“Developers are trying to get things done as fast as possible,” Sutton says. “It’s a built-in guarantee that developers can’t make mistakes.”
If separate accounts are not possible, each environment should use a different key to prevent cross-connectivity. Development keys should never wind up in production code, and vice versa.
Take away user accounts
User accounts are the Achilles’ heel of information security, because attackers can take over the entire environment by stealing account credentials. So make it easy -- avoid user accounts wherever you can. Amazon offers various APIs to handle provisioning and scaling; choose them when working with instances instead of creating new accounts to manage them.
Have applications use specially created service accounts with low privileges to access systems. For example, create a dedicated account for an application that needs to make database calls, rather than having it use a normal database user account.
Service accounts typically are restricted in what they can do. With a database service account, for example, privileges might be limited to the ability to select and possibly update certain tables. If someone tries to log in, the potential for damage would be much lower because the attacker can't view other tables or objects, let alone make any changes. And if the logs show a login attempt using the service account, that is a surefire sign someone is trying to break in.
“Security with AWS is all about being proactive and reducing the attack surface by limiting the damage an attacker could cause in case of an eventual breach,” says Liviu Arsene, senior e-threat analyst at BitDefender.
For user accounts that have already been created or need to exist for specific purposes, deleting them can cause more problems. Perhaps the team is not even sure if anyone is using an account. Instead of deleting those accounts, assign the lowest set of privileges possible. If the account is legitimately in use, someone will complain. As with service accounts, if someone tries logging in with one of these accounts, that will show up in the records. Administrators will then have a starting point for investigation to determine whether the attempt is legitimate.
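The two detection points above (a service account showing up where it should not, and any login on a dormant low-privilege user account) can be turned into a simple log check. The following is an added example, not code from the article or from AWS; the log format, the svc_ naming convention, the application subnet and the dormant account name are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample log lines (invented for this example), one login event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=svc_orders src=10.0.2.15 method=api result=success
2024-05-01T10:00:05Z user=svc_orders src=203.0.113.7 method=console result=success
2024-05-01T10:01:12Z user=jdoe src=10.0.1.9 method=console result=success
2024-05-01T10:02:30Z user=legacy_report src=198.51.100.4 method=console result=failure
2024-05-01T10:03:00Z user=svc_billing src=10.0.2.16 method=api result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)

# Assumed policy (hypothetical): service accounts carry an svc_ prefix and only ever
# authenticate through the API from the application subnet; legacy_report is a
# dormant account kept with minimal privileges purely so that any use of it is visible.
SERVICE_PREFIX = "svc_"
APP_SUBNET = ipaddress.ip_network("10.0.2.0/24")
DORMANT_ACCOUNTS = {"legacy_report"}

Event = namedtuple("Event", "ts user src method result")


def parse_line(line):
    """Parse one log line into an Event, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def classify(event):
    """Return a reason for investigation, or None if the login fits the policy."""
    if event.user.startswith(SERVICE_PREFIX):
        if event.method != "api":
            return "service account used interactively"
        if ipaddress.ip_address(event.src) not in APP_SUBNET:
            return "service account used from outside application subnet"
    if event.user in DORMANT_ACCOUNTS:
        # Success or failure does not matter: nobody should be touching this account.
        return "login attempt on dormant account"
    return None


def find_suspicious(log_text):
    """Return (timestamp, user, source, reason) for every event worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            findings.append((ev.ts, ev.user, ev.src, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the checker flags the console login by svc_orders from an outside address and the attempt on legacy_report, while the API logins from the application subnet and the ordinary user login pass. The point is that because the accounts are tightly scoped, the alert rule can be equally simple: any deviation is interesting.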
“If you see [user accounts] surface, chances are someone has compromised your cloud infrastructure,” says Misha Govshteyn, chief strategy officer and founder of AlertLogic.
Use Amazon’s built-in tools
Amazon offers several security services, including certificate management, encryption tools, Hardware Security Modules for storing private keys, and Web application firewalls. Take advantage of these built-in tools -- or one of the many offerings in Amazon Marketplace.
Security Groups let administrators split instances by service types and assign them to specific groups. A set of security policies could then be applied to all the hosts assigned to the group. The database should be in its own group, separate from the load balancer and the Web application firewall, for example. By restricting ports and defining access rules, administrators can prevent lateral movement across the network, where attackers get a foothold on the Web server and try to move onto the database.
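One way to keep the tiering described above honest is to audit the rule set against a declared policy of which ports each group may expose and to whom. The following is an added example, not code from the article or an AWS tool; the group ids, rules and tiering policy are constructed for illustration, and the rule dictionaries are modeled on the field names EC2 uses when listing security groups (IpPermissions, IpRanges, UserIdGroupPairs).

```python
import ipaddress

# Constructed sample security groups (invented for this example). The db-tier group
# deliberately contains two rules that break the tiering.
GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-app", "GroupName": "app-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
     ]},
    {"GroupId": "sg-db", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
         # Misconfiguration: the database also accepts MySQL directly from the web tier,
         # which is exactly the web-server-to-database hop the tiering should block.
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
         # Misconfiguration: SSH reachable from anywhere.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
]

# Assumed tiering policy (hypothetical): group -> port -> allowed sources.
# "internet" stands for a 0.0.0.0/0 range; other sources are security group ids.
ALLOWED_SOURCES = {
    "sg-web": {443: {"internet"}},
    "sg-app": {8080: {"sg-web"}},
    "sg-db": {3306: {"sg-app"}},
}


def rule_ports(perm):
    """Ports a rule opens; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return ["all"]
    return list(range(perm["FromPort"], perm["ToPort"] + 1))


def rule_sources(perm):
    """Sources a rule admits: CIDR strings (or 'internet' for /0) and group ids."""
    sources = []
    for r in perm.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"])
        sources.append("internet" if net.prefixlen == 0 else r["CidrIp"])
    for p in perm.get("UserIdGroupPairs", []):
        sources.append(p["GroupId"])
    return sources


def audit(groups, policy):
    """Return (group, port, source) for every rule not covered by the policy."""
    findings = []
    for g in groups:
        allowed = policy.get(g["GroupId"], {})
        for perm in g["IpPermissions"]:
            for port in rule_ports(perm):
                for src in rule_sources(perm):
                    if src not in allowed.get(port, set()):
                        findings.append((g["GroupId"], port, src))
    return findings


if __name__ == "__main__":
    for group, port, src in audit(GROUPS, ALLOWED_SOURCES):
        print(f"{group}: port {port} open to {src} is not in the tiering policy")
```

On the sample data the audit reports only the two db-tier rules: MySQL from the web tier and SSH from the internet. Everything the policy explicitly allows (HTTPS from the internet on the web tier, the app port from the web tier, MySQL from the app tier) is silent, so the output is a worklist rather than noise.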