5 building blocks of security and governance on AWS Cloud

Successful cloud migration involves understanding the responsibilities shared between an organization and its cloud service provider. With the alarming rise in data breaches and cybersecurity threats, the need to adopt and implement security and governance is one of the key considerations for enterprises journeying to the cloud.

Due to its high scalability, reliability, and robust infrastructure, the Amazon Web Services (AWS) Cloud is a popular choice for enterprises. As the top cloud provider, AWS held a market share of 33% and a growth rate of 37% in FY 2019. AWS offers customers a wide choice of storage, access, and security options, along with authorized access, data protection, and training support.

This blog takes a close look at the five essential building blocks of security and governance on AWS:

  1. Identity and access management
  2. Continuous monitoring and logging
  3. Network and edge security
  4. Data security and encryption
  5. Auditing and compliance

Identity and access management

The essential security requirement for any enterprise moving to the cloud is to govern which resources can be accessed, who can access them, and how. AWS provides a range of services for managing users and their access permissions. Here’s a glimpse:

Service: Use case
AWS Identity and Access Management (IAM): Managing identities and access to resources and services
AWS Organizations: Multi-account management and consolidated billing
AWS Single Sign-On (SSO): Centrally manage SSO access to multiple accounts
AWS Cognito: Manage identities and user pools for web and mobile apps
AWS Directory Service: Enable directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud

Continuous monitoring and logging

Logging and monitoring involve collecting data for measurement and governance. They play an important role in modern enterprises, as they measure the health of hardware devices and software applications. Building an effective monitoring solution requires considerable effort and ongoing management. To simplify this, AWS provides an end-to-end monitoring solution that covers everything deployed on the cloud, from infrastructure to applications.

Service: Use case
AWS CloudWatch: Centralized monitoring of logs from multiple disparate sources; monitoring and tracking of metrics; alarms that notify in case of anomalies
AWS Elasticsearch: Centralized log storage and analysis
AWS Config: Resource configuration snapshots and compliance
AWS Inspector: Automated security assessment
AWS GuardDuty: Intelligent threat detection

Data security and encryption

Encryption is the process of making data unreadable to anyone without the key, using two components – an encryption key and an encryption algorithm. To keep encrypted data secure, enterprises need a key management system that keeps the keys secure, durable, and highly available. Building and operating one is a cumbersome and complicated process. To manage keys and encryption seamlessly, AWS offers the Key Management Service, which is deeply integrated with its other services.

Service: Use case
AWS Key Management Service (KMS): Manage encryption keys
AWS CloudHSM: Cryptographic service for creating and managing hardware security modules
AWS Certificate Manager (ACM): Provision and manage certificates
AWS Secrets Manager: Manage secrets and passwords

Network and edge security

Network and edge security involve controlling how a request flows through the different components of an architecture and who is allowed to send requests to a resource. This is vital to maintaining a healthy infrastructure, as it helps prevent unauthorized access and threats such as denial-of-service attacks, malware, and spam. AWS provides several services to help users build a secure networking infrastructure.

Service: Use case
AWS VPC: Provision and manage a private network
AWS Direct Connect: Connect on-premises data centers to the cloud to realize a hybrid cloud solution
AWS Web Application Firewall: Web application firewall that enables the creation of security rules to block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns defined by the user
AWS Shield: Helps protect services against distributed denial-of-service attacks

Auditing, governance, and compliance

A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Over the course of an audit, the resulting reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls, and risk management procedures. This is an important requirement, as customers migrating to the cloud have many apprehensions about adherence to regulatory guidelines. AWS provides a wide range of services for auditing, assessing the compliance of resources, and building reports.

Service: Use case
AWS CloudTrail: Record API events for all AWS resources and services, whether made through the AWS console, command line, or SDKs
AWS IAM: User access and usage reports
AWS SSM: Automate management tasks such as collecting system inventory, applying operating system patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems and applications at scale
AWS Config: Take snapshots of resources and govern resource compliance
AWS Trusted Advisor: Provide recommendations to optimize the AWS environment for cost, performance, security, fault tolerance, and service limits
AWS Inspector: Automatically assess applications for exposure, vulnerabilities, and deviation from best practices
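To make the CloudTrail entry above concrete, here is an added example (not from the original post) of the kind of audit check that runs over CloudTrail records: it flags any use of the root account and any successful console login made without MFA. The records are constructed for the demonstration and keep only the fields the check reads; they follow the CloudTrail record layout (`userIdentity`, `eventName`, `additionalEventData.MFAUsed`).

```python
import json

# Constructed CloudTrail-style records trimmed to the fields used here; not real account data.
SAMPLE_LOG_LINES = [json.dumps(ev) for ev in [
    {"eventTime": "2020-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-01-01T10:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2020-01-01T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]]


def audit_event(ev):
    """Return a list of finding strings for one CloudTrail record (empty if nothing to review)."""
    findings = []
    ident = ev.get("userIdentity", {})
    if ident.get("type") == "Root":
        # Root should be reserved for the handful of tasks that require it; every use is a review item.
        findings.append(f"root credentials used for {ev.get('eventName')}")
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("successful console login without MFA")
    return findings


def audit_log_lines(lines):
    """Parse one JSON record per line and return (eventTime, arn, finding) triples."""
    results = []
    for line in lines:
        ev = json.loads(line)
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        for finding in audit_event(ev):
            results.append((ev.get("eventTime"), arn, finding))
    return results


if __name__ == "__main__":
    for when, who, what in audit_log_lines(SAMPLE_LOG_LINES):
        print(f"{when} {who}: {what}")
```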

A deep understanding of these major building blocks of security and governance enables organizations to tap the benefits of the cloud successfully. In addition, automating the various components of security and governance can help avoid risks such as security lapses, high maintenance costs, and idle resources. While planning a cloud infrastructure, it is equally essential to understand the architectural best practices, as these help to create a highly available, robust, secure, and cost-efficient ecosystem.

Over the last two decades, Impetus has helped several Fortune 100 enterprises successfully move their data-driven businesses to AWS and other cloud platforms. Leveraging deep domain expertise and a robust cloud governance framework, Impetus can help you address the nuances of IT governance on the cloud, in line with your organization’s goals.

Hussain Saify
Module Lead Software Engineer