AWS security: Complete guide to Amazon cloud security
Securing AWS deployments
What is AWS security?
AWS security is the comprehensive protection of the infrastructure, data, applications, and workloads running on Amazon’s public cloud platform. Securing AWS requires the infrastructure security measures that Amazon provides as well as the controls the AWS customer is obligated to implement under the cloud security shared responsibility model. In short, an effective AWS security program covers both the controls AWS applies to its cloud infrastructure and the policies the customer applies to the services and workloads it runs there.
The AWS security model
Companies that leverage public cloud platforms like AWS need to be aware of their role in security. AWS has a shared responsibility model, where the cloud provider manages the security of its own cloud infrastructure and the customers are responsible for securing their data and workloads.
AWS implements firewalls, encryption, interservice transport layer security (TLS), and other techniques to secure the infrastructure layer. For managed services (a managed database, for example), AWS’s responsibilities also extend up the stack to patching the operating system and the service software. As we’ll see in the next section, AWS provides services and features to help organizations implement security for their applications and workloads, but the responsibility for configuring and using them correctly ultimately falls on the customer. Check out our top 8 AWS Security best practices to learn more.
AWS security services and features
Since organizations using AWS must take ownership of cloud security as well, Amazon offers numerous services and security features to help with security policy implementation. Some of these cloud security options include:
Network security: AWS gives customers options for securely connecting to its infrastructure through private or dedicated connections. Communication between AWS services is secured with TLS for encryption in transit, and customers can require TLS for their own endpoints and clients. These options – and many others, such as VPC security groups and network ACLs – enable customers to increase privacy and control network access.
Encryption: AWS provides built-in encryption at rest for its database and storage services, which customers must enable or verify per service. In addition, AWS offers APIs to integrate encryption and data protection into applications deployed in an AWS environment. AWS Key Management Service (KMS) also centralizes the management of the cryptographic keys used for encryption across AWS services and applications.
Configuration management: AWS offers tools to help organizations more easily and quickly configure resources that comply with organizational standards and best practices. This includes deployment tools for creating and decommissioning AWS resources (such as AWS CloudFormation) as well as inventory and configuration management tools (such as AWS Config) to track them and their configuration history over time.
Identity and access management (IAM): AWS provides features for defining users, groups, roles, and the permission policies attached to them. Combined with secure login options like AWS multi-factor authentication (MFA) or AWS IAM Identity Center (successor to AWS SSO), organizations can manage and enforce user access to cloud resources, service APIs, and the AWS console.
Monitoring and logging: Through AWS CloudTrail, organizations can record the API calls made in their accounts, including actions taken through the AWS console, SDKs, and CLI. In addition, Amazon GuardDuty can monitor for malicious or anomalous activity and publish findings that notify the organization through Amazon EventBridge, while Amazon CloudWatch provides centralized metrics, logging, and alarms across AWS services.
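To make the CloudTrail point concrete, the following is an added example (not code from the original page, Snyk, or AWS) of detection logic run over CloudTrail records. The records are constructed to resemble the CloudTrail JSON record format (userIdentity, eventName, additionalEventData, errorCode); the rule names and the access-denied threshold are assumptions of this example. It flags root account use, console logins without MFA, calls that tamper with the trail itself, and a principal that accumulates repeated authorization failures.

```python
import json
from collections import Counter

# Constructed sample records (not real logs), shaped like CloudTrail JSON.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-05-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}},
] + [
    {"eventTime": f"2023-05-01T10:1{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "AccessDenied"} for i in range(5)
]})

# API calls that disable or weaken the audit trail (eventSource cloudtrail.amazonaws.com).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 5  # assumed threshold; tune to the account's baseline


def load_records(text):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def actor(record):
    """Return the principal ARN (falling back to the identity type) behind a record."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def detect(records, denied_threshold=ACCESS_DENIED_THRESHOLD):
    """Run each detection rule over the records.

    Returns a list of (rule, actor, detail) tuples in the order they were raised.
    """
    findings = []
    denied = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        name = r.get("eventName")
        # Rule 1: any root account activity. Root should sit behind hardware MFA
        # and be used only for the handful of tasks that require it.
        if ident.get("type") == "Root":
            findings.append(("root-account-activity", actor(r), name))
        # Rule 2: a successful console login where MFA was not used.
        if (name == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("console-login-without-mfa", actor(r), name))
        # Rule 3: calls that stop, delete or reconfigure the trail itself.
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", actor(r), name))
        # Rule 4: count authorization failures per principal; a burst suggests
        # a compromised or misconfigured identity probing for permissions.
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denied[actor(r)] += 1
    for who, n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated-access-denied", who, f"{n} failures"))
    return findings


if __name__ == "__main__":
    for rule, who, detail in detect(load_records(SAMPLE_TRAIL)):
        print(f"{rule:28} {who:48} {detail}")
```

In production the same rules would run over the gzipped CloudTrail objects delivered to S3 (or over CloudWatch Logs if the trail is forwarded there), and the findings would be routed to the on-call channel rather than printed. Rule 3 matters because an attacker who can call StopLogging can blind every rule that follows it.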
AWS security issues and concerns
The cloud and its shared responsibility model create unique cloud security challenges. One challenge, in particular, is implementing strong application security for software that will be deployed on the AWS platform.
More specifically, organizations that run software on AWS need to be concerned with the risks across every component of their AWS deployments – from their source code and open source dependencies to the containers and infrastructure as code (IaC) configurations used to deploy them.
A key aspect of securing AWS, therefore, is vulnerability and misconfiguration scanning. For example, scanning Terraform files for misconfigurations is crucial for hardening Amazon EKS security. This enables organizations to discover insecure settings in configuration files before those files are used to provision actual AWS infrastructure resources.
Snyk is an Advanced Technology Partner with AWS and has achieved AWS Security Competency status to help secure applications deployed on the AWS platform. In fact, Snyk has integrations with AWS services across the entire software development lifecycle (SDLC).
At the earlier stages of the SDLC, Snyk integrates with AWS managed services related to source control management (AWS CodeCommit), continuous integration (AWS CodeBuild), and continuous delivery (AWS CodePipeline) to detect issues during development.
In terms of container image security, Snyk integrates with the managed container orchestration (Amazon EKS) and managed container registry (Amazon ECR) services. This helps development teams detect container vulnerabilities to reduce the risks associated with containerized applications.
Snyk can scan the YAML and JSON template files for the platform’s IaC service (AWS CloudFormation) – which allows organizations to provision and manage AWS resources – to detect potential misconfigurations. Snyk also integrates with the serverless compute (AWS Lambda) and serverless container (AWS Fargate) services to detect vulnerabilities in open source code deployed on this infrastructure.
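The two IaC passages above describe catching misconfigurations in Terraform and CloudFormation files before they become infrastructure. The following added example (not Snyk’s scanner or any AWS tool) shows what such a check looks like over a CloudFormation JSON template. The template is constructed for illustration and is deliberately misconfigured; the resource types and property names are the documented CloudFormation ones, while the rule names and the set of admin ports are assumptions of this example.

```python
import json

# Constructed, deliberately misconfigured template (not from any real deployment).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NodeSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "worker nodes",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketName": "example-eks-audit-logs"}},
        "Cluster": {"Type": "AWS::EKS::Cluster", "Properties": {
            "Name": "prod", "RoleArn": "arn:aws:iam::123456789012:role/eks-cluster",
            "ResourcesVpcConfig": {"SubnetIds": ["subnet-0a1b2c3d"],
                                   "EndpointPublicAccess": True,
                                   "EndpointPrivateAccess": False}}},
        "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyName": "admin", "Roles": ["eks-node-role"],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    }})

ANY_CIDR = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = {22, 3389}  # assumed: SSH and RDP


def as_list(x):
    """IAM allows a string or a list for Action/Resource/Statement; normalize."""
    return x if isinstance(x, list) else [x]


def check_security_group(name, props):
    """Flag ingress rules that expose admin ports (or all ports) to the internet."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_CIDR:
            continue
        proto = str(rule.get("IpProtocol"))  # "-1" means every protocol and port
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if proto == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield (name, "sg-admin-port-open-to-world", f"{proto} {lo}-{hi} from {cidr}")


def check_s3_bucket(name, props):
    """Require default encryption and a complete public access block."""
    if "BucketEncryption" not in props:
        yield (name, "s3-no-default-encryption", "BucketEncryption not set")
    pab = props.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(k) is True for k in required):
        yield (name, "s3-public-access-not-blocked", "PublicAccessBlockConfiguration incomplete")


def check_eks_cluster(name, props):
    """EKS defaults to a public API endpoint open to 0.0.0.0/0 and no audit logs."""
    vpc = props.get("ResourcesVpcConfig", {})
    if vpc.get("EndpointPublicAccess", True) and not vpc.get("PublicAccessCidrs"):
        yield (name, "eks-public-endpoint-unrestricted", "public endpoint without PublicAccessCidrs")
    if not vpc.get("EndpointPrivateAccess", False):
        yield (name, "eks-private-endpoint-disabled", "EndpointPrivateAccess is false")
    enabled = {t.get("Type") for t in
               props.get("Logging", {}).get("ClusterLogging", {}).get("EnabledTypes", [])}
    if "audit" not in enabled:
        yield (name, "eks-audit-logging-disabled", "control plane 'audit' log type not enabled")


def check_iam_policy(name, props):
    """Flag Allow statements granting every action on every resource."""
    for st in as_list(props.get("PolicyDocument", {}).get("Statement", [])):
        if (st.get("Effect") == "Allow" and "*" in as_list(st.get("Action", []))
                and "*" in as_list(st.get("Resource", []))):
            yield (name, "iam-full-admin-wildcard", "Allow Action:* on Resource:*")


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EKS::Cluster": check_eks_cluster,
    "AWS::IAM::Policy": check_iam_policy,
}


def scan_template(text):
    """Return (logical_id, rule, detail) for every finding in a JSON template."""
    findings = []
    for logical_id, res in json.loads(text).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for logical_id, rule, detail in scan_template(SAMPLE_TEMPLATE):
        print(f"{logical_id:12} {rule:34} {detail}")
```

This is a structural linter, so it runs in a pre-commit hook or CI before `aws cloudformation deploy` is ever called. Real templates also use intrinsic functions (Ref, Fn::GetAtt) and YAML short-form tags, which need a CloudFormation-aware loader before checks like these can see the resolved values; a property that is a Ref rather than a literal should be reported as "unknown" rather than silently passed.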
We’ve only just scratched the surface of the integrations Snyk has with AWS to improve cloud-native application security. To learn more about how to build applications securely across your AWS application stack, visit our AWS partner page or sign up for a free Snyk account.
AWS security FAQs
Is AWS secure?
Amazon uses cloud security best practices to secure its infrastructure, but organizations also need to implement security for their data and AWS workloads deployed on the cloud platform. This shared responsibility model gives organizations the flexibility to implement security controls that meet their specific business needs while remaining confident that the underlying cloud infrastructure is reliable and secure.
How to secure AWS?
Securing AWS requires implementing security measures from the underlying infrastructure layer up to the specific data, workloads, and applications running on the AWS cloud platform. This includes the security of the hardware and software that AWS manages to make its cloud platform available as well as the software, applications, and data that customers operate in the cloud.