Table of contents
- 01. Since 2020, the number of users of cloud services, including AWS, has been steadily increasing.
- 02. Unlike on-premise, the cloud has a “shared security responsibility”
- 03. AWS’s Shared Responsibility Model for Security
- 04. How AWS handles security
- 05. The eight main security services provided by AWS
- 06. If you want to consult a professional about AWS security settings, we recommend “Cloud Diagnostics”
- 07. Summary
AWS security measures are essential for companies and users who use AWS. Comprehensive AWS security measures are required to protect customer data and confidential information stored on AWS and prevent security incidents.
AWS is an abbreviation for Amazon Web Services, a general term for cloud services provided by Amazon.
Specifically, it provides virtual servers “Amazon Elastic Compute Cloud” (EC2), storage “Amazon S3,” database “Amazon Aurora,” and more.
However, as the use of AWS expands, security incidents such as unauthorized access and information leaks caused by cloud services are also increasing.
This article explains the security services provided by AWS that companies should be aware of, as well as the scope of security responsibilities that companies (users) have. If you are concerned about AWS security, be sure to read this article.
▼What you will learn from this article
- The use of cloud services such as AWS is increasing, and with it, the number of data breaches is also increasing.
- With cloud services, the “security scope” for which users are responsible is reduced.
- Effective AWS security measures include “strengthening authentication and access rights through correct IAM configuration,” “detecting suspicious behavior through security monitoring,” and “regular application of security patches.”
- AWS provides a number of security services to protect users’ information assets from various security threats.
Since 2020, the number of users of cloud services, including AWS, has been steadily increasing.

With the spread of remote work and changes in working styles, demand for cloud services is increasing not only in Japan but around the world.
According to data released by the Ministry of Internal Affairs and Communications in 2023, the size of the global cloud service market is expected to continue to grow steadily.
In addition, in terms of “corporate cloud service usage in Japan,” 44.9% of companies use the cloud company-wide, while 27.3% use it in some offices or departments, meaning that more than 70% of companies use cloud services in some form.
Information leaks from cloud services are also on the rise
As these cloud services become more widespread, there has been an increase in “information leaks” caused by the cloud and cyber attacks targeting weaknesses in cloud services.
While cloud services have the advantage of being usable without building an in-house system environment, there are concerns that they tend to be dependent on the security environment of the provider.
Additionally, each cloud service requires various security settings, such as file access permissions and authentication settings, but many users say they are unsure whether they have configured the settings correctly, or have left the settings as they were when the service was first set up.
In fact, there has been no end to cyber attacks and unauthorized access incidents using cloud services as a springboard, and many of these are caused by “insufficient security settings on the user’s side.”
Unlike on-premise, the cloud has a “shared security responsibility”

There is a difference in the “scope of security” for which users are responsible between traditional “on-premises environments” and cloud environments.
With on-premises systems, users build the system and manage the servers themselves, so they have to be responsible for the security of the entire system, including physical resources, software, and data.
However, with cloud services, the underlying systems and servers are rented from vendors, so the company does not own the physical equipment. Therefore, the only security responsibility the user carries is for the software and data that the company builds and owns.
As a result, with cloud services, users are responsible for less of the security than when they owned hardware in an on-premises environment, and can focus their security measures on a narrower scope.
AWS calls this approach to sharing security responsibility the “shared responsibility model.”
AWS’s Shared Responsibility Model for Security
The “Shared Responsibility Model” advocated by AWS is, simply put, a framework aimed at “ensuring the security level of customers’ AWS environments.” It clarifies the scope of responsibility of each of the following two parties:
- AWS (vendor side)
- Customer (user)
According to the Shared Responsibility Model, AWS is responsible for security of the cloud infrastructure, while customers are responsible for security within the cloud.
In other words, security within cloud services, such as
- OS updates
- Managing access rights
- Applying security patches
must all be handled responsibly by the user.
AWS’s “Security of the Cloud” Responsibility
On the other hand, AWS (the vendor) has stated that it is responsible for “securing the infrastructure” that runs all services provided in the AWS cloud.
Specifically, AWS is responsible for ensuring the security of the hardware, software, networking, and facilities that it provides, and AWS implements these security measures based on international best practices.
How AWS handles security

The following are some of the things that users should do as “AWS security measures.”
- Strengthening authentication and access rights through correct IAM configuration
- Security-conscious settings for each AWS service
- Checking the audit log
- Detecting suspicious behavior through security monitoring
- Regular application of security patches
- Educating employees on cloud service usage
- Checking AWS security guidelines and the official website, among others
AWS provides a variety of security services that users can use to protect their information assets from various security threats. For details on these services, see “Security Services Provided by AWS.”
In addition, to build a strong AWS security system, you need to check the official white papers and guidelines and build the correct settings and security system in accordance with the requirements.
How to Check AWS Security Compliance Requirements
AWS has obtained multiple third-party certifications, including ISO 27001 and ISO 22301, as proof of appropriate security management.
For more information about the security measures AWS implements and how it maintains compliance, see the AWS Compliance Program page.
If you would like to check whether AWS meets the security and compliance requirements required by your company, you can check the white papers on the official website.
The eight main security services provided by AWS

AWS offers a variety of security services to help users meet high security standards.
These services are effective in managing access rights, compliance, and data protection, the areas where users assume security responsibility under the aforementioned “shared responsibility model.”
Some of the most popular AWS security services include:
- AWS Identity and Access Management (IAM)
- Amazon GuardDuty
- Amazon Inspector
- AWS WAF (Web Application Firewall)
- Amazon Macie
- AWS CloudTrail
- AWS Key Management Service (KMS)
- Amazon VPC (Virtual Private Cloud)
Here we introduce the eight main security services provided by AWS.
1. AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) is a web service that allows you to securely manage user identities and resources on AWS systems . By using IAM, you can configure “authentication” and “authorization” for your AWS account.
Specifically, it consists of functions such as:
- User registration and account management (issuance, modification, deletion)
- Identification and authentication when using the system
- Setting whether or not to allow access to information resources based on the permissions set by the administrator
- Access log recording
All permissions and authentication rules in IAM are managed by “policies,” which are granted to “groups” and “users (accounts).”
For example, if an employee (user) wants to upload a file to storage, the administrator grants the user the permissions written in the policy. The user can perform specific actions by being given specific permissions through IAM.
Even for the same file, it is possible to set up the system so that “User A” has no access rights, “User B” has view-only rights, and “User C” has operation rights.
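The per-user access pattern above (User A no access, User B view-only, User C operation rights on the same file), as an added example that is not part of the original article: three constructed IAM policy documents for a hypothetical bucket and a simplified evaluator that applies IAM’s “explicit Deny wins, then Allow, otherwise implicit Deny” rule. The bucket name and user names are assumptions.

```python
import fnmatch

# Constructed sample policies (not from the article). Bucket name is hypothetical.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
POLICIES = {
    # User A: no policy attached at all -> every request is implicitly denied.
    "UserA": [],
    # User B: view-only (list the bucket, read objects).
    "UserB": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}],
    # User C: full operation rights on the bucket, but an explicit Deny on
    # deleting the bucket itself to show that Deny overrides Allow.
    "UserC": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": BUCKET_ARN}]}],
}

def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive):
    # IAM wildcards: "*" matches any run of characters, "?" matches one.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(user, action, resource):
    """Simplified identity-based policy evaluation for one request.
    An explicit Deny in any matching statement always wins; otherwise at
    least one matching Allow is required; otherwise the default is Deny."""
    decision = "ImplicitDeny"
    for doc in POLICIES.get(user, []):
        for stmt in _as_list(doc["Statement"]):
            if not (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            decision = "Allow"
    return decision == "Allow"
```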
2. Amazon GuardDuty
Amazon GuardDuty is a fully managed threat detection service.
Utilizing machine learning, it monitors API calls and communication logs to detect unauthorized access and malicious behavior.
There is no need for complicated configuration or installation; you can simply enable it on AWS. AWS officially recommends enabling Amazon GuardDuty in all supported regions.
The detection results allow you to check the severity of the threat and details of the detection required for remediation.
3. Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continuously diagnoses AWS workloads to check for software vulnerabilities and unintended network information exposure.
It is used to assess the security compliance of applications and resources running within your AWS cloud environment, helping to identify vulnerabilities and resolve security issues.
It is possible to automatically diagnose vulnerabilities in Amazon EC2, a virtual server provided by AWS, Amazon ECR, which stores and shares container images, and AWS Lambda, which executes code.
4. AWS WAF (Web Application Firewall)
AWS WAF (Web Application Firewall) is a specialized firewall for web applications provided by Amazon. It protects applications from malicious attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
AWS WAF also allows you to control access to CloudFront, ALB, API Gateway, etc. By setting access “rules” within the WAF’s “WebACL,” you can determine which network communications to “allow” or “deny.”
You can start using AWS WAF immediately by simply enabling it on Amazon CloudFront, which accelerates web content such as image files, or on Application Load Balancer, a load balancer that distributes the load of web services.
5. Amazon Macie
Amazon Macie is a service that uses machine learning and pattern matching to automate the discovery, classification, and protection of sensitive data in your Amazon S3 buckets.
It automatically detects and classifies S3 objects containing personal information, allowing you to manage sensitive data safely and efficiently without incurring additional effort.
When using Amazon Macie, you need to enable it for each AWS region. Once enabled in a region, you can view the detection results for all accounts in that region at once.
6. AWS CloudTrail
AWS CloudTrail is a service that records all user activity and API usage from the time you create an AWS account. It is useful for analyzing and remediating the cause of unauthorized operations or unexpected behavior.
It’s automatically activated when you create your account, so you don’t need to do anything yourself.
You can view the operation records for the past 90 days by accessing the AWS CloudTrail console or AWS CLI. Since records are deleted after 90 days, if you want to keep the operation records, you can move them to Amazon S3 for storage.
7. AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a service that allows you to create and manage keys for encrypting, decrypting, and digitally signing data across applications and AWS services. It can encrypt and decrypt text files stored in Amazon EC2, Amazon S3, etc.
The master key is stored on AWS KMS and cannot be saved locally, so there is no need to worry about it being lost, damaged, or having information stolen.
It is also integrated with AWS CloudTrail, mentioned earlier, allowing you to audit who used which key, when, and with which resource.
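The CloudTrail audit described in the CloudTrail section and just above (who used which key, when, and with what result), as an added example that is not part of the original article: a few constructed CloudTrail records in the shape CloudTrail delivers to Amazon S3 (a JSON object with a “Records” list; field names such as eventSource, eventName, userIdentity, resources and errorCode are CloudTrail’s own), summarised per KMS key and per caller, plus a check for callers repeatedly refused by KMS. Account id, key id, user names and IP addresses are placeholders.

```python
from collections import defaultdict

# Constructed records (placeholder account, key id, users and addresses).
KEY_ARN = "arn:aws:kms:ap-northeast-1:111111111111:key/00000000-0000-0000-0000-000000000000"
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11", "errorCode": "AccessDenied",
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-01-10T09:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11", "errorCode": "AccessDenied",
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    # A non-KMS event, to show that the filter on eventSource ignores it.
    {"eventTime": "2024-01-10T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report.pdf"}]},
]}

def _caller(record):
    # IAM users carry userName; other principal types (AssumedRole, Root) may not.
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "?")

def kms_key_usage(trail):
    """Return {key ARN: {caller: [(eventTime, eventName, status), ...]}}.
    status is "Success" unless CloudTrail recorded an errorCode."""
    usage = defaultdict(lambda: defaultdict(list))
    for rec in trail["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        status = rec.get("errorCode", "Success")
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[res["ARN"]][_caller(rec)].append((rec["eventTime"], rec["eventName"], status))
    return usage

def denied_kms_callers(trail, threshold=2):
    """Callers with at least `threshold` AccessDenied KMS calls: a pattern
    worth reviewing, since it usually means a misconfigured policy or misuse."""
    counts = defaultdict(int)
    for rec in trail["Records"]:
        if rec.get("eventSource") == "kms.amazonaws.com" and rec.get("errorCode") == "AccessDenied":
            counts[_caller(rec)] += 1
    return sorted(user for user, n in counts.items() if n >= threshold)
```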
8. Amazon VPC (Virtual Private Cloud)
Amazon VPC (Virtual Private Cloud) is your own dedicated virtual network space that you can build within your AWS account.
Within Amazon VPC, you can communicate with AWS services such as the virtual server “Amazon EC2” and the database “RDS.” You can also allow Amazon EC2 instances to communicate internally with each other and manage connections to external networks.
Spaces built with Amazon VPC allow you to manage networks and resources all at once, which makes operation and maintenance more efficient.
If you want to consult a professional about AWS security settings, we recommend “Cloud Diagnostics”

If your company is concerned about AWS security, we recommend that you use the various AWS services introduced above, as well as take advantage of Cloud Diagnostics, which allows experts to identify AWS security flaws and provide advice.
By having professionals point out and correct inadequate settings in “access permissions” and “authentication,” which are the cause of AWS security incidents, it becomes possible to build a secure AWS environment.
- I want to check whether my company’s AWS settings are correct as they are.
- There is no one in the company who is knowledgeable about security, and I would like to consult with an expert.
- I want to strengthen AWS security with as little effort and cost as possible.
We recommend our “AWS Security Assessment” to companies facing these challenges.
We identify potential security issues in your AWS environment and our security experts propose appropriate remediation measures to prevent incidents such as unauthorized use of AWS or information leaks due to misconfigurations.
We conduct detailed assessments based on CIS benchmarks, AWS Security Hub, and our own unique criteria, and our security experts will check the actual management screen and provide you with a detailed, easy-to-understand report.
For details of the service, please see the following page.
Summary

In this article, we introduced the importance of security in AWS and official security services.
The number of users of AWS and other cloud services has been increasing in recent years, and their use will likely become essential in the future. We encourage you to consider implementing appropriate AWS security measures based on your company’s environment and needs.

