Best Practices for Container Security on AWS
Containers have changed how we deploy software. Learn how to better protect your containerized applications from external threats.
As businesses consider migrating their on-premises applications to the Cloud, data security is a critical concern. Can a cloud provider offer the same or better level of data security as a business provides in its own data center? What services are available to defend against the financial and reputational damage of a data breach?
In answer to these questions, cloud providers like Amazon offer a full range of services to manage data security in the Cloud. From infrastructure hardening to threat detection, AWS provides comprehensive services to maximize data security in cloud computing environments. An overview of several major services helps in understanding the AWS approach and builds confidence in migrating data and applications to AWS.
AWS addresses data security in cloud computing at four levels—encryption, infrastructure, access, and monitoring—to ensure your data is secure, grant access only to authorized people, and monitor for security threats.
Encryption is the foundation for data security at rest and in transit. AWS supports encryption across the storage and database services it offers, including Simple Storage Service (S3), DynamoDB, DocumentDB, Elastic File System (EFS), Elastic MapReduce (EMR), Elastic Block Store (EBS), Glacier, Oracle RDS, SQL Server RDS, and Redshift.
AWS provides two options for managing the encryption keys that secure data. AWS Key Management Service (KMS) supports the full encryption key lifecycle, giving you the option of having AWS manage the encryption keys or keeping complete control over your keys yourself. As an alternative, AWS CloudHSM provides a dedicated hardware security module for cryptographic key management, the widely used option for businesses that require FIPS 140-2 Level 3 certification to meet compliance requirements.
Network infrastructure is the foundation for secure data transmission in the Cloud. AWS protects data with network firewalls built into Amazon Virtual Private Cloud (VPC), as well as with AWS Web Application Firewall (AWS WAF), which adds a further layer of security for your publicly exposed resources by helping to mitigate common attack vectors, denial of service attacks, and traffic from known bad actors.
AWS also offers private dedicated connections between AWS VPC and on-premises resources to bypass less secure Internet routing. Data traffic is automatically encrypted across the AWS global and regional networks that link AWS data centers.
Authorized access to data and applications is an equally critical factor in establishing and maintaining data security in cloud environments. AWS makes it easy to centrally establish and maintain access rights across many of its services with the following capabilities:
AWS eases the process of data migration to the Cloud by allowing an enterprise to use existing corporate directories, providing a means to centrally manage individual access and enabling developers to integrate existing applications with AWS features and services.
Even with data securely encrypted and traffic protected by robust network architectures, enterprises face continuing threats of data breaches, DDoS attacks, and a multitude of attempts to disrupt operations and access confidential data. AWS provides visibility into your workload with Amazon CloudWatch, which monitors infrastructure and applications, alerts when specific events occur or thresholds are exceeded, and takes automated actions. CloudWatch gathers logs, performance metrics, and event data and presents a unified view of AWS resources and of the applications and services running on AWS as well as on on-premises servers.
AWS CloudTrail provides insight into who is taking actions and how an AWS account is being used. Specifically, AWS CloudTrail maintains an event history of account activity for all AWS services and actions. This record can be used for security analysis in support of compliance, risk, and governance requirements.
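The kind of security analysis this paragraph refers to can be run directly over CloudTrail's JSON output. The following is an added example, not code from the page or from AWS: it reads a constructed CloudTrail-style `Records` array (the event names are real API names, the account, ARNs and IP addresses are made up) and reports events that weaken the encryption and monitoring controls discussed above, plus any use of the root identity.

```python
import json
from typing import Dict, List

# Constructed sample in CloudTrail's JSON layout ("Records" array); not real account data.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "errorMessage": "Failed authentication",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
]})

# API calls that weaken the encryption or logging controls described above,
# mapped to the control each one affects.
WATCHED_EVENTS = {
    "ScheduleKeyDeletion": "KMS key scheduled for deletion",
    "DisableKey": "KMS key disabled",
    "DeleteBucketEncryption": "S3 default encryption removed",
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
}

def find_control_changes(trail_json: str) -> List[Dict[str, str]]:
    """Return one finding per watched event (or root use), with actor and source IP."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        name = rec.get("eventName", "")
        identity = rec.get("userIdentity", {})
        reason = WATCHED_EVENTS.get(name)
        # Any root activity is reported, even when the event name is not on the list;
        # a failed attempt (errorCode/errorMessage present) is marked as such.
        if reason is None and identity.get("type") == "Root":
            failed = "errorCode" in rec or "errorMessage" in rec
            reason = "root credentials used" + (" (failed)" if failed else "")
        if reason is None:
            continue
        findings.append({"time": rec.get("eventTime", ""), "event": name,
                         "actor": identity.get("arn", "unknown"),
                         "source_ip": rec.get("sourceIPAddress", ""), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_control_changes(SAMPLE_TRAIL):
        print(f"{f['time']} {f['event']:<24} {f['actor']} from {f['source_ip']}: {f['reason']}")
```

The routine Decrypt call is deliberately not reported, so the output is limited to the four events a reviewer would want to see, along with who performed them.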
Amazon GuardDuty applies machine learning, anomaly detection, and threat recognition to analyze billions of events across AWS data sources, including DNS logs, AWS VPC flow logs, and AWS CloudTrail. It continuously looks for malicious or unauthorized activity to protect AWS accounts and workloads against security threats.
Although Amazon provides a wide range of services to ensure your data’s security at the levels of encryption, infrastructure, access, and monitoring, enterprises making their move into cloud computing can benefit greatly from the guidance of an AWS Consulting Partner who has already helped hundreds of companies make the transition. An AWS consulting partner can: