Regularly inspect the security group settings via the AWS console to make sure nothing has changed unexpectedly. If you whitelist IP addresses -- a very good practice to restrict access to certain systems -- check the list to make sure nothing has changed without your knowledge.
While Security Groups and Network Access Control Lists don't compare to full-fledged firewalls, they're still effective for limiting specific network access to applications. More important, they segment the environment, so an intruder who gets into one group cannot freely reach the resources behind another. Craft inbound and outbound rules to filter out unnecessary traffic and allow only the network communications the application actually needs.
“You need to consider whether you really need to allow 0.0.0.0/0 network traffic or only accept specific connections,” says Arsene.
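The two checks described above (no unintended 0.0.0.0/0 or ::/0 sources, and no silent drift from the IP allowlist you reviewed) can be scripted. The following is an added example, not code from the article or from AWS: it audits constructed data in the shape of boto3's `describe_security_groups()` output against a hypothetical `BASELINE` allowlist; the group IDs and CIDRs are made up.

```python
import ipaddress

# Constructed sample shaped like boto3 describe_security_groups()["SecurityGroups"]; IDs and CIDRs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [],
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "203.0.113.7/32"}]}]},
    {"GroupId": "sg-0000example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Reviewed allowlist (constructed): group id -> "proto/port" -> approved source CIDRs.
BASELINE = {
    "sg-0000example1": {"tcp/443": {"0.0.0.0/0"}, "tcp/22": {"198.51.100.0/24"}},
    "sg-0000example2": {"tcp/5432": {"10.0.0.0/16"}},
}

def rule_key(perm):
    # Normalise one IpPermission entry to "proto/port", "proto/lo-hi" or "all/all".
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all/all"
    lo, hi = perm.get("FromPort", "any"), perm.get("ToPort", "any")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"

def is_world_open(cidr):
    # 0.0.0.0/0 and ::/0 both have prefix length 0: the rule accepts any source.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(groups, baseline):
    # Return (group_id, rule, cidr, reason): "world-open"/"drift" for unapproved sources, "missing" for removed rules.
    findings = []
    for sg in groups:
        gid, expected, seen = sg["GroupId"], baseline.get(sg["GroupId"], {}), set()
        for perm in sg.get("IpPermissions", []):
            seen.add(key := rule_key(perm))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in expected.get(key, set()):
                    reason = "world-open" if is_world_open(cidr) else "drift"
                    findings.append((gid, key, cidr, reason))
        findings += [(gid, k, None, "missing") for k in expected if k not in seen]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, BASELINE):
        print(*finding)
```

Run it on a schedule against the live API output and treat any finding as a change to investigate, regenerating `BASELINE` only after a deliberate, reviewed rule change.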
Native AWS tools such as Elastic Load Balancers (ELBs) can be used -- somewhat -- to mitigate DoS or DDoS attacks, Arsene said. ELBs make applications resilient when faced with a high traffic load by directing traffic to multiple EC2 instances running the same application. In the case of a DoS or DDoS attack, the application remains up and available because the ELB scales up to multiple instances.
The genomics company GenomeNext takes full advantage of the cloud's fluid nature. The company randomly moves instances around in the region so that IP addresses are constantly in flux. This tactic forces potential attackers into a game of hide-and-seek, trying to find the servers long enough to launch an attack.
“We take advantage of everything Amazon offers for security, but you still have to architect your environment. You still have to plan for failure,” says James Hirmas, co-founder and CEO of GenomeNext.
Treat security like software development
Just as software undergoes extensive testing before going to production, cloud instances should be tested thoroughly. If a cloud instance in production has a critical vulnerability or is missing the appropriate security controls, then it should be treated as an outage, with the issue escalated so that it is addressed right away.
If a cloud instance has a vulnerability discovered before it’s deployed into production, it should be treated with the same priority as a critical software defect and the release should be halted.
“Software already goes through QA before it’s shipped. Why shouldn't security work this way too?” asks Govshteyn.
Don't forget Amazon's nonsecurity tools
Regularly back up your data so that recovery is possible, even in the case of an attack or a ransomware infection.
Code Spaces, which provided support for DevOps application management, offered a sobering lesson in how much damage a dedicated perpetrator can inflict on a company's cloud environment. In this case, the attacker launched a DDoS attack and demanded a ransom. When Code Spaces officials logged into the AWS account to try to stop the attack, the attacker deleted data from the servers. The destruction was extensive enough that Code Spaces ceased operations.