Amazon Web Services (AWS) is the currently reigning king of public cloud services, giving cloud security professionals a huge (and ever-increasing) list of AWS security services to play around with in 2022. The variety of security services, however, can also be quite intimidating for newcomers and leave them unsure of where to start. The diagram below captures just a tiny fraction of the services available in the AWS security ecosystem (more will probably have been added by the time this article is read!)

A sample of AWS security services

So where does one start if you are looking after AWS cloud security? I wrote about AWS Control Tower a while back, but that is not the first place you want to jump into without a solid foundation in place! To help out newcomers, I have made my list of AWS security services and the sequence in which you should start learning them.

DISCLAIMER: This is based on my own subjective experiences, of course, and on a lot of pain-based trial and error in my own cloud security career! I have tried to cover those services which are applicable in any environment regardless of its size. This is not a tutorial on these services but rather a guide to which ones you should start learning ASAP to get a good foundation in place.

This is by no means an exhaustive list.

Let's take a look at which foundational AWS security services you should start playing around with and how to build upon them. I hope this AWS security services list helps you out in your cloud journey, and let me know in the comments section what I could have added!

Foundational AWS security services

1. AWS Identity and Access Management (IAM)

Whether you are a small single-account tech startup or a massive Fortune 500 with thousands of AWS accounts, there is no escaping AWS IAM. It touches every single AWS service out there, as the focus of security in the cloud shifts to an identity-based model. Ignoring IAM and not making it the foundation of your cloud security will leave you with a weak cloud security framework right from the start. At a minimum you need to know how to author IAM policies and how they are structured. A lot of security people seem to have an allergic reaction to JSON-based policies, but they are quite easy to understand once you get the hang of them. Believe me when I say that understanding policy structure and logic will make life considerably easier for you in the long run.

JSON is the key to IAM

Do these steps to get started:

  1. Create a simple user in IAM.
  2. Create a simple policy in IAM and assign it to the user. Test whether the policy works, e.g. by allowing the user access to S3.
  3. Set up an IAM condition on your policy, e.g. allow access only from a specific location, IP address, or set of tags.
  4. Create a resource (bucket) policy in S3 that grants the user access. Does it work differently from the identity policy?

Understand the policy logic and how it gets evaluated. One of the very best tutorials on this can be viewed here:
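To make the evaluation logic concrete, here is a small added example (not from the original post, and not the tutorial referred to above) that simulates how IAM combines an identity policy with an S3 bucket policy: an explicit Deny wins, otherwise an Allow whose condition is satisfied wins, otherwise the request is implicitly denied. The policies, bucket name and IP ranges are constructed for illustration, and only the IpAddress/NotIpAddress condition on aws:SourceIp is modelled.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed identity policy (step 3 above): S3 reads on one bucket, only from an office range.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
# Constructed bucket (resource) policy (step 4 above): nobody may delete objects.
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}

def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?') for Action and Resource, string or list."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, ctx):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; anything else is out of scope here."""
    for op, kv in condition.items():
        for key, cidrs in kv.items():
            if op not in ("IpAddress", "NotIpAddress") or key != "aws:SourceIp":
                raise NotImplementedError(f"condition {op}/{key} not modelled")
            ip = ipaddress.ip_address(ctx["aws:SourceIp"])
            cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
            in_range = any(ip in ipaddress.ip_network(c) for c in cidrs)
            if in_range != (op == "IpAddress"):
                return False
    return True

def evaluate(action, resource, ctx, *policies):
    """Same-account evaluation: explicit Deny > Allow > implicit deny.
    Real IAM also applies SCPs, permission boundaries and session policies."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"
```

Run `evaluate("s3:GetObject", "arn:aws:s3:::example-bucket/file.txt", {"aws:SourceIp": "203.0.113.10"}, IDENTITY_POLICY, RESOURCE_POLICY)` and then change the IP or the action to see each of the three outcomes.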

2. AWS CloudTrail

Everything in the cloud is an API call, whether you are using the management console, the CLI or the AWS SDK. AWS CloudTrail records these API calls, and a common mistake is to just turn CloudTrail on and let other services consume it. As a security professional you need to know how CloudTrail works and how to read the events it captures. This becomes very useful both in incidents and in troubleshooting why some security service is not working. Logging is a critical foundation of any security strategy, but do not just turn CloudTrail on and forward the logs somewhere. Learn how to read the events and quickly filter and locate what you are searching for. This can be done both via the CloudTrail console and via other services such as Amazon Athena, which lets you query CloudTrail with SQL-like commands.

Do these steps to get started:

  1. Turn on CloudTrail (I know I am being Captain Obvious here).
  2. Create an IAM user with limited privileges (e.g. can access EC2 but not S3).
  3. Analyze the CloudTrail events for this user creation. Can you understand what is being shown?
  4. Try doing something your IAM policy does not allow (accessing S3 when you can only create EC2 instances).
  5. Look at how the events for this failed action appear.
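As an added example (not from the original post), here is how steps 3 to 5 look when you read the raw CloudTrail records programmatically instead of in the console. The records below are constructed in the CloudTrail log-file shape (user names, IP addresses and account ID are made up), and the helpers pull out what one user did, who created that user, and which calls were denied.

```python
import json
from collections import Counter

# Constructed CloudTrail log file in the "Records" format (all values made up for illustration).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"userName": "ec2-only"}},
    {"eventTime": "2022-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "ec2-only"}},
    {"eventTime": "2022-03-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "ec2-only"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/ec2-only is not authorized to perform: s3:ListAllMyBuckets"},
    {"eventTime": "2022-03-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "ec2-only"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]})

DENIAL_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

def load_records(trail_json):
    """Parse one CloudTrail log file; each delivered file is a JSON object with a 'Records' list."""
    return json.loads(trail_json)["Records"]

def events_for_user(records, user_name):
    """Step 3: every API call made by one IAM user."""
    return [r for r in records if r.get("userIdentity", {}).get("userName") == user_name]

def who_created_user(records, user_name):
    """Step 3: the identity behind the CreateUser call for a given user name, or None."""
    for r in records:
        if r.get("eventName") == "CreateUser" and r.get("requestParameters", {}).get("userName") == user_name:
            return r["userIdentity"].get("userName")
    return None

def denied_events(records):
    """Steps 4-5: failed calls carry errorCode/errorMessage; successful ones have no errorCode."""
    return [r for r in records if r.get("errorCode") in DENIAL_CODES]

def denied_summary(records):
    """Count denials per (user, service, API) to surface repeated attempts at a glance."""
    return Counter((r["userIdentity"].get("userName"), r["eventSource"], r["eventName"])
                   for r in denied_events(records))
```

The same questions are what you would ask of an Athena query over a real trail; the errorCode field is the quickest way to separate the failed S3 attempts in step 4 from the successful EC2 calls.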

3. AWS Security Hub

The cloud can become very complex very fast, and visibility into your cloud security posture is key. AWS Security Hub is a cloud security posture management service that provides a single dashboard of your cloud security risks in one place. It is a great way to aggregate findings from the different security services we will discuss later, like GuardDuty, Config, Macie, etc.

A lot of people might prefer to get started with AWS Config first, but I prefer going straight into AWS Security Hub as it has a far quicker learning curve and already has Config running in the background.

AWS Security Hub

Do these steps to get started:

  1. Enable AWS Config in your AWS account.
  2. Enable Security Hub.
  3. Let Security Hub run for a while and then review any findings.
  4. Analyze how the settings work and what standards are available. Turn on the CIS foundational ones.
  5. Look at what partner integrations are present and apply them to your environment.
  6. Look at AWS custom events and try to send findings to Slack or email.

AWS Security Hub is a great way to locate "quick wins" in your environment which you can remediate to immediately see an improvement in your security posture and provide tangible updates to management.

4. Amazon GuardDuty

Along with getting complex quickly, an AWS cloud can have thousands to millions of events happening daily, and there is no way to track that manually for potential threats. While the old way of dumping the logs into a SIEM solution and having your 24/7 SOC monitor them CAN work, a faster way is needed, and this is where Amazon GuardDuty comes in. It is a threat detection service powered by machine learning that can warn you about unauthorized activity in your AWS accounts, workloads, S3 buckets, etc. While not free, it provides a 30-day trial period during which you can turn it on and let it monitor your account for potential violations and build up its baseline.

Do these steps to get started:

  1. Enable Amazon GuardDuty.
  2. It takes some time for GuardDuty to analyze your environment, so you can generate some sample findings if you want to see how the console will look.
  3. Look at what partner integrations are present and apply them to your environment.
  4. Look at integrating GuardDuty with email or Slack for automated notifications.

5. AWS Security Groups

AWS Virtual Private Cloud (VPC) is where your workloads will reside, and it is a huge topic worthy of its own post. However, you don't have to wait to become a VPC master, and one "quick win" is to get hands-on with AWS security groups. These are the gatekeepers for traffic into your cloud server instances: mini-firewalls that can be configured to allow only the traffic permitted under the least-privilege principle.

Security Groups
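As an added example (not from the original post), here is a least-privilege check a defender can run over security group definitions. The input is constructed in the shape of `aws ec2 describe-security-groups` output (group IDs and names are made up), and the function flags inbound rules that expose anything other than a single web port (80 or 443, an assumed allowlist) to the whole internet, while group-to-group references like the database tier below pass.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output (IDs and names made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        # Only reachable from the web tier's group: this is the least-privilege pattern.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: only the web listener may face the internet

def _sources(rule):
    """All CIDR sources of an inbound rule (IPv4 and IPv6); group-to-group references are ignored."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def _port_label(rule):
    """'-1' means all protocols (no FromPort/ToPort); otherwise label the port range."""
    if rule.get("IpProtocol") == "-1":
        return "all protocols/ports"
    return f"{rule['IpProtocol']} {rule.get('FromPort')}-{rule.get('ToPort')}"

def overly_permissive_rules(groups):
    """Return (GroupId, port label, public sources) for every rule open to the internet
    that is not a single allowed web port."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            public = [c for c in _sources(rule) if c in PUBLIC_CIDRS]
            if not public:
                continue
            single_web_port = (rule.get("IpProtocol") == "tcp"
                               and rule.get("FromPort") == rule.get("ToPort")
                               and rule.get("FromPort") in ALLOWED_PUBLIC_PORTS)
            if not single_web_port:
                findings.append((g["GroupId"], _port_label(rule), public))
    return findings
```

On the sample data this flags SSH open to the world on the web group and the all-traffic rule on the legacy group, which are exactly the two rules a least-privilege review would tighten to a known source range or remove.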

Moving forward

The above was a quick summary of which services you should start with to begin gaining hands-on knowledge of securing your AWS cloud environment. This is by no means an exhaustive list, but I tried to keep it as open as possible so that the maximum number of AWS environments can be covered. In part 2, we shall take a look at the more intermediate services like AWS Key Management Service and CloudWatch.

Good luck on your cloud security journey.