Amazon Web Services (AWS) provides several security services to help its customers protect their cloud-based data assets from loss, corruption or exfiltration. These services are the basic building blocks of any data protection strategy, such as role-based access control, user authentication, event and traffic monitoring, logs and alerts, and so on.
With app architectures becoming more complex and the sheer volume of data continuing to skyrocket, security building blocks are often inadequate to gain actionable insights into a system’s performance and security status. The velocity and diversity of alerts and data streams from monitoring and logging services can make it difficult for IT teams to understand root causes of failures or vulnerabilities in real time. This makes it difficult to quickly remediate—or even preempt—them.
This article describes AWS’s advanced security services and how it provides a level of security for data and apps when used strategically with the AWS security building blocks.
App Protection: AWS WAF and AWS Firewall Manager
In order to address the security needs of today’s highly distributed apps, the AWS Web Application Firewall (AWS WAF) monitors HTTP/HTTPS requests at all the relevant incoming interfaces. These interfaces include Amazon API Gateway, Amazon CloudFront (a content delivery network), and Application Load Balancer.
Based on customer-specified rules such as IP addresses or query string characteristics to allow or block, AWS WAF determines whether to process or reject a request. You can extract real-time metrics to optimize the rules, which can then be applied to multiple apps.
AWS WAF costs are charged monthly based on the number of web access control lists (web ACLs), rules per web ACL and web requests. Currently, those charges are $5 per web ACL, $1 per rule per web ACL, and $0.60 per million web requests.
If you are using AWS WAF across more than one account/resource, AWS Firewall Manager simplifies rule deployment and maintenance. Once rules are set up, AWS Firewall Manager automatically applies them to new accounts and resources as they are added. There is a monthly fee of $100 for each AWS Firewall Manager protection policy. Additional charges apply for the web ACLs and rules that it creates.
DDoS Mitigation: AWS Shield
AWS Shield Standard is a free-of-charge Distributed Denial of Service (DDoS) protection service for all apps using AWS services. Services include Elastic Load Balancing (ELB), Application Load Balancer, Amazon CloudFront, and Amazon Route 53. It defends websites and apps from the most frequent DDoS attacks. Those attacks could be mounted on the network and transport infrastructure layers (Layers 3 and 4).
AWS Shield Advanced adds additional DDoS protection by detecting and mitigating attacks mounted through the app layer. AWS Shield Advanced incurs a monthly fee of $3,000, with a 12-month commitment. Fees also apply to data transfer out usage and vary depending on the service or network being used. The first 100TB of data transferred out of AWS Shield Advanced via Amazon CloudFront is $0.025/GB, but goes up to $0.050/GB on ELB.
Intelligent Threat Detection: Amazon GuardDuty
Amazon GuardDuty applies all the latest threat detection technologies—machine learning, artificial intelligence, behavior analytics, and more—as it continuously monitors AWS accounts and workloads for malicious activity and anomalous behavior. Rather than struggle with millions of events across multiple logs, security teams benefit from integrated threat intelligence and prioritized alerts. GuardDuty’s alerts can also be used to trigger automated response workflows when it is integrated with Amazon CloudWatch Events.
Pricing for GuardDuty is monthly and is based on two elements:
- The number of AWS CloudTrail Events analyzed: Charges vary per region. In Virginia, for instance, the cost is $4.00 per 1 million events.
- The volume of VPC Flow Logs and DNS log data analyzed: Charges vary per region. In Virginia, the cost is $1.00/GB for the first 500GB, $0.50/GB for the next 2,000GB, and $0.25/GB for anything over 2,500GB.
Automated Data Security: Amazon Macie
Amazon Macie is a fully managed intelligent data security service. It automatically discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property. It is currently available for Amazon S3 and will eventually be extended to other AWS data stores.
Amazon Macie’s dashboards and alerts make it easy to see how sensitive data is being accessed or moved. It first creates a baseline and then uses a behavior analytics engine to detect potentially risky or suspicious anomalies.
Amazon Macie sends its findings to Amazon CloudWatch Events, where they can trigger automated workflows to mitigate threats and vulnerabilities. It integrates seamlessly with SIEM (Security Information and Event Management) frameworks, along with MSSP (Managed Security Service Provider) solutions.
Pricing is based on three components. The amount of content classified is the first. How long metadata is to be retained is the second. The number of AWS CloudTrail events assessed for anomalies is the third. The first 1GB of content classified is free of charge, after which there is a cost of $5/GB. Metadata is stored for 30 days at no charge, after which there is a charge of $0.05/GB/month. Similarly, there is no charge for the first 100,000 events analyzed. However, afterwards, there is a fee of $4 per 1 million events.
Single-Pane Visibility: AWS Security Hub
AWS Security Hub collects, classifies and prioritizes security alerts and findings from Amazon GuardDuty, Amazon Inspector (an automated security assessment service), and Amazon Macie, as well as from AWS Partner Network solutions. It has a highly visual UI of integrated dashboards, graphs and tables. This makes it easy to identify and act on security threats and vulnerabilities. Security Hub also provides continuous compliance monitoring based on best practices and the industry standards relevant to the customer.
AWS has invested in advanced security and compliance solutions to help security teams protect their AWS accounts, apps, and data from unauthorized access and malicious attacks. By aggregating and analyzing events and user behavior across diverse data sources and workflows, these services provide the visibility, prioritization, and automation that are the hallmarks of next-generation security and compliance.
In short, AWS not only provides security building blocks, but also the glue that lets them work together for real-time, intelligent, security monitoring and remediation. With their on-demand and per-use pricing models, these services are also usually less expensive than equivalent on-premises deployments.
Please note: all AWS pricing mentioned are as of September 2018.
As an AWS Advanced Consulting Partner, Media Temple can help you get the most from your AWS cloud. Reach out anytime.