What is the AWS Shared Responsibility Model?
While there is nothing inherently insecure about the cloud, the fact remains that responsibility is shared between service providers and their customers. In fact, AWS features what Amazon calls the Shared Responsibility Model, which means that AWS is responsible for the cloud facilities in general, the physical security of their hardware and the virtualization infrastructure — but not the apps that run on it.
To enact appropriate measures that ensure systems and data remain safe, establishing who is responsible for which aspects of security within an organization is key. In 2018, for example, it was demonstrated that misconfigured AWS accounts using Amazon’s Metadata Service could, in some cases, give an attacker access to AWS root account credentials. In this case, the responsibility to properly configure AWS security settings lies not with Amazon, but with the provisioner. Blaming the service provider is not an option; ultimately, security should be a constant consideration for everyone involved.
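The metadata-service case above is a configuration that the customer, not AWS, owns. As an added example (not code from the original article), the script below audits the `MetadataOptions` block that EC2 `DescribeInstances` returns and flags instances that still answer metadata requests without a session token (IMDSv1), treating an instance that also carries an IAM instance profile as the higher-risk case because that is where role credentials are exposed. The instance data is constructed sample data; the account id and instance ids are placeholders. Requiring tokens (IMDSv2) as the mitigation is an assumption of this example, not a recommendation taken from the article.

```python
"""Audit EC2 instance metadata settings from a DescribeInstances-shaped response.

Added example, not from the original article. Every value in
SAMPLE_DESCRIBE_INSTANCES is constructed for the example; in a live account the
same structure comes from `aws ec2 describe-instances` / boto3 describe_instances().
"""

# Constructed sample response (placeholder account 111122223333, made-up instance ids).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {   # worst case: IMDSv1 allowed, role attached, responses may travel 2 hops
                "InstanceId": "i-0aaa111",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 2},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web-role"},
            },
            {   # hardened: session token required, single hop
                "InstanceId": "i-0bbb222",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web-role"},
            },
            {   # metadata endpoint switched off entirely
                "InstanceId": "i-0ccc333",
                "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1},
            },
            {   # IMDSv1 allowed but no role attached: less to steal, still worth fixing
                "InstanceId": "i-0ddd444",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1},
            },
        ]}
    ]
}


def iter_instances(response):
    """Flatten the Reservations/Instances nesting of a DescribeInstances response."""
    for reservation in response.get("Reservations", []):
        yield from reservation.get("Instances", [])


def assess(instance):
    """Return (severity, message) findings for one instance's metadata options."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint") != "enabled":
        return findings  # endpoint disabled: nothing reachable, nothing to report
    has_role = "IamInstanceProfile" in instance
    if opts.get("HttpTokens") != "required":
        # Without a required token any process on the host (or anything that can
        # make the host issue a GET, such as an SSRF bug) can read the metadata.
        severity = "HIGH" if has_role else "MEDIUM"
        findings.append((severity, "IMDSv1 still allowed (HttpTokens is not 'required')"))
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        # A hop limit above 1 lets token responses be forwarded past the host's own
        # network stack, e.g. into containers running on the instance.
        findings.append(("LOW", "HttpPutResponseHopLimit > 1 widens who can obtain a token"))
    return findings


def audit(response):
    """Map instance id -> findings, omitting instances with nothing to report."""
    result = {}
    for inst in iter_instances(response):
        findings = assess(inst)
        if findings:
            result[inst["InstanceId"]] = findings
    return result


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_DESCRIBE_INSTANCES).items():
        for severity, message in findings:
            print(f"{instance_id}\t{severity}\t{message}")
```

For a flagged instance, the corresponding fix is applied with the EC2 CLI's `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`; the audit function is deliberately pure so the same check can be pointed at a saved JSON export or run inside a scheduled job.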
What does this mean for AWS users?
Security in the cloud is your responsibility
Cloud security is always a collective responsibility, no matter which IaaS vendor you choose.
- AWS users should put in some extra effort to ensure that their apps are properly configured for their cloud infrastructure.
- For users with multiple and/or shared AWS instances, security is both more complex and more important: for example, if even a single instance is compromised, several users’ data could be affected.
- If nothing else, AWS users should set up a monitoring tool that can answer key questions (“Who did this? When did they do it? How did they do it?”). The answers to these questions can serve as guides for strategy and security objectives.
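The "who, when, how" questions in the last point, and the log-forwarding point made later under compliance, are what CloudTrail records are for. As an added example (not code from the article), the script below parses a CloudTrail log file of the usual `{"Records": [...]}` shape, reduces each record to who acted, when, and how (API action, source IP, user agent, region), and flags calls on a watch-list plus any action taken by the root user. The log contents are constructed sample data with placeholder account id and documentation IP ranges, and the watch-list itself is an assumption for the example.

```python
"""Answer "who did this, when, how" from CloudTrail records.

Added example, not from the original article. SAMPLE_LOG is constructed
sample data in the shape of a CloudTrail log file; account 111122223333 and
the 203.0.113.0/24 and 198.51.100.0/24 addresses are placeholders.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:16:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:20:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner",
                      "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
     "sourceIPAddress": "203.0.113.10", "userAgent": "Boto3/1.34.0",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-05-01T10:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
]})

# Assumed watch-list of API calls a security team wants surfaced; tune per account.
WATCHLIST = {
    "ConsoleLogin",
    "AuthorizeSecurityGroupIngress",
    "PutBucketAcl",
    "CreateAccessKey",
}


def principal(record):
    """WHO: a short, stable label for the identity behind a record."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "Unknown")
    if kind == "Root":
        return "Root"
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return f"AssumedRole:{issuer.get('userName', '?')}"
    return f"{kind}:{ident.get('userName', ident.get('arn', '?'))}"


def summarize(record):
    """Reduce one record to the who / when / how an analyst asks for first."""
    return {
        "who": principal(record),
        "when": record["eventTime"],
        "how": {
            "action": f"{record['eventSource']}:{record['eventName']}",
            "from_ip": record.get("sourceIPAddress"),
            "user_agent": record.get("userAgent"),
            "region": record.get("awsRegion"),
        },
    }


def flag_events(log_text, watchlist=WATCHLIST):
    """Parse a CloudTrail log file; return summaries of watch-listed calls and of
    every call made as root, in the order they appear in the file."""
    records = json.loads(log_text)["Records"]
    hits = []
    for rec in records:
        is_root = rec.get("userIdentity", {}).get("type") == "Root"
        if rec.get("eventName") in watchlist or is_root:
            hits.append(summarize(rec))
    return hits


def activity_by_principal(log_text):
    """Call counts per identity: a quick way to notice a principal that should not be active."""
    records = json.loads(log_text)["Records"]
    return Counter(principal(r) for r in records)


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG):
        print(json.dumps(hit))
    print(dict(activity_by_principal(SAMPLE_LOG)))
```

The same functions apply unchanged to real trail files once they are read from the S3 bucket the trail delivers to (and gunzipped); forwarding those files to a SIEM, as the compliance section notes, is the scaled-up version of this loop.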
Virtual systems need to be secured like physical systems
- No platform is 100% secure. From a security standpoint, cloud instances should be treated just like on-premise systems.
- A decision to transition to cloud services presents a genuine risk for enterprises. The infrastructure that supports cloud services tends to undergo security audits less frequently than on-premise systems do.
- It’s important to ensure that IT and security teams are involved in the decision-making process when it comes to adopting any new infrastructure or strategy, rather than merely being left to implement others’ decisions. These teams can test new platforms, keep them up to date, and fix any security issues they discover.
Security compliance for cloud services
- AWS is already compliant with the latest PCI DSS standards and many others. This means that its users can confidently use certified AWS services to meet security and compliance objectives from an infrastructure and business perspective, while themselves focusing only on application-level security.
- From an organization’s point of view, managing and implementing controls across individual cloud instances is a separate task. Separate provisions also need to be made to include cloud infrastructure in overall compliance strategies, together with on-premise infrastructure.
- Fortunately, the strategy for enforcing compliance requirements in the cloud is fairly similar to that for physical or on-premise setups. AWS services have myriad features, including log forwarding, that enable organizations to exercise governance and security controls in much the same way as for physical setups. Most log management and SIEM solutions also support integrations that collect event data from cloud products and services.
We all know the benefits of moving to a cloud setup, but the risks involved aren’t from transitioning to the cloud; rather, they are the result of poor policies and strategic implementations that leave your business open to attack.
What’s your take? Let us know in the comments below.