{"id":7136,"date":"2022-12-08T07:59:52","date_gmt":"2022-12-08T07:59:52","guid":{"rendered":"https:\/\/demo.slitigenz.io\/top-10-security-tools-for-your-aws-environment\/"},"modified":"2024-05-16T05:49:11","modified_gmt":"2024-05-16T05:49:11","slug":"top-10-security-tools-for-your-aws-environment","status":"publish","type":"post","link":"https:\/\/old.slitigenz.io\/vi\/top-10-security-tools-for-your-aws-environment\/","title":{"rendered":"Top 10 Security Tools for Your AWS Environment"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"7136\" class=\"elementor elementor-7136\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-85afeb1 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"85afeb1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5f9733a\" data-id=\"5f9733a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-22280ff elementor-widget elementor-widget-text-editor\" data-id=\"22280ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Amazon Web Services (AWS) enables organizations to build and scale applications quickly and securely. However, continuously adding new tools and services introduces new security challenges. 
According to reports, 70 percent of enterprise IT leaders are\u00a0concerned about how secure they are in the cloud\u00a0and 61 percent of small- to medium-sized businesses (SMBs) believe their\u00a0<a href=\"https:\/\/dzone.com\/articles\/61-of-smbs-believe-that-their-data-is-unsafe-in-th\">cloud data is at risk<\/a>.<\/p><p>AWS provides many different security tools to help customers keep their AWS accounts and applications secure. In fact, there was significant focus on AWS security best practices at re:Invent 2020. See the\u00a0Best practices with Amazon S3\u00a0recap and Jeremy Cowan&#8217;s\u00a0Securing your Amazon EKS applications: Best practices\u00a0session for some of the details.<\/p><p>In this article, we\u2019ll review the top ten AWS security tools you should consider using to improve your security posture in 2021 and beyond. Before we do that, we will briefly explain AWS account security versus application and service security.\u00a0 Organizations must focus on keeping both secure to protect against different types of attacks.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-78b49ec elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"78b49ec\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-55f9fa2\" data-id=\"55f9fa2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6c20028 elementor-widget 
elementor-widget-heading\" data-id=\"6c20028\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Account Security Versus Application And Service Security<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b6692d1 elementor-widget elementor-widget-text-editor\" data-id=\"b6692d1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>AWS provides security tools designed to improve both account security and application and service security.<\/p><p>An AWS account is an attack vector, as resources and data are accessible through the public application programming interface (API). Implementing a secure identity and access management strategy helps prevent leaking data \u2014 such as in S3 buckets \u2014 to the public. AWS\u2019s many tools provide insights into your configured permissions and access patterns, and record all actions for compliance and audit purposes.<\/p><p>Applications and services hosted in AWS are susceptible to different kinds of threats from the outside. Cross-site scripting (XSS), SQL injection, and brute-force attacks target public endpoints. Distributed denial-of-service (DDoS) attacks may attempt to bring down your services, potentially compromising your architecture security. Without proper management, sensitive information \u2014 such as database credentials \u2014 may leak.<\/p><p>Therefore, it&#8217;s critical that organizations migrating to the cloud focus on minimizing risk and improving their overall security posture by addressing both account security as well as application and service security. 
The following AWS services lock down your cloud security, helping keep your customer data and systems safe from attack.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-381fc52 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"381fc52\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0d05b85\" data-id=\"0d05b85\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6745fca elementor-widget elementor-widget-heading\" data-id=\"6745fca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Top 6 AWS Account Security Tools<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-782d322 elementor-widget elementor-widget-heading\" data-id=\"782d322\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">1. 
AWS Identity and Access Management (IAM)<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b8f07ce elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"b8f07ce\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b684ad7\" data-id=\"b684ad7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-567c9eb elementor-widget elementor-widget-text-editor\" data-id=\"567c9eb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<article><p>AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It enables you to create and control services for user authentication or limit access to a certain set of people who use your AWS resources.<\/p><p>The IAM workflow includes the following six elements:<\/p><ol><li>A principal is an entity that can perform actions on an AWS resource. A user, a role or an application can be a principal.<\/li><li>Authentication is the process of confirming the identity of the principal trying to access an AWS product. 
The principal must provide its credentials or required keys for authentication.<\/li><li>Request: A principal sends a request to AWS specifying the action and the resource on which it should be performed.<\/li><li>Authorization: By default, all access is denied. IAM authorizes a request only if all parts of the request are allowed by a matching policy. After authenticating and authorizing the request, AWS approves the action.<\/li><li>Actions are used to view, create, edit or delete a resource.<\/li><li>Resources: A set of actions can be performed on a resource related to your AWS account.<\/li><\/ol><p>To review, here are some of the main features of IAM:<\/p><ul><li>Shared access to the AWS account. The main feature of IAM is that it allows you to create separate usernames and passwords for individual users or resources and delegate access.<\/li><li>Granular permissions. Restrictions can be applied to requests. For example, you can allow a user to download information but, through policies, deny that user the ability to update information.<\/li><li>Multifactor authentication (MFA). IAM supports MFA, in which users provide their username and password plus a one-time password from their phone\u2014a randomly generated number used as an additional authentication factor.<\/li><li>Identity Federation. If the user is already authenticated, such as through a Facebook or Google account, IAM can be made to trust that authentication method and then allow access based on it. This can also be used to allow users to maintain just one password for both on-premises and cloud environment work.<\/li><li>Free to use. There is no additional charge for IAM itself, nor for creating additional users, groups or policies.<\/li><li>PCI DSS compliance. 
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. IAM complies with this standard.<\/li><li>Password policy. The IAM password policy allows you to reset a password or rotate passwords remotely. You can also set rules, such as how a user should pick a password or how many attempts a user may make to provide a password before being denied access.<\/li><\/ul><\/article>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c930797 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"c930797\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3422ddb\" data-id=\"3422ddb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-50dd9d5 elementor-widget elementor-widget-heading\" data-id=\"50dd9d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">2. 
Amazon GuardDuty<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c8dde55 elementor-widget elementor-widget-text-editor\" data-id=\"c8dde55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><p>Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. These cover use of compromised credentials, simplified forensics and continuous monitoring of all security events seen in an AWS customer\u2019s environment. With the announcement of the new Malware Protection feature, GuardDuty will scan EBS-backed EC2 instances that show malicious behavior based on GuardDuty\u2019s existing findings, report malware detected on EC2 instances and on containers running on EC2, and instantly send that data to Trellix Helix.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-43120a0 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"43120a0\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-49e70d0\" data-id=\"49e70d0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7b1dd4e elementor-widget elementor-widget-heading\" 
data-id=\"7b1dd4e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">3. Amazon Macie\n<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-94ef3b4 elementor-widget elementor-widget-text-editor\" data-id=\"94ef3b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><div class=\"is it iu iv iw\"><p>Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in the Amazon Web Services (AWS) Cloud<strong>. It currently only supports Amazon Simple Storage Service (Amazon S3)<\/strong>, but more AWS data stores are planned.<\/p><p>Macie can\u00a0<strong>recognize any PII or Protected Health Information (PHI)<\/strong>\u00a0that exists in your S3 buckets. Macie also monitors the S3 buckets themselves for security and access control. This all can help you meet regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and General Data Privacy Regulation (GDPR) or just continually achieve the security you require in the AWS Cloud environment.<\/p><p>Within a few minutes after enabling Macie for your AWS account, Macie will generate your\u00a0<strong>S3 bucket list<\/strong>\u00a0in the region where you enabled it. Macie will also begin to monitor the security and access control of the buckets. When it detects the risk of unauthorized access or any accidental data leakage, it generates\u00a0<strong>detailed findings<\/strong>.<\/p><p>The dashboard provides you with a summary that shows you how the data is accessed or moved. 
This dashboard gives you a view of the total number of buckets, the total number of objects, and the total amount of S3 storage consumed.<\/p><p>It also breaks down S3 buckets by whether they are shared publicly, whether they are encrypted, and whether they are shared inside or outside your AWS account or AWS Organization.<\/p><p>You can create and run sensitive data discovery jobs to automatically discover, record, and report sensitive data in Amazon S3 buckets.<\/p><p>A job can be configured to run once for on-demand analysis, or on a schedule for ongoing analysis and monitoring.<\/p><p>A finding is a detailed report of a potential policy violation, or of sensitive data, in S3 buckets or S3 objects. Macie provides two types of findings: policy findings and sensitive data findings.<\/p><p>Macie can also send all findings to\u00a0Amazon CloudWatch\u00a0Events so you can build custom remediation and alert management.<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-483234d elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"483234d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3bd15b8\" data-id=\"3bd15b8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f0e99b0 elementor-widget elementor-widget-heading\" data-id=\"f0e99b0\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">4. AWS Config<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c262565 elementor-widget elementor-widget-text-editor\" data-id=\"c262565\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><div class=\"is it iu iv iw\"><p>AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.<\/p><p>With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time.<\/p><p>These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.<\/p><p>Allow you to assess, audit and evaluate configurations of your AWS resources.<\/p><p>Very useful for Configuration Management as part of an ITIL program.<\/p><p>Creates a baseline of various configuration settings and files and can then track variations against that baseline.<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a2fe14f elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"a2fe14f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div 
class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-29f6ed2\" data-id=\"29f6ed2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-dff4fca elementor-widget elementor-widget-heading\" data-id=\"dff4fca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">5. AWS CloudTrail<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-535e5b4 elementor-widget elementor-widget-text-editor\" data-id=\"535e5b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><div class=\"is it iu iv iw\"><p>AWS CloudTrail\u00a0is an application program interface (API) call-recording and log-monitoring Web service offered by Amazon Web Services (AWS).<\/p><p>AWS CloudTrail allows AWS customers to record API calls, sending log files to\u00a0Amazon S3\u00a0buckets for storage. The service provides API activity data including the identity of an API caller, the time of an API call, the source of the IP address of an API caller, the request parameters and the response elements returned by the AWS service.<\/p><p>CloudTrail can be configured to publish a notification for each log file delivered, allowing users to take action upon log file delivery &#8212; a process that according to AWS should only take about 15 minutes. 
It can also be configured to aggregate log files across multiple accounts so that log files are delivered to a single S3 bucket.<\/p><p>The service can facilitate\u00a0regulatory compliance\u00a0reporting for organizations that use AWS and need to track the API calls for one or more AWS accounts. CloudTrail can also be configured to feed security information and event management (SIEM) platforms and resource management tools.<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0d206ed elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"0d206ed\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4040e0f\" data-id=\"4040e0f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8ef5c18 elementor-widget elementor-widget-heading\" data-id=\"8ef5c18\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">6. 
Security Hub<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2ca8b5c elementor-widget elementor-widget-text-editor\" data-id=\"2ca8b5c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><div class=\"is it iu iv iw\"><p>AWS Security Hub\u00a0combines information from all the above services in a central, unified view. It collects data from all security services across multiple AWS accounts and regions, making it easier to get a complete view of your AWS security posture. In addition, Security Hub supports collecting data from third-party security products. Security Hub is essential to providing your security team with all the information they may need.<\/p><p>A key feature of Security Hub is its support for industry-recognized security standards, including the CIS AWS Foundations Benchmark and the Payment Card Industry Data Security Standard (PCI DSS).<\/p><p>Combine Security Hub with\u00a0AWS Organizations\u00a0for the simplest way to get a comprehensive security overview of all your AWS accounts.<\/p><p>Now that we have addressed the top account security tools, let\u2019s focus on the top four AWS application security tools you should consider.<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0588d1a elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"0588d1a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-c5e0ca7\" data-id=\"c5e0ca7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fb76fc7 elementor-widget elementor-widget-heading\" data-id=\"fb76fc7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Top 4 AWS Application Security Tools<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2584783 elementor-widget elementor-widget-heading\" data-id=\"2584783\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">1. Amazon Inspector<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b6c73ed elementor-widget elementor-widget-text-editor\" data-id=\"b6c73ed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><div class=\"is it iu iv iw\"><p>Amazon Inspector is an AWS software tool that automatically assesses a customer&#8217;s AWS cloud deployment for security vulnerabilities and deficiencies. Amazon Inspector evaluates\u00a0cloud applications\u00a0for weak points or deviations from best practices before and after they are deployed, validating that proper security measures are in place. 
The service then provides a prioritized list of security findings, including detailed descriptions of issues and recommendations to fix problems.<\/p><p>Amazon Inspector is available through the\u00a0AWS Management Console\u00a0and is installed as an agent on the operating system of\u00a0Elastic Compute Cloud instances. Amazon Inspector requires an\u00a0AWS Identity and Access Management\u00a0(IAM) role, which grants the service permission to itemize the instances and tags to assess before evaluating the security of a cloud deployment. The service can create an AWS IAM role, if needed.<\/p><p>An IT administrator defines an assessment template, which includes the rules packages to follow, the duration of the assessment run, the topics that result in notifications from\u00a0Amazon Simple Notification Service\u00a0and other attributes. The analysis of the target environment is called the assessment run, which analyzes behavioral data within a target, including network traffic, running processes and communication between\u00a0cloud services.<\/p><p>Amazon Inspector pulls best practices from a knowledge base consisting of hundreds of rules (individual security practices or tests) that are updated by AWS security researchers. Amazon Inspector provides public-facing\u00a0APIs\u00a0that allow a user to integrate the service with non-cloud technologies, such as email or security dashboards.<\/p><p>Amazon Inspector is billed based on the number of assessment runs and systems assessed, combining those elements into a metric called agent-assessments. 
Amazon provides a free trial before billing a customer per agent-assessment.<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d724556 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no\" data-id=\"d724556\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a460a14\" data-id=\"a460a14\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c3279d6 elementor-widget elementor-widget-heading\" data-id=\"c3279d6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">2. AWS Shield<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2e8b409 elementor-widget elementor-widget-text-editor\" data-id=\"2e8b409\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"is it iu iv iw\"><div class=\"is it iu iv iw\"><p>AWS Shield protects AWS components against\u00a0DDoS attacks. These attacks produce huge numbers of artificially generated requests to disrupt public applications. 
Shield is available in two tiers: Standard and Advanced.<\/p><p>AWS Shield Standard is enabled by default in\u00a0<a href=\"https:\/\/www.techtarget.com\/searchaws\/definition\/Amazon-CloudFront\">CloudFront<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.techtarget.com\/searchaws\/definition\/Amazon-Route-53-Traffic-Flow\">Route 53<\/a>\u00a0at no extra cost. AWS Shield Advanced is available for those two services plus several others: Elastic Load Balancing, EC2, Elastic IPs and Global Accelerator.<\/p><p>AWS Shield Standard offers protection\u00a0against certain attacks but lacks flexibility for custom configurations. Shield Advanced integrates with the AWS WAF service to configure specific protection rules. Additionally, Shield Advanced provides access to the AWS Shield response team, a 24\/7 support group available for emergencies. It also protects against extra AWS charges that could be incurred as a result of increased usage due to a DDoS attack; affected customers can request credits.<\/p><p>AWS Shield Advanced costs $3,000 per month. There is an additional data transfer fee, which varies depending on the protected resource type and the amount of data transferred (e.g., &lt;100 TB, 400 TB, 500 TB). The Shield Advanced data transfer fee could be between $25 and $50 for 1 TB of data transferred within the initial 100 TB bracket, depending on the protected resource type. This is in addition to the data transfer fees applicable to each protected resource. The monthly fee is applicable per AWS Organization. Therefore, deployments across multiple AWS accounts within one Organization would pay only a single fee.<\/p><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Amazon Web Services (AWS) enables organizations to build and scale applications quickly and securely. 
However, continuously adding new tools and services introduces new security challenges. According to reports, 70 percent of enterprise IT leaders are\u00a0concerned about how secure they are in the cloud\u00a0and 61 percent of small- to medium-sized businesses (SMBs) believe their\u00a0cloud data is at risk. AWS provides many different security tools to help customers keep their AWS accounts and applications secure. In fact, there was significant focus on AWS security best practices at re:Invent 2020. See the\u00a0Best practices with Amazon S3\u00a0recap and Jeremy Cowan&#8217;s\u00a0Securing your Amazon EKS applications: Best practices\u00a0session for some of the details. In this article, we\u2019ll review the top ten AWS security tools you should consider using to improve your security posture in 2021 and beyond. Before we do that, we will briefly explain AWS account security versus application and service security.\u00a0 Organizations must focus on keeping both secure to protect against different types of attacks. Account Security Versus Application And Service Security AWS provides security tools designed to improve both account security and application and service security. An AWS account is an attack vector, as resources and data are accessible through the public application programming interface (API). Implementing a secure identity and access management strategy helps prevent leaking data \u2014 such as in S3 buckets \u2014 to the public. AWS\u2019s many tools provide insights into your configured permissions and access patterns, and record all actions for compliance and audit purposes. Applications and services hosted in AWS are susceptible to different kinds of threats from the outside. Cross-site scripting (XSS), SQL injection, and brute-force attacks target public endpoints. Distributed denial-of-service (DDoS) attacks may attempt to bring down your services, potentially compromising your architecture security. 
Without proper management, sensitive information \u2014 such as database credentials \u2014 may leak. Therefore, it&#8217;s critical that organizations migrating to the cloud focus on minimizing risk and improving their overall security posture by addressing both account security as well as application and service security. The following AWS services lock down your cloud security, helping keep your customer data and systems safe from attack. Top 6 AWS Account Security Tools 1. AWS Identity and Access Management (IAM) AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It enables you to create and control services for user authentication or limit access to a certain set of people who use your AWS resources. The IAM workflow includes the following six elements: A principal is an entity that can perform actions on an AWS resource. A user, a role or an application can be a principal. Authentication is the process of confirming the identity of the principal trying to access an AWS product. The principal must provide its credentials or required keys for authentication. Request: A principal sends a request to AWS specifying the action and which resource should perform it. Authorization: By default, all resources are denied. IAM authorizes a request only if all parts of the request are allowed by a matching policy. After authenticating and authorizing the request, AWS approves the action. Actions are used to view, create, edit or delete a resource. Resources: A set of actions can be performed on a resource related to your AWS account. Let us explore the components of IAM in the next section of the AWS IAM tutorial. To review, here are some of the main features of IAM: Shared access to the AWS account. The main feature of IAM is that it allows you to create separate usernames and passwords for individual users or resources and delegate access. Granular permissions. Restrictions can be applied to requests. 
For example, you can allow the user to download information, but deny the user the ability to update information through the policies. Multifactor authentication (MFA). IAM supports MFA, in which users provide their username and password plus a one-time password from their phone\u2014a randomly generated number used as an additional authentication factor. Identity Federation. If the user is already authenticated, such as through a Facebook or Google account, IAM can be made to trust that authentication method and then allow access based on it. This can also be used to allow users to maintain just one password for both on-premises and cloud environment work. Free to use. There is no additional charge for IAM security. There is no additional charge for creating additional users, groups or policies. PCI DSS compliance. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. IAM complies with this standard. Password policy. The IAM password policy allows you to reset a password or rotate passwords remotely. You can also set rules, such as how a user should pick a password or how many attempts a user may make to provide a password before being denied access. In the last section of the AWS IAM tutorial, let us go through a demo on how to create an S3 bucket using the multifactor authentication (MFA) feature. 2. Amazon GuardDuty Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. These include use of compromised credentials, simplified forensics and continuous monitoring of all security events seen in an AWS customer's environment. 
With the announcement of the new Malware Protection feature, GuardDuty will scan EBS-backed EC2 instances that show malicious behavior based on GuardDuty\u2019s existing findings, report malware detected on EC2 and on containers running on EC2, and instantly send data to Trellix Helix. 3. Amazon Macie Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in the Amazon Web Services (AWS) Cloud. It currently only supports Amazon Simple Storage Service (Amazon S3), but more AWS data stores are planned. Macie can\u00a0recognize any PII or Protected Health Information (PHI)\u00a0that exists in your S3 buckets. Macie also monitors the S3 buckets themselves<\/p>","protected":false},"author":6,"featured_media":7138,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"postBodyCss":"","postBodyMargin":[],"postBodyPadding":[],"postBodyBackground":{"backgroundType":"classic","gradient":""},"footnotes":""},"categories":[8],"tags":[],"class_list":["post-7136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-stack"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/posts\/7136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/comments?post=7136"}],"version-history":[{"count":3,"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/posts\/7136\/revisions"}],"predecessor-version":[{"id":10737,"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/posts\/7136\/revisions\/10737"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/old.slitigenz.io\/vi\/
wp-json\/wp\/v2\/media\/7138"}],"wp:attachment":[{"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/media?parent=7136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/categories?post=7136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/old.slitigenz.io\/vi\/wp-json\/wp\/v2\/tags?post=7136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}