Cloud security is a hot topic lately, and for good reason. As more businesses have migrated to the cloud, there have been more data breaches. In our recent webinar, Flying Blind: 2017 Cloud Configurations Gone Wrong, cloud security experts John Hawley and Mike Piscopo detailed several of the worst misconfiguration disasters we’ve seen this year. Among the data breach incidents we covered in our webinar, there were several in the Amazon Web Services (AWS) Cloud.

For instance, our experts discussed an incident involving DevFactor in which AWS keys were inadvertently pushed to a GitHub repository along with the application code. In a matter of five minutes, cyber criminals' automated bots had crawled GitHub and found the authentication keys, which gave them full control over the AWS account.
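A defender-side check for the mistake described above, added here as an example rather than code from the webinar or from Delta Risk: a small pre-commit style scanner that flags AWS access key IDs and secret access keys in files before they reach a repository. The key formats matched (AKIA/ASIA plus 16 characters; 40-character secrets next to a telling variable name) are the common AWS layouts, and the sample values are the placeholder credentials AWS uses in its own documentation, not real keys.

```python
"""Scan files (or text) for AWS credentials before they are committed."""
import re
import sys
from pathlib import Path

# Access key IDs: AKIA (long-term) or ASIA (temporary STS), 20 characters in total.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like characters; only flag them next to a
# key name such as aws_secret_access_key to keep false positives low.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_text(text: str, name: str = "<input>") -> list[dict]:
    """Return one finding per credential-looking token, secrets redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "access_key_id", "match": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "secret_access_key", "match": m.group(1)[:4] + "..."})
    return findings


def scan_paths(paths) -> list[dict]:
    """Scan every regular file in `paths` (e.g. the staged files of a commit)."""
    findings = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: the placeholder credentials from AWS documentation.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample")
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['kind']} {h['match']}")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit when used as a hook
```

Wire it into a pre-commit hook by passing the staged file names as arguments; a non-zero exit stops the commit until the credential is removed and rotated.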

CISOs and IS/IT managers across every industry and workspace frequently ask us, “How do I make sure that doesn’t happen to me?” Our cloud security team came up with a list of AWS tools and resources to help you make sure that your cloud configuration is not at risk:

1. AWS Overview of Security Processes: This document is intended to answer questions such as “How does AWS help me ensure that my data is secure?” Specifically, AWS physical and operational security processes are described for the network and server infrastructure under the management of AWS.

2. AWS Well-Architected Framework: The AWS Well-Architected Framework enables you to review and improve your cloud-based architectures and better understand the business impact of your design decisions. This document addresses general design principles as well as specific best practices and guidance in five conceptual areas. The AWS Security Pillar in particular focuses on providing guidance to help you apply best practices in the design, delivery, and maintenance of secure AWS environments.

3. Introduction to Auditing the Use of AWS: AWS manages the underlying infrastructure, and you manage the security of anything you deploy in AWS. As a modern platform, AWS allows you to formalize the design of security and audit controls through reliable, automated, and verifiable technical and operational processes built into every AWS customer account. The cloud simplifies system use for administrators and those running IT, and makes your AWS environment much simpler to audit, as AWS can shift audits toward 100 percent verification versus traditional sample testing.

4. AWS Risk and Compliance: This document is designed to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment, including a basic approach to evaluating AWS controls and information on integrating control environments.

5. AWS SEC (OCIE) Workbook: This document is to be used by AWS securities industry customers, their examiners, and advisors to understand the scope of the AWS services, guidance for implementation, and examination when using AWS as part of a financial institution's environment.

6. Technical Workbook: PCI Compliance in the AWS Cloud: This workbook provides guidance on building an environment in Amazon Web Services that is compliant with the Payment Card Industry Data Security Standard (PCI DSS).

7. CIS AWS Foundations: This document provides prescriptive guidance for configuring security options for a subset of AWS, with an emphasis on foundational, testable, and architecture-agnostic settings.

8. Deployment Guide: Standardized Architecture for NIST-based Assurance Frameworks on the AWS Cloud: This quick start reference deployment guide discusses architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) cloud.

9. Deployment Guide: PCI DSS Standardized Architecture on the AWS Cloud: This quick start deploys a standardized environment that helps organizations with workloads that fall in scope for Payment Card Industry (PCI) Data Security Standard (DSS) compliance.

Lauren McKenna is marketing manager at Delta Risk.