AWS security: Complete guide to Amazon cloud security

The AWS security model

Companies that leverage public cloud platforms like AWS need to be aware of their role in security. AWS has a shared responsibility model, where the cloud provider manages the security of its own cloud infrastructure and the customers are responsible for securing their data and workloads.

AWS implements firewalls, encryption, interservice transport layer security (TLS), and other techniques to secure the infrastructure layer. For some of AWS’s managed services options, its security responsibilities also extend to the service layer. As we’ll see in the next section, AWS provides services and features to help organizations implement security for their applications and workloads, but the responsibility for this ultimately falls on the customer. Check out our top 8 AWS Security best practices to learn more.

AWS security services and features

Since organizations using AWS must take ownership of cloud security as well, Amazon offers numerous services and security features to help with security policy implementation. Some of these cloud security options include:

• Network security: AWS gives customers options for securely connecting to its infrastructure through private or dedicated connections. Communication between different AWS services is also secured using TLS for encryption in transit, which customers have the flexibility to configure. These options – and many others – enable customers to increase privacy and control network access.

• Encryption: AWS provides built-in encryption for its various database services and any other data at rest on the platform. In addition, AWS offers APIs to integrate encryption and data protection with any services deployed in an AWS environment. AWS Key Management Service also makes it easier to manage cryptographic keys used for encryption across AWS services and applications.

• Configuration management: AWS offers tools to help organizations more easily and quickly configure resources that comply with organizational standards and best practices. This includes deployment tools for creating and decommissioning AWS resources as well as inventory and configuration management tools to track them over time.

• Identity and access management (IAM): AWS provides features for defining user accounts and roles. Combined with secure login options like AWS multi-factor or AWS IAM Identity Center (successor to AWS SSO), organizations can manage and enforce user access to cloud resources, service APIs, and the AWS console.

• Monitoring and logging: Through AWS CloudTrail, organizations can track actions taken through the AWS APIs and the AWS console. In addition, AWS GuardDuty can monitor for malicious activity and notify the organization through AWS CloudWatch, which is a solution for standardized logging across all AWS services.

AWS security issues and concerns

The cloud and its shared responsibility model create unique cloud security challenges. One challenge, in particular, is implementing strong application security for software that will be deployed on the AWS platform.

More specifically, organizations that run software on AWS need to be concerned with the risks related to the various components of their AWS deployments – from its source code and open source dependencies to the containers and infrastructure as code (IaC) configurations used to deploy them.

A key aspect of securing AWS, therefore, is vulnerability scanning. For example, scanning Terraform files for misconfigurations is crucial for hardening Amazon EKS security. This enables organizations to discover potential vulnerabilities in configuration files before they’re used to generate actual AWS infrastructure resources.

Snyk is an Advanced Technology Partner with AWS and has achieved AWS Security Competency status to help secure applications deployed on the AWS platform. In fact, Snyk has integrations with AWS services across the entire software development lifecycle (SDLC).

How Snyk fits with AWS

At the earlier stages of the SDLC, Snyk integrates with AWS managed services related to source control management (AWS CodeCommit), continuous integration (AWS CodeBuild), and continuous delivery (AWS CodePipeline) to detect issues during development.

In terms of container image security, Snyk integrates with the managed container orchestration (Amazon EKS) and managed container registry (Amazon ECR) services. This helps development teams detect container vulnerabilities to reduce the risks associated with containerized applications.

Snyk can scan the YAML and JSON template files for the platform’s IaC service (AWS CloudFormation) – which allows organizations to provision and manage AWS resources – to detect potential misconfigurations. Snyk also integrates with the serverless compute (AWS Lambda) and serverless container (AWS Fargate) services to detect vulnerabilities in open source code deployed on this infrastructure.

We’ve only just scratched the surface of the integrations Snyk has with AWS to improve cloud-native application security. To learn more about how to build applications securely across your AWS application stack, visit our AWS partner page or sign up for a free Snyk account.

AWS security FAQ'S