Harden your AWS setup in 10 simple steps

Step 1 - Hardening of AWS Organizations

The first step to securing your deployment is to understand it and divide it up. With AWS Organizations, a free AWS service, you can group your organization's accounts into organizational units (OUs). For each OU, the permissions available to different people and for different purposes can be restricted with Service Control Policies (SCPs). This type of policy acts as an outer boundary: the permissions a user or role effectively has can never exceed what the SCP allows (an SCP limits permissions, it does not grant them).

In addition, AWS Organizations offers "consolidated billing", which combines the usage of all your accounts so that you benefit from volume discounts.
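The "boundary" behaviour of an SCP is easy to get wrong in practice, so here is an added example (not code from the article) that models the evaluation logic in a few lines of Python: a request is only allowed when both the SCP attached to the OU and the identity's own policy allow it, and an explicit Deny in the SCP wins regardless of how much the identity policy grants. The SCP, the two identity policies and the region list are constructed for the example; only the `aws:RequestedRegion` condition key and `Action`/`NotAction` matching are modelled, a real evaluator handles far more.

```python
import fnmatch

# Constructed example SCP for a sandbox OU (not from the article): allow everything,
# but forbid leaving the organization and forbid regional actions outside two approved
# regions (global services such as IAM and STS are exempted via NotAction).
SCP_SANDBOX_OU = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyLeaveOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}},
    ],
}

# Constructed identity-based policies attached to two IAM principals in a member account.
DEV_IDENTITY_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ADMIN_IDENTITY_POLICY = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, region):
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    # Only the condition key used above is modelled; a real evaluator handles many more.
    approved = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if approved is not None and region in _as_list(approved):
        return False  # condition not met, so the statement does not apply
    return True


def policy_decision(policy, action, region):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, region):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def effective_decision(scp, identity_policy, action, region):
    """An SCP is a ceiling, not a grant: the request needs an Allow from the SCP AND the identity policy."""
    scp_result = policy_decision(scp, action, region)
    identity_result = policy_decision(identity_policy, action, region)
    if scp_result == "allow" and identity_result == "allow":
        return "allow"
    return f"deny (scp={scp_result}, identity={identity_result})"


if __name__ == "__main__":
    for who, policy, action, region in [
        ("dev", DEV_IDENTITY_POLICY, "ec2:RunInstances", "eu-central-1"),
        ("dev", DEV_IDENTITY_POLICY, "ec2:RunInstances", "us-east-1"),
        ("dev", DEV_IDENTITY_POLICY, "s3:GetObject", "eu-central-1"),
        ("admin", ADMIN_IDENTITY_POLICY, "organizations:LeaveOrganization", "eu-central-1"),
        ("admin", ADMIN_IDENTITY_POLICY, "iam:CreateUser", "us-east-1"),
    ]:
        print(f"{who:5} {action:35} {region:12} -> {effective_decision(SCP_SANDBOX_OU, policy, action, region)}")
```

The third case is the one worth remembering: the SCP allows `s3:GetObject`, but the developer's identity policy only grants `ec2:*`, so the request is still denied. Attaching a generous SCP never gives anyone access by itself.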

Step 2 - Root user

 

The initial login is always as the root user, because no other user exists in IAM yet. Hardening the root user account is crucial, as it has full administrator rights for the account.

According to AWS security best practices, this account must not have any access keys and therefore no programmatic access. What does this mean?

When you create a new user, you choose how they can interact with AWS: via the console, or with an access key ID and a secret access key for the API, CLI, SDKs and other development tools. To deactivate an access key, go to IAM and click on "Make Inactive" under "Security Credentials".

The root user should only be used to create the first users and groups and for a small number of specific administrative tasks. Its password must be strong and changed regularly, and MFA must be active. Continue to step 3.

Step 3 - Multi-factor authentication (MFA)

 

Identity and Access Management (IAM) is the service AWS provides for managing users, groups, roles and policies. From here you can create, delete and group users and assign them roles and permissions, among many other functions. A password alone is no longer considered secure, so AWS lets you enable multi-factor authentication. To do this, navigate to the user, open "Security Credentials" and click on "Manage MFA device". The feature is easy to use with authenticator apps such as Google Authenticator and is a must for securing your setup.
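Steps 2 and 3 are easy to verify in one go from the IAM credential report, which lists every user with its password, MFA and access-key status. The following is an added example (not from the article) in Python: it parses the report and flags a root user with active access keys or without MFA, and any console user without MFA. The CSV below is constructed sample data trimmed to the columns the check reads; a real report is obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report` and contains more columns, which `DictReader` simply ignores.

```python
import csv
import io

# Constructed sample credential report (not real account data), trimmed to the
# columns this check reads. A real report is fetched with
#   aws iam generate-credential-report && aws iam get-credential-report
# (the Content field is base64-encoded CSV with more columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,false
"""


def audit_credential_report(report_csv):
    """Return one finding per violation of step 2 (root has no access keys, root has MFA)
    and step 3 (every console user has MFA)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_active_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        mfa_active = row["mfa_active"] == "true"
        if user == "<root_account>":
            if has_active_key:
                findings.append("root: active access key present; root must have no programmatic access (step 2)")
            if not mfa_active:
                findings.append("root: MFA not active (step 3)")
            continue
        # Only principals with a console password can enrol a virtual MFA device, so
        # key-only automation users (password_enabled=false) are not flagged here.
        if row["password_enabled"] == "true" and not mfa_active:
            findings.append(f"{user}: console password enabled but MFA not active (step 3)")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

Run against the sample, the check reports three findings: two for the root account and one for `bob`; `alice` (MFA on) and `ci-deploy` (no console password) pass. Running it on a schedule against the real report is a cheap way to notice when someone quietly creates root access keys again.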

Step 4 - Private subnets

 

Whatever type of infrastructure you build in the cloud, it will live in VPCs. A VPC is a logically isolated section of the AWS cloud in which AWS resources are launched into a virtual network.

Within a VPC there are subnets, which come in two types: public subnets and private subnets. From a security point of view, private subnets are the important ones. Components placed in a private subnet can only be reached from within the VPC; they have no inbound connection from the Internet.

Technically, this means that the associated route table has no public route to 0.0.0.0/0, i.e. no default route to an internet gateway. That property makes this type of subnet ideal for components such as databases that we do not want to be reachable from the Internet.

But what can we do if, for example, one of our databases needs an operating system update and cannot connect to the Internet? Let's jump to step 5.

Step 5 - NAT gateways

 

A NAT gateway is a managed device in a public subnet that lets resources in private subnets connect out to the Internet, while not allowing any connection to be initiated from the Internet.

In other words: if your database needs an operating system update, it can connect to the Internet to download it (traffic from the VPC outwards), but nobody on the Internet can open a connection to the database (from the Internet into the VPC).

Setting up a NAT gateway is free, and configuring it is simple: add a route with destination 0.0.0.0/0 and the NAT gateway as the target to the route table of your private subnet.
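Steps 4 and 5 both come down to what the subnet's route table says about 0.0.0.0/0, so here is an added example (not from the article) that encodes the distinction in Python: a default route to an `igw-` target makes a subnet public, a default route to a `nat-` target makes it private with outbound-only Internet access, and no default route at all makes it isolated. The route tables and subnets are constructed sample data with made-up ids; the audit function flags the classic mistake of a "private" subnet that was accidentally associated with the public route table.

```python
# Constructed route tables and subnets (not from the article). Routes are simplified to a
# destination CIDR and a target id; targets follow the AWS id prefixes igw-, nat- and "local".
ROUTE_TABLES = {
    "rtb-public":        [{"dest": "10.0.0.0/16", "target": "local"},
                          {"dest": "0.0.0.0/0", "target": "igw-0123456789abcdef0"}],
    "rtb-private":       [{"dest": "10.0.0.0/16", "target": "local"},
                          {"dest": "0.0.0.0/0", "target": "nat-0123456789abcdef0"}],  # step 5
    "rtb-isolated":      [{"dest": "10.0.0.0/16", "target": "local"}],                 # no Internet at all
    "rtb-misconfigured": [{"dest": "10.0.0.0/16", "target": "local"},
                          {"dest": "0.0.0.0/0", "target": "igw-0123456789abcdef0"}],
}
SUBNETS = {
    "subnet-web":        {"route_table": "rtb-public", "intended": "public"},
    "subnet-app":        {"route_table": "rtb-private", "intended": "private"},
    "subnet-db":         {"route_table": "rtb-isolated", "intended": "private"},
    "subnet-db-replica": {"route_table": "rtb-misconfigured", "intended": "private"},
}


def classify_route_table(routes):
    """public: default route to an internet gateway (reachable from the Internet);
    private: default route to a NAT gateway (outbound only); isolated: no default route."""
    for route in routes:
        if route["dest"] == "0.0.0.0/0":
            if route["target"].startswith("igw-"):
                return "public"
            if route["target"].startswith("nat-"):
                return "private"
    return "isolated"


def audit_subnets(subnets, route_tables):
    """Flag subnets meant to be private whose route table actually makes them public."""
    findings = []
    for name, subnet in subnets.items():
        actual = classify_route_table(route_tables[subnet["route_table"]])
        if subnet["intended"] == "private" and actual == "public":
            findings.append(f"{name}: intended private, but {subnet['route_table']} "
                            f"routes 0.0.0.0/0 to an internet gateway")
    return findings


if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(f"{name:18} -> {classify_route_table(routes)}")
    for finding in audit_subnets(SUBNETS, ROUTE_TABLES):
        print("FINDING:", finding)
```

In a real account the same input comes from `aws ec2 describe-route-tables`; the point of the check is that "private" is a property of the route table association, not of the subnet's name or tag.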

Step 6 - Security groups

 

Security groups are a basic building block for securing your architecture. You find them under EC2, and they are attached to Elastic Network Interfaces (ENIs). The most common uses are securing EC2 instances and Elastic Load Balancers.

They work like a classic firewall: you define rules that specify which type of traffic, protocol and port range you accept and from which source IP range or security group (logical referencing). An important property is that they are stateful: if you allow certain inbound traffic, the outbound traffic belonging to it (the response) is automatically allowed as well. You could say they are intelligent in their own way.

Step 7 - Network access control lists

 

Network Access Control Lists (NACLs) are another free feature AWS offers to increase the security of our infrastructure. They are very similar to security groups, with three main differences:

   - They are applied at subnet level.

   - 'Deny' rules are possible (security groups only accept 'Allow' rules).

   - They are stateless: if you allow inbound traffic, you must also explicitly allow the return traffic on the "Outbound" tab. Otherwise the resource receives the request, but the NACL blocks the response.

 

In both security groups and NACLs, everything that is not expressly permitted is denied.
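The stateful/stateless difference from steps 6 and 7 is the one that bites people, so here is an added example (not from the article) that simulates both filters in Python with a tiny rule engine: a security group remembers admitted flows and lets the reply through even with no outbound rule, while a NACL evaluates each direction on its own, in rule-number order, first match wins, default deny. The rule sets and the client/server addresses are constructed; the "wrong" NACL only allows port 443 outbound and therefore drops the server's replies, which go back to the client's ephemeral port.

```python
import ipaddress
from collections import namedtuple

# A flow as seen from the protected resource: the remote endpoint and the local port.
Flow = namedtuple("Flow", "proto remote_ip remote_port local_port")


def _rule_matches(rule, direction, flow):
    """A rule names a protocol, a destination port range and the remote CIDR. Inbound
    rules match on the local (destination) port, outbound rules on the remote port."""
    dst_port = flow.local_port if direction == "in" else flow.remote_port
    return (rule["proto"] in (flow.proto, "all")
            and rule["ports"][0] <= dst_port <= rule["ports"][1]
            and ipaddress.ip_address(flow.remote_ip) in ipaddress.ip_network(rule["cidr"]))


class SecurityGroup:
    """Stateful and allow-only: once a flow is admitted, its return traffic is admitted too."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()

    def check(self, direction, flow):
        if flow in self.tracked:  # reply to an already-admitted flow
            return True
        if any(_rule_matches(r, direction, flow) for r in self.rules[direction]):
            self.tracked.add(flow)
            return True
        return False  # there are no Deny rules; anything unmatched is simply dropped


class NetworkAcl:
    """Stateless: each direction is checked on its own, rules are evaluated in ascending
    rule number, the first match wins, and the implicit final rule is Deny."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r["num"]),
                      "out": sorted(outbound, key=lambda r: r["num"])}

    def check(self, direction, flow):
        for rule in self.rules[direction]:
            if _rule_matches(rule, direction, flow):
                return rule["action"] == "allow"
        return False


# Constructed rule sets for a web server listening on 443.
HTTPS_IN = {"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}
SG_WEB = SecurityGroup(inbound=[HTTPS_IN], outbound=[])  # outbound left empty on purpose
NACL_IN = [{"num": 90, "action": "deny", "proto": "tcp", "ports": (443, 443), "cidr": "198.51.100.0/24"},
           {"num": 100, "action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}]
# The mistake described in step 7: outbound only allows 443, but replies go to the client's ephemeral port.
NACL_WRONG = NetworkAcl(inbound=NACL_IN, outbound=[
    {"num": 100, "action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}])
# Corrected: outbound explicitly allows the ephemeral port range used by replies.
NACL_RIGHT = NetworkAcl(inbound=NACL_IN, outbound=[
    {"num": 100, "action": "allow", "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0"}])


def https_round_trip(fw, client_ip="203.0.113.10"):
    """Simulate a client connecting to the server on 443: returns (request admitted, reply admitted)."""
    flow = Flow("tcp", client_ip, 51000, 443)
    request_ok = fw.check("in", flow)
    reply_ok = fw.check("out", flow) if request_ok else False
    return request_ok, reply_ok


if __name__ == "__main__":
    for name, fw in [("security group", SG_WEB), ("NACL, 443-only outbound", NACL_WRONG),
                     ("NACL, ephemeral outbound", NACL_RIGHT)]:
        print(f"{name:26} request/reply admitted: {https_round_trip(fw)}")
    print("NACL denies 198.51.100.7 via rule 90:", https_round_trip(NACL_RIGHT, "198.51.100.7"))
    print("security group cannot deny it:        ", https_round_trip(SG_WEB, "198.51.100.7"))
```

The last two lines show the other difference from the list above: the NACL's numbered Deny rule blocks the client range before the Allow rule is reached, whereas the security group, having only Allow rules, admits it.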

Step 8 - Harden VPC endpoints

 

From a security perspective, it is important to know that every time an AWS service (S3, IAM, CloudWatch, ...) is accessed from our VPC, the request goes over the Internet.

This can lead to security issues, as someone could try to intercept our communication with techniques such as "man-in-the-middle" attacks. For this kind of scenario, VPC endpoints come to our rescue.

A VPC endpoint is a way to connect from your VPC to an AWS service without leaving the Amazon backbone network, i.e. without traversing the Internet.

To create one, navigate to VPC and select "Endpoints" in the left-hand column. Then select the service for which you want to create the endpoint and click on "Create".

Once the endpoint is created, you can route traffic for a specific service through it by adding a new route to the appropriate route table, with the DNS name of the service as the destination and the vpce-id as the target.

Step 9 - S3 Cross-Region Replication (CRR)

 

Since most data in AWS is stored in S3, all the hardening and backup steps explained above would be pointless if we lost it all.

By default, S3 Standard stores all your data redundantly across at least three Availability Zones to ensure durability. However, if an entire region fails, the data in the cloud could be lost completely, which can have serious consequences.

Cross-region replication is a free S3 feature that automatically replicates every object uploaded to a given bucket into a bucket in another region, to ensure data consistency.

To activate it, select the S3 bucket you want to replicate and click on "Management" -> "Replication". Follow the steps to select the target bucket in another region, set permissions and encryption, and change object ownership if required.

Even though the feature itself is free of charge, you of course also pay for the storage used in the other region.

Step 10 - Harden the AWS Web Application Firewall

 

If all the previous steps are still not secure enough for you, then do it properly. To conclude this list, I will talk about AWS WAF, a basic security feature that sits outside your VPC and lets you filter all kinds of traffic before it reaches your VPC.

With AWS WAF you can create custom rules or use predefined rules from Amazon that comply with international security standards, define IP sets and decide whether to allow or block traffic from them, protect yourself against SQL injection, detect suspicious request headers, and much more.

To do this, navigate to WAF and select "Create Web ACL". Give it a name, associate it with the resources that are to be protected, and continue with the configuration.

Select "Create your own rule" and explore all possible configurations.

It shouldn't take much time to create specific and powerful firewall rules that would be hard work with a conventional firewall.

Although this service is not free, the estimated cost for a small to medium-sized business is approximately $40-50/month with a total of approximately 19 rules managed and customized by AWS.

I hope you find these basic steps interesting and can follow them one by one. Remember that there is no successful infrastructure deployment without the right security measures.

 
