How Secure Is Your AWS Network?
Let our team of experts assess your cloud networks to identify any security weaknesses. An AWS Security Audit is an invaluable tool to get and stay secure.
Our experienced team of CREST & OWASP engineers performs a cost-effective and comprehensive assessment, providing you with clear results on what you are doing well and where problems lie.
- Certified Network & App Security, OWASP Specialist.
- Secure Data, Authentication, Service Configuration, Monitoring.
- Connectivity, Segmentation, Remote Access.
- Focus On Clear Reports and Advice.
- Cost Effective & Results Driven.
"We continue to find Ambersail and its penetration test team professional and capable. Costs are obviously a factor when choosing suppliers, so to use a company that provides such a high quality service with competitive pricing is a real advantage."
Network Manager, Counter Solutions.
Ambersail is a specialist in Security Compliance.
Why Perform an AWS Security Audit?
AWS and cloud solutions like it are the future for many companies’ networks. Many support business-critical data and services, and they are often trusted to be secure simply because they run on AWS.
This is true in many cases. Though imperfect, a simple network with default configurations is unlikely to have any major security flaws.
However, with increasing reliance on AWS services comes more complexity. As more appliances are connected and more services are exposed to the Internet, the attack surface becomes much larger. AWS might even be the primary store for data and network backups, effectively becoming a single point of failure.
All this means that gaining access to a network hosted in AWS may result in even greater impact than breaching a traditional network. Should an attacker gain access to privileged credentials for AWS itself, the damage may cause long lasting outages, assuming it can be recovered from at all.
Close attention to security is even more important.
It Is Easy To Get Your AWS Security Audit Started
Our team of friendly security experts has been reviewing the security of complex networks for many years. When you contact us, we can guide you on how to plan your audit: what to include, and which areas of your network might be vulnerable.
- Our goal is for you to get a comprehensive AWS security audit within your budget.
- Our CREST team has been auditing and testing clients from all over the world for many years.
- We will pay particular attention to key areas such as data storage and external access.
- Audit packages can easily be tailored to meet your requirements and address any areas of concern.
- Our advice is easy to understand and act on. We cut through tech-speak to help you understand what we have found and how to apply fixes.
- Our experienced team is ready to perform the AWS security audit to suit you. We can work at short notice and respond to the most urgent of requests.
- You will get thorough results reports that include what you do well, areas of concern and clear advice on what to do next.
Contact us to get started.
What Gets Reviewed In The AWS Security Audit?
No two networks are the same. Our audits follow a thorough review structure that ensures we consider all network configuration, supporting services and data storage.
Here are some key areas we focus on:
Authentication and Access Control. AWS allows user rights and permissions to be defined in great detail through Identity and Access Management (IAM). You can create users and access keys, with each being assigned different rights on different systems. For example, you may wish to have a user that can access customer data without being able to access company accounts. When configured correctly this can prevent an attacker who has gained a foothold from rapidly spreading through the entire environment.
Example checks we perform are:
- Are there multiple roles in use, so that root IAM privileges are not used for all actions? The overuse of root privileges significantly increases the risk of lateral movement should credentials be compromised. This can turn a minor breach into a disaster situation.
- High privilege roles should be protected with Multi-Factor Authentication. This is to ensure that should high privilege credentials be compromised (due to reused passwords, phishing, etc.) an attacker will not be able to compromise the AWS environment.
- Roles should follow the principle of least privilege to a suitable degree. This includes ensuring roles have access only to specific appliances and data stores as needed. This defence-in-depth measure can massively limit the extent of any data breaches, by ensuring an attacker needs to compromise multiple accounts to gain access to critical infrastructure.
- Ensure limited access to KMS (Key Management Service) for non-root roles. KMS is used to store any number of critical cryptographic keys – used for everything from user authentication to data encryption.
- Ensure a strong password policy is in place. As with any infrastructure relying on user authentication – a strong password can be the difference between no breach and catastrophic data loss.
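The IAM checks listed above, worked through as an added example (this is not Ambersail's own tooling): offline Python that flags root-like policies, privileged users without MFA, and weak password-policy settings. The sample policies, users and password policy are constructed to mirror the shapes boto3's IAM API returns; no AWS calls are made, and function names are assumptions.

```python
def as_list(v):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])

def is_admin_like(policy):
    """True if any Allow statement grants every action on every resource."""
    stmts = policy.get("Statement", [])
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        if s.get("Effect") != "Allow":
            continue
        if (any(a in ("*", "*:*") for a in as_list(s.get("Action")))
                and "*" in as_list(s.get("Resource"))):
            return True
    return False

def privileged_without_mfa(users):
    """Users holding an admin-like policy but no MFA device (constructed user shape)."""
    return sorted(u["UserName"] for u in users
                  if not u["MFAEnabled"] and any(is_admin_like(p) for p in u["Policies"]))

def password_policy_findings(p):
    """Settings that fall short of a strong account password policy."""
    f = []
    if p.get("MinimumPasswordLength", 0) < 14:
        f.append("MinimumPasswordLength below 14")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if not p.get(flag):
            f.append(flag + " is off")
    if p.get("PasswordReusePrevention", 0) < 24:
        f.append("PasswordReusePrevention below 24")
    return f

# Constructed samples: a root-like policy, a least-privilege policy, three users.
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::customer-data/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}  # Deny is never a grant
USERS = [
    {"UserName": "ops-admin", "MFAEnabled": False, "Policies": [ADMIN_LIKE]},
    {"UserName": "sec-admin", "MFAEnabled": True, "Policies": [ADMIN_LIKE]},
    {"UserName": "report-reader", "MFAEnabled": False, "Policies": [SCOPED]},
]
WEAK_PASSWORD_POLICY = {  # get_account_password_policy()['PasswordPolicy'] shape
    "MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": False, "PasswordReusePrevention": 5}
```

Run against real accounts, the same functions take the output of get_policy_version, list_mfa_devices and get_account_password_policy.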
Data security. S3 buckets are one of the most commonly used AWS services. They provide cloud-based data storage which can be used for any number of things – everything from simple log storage and website content to huge CRM databases. They have also been the source of numerous data breaches in recent years, resulting in the exposure of private data like medical records, bank details and so on. Our AWS Security Audit will check that they are not publicly accessible and that data is stored in a secure, encrypted format.
Example checks are:
- Ensuring data stores such as S3 buckets and RDS (Relational Database Service) are not publicly accessible. This is to ensure that sensitive data is not unknowingly exposed to the wider Internet.
- Data stores such as S3 buckets are protected with data-at-rest encryption by default. If server-side encryption is used, key generation, storage, and rotation should be correctly configured. This verifies that should access to the underlying storage hardware be gained, data will not be compromised.
- Making sure that TLS encryption is required for all data transfers. This is to ensure a man-in-the-middle attacker cannot intercept transmissions and read the data as it is sent over the wire.
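The three S3 checks above as an added example (not Ambersail's code): a bucket's public access block, its bucket policy (public grants, and a Deny on non-TLS requests via the aws:SecureTransport condition key) and its default encryption are evaluated offline. The two sample buckets are constructed in the shapes boto3 returns, with the policy already parsed from the JSON string get_bucket_policy gives back; function names are assumptions.

```python
def as_list(v):
    return [v] if isinstance(v, str) else list(v or [])
def statements(policy):
    s = policy.get("Statement", [])
    return [s] if isinstance(s, dict) else s
def is_everyone(principal):  # "*" or {"AWS": "*"}: anyone, signed in or not
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in as_list(principal.get("AWS")))

def policy_allows_public(policy):
    """An unconditional Allow to everyone makes the bucket or its objects public."""
    return any(s.get("Effect") == "Allow" and is_everyone(s.get("Principal"))
               and not s.get("Condition") for s in statements(policy))

def policy_requires_tls(policy):
    """A Deny on s3:* for everyone when aws:SecureTransport is false forces TLS."""
    return any(s.get("Effect") == "Deny" and is_everyone(s.get("Principal"))
               and "s3:*" in as_list(s.get("Action"))
               and str(s.get("Condition", {}).get("Bool", {})
                       .get("aws:SecureTransport", "")).lower() == "false"
               for s in statements(policy))

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def bucket_findings(b):
    """b: boto3 PublicAccessBlockConfiguration, Policy (parsed) and SSE config for one bucket."""
    findings = []
    if not all(b.get("PublicAccessBlockConfiguration", {}).get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    policy = b.get("Policy") or {}
    if policy_allows_public(policy):
        findings.append("bucket policy grants public access")
    if not policy_requires_tls(policy):
        findings.append("bucket policy does not deny non-TLS requests")
    rules = b.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in rules):
        findings.append("no default server-side encryption")
    return findings

# Constructed samples: a leaky bucket and a hardened one.
LEAKY = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, False),
         "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::exports/*"}]}}
HARDENED = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True),
            "Policy": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                       "Resource": ["arn:aws:s3:::exports", "arn:aws:s3:::exports/*"],
                       "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
            "ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
```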
Service visibility. There are often a large number of sensitive services hosted in an AWS environment. It is critical to implement access controls which prevent external access to them, in much the same way a firewall would protect a traditional network. AWS allows fine-grained access control rules to be configured to properly restrict public visibility. It is important that these rules are regularly audited, and that any modifications are tracked.
Our checks include:
- That default rules restrict external access to appliances, including data stores and EC2 instances. This is where AWS acts like a firewall, preventing access to internal resources from the wider Internet.
- We check that any exceptions to rules are correct and as limited as possible. As with a traditional firewall, there are often legitimate reasons for services to be exposed, for example web servers, VPN endpoints and mail servers.
- Internal access should be restricted, to prevent lateral movement between appliances. This could be compared to traditional network segmentation. Keeping every appliance on the same Virtual Private Cloud (VPC) can simplify implementation. However, it can also simplify an attack path. We check to see if improvements can be made, separating sensitive data from public services.
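The security-group review described above as an added example (not Ambersail's code): one function lists ingress rules that expose ports other than an agreed exception set to the whole Internet, the other lists all-port rules sourced from a range covering the entire VPC, the pattern that leaves lateral movement unrestricted. The two groups are constructed in the shape describe_security_groups() returns; function names and the 80/443 exception set are assumptions.

```python
import ipaddress

WORLD = ("0.0.0.0/0", "::/0")

def port_range(perm):
    """(from, to) for an IpPermissions entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))

def sources(perm):
    """CIDR sources of a rule (rules sourced from another group carry no CIDR)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def internet_exposed(sg, allowed=frozenset({80, 443})):
    """Ingress rules open to the whole Internet on any port outside the allowed set."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = port_range(perm)
        for src in sources(perm):
            if src in WORLD and not all(p in allowed for p in range(lo, hi + 1)):
                hits.append((sg["GroupId"], perm.get("IpProtocol"), lo, hi, src))
    return hits

def vpc_wide_rules(sg, vpc_cidr):
    """All-port ingress from a range covering the whole VPC: no internal segmentation."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for perm in sg.get("IpPermissions", []):
        if port_range(perm) != (0, 65535):
            continue
        for src in sources(perm):
            net = ipaddress.ip_network(src)
            if net.version == vpc.version and net.supernet_of(vpc):
                hits.append((sg["GroupId"], src))
    return hits

# Constructed samples in describe_security_groups()['SecurityGroups'] shape.
WEB_SG = {"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DB_SG = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},   # whole VPC, every port
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]}                   # the rule it should be
```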
Logging. AWS has extensive logging capabilities under the CloudTrail banner, allowing monitoring of a huge number of events and configuration changes. As far as security goes, it is crucial that these are enabled, their integrity is validated, and they are monitored. In the event of a breach these logs can help determine how far an attacker has been able to go, what actions they have performed and what data they have gathered. Our AWS Security Audit will review whether:
- CloudTrail is enabled for all regions. This is the bare minimum as far as AWS logs go. CloudTrail significantly improves the chances of recovery from a security incident and may help in day-to-day use in other ways.
- CloudTrail integrity protection is enabled. Integrity protection is critical as, in the event of a breach, an attacker may target the CloudTrail logs to hide their tracks. Integrity protection validates the logs, ensuring they have not been modified.
- Logs are stored in a secure location, preferably using strong encryption. This will help prevent an attacker gaining access to the logs and modifying/deleting them. Again, the availability and accuracy of log files can be critical.
- Importantly, S3 access logging is enabled. If there is a data breach, logs of which data was accessed and by whom may be required for the purposes of data protection. This can also aid in the discovery of a breach. Any unusual access to S3 buckets can be quickly noticed if these logs are enabled.
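The four logging checks above as an added example (not Ambersail's code), plus the monitoring side of the same point: one function reports gaps in a trail's configuration (multi-region, log file validation, which is the AWS name for CloudTrail integrity protection, KMS encryption), another lists data buckets without S3 access logging, and a third scans CloudTrail records for calls that silence or reshape CloudTrail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors are the real API names). Trails, bucket-logging results and records are constructed in the shapes the AWS APIs return; the account id and key id are placeholders and function names are assumptions.

```python
import json

def trail_findings(trail):
    """Gaps in one trail: a describe_trails() entry plus IsLogging from get_trail_status()."""
    f = []
    if not trail.get("IsLogging"):
        f.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        f.append("not a multi-region trail")
    if not trail.get("LogFileValidationEnabled"):
        f.append("log file validation (integrity protection) off")
    if not trail.get("KmsKeyId"):
        f.append("log files not encrypted with a KMS key")
    return f

def buckets_without_access_logging(bucket_logging):
    """Names of data buckets whose get_bucket_logging() result has no LoggingEnabled block."""
    return sorted(name for name, cfg in bucket_logging.items() if "LoggingEnabled" not in cfg)

# CloudTrail API calls that silence or reshape the trail itself; any one is worth an alert.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def tamper_events(records):
    """(time, event, actor, trail) for records that touch CloudTrail's own configuration."""
    return [(r["eventTime"], r["eventName"], r.get("userIdentity", {}).get("arn", "?"),
             (r.get("requestParameters") or {}).get("name"))
            for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com" and r.get("eventName") in TAMPER_EVENTS]

# Constructed samples; account id and KMS key id are placeholders.
TRAILS = [
    {"Name": "org-trail", "S3BucketName": "audit-logs", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "IsLogging": True,
     "KmsKeyId": "arn:aws:kms:eu-west-2:111111111111:key/PLACEHOLDER-KEY-ID"},
    {"Name": "legacy-trail", "S3BucketName": "old-logs", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "IsLogging": True},
]
BUCKET_LOGGING = {"customer-data": {"LoggingEnabled": {"TargetBucket": "access-logs",
                                                       "TargetPrefix": "customer-data/"}},
                  "exports": {}}
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/report-reader"}},
 {"eventTime": "2024-03-01T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2024-03-01T10:06:02Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"}}
]""")
```

In a live account the records come from the trail's S3 bucket (one gzipped JSON file per delivery, each with a top-level "Records" list), so the same scan can run as a scheduled job over new deliveries.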