How to Secure your AWS Infrastructure
The key advantages of cloud computing can be leveraged to support network services that have traditionally been located on-site. However, the benefits of the public cloud do not come without cost. Keeping the required level of security becomes harder, because adding cloud computing resources extends the enterprise boundary beyond its traditional definition. Even so, a reasonable level of security for cloud-based directory services can be achieved using existing technologies.
Moving key infrastructure components to the cloud is an attractive proposition for many enterprise environments. Organizations may be enticed by the benefits of cloud computing and decide to migrate some services. Any radical change to a key component of an organization's infrastructure requires substantial research and analysis to satisfy stakeholders and to produce a successful transition. The goal of a cloud-based implementation should therefore be to minimize the attack surface as far as the available talent and budget allow.
The purpose of this guide is to aid system designers in that goal, through an overview of the technologies used and the security risks they address, with a focus on directory service implementations.
What is the “Hybrid Cloud”?
A hybrid cloud solution has two primary goals: integrate public cloud resources so that they are almost indistinguishable from an on-site system, and achieve a level of security comparable to an on-site system. The unavoidable physical gap between the cloud resources and the on-site network, namely the internet, only makes these goals more challenging.
One of the most important documents describing the system configuration is the network topology: the arrangement of a network, including its nodes, depicted as a geometric layout of devices and their connections. When public cloud computing is brought into an organization's infrastructure, a site-to-site VPN has to be introduced into the design.
The VPN component in the network topology provides the link between the on-premises and off-site computing resources. This tunneled link is instrumental in achieving both goals: network extension and security.
Securing Access to AWS Management
Centralized access management is imperative if managing the users of an organization's computing resources is to be efficient and secure. The AWS Identity and Access Management (IAM) service fills this role: it manages identities, credentials, and access policies for the organization's AWS account.
When using IAM to manage secure shared access to an account, system designers have two choices: create users and groups within IAM, or extend an existing access management solution using identity federation. This guide does not cover federation, which, although highly effective, is out of scope for our purposes.
When an organization first creates an AWS account, the identity generated by default is the root user. The root user's privileges cannot be reduced by IAM policies, so it is bad practice to hand out root credentials to employees for routine tasks on the account. Root should be reserved for the few tasks that require it, protected with multi-factor authentication, and left without long-lived access keys. For everything else, the organization must design and implement a secure user hierarchy in IAM.
To implement these user hierarchies, IAM provides two mechanisms: users and groups. A user is self-explanatory: an individual with a certain level of access. A group collects multiple users together so that AWS policies can be applied to all of them at once. Groups should be organized according to standard user hierarchy methodology, that is, users are grouped by the access to system resources that their roles require.
Well-designed groups in the IAM user hierarchy are extremely important because of how IAM assigns privileges. IAM policies grant specific, granular permissions on AWS components; a policy can be attached directly to a user, but attaching policies to groups keeps the hierarchy manageable and auditable. These policies define the actions a user may perform and the information a user may access, so they are central to the security of the organization. Each policy should ensure that a user has access only to the actions and information required to complete their specific job, and nothing more.
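The following is an added example, not code from the original article, showing what "only the actions and information required" looks like in a real policy document, next to the kind of catch-all policy that should never be attached to a group. The group name, the bucket name and both policies are constructed for illustration. The audit function flags the patterns a reviewer looks for first: wildcard actions, broad grants on sensitive services such as IAM, and `Resource: "*"` combined with actions that change state.

```python
"""Audit IAM policy documents for over-broad Allow statements.

Added example, not from the original article. The two policy documents
and the hypothetical 'backup-operators' group are constructed; the bucket
name 'example-backups' is a placeholder.
"""
import json

# Constructed: least-privilege policy for a hypothetical group whose members
# only need to list one bucket and read the objects under one prefix.
BACKUP_OPERATORS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBackupBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-backups",
        },
        {
            "Sid": "ReadBackupObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-backups/nightly/*",
        },
    ],
}

# Constructed: the kind of policy that gets written "to make it work".
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Services where any broad grant deserves a second look.
SENSITIVE_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Heuristic: Describe*/List*/Get* operations only read; wildcards do not count."""
    if ":" not in action or action.endswith("*"):
        return False
    return action.split(":", 1)[1].startswith(("Describe", "List", "Get"))


def audit_policy(policy):
    """Return findings for Allow statements that grant wildcard actions,
    sensitive services, or '*' resources to mutating actions.
    An empty list means nothing obvious was found, not proof of least privilege."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource inside an Allow grants everything not listed")
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            findings.append(f"{sid}: wildcard action(s) {wildcards}")
        sensitive = [a for a in actions if a.lower().startswith(SENSITIVE_PREFIXES)]
        if sensitive:
            findings.append(f"{sid}: grants sensitive action(s) {sensitive}")
        if "*" in resources:
            mutating = [a for a in actions if not _is_read_only(a)]
            if mutating:
                findings.append(f"{sid}: Resource '*' combined with mutating action(s) {mutating}")
    return findings


if __name__ == "__main__":
    for name, policy in (("backup-operators", BACKUP_OPERATORS_POLICY),
                         ("overly-broad", OVERLY_BROAD_POLICY)):
        print(f"== {name} ==")
        for finding in audit_policy(policy) or ["no findings"]:
            print("  -", finding)
    # The JSON form is what is pasted into the IAM console or passed to
    # `aws iam create-policy --policy-document file://...`.
    print(json.dumps(BACKUP_OPERATORS_POLICY, indent=2))
```

Some read-only actions (for example `ec2:DescribeInstances`) do not support resource-level permissions and legitimately need `Resource: "*"`, which is why the audit only complains about `"*"` when it is paired with actions that change state.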
Securing Network Access to An EC2 Instance
After securing the AWS management console, the next step in protecting your infrastructure is to secure network access to the cloud computing resources. AWS offers several tools out of the box that, used together, provide a reasonable level of security for resources on the EC2 service.
Each EC2 instance is given network connectivity through an Elastic Network Interface (ENI). An ENI functions much like a conventional NIC, with one major enhancement: traffic through it is filtered by a built-in stateful firewall whose rules are defined in one or more Security Groups. Security groups contain only allow rules; any traffic not matched by an allow rule is dropped, and because the firewall is stateful, the return traffic of an allowed connection is permitted automatically. Note that a newly created security group comes with an outbound rule allowing all traffic, which should be removed or tightened if egress is to be controlled. When creating security groups, traditional firewall design methodology should be followed: allow only the traffic the instance needs to function, and leave everything else blocked.
Because security groups are attached to individual instances (strictly, to their network interfaces), AWS also provides Network ACLs, which define access for an entire subnet. A network ACL protects every instance on the subnet at once, but it behaves differently from a security group: it is stateless, so return traffic (typically on ephemeral ports) must be allowed explicitly in the opposite direction; it supports explicit deny rules; and its rules are evaluated in ascending rule-number order, with the first match winning and an implicit deny for anything unmatched. Subnet ACLs should complement instance-specific security groups in a multi-layer firewall design, for example by blocking known-bad address ranges before traffic ever reaches an instance.
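As an added example (not from the original article), the block below models a web server's security group and its subnet's network ACL and evaluates packets against them the way AWS does: the security group permits on any matching allow rule, while the NACL takes the lowest-numbered matching rule and denies whatever is unmatched. The rule sets, the 10.20.0.0/24 admin range and the 198.51.100.0/24 blocked range are all constructed; the `MISORDERED_NACL_INBOUND` set shows the classic mistake of placing a broad deny ahead of the narrower allow it was meant to exempt.

```python
"""Evaluate constructed security-group and network-ACL rule sets the way
AWS does, to show the stateful/stateless and ordering differences.

Added example, not from the original article. The rule sets, the
hypothetical web server, the 10.20.0.0/24 admin range and the
198.51.100.0/24 blocked range are all constructed for illustration.
"""
import ipaddress

# Constructed inbound rules for a hypothetical web server's security group.
# Security groups hold only allow rules; unmatched traffic is dropped, and
# replies to allowed connections are permitted by connection tracking.
WEB_SG_INBOUND = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/24"},
]

# Constructed network ACL for the web subnet. Rules are evaluated in
# ascending rule-number order, first match wins, and anything unmatched
# falls through to the implicit deny (the '*' rule in the console).
# Because NACLs are stateless, return traffic needs its own rules.
WEB_NACL_INBOUND = [
    {"rule": 90,  "action": "deny",  "protocol": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "198.51.100.0/24"},
    {"rule": 100, "action": "allow", "protocol": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "0.0.0.0/0"},
    {"rule": 110, "action": "allow", "protocol": "tcp", "from_port": 22,   "to_port": 22,    "cidr": "10.20.0.0/24"},
    {"rule": 120, "action": "allow", "protocol": "tcp", "from_port": 1024, "to_port": 65535, "cidr": "0.0.0.0/0"},  # replies to server-initiated connections
]
WEB_NACL_OUTBOUND = [
    {"rule": 100, "action": "allow", "protocol": "tcp", "from_port": 1024, "to_port": 65535, "cidr": "0.0.0.0/0"},  # replies to inbound 443/22
    {"rule": 110, "action": "allow", "protocol": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "0.0.0.0/0"},  # package updates etc.
]

# Constructed ordering mistake: the broad deny sits ahead of the narrower
# allow, so the allow can never match.
MISORDERED_NACL_INBOUND = [
    {"rule": 100, "action": "deny",  "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"rule": 110, "action": "allow", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/24"},
]


def _matches(rule, protocol, port, ip):
    """True if the rule covers this protocol, port and address. '-1' means all protocols."""
    if rule["protocol"] not in ("-1", protocol):
        return False
    if rule["protocol"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"])


def sg_allows(rules, protocol, port, ip):
    """Security group: permitted if any allow rule matches; there are no deny rules."""
    return any(_matches(r, protocol, port, ip) for r in rules)


def nacl_allows(entries, protocol, port, ip):
    """Network ACL: lowest-numbered matching rule decides; no match means deny."""
    for entry in sorted(entries, key=lambda e: e["rule"]):
        if _matches(entry, protocol, port, ip):
            return entry["action"] == "allow"
    return False


def inbound_allowed(sg_rules, nacl_entries, protocol, port, src_ip):
    """A packet entering the subnet must pass the NACL, then the instance's security group."""
    return nacl_allows(nacl_entries, protocol, port, src_ip) and sg_allows(sg_rules, protocol, port, src_ip)


if __name__ == "__main__":
    print("HTTPS from the internet:", inbound_allowed(WEB_SG_INBOUND, WEB_NACL_INBOUND, "tcp", 443, "203.0.113.5"))
    print("HTTPS from blocked range:", inbound_allowed(WEB_SG_INBOUND, WEB_NACL_INBOUND, "tcp", 443, "198.51.100.7"))
    print("SSH from the internet:", inbound_allowed(WEB_SG_INBOUND, WEB_NACL_INBOUND, "tcp", 22, "203.0.113.5"))
    print("SSH from admin range:", inbound_allowed(WEB_SG_INBOUND, WEB_NACL_INBOUND, "tcp", 22, "10.20.0.9"))
    print("SSH from admin range, misordered NACL:", nacl_allows(MISORDERED_NACL_INBOUND, "tcp", 22, "10.20.0.9"))
```

Two points the evaluator makes concrete: the security group alone would accept HTTPS from the blocked range, and only the NACL layer in front of it turns that into a drop; and without the outbound ephemeral-port rule the web server could accept a connection but never answer it, because the NACL does not track state.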
Finally, network security can be achieved through network design. In AWS, networking is implemented through the Virtual Private Cloud (VPC). A VPC is a virtual network, logically isolated from other VPCs, that is broken down into smaller subnets. This segmentation can be leveraged to increase the security of EC2 instances, with an important caveat: every route table in a VPC carries a local route for the whole VPC address range, so instances in different subnets can still reach one another unless something blocks the traffic. If two EC2 instances have no legitimate need to communicate, place them on separate subnets and then use the subnets' network ACLs, together with the instances' security groups, to deny traffic between them. It is that denial, not the subnet boundary by itself, that prevents an attacker from pivoting from one system to the other.
Securely Linking an EC2 Instance to a Local Network
A Virtual Private Network (VPN) connection is the most secure way to link EC2 compute resources to local infrastructure. AWS offers the Virtual Private Gateway (VGW) to make this straightforward: the gateway is attached to the VPC and terminates the IPsec tunnels of an AWS Site-to-Site VPN connection, and the subnets' route tables are given routes, static or propagated, that send traffic for the on-premises prefixes to it. Each Site-to-Site VPN connection consists of two tunnels to two AWS endpoints, and both should be configured on the customer side; AWS provides the pair so that the VPN, and the public cloud resources behind it, remain available when one endpoint is down.
Once the virtual private gateway has been attached to the VPC, the next task is to configure the VPN endpoint on the internal network, which AWS calls the customer gateway. This can be any software or hardware appliance capable of terminating IPsec tunnels, including many modern business-grade routers; devices running Cisco IOS, Juniper Junos, or pfSense, for example, would be sufficient. One prerequisite to settle before any tunnel is built: the VPC's address range must not overlap the on-premises ranges it will be connected to, or routing across the tunnel becomes ambiguous. The choice of appliance is otherwise highly dependent on the existing infrastructure and the IT budget.
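The subnet design described under network access and the VPN link described here share one planning step: the address plan. The block below is an added example (not from the original article) that checks a constructed plan the way a designer should before creating the VPC: every subnet lies inside the VPC range, no two subnets overlap, and the VPC range does not overlap any on-premises prefix that will be reachable over the tunnel. It also lists the routes each subnet's route table ends up with, including the local route that cannot be removed. All CIDRs and the `vgw-EXAMPLE` identifier are constructed placeholders.

```python
"""Check a constructed VPC/subnet/on-premises address plan for the
problems that break segmentation or a site-to-site VPN.

Added example, not from the original article. The VPC range, the three
role subnets, the on-premises prefixes and the gateway id are constructed.
"""
import ipaddress

# Constructed: one subnet per role, so a network ACL can be attached per role.
VPC_CIDR = "10.50.0.0/16"
SUBNETS = {
    "web": "10.50.1.0/24",
    "directory": "10.50.2.0/24",
    "mgmt": "10.50.3.0/24",
}
# Constructed: address space already in use on the organization's own network.
ONPREM_CIDRS = ["10.20.0.0/16", "192.168.0.0/16"]


def check_address_plan(vpc_cidr, subnets, onprem_cidrs):
    """Return findings: subnets outside the VPC, overlapping subnets, and
    VPC/on-premises overlap (which makes routing over the VPN ambiguous)."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"subnet {name} {net} is not inside VPC {vpc}")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} and {b} overlap")

    for cidr in onprem_cidrs:
        onprem = ipaddress.ip_network(cidr)
        if vpc.overlaps(onprem):
            findings.append(f"VPC {vpc} overlaps on-premises {onprem}; VPN routing would be ambiguous")
    return findings


def routes_for_subnet(vpc_cidr, onprem_cidrs, vgw_id="vgw-EXAMPLE"):
    """Routes each subnet's route table needs: the local route AWS always
    installs for the VPC range, plus one route per on-premises prefix via
    the virtual private gateway (static here; route propagation adds the same)."""
    routes = [(vpc_cidr, "local")]
    routes += [(cidr, vgw_id) for cidr in onprem_cidrs]
    return routes


if __name__ == "__main__":
    problems = check_address_plan(VPC_CIDR, SUBNETS, ONPREM_CIDRS)
    print("plan findings:", problems or "none")
    for destination, target in routes_for_subnet(VPC_CIDR, ONPREM_CIDRS):
        print(f"  {destination:<18} -> {target}")
    # A plan that reuses on-premises space inside the VPC fails the check.
    print(check_address_plan(VPC_CIDR, SUBNETS, ["10.50.0.0/20"]))
```

The local route in the output is why separate subnets alone do not isolate instances: traffic between 10.50.1.0/24 and 10.50.2.0/24 is routed unless a network ACL or security group drops it.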
Migrating corporate infrastructure to the cloud may offer more flexibility for growing bandwidth, disaster recovery at reduced cost, and lower capital expenditure on hardware. These advantages are a major reason many organizations migrate their infrastructure to cloud computing resources. A well-implemented cloud computing solution integrates all of the components covered in this guide. And, as with anything in information security, securing computer systems is very challenging, and system administrators must constantly look for ways to improve.