What is AWS Security Framework?

This blog provides a deep understanding of the AWS Security Framework, including key concepts, essential services, and how AWS approaches cloud security. We will read about how they work together to create a secure cloud environment.
By SentinelOne September 21, 2024

Cloud technology has taken over the world in the last few years. Technology-enabled companies have either migrated to the cloud or are in the process of migrating to the cloud. One of the biggest reasons for the swiftness is the ease of use, lesser tension to manage the infrastructure, no more scalability issues, and cost efficiency. Every coin has two sides, and cloud technology is no different. Cloud technology faces its own set of challenges. The biggest of them all is cloud security.

AWS, aka Amazon Web Services, is a cloud service provider and has the largest share in the market as of 2024. AWS currently holds 32% of the market share, and the reason for having the largest market share is not the benefits cloud technology offers but the number of tools and integration options it offers. AWS has services for almost everything you think of, including sending messages, managing users, creating virtual machines, etc.

In this blog post, we will discuss what AWS Security Framework is, how it works, and why companies need it in the first place. We will also discuss multiple ways how to secure your web and serverless applications along with different tools and technologies offered by AWS for automating the DevSecOps process.

AWS Security Framework - Featured Image | SentinelOneIdentity and Access Management in AWS

Companies with hundreds of employees need a proper tool to manage their identities and how they can access different resources. Employees need to have certain access levels based on what resource or data they need, and in order to achieve that, we need IAM. In this section, we will discuss how AWS IAM works.

  1. AWS Identity and Access Management (IAM): IAM is used by companies to control access to AWS resources or data stored in AWS for security reasons. IAM functionalities can be accessed using AWS UI or API. This tool helps admins manage the users, access keys, and permission centrally, enabling them to do more and reduce clutter.
  2. AWS Single Sign-On (SSO): AWS accounts and applications can also be managed from a single source by using the cloud base, the AWS Single Sign-On(SSO) service, which makes management of SSO AWS accounts easier.
  3. AWS Organizations for Multi-Account Security: An organization can have multiple AWS accounts under the root or the main account. AWS Organization service is provided to manage all these accounts. This is usually used when companies acquire small companies or some teams create separate accounts based on the use case.

Implementing AWS Network Security and Data Protection

Network security is a process used to protect sensitive information on networks (traveling from source to destination). Network security can be implemented in multiple ways, such as by using hardware, software, and protocols with the end goal of protecting data. Some of the tools provided by AWS for data protection are as follows:

Virtual Private Cloud

Amazon Virtual Private Cloud (VPC) helps in creating isolated sections within the cloud that will be isolated from the rest of the cloud. These isolated networks isolate the resources used in the network, providing both public and private subnets, which help protect sensitive resources from direct internet access.

Security Groups and Network Access Control Lists

AWS provides two tools to control the traffic within the VPC. The first one is Security Groups, in which AWS provides a type of virtual firewall that operates at the instance level and ensures it can be configured for incoming traffic and control the outgoing traffic using IP range, port, protocol, etc. The other one is Network Access Control Lists (NACLs). These rules operate at the network level, in this case, the subnet level, and they also control both inbound and outbound traffic.

AWS Private Link and VPC Endpoints

If an organization or customer wants to access AWS service without using the public internet, they can use AWS PrivateLink, which is one of the VPC Endpoints. PrivateLink enables customers to access services securely, and it also enables customers to access VPC resources from the AWS Services and VPC Endpoint Services.

Data Encryption

AWS Data Encryption is one of the most important security tools that helps protect sensitive data both in the resting stage (data at rest) and transit stage (data in motion). In order to protect the data at rest, AWS services such as Amazon EBS, S3, and RDS can be used, and they can be directly configured to automatically encrypt the data present in them (direct enabling encryption might not work for complex data storage use cases). For the other case, when the data is in transit, SSL/TLS protocols can be used along with VPN connections to avoid attackers intercepting data.

AWS Certificate Manager

For the encryption techniques to work smoothly in AWS, the AWS Certificate Manager (ACM) is used. ACM helps to provision, manage, and deploy SSL/TLS certificates and manage their certificate renewal as well. This is widely used by companies who use AWS to deploy web applications.

Types of AWS Security Framework

Some of the main types of security frameworks provided by AWS are as follows:

1. AWS Cloud Adoption Framework (CAF)

AWS CAF helps providers get a security point of view and define best practices for data security.  It is more focused on showing the companies how they can ensure the proper mix of security and business, IAM solutions should be implemented, and how companies can meet federal compliance with government bodies. The framework is more of a guide, which shows the businesses how they can implement and integrate security with their businesses.

2. Compliance Frameworks

AWS has a formal security and compliance program, and it has some defined requirements. AWS has designed a number of infrastructure services to ensure that the organizations meet their regulatory needs, such as PCI DSS (Payment Card Industry Data Security Standard for the Payment Card Industry), HIPAA, and SOC2.

3. AWS Control Tower

AWS Control Tower is a service that helps service providers set up a secure and compliant multi-account AWS environment. This can be used to set up major account roles and foundation of services that add capabilities to share accounts, cloud data access, and manage resolution to account setting problems.

4. Data Protection Framework

AWS provides guidance and services to help protect the company’s sensitive and PII data. This includes the protection of data while at rest and in motion. This can be done through data management, including encryption key management, monitoring, access controls, and device usage patterns.

5. Incident Response Framework

Incident response is a plan used by companies to manage, respond to, and recover from a security incident. AWS users can build a solid incident response plan with the help of AWS CloudTrail for auditing API usage, Amazon GuardDuty for threat detection, and AWS Systems Manager for automating response actions.

6. Shared Responsibility Model

This is not a framework but an important concept that should be understood in terms of AWS security. As per this mode, the responsibility of securing data is not just for the cloud provider but also for the end user.

AWS Tools for Security Monitoring, Logging, and Compliance

AWS offers multiple services for logging, monitoring, and compliance. Some of them are as follows:

#1. AWS CloudTrail

AWS CloudTrail is used for security monitoring and auditing. It provides a log trail for every action that might have happened to any AWS service by a user, role, or an AWS service itself.

#2. Amazon CloudWatch

Amazon CloudWatch helps monitor the resources and applications that the user runs on AWS. It is used to monitor AWS resources such as Amazon EC2 instances, Amazon Dynamo DB tables, and many more.

#3. AWS Config

AWS Config helps keep track of the configuration of AWS resources used by users in their accounts. It basically compares the user configurations against the desired settings, which helps maintain security and compliance as an end goal.

#4. AWS Artifact

In order to get compliance-related information from AWS’ security & compliance reports and online agreements, AWS offers AWS Artifact service. This service provides users with multiple compliance documents, including AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports.

#5. AWS Control Tower

AWS Control Tower provides a framework used by enterprises to set up a multi-account AWS environment. It ensures that you have a compliant and well-governed multi-account policy by maintaining a uniform policy across all accounts and organizational units.

#6. AWS Audit Manager

AWS Audit Manager is a service that monitors your AWS usage to make it easier for you to assess risk and compliance with regulations and industry standards. It automatically collects evidence, thereby reducing the manual effort it takes to prepare for an audit.

Threat Detection and Incident Response in AWS Environments

The ability to quickly detect and respond to security threats is important. Some of the tools offered by AWS for this purpose are as follows:

  • Amazon GuardDuty

AWS provides users with an intelligent threat detection service known as Amazon GuardDuty. This tool continuously monitors for any threat activity or unauthorized behavior in the AWS account. This service is able to analyze any number of records from the AWS data sources by making use of machine learning, anomaly detection, and integrated threat intelligence.

  • AWS Security Hub

Multiple security issues might arise in your AWS environment. In order to get the most critical ones, the admin can make use of AWS Security Hub, which provides an overall view of the security posture and organizes and prioritizes the alert for critical threats.

  • Amazon Detective

For much faster security investigations, organizations can use Amazon Detective, which uses machine learning and graph theory to build a linked set of data from the AWS resources.

  • Amazon Macie

Data protection is an absolute necessity for any organization. Amazon provides Amazon Macie, which uses machine learning and pattern matching to protect the sensitive data in AWS. It can also provide a list of Amazon S3 buckets that might contain the data and are unencrypted or publicly accessible (aka misconfigured).

  • AWS IoT Device Defender

While using IoT devices, organizations must be careful of issues like identity certificates shared across multiple devices or devices with abnormally high outbound traffic that might indicate they’re participating in a DDoS attack. These issues are automatically taken care of by AWS IoT Device Defender, hence securing the hardware infra.

How to Secure Web & Serverless Applications in AWS

Web services are common nowadays, where developers use a Web Server to deploy applications, but serverless is a new concept. In serverless environments, developers don’t have to manage or maintain the infrastructure; it’s all done by the cloud provider. Let’s discuss key services and their roles that can be used to protect your web and serverless applications:

1. AWS WAF (Web Application Firewall)

Common web exploits can affect your application availability, compromise its security, or it might cause excessive resource consumption as well. AWS WAF protects our application from all these threats. It allows users to create security rules to control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting.

2. Amazon Inspector

One of AWS’s services that help us make sure we are compliant is the Amazon Inspector, which analyzes the application’s exposure, vulnerabilities, and best practices. Amazon Inspector provides a detailed report of all these and their level of severity. These reports also have suggestions on how to resolve the issues.

3. AWS Shield

AWS Shield is a Distributed Denial of Service (DDoS) protection service that aims to minimize application downtime and latency. It secures applications running on AWS from all types of DDOS attacks.

4. AWS Firewall Manager

AWS Firewall Manager makes it easier to centrally configure and manage AWS WAF, AWS Shield Advanced, and Amazon VPC security groups across your accounts and applications. AWS Firewall Manager makes it simpler to manage multiple security rules and protect workloads continuously.

5. AWS Network Firewall

AWS Network Firewall makes it easy to deploy network protections for all Amazon Virtual Private Clouds. With AWS Network Firewall, you can build security policies with firewall rules that provide fine-grained control over network traffic across your VPCs.

Different Tools to Implement Security Automation and DevSecOps

It is important to integrate security automation into the DevOps process for a higher level of robust security posture. Some of the AWS tools that help us in doing so are such as:

  • AWS Systems Manager

AWS Systems Manager is a management service that helps you automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.

  • AWS CloudFormation

AWS CloudFormation provides a common language for you to define and provision AWS and third-party application resources in your Cloud environment. In terms of security, CloudFormation enables you to define security controls as part of your infrastructure templates and enforce them with no requirement for additional work.

  • Integration with CI/CD pipelines

Companies use CI/CD pipelines to build, test, and deploy applications. The following AWS services and capabilities can be integrated with your existing CI/CD pipelines to help enhance the overall security of the build cycle.

  1. AWS CodePipeline helps manage the release process and integrates security checks at various stages.
  2. Amazon CodeGuru Reviewer can perform automated code reviews to identify security vulnerabilities and suggest fixes accordingly.
  3. AWS CodeBuild can be configured to run security scans and tests as part of the build process.
  4. Amazon ECR scan on push feature can automatically scan container images for vulnerabilities when they’re pushed to the satisfactory or container registry.
  • AWS Security Hub Automated Response and Remediation

Automatic Response and Remediation of AWS Security Hub allows you to respond to security findings by taking action automatically. It is based on AWS Systems Manager Automation documents to resolve common security issues. For example, if Security Hub detects an overly permissive security group rule, it can automatically edit the rule to restrict access.

Best Practices for AWS Security

AWS, being widely used, is a prime target for attackers. Let’s discuss some of the best practices that should be implemented while using AWS Security.

#1. Implementing Least Privilege Access

The principle of least privilege states that minimum permission, which is absolutely necessary for users and services to complete their work, should be provided. AWS provides AWS Identity and Access Management (IAM)  for the creation of policies that will help restrict access based on specific conditions. However, these policies should be reviewed and audited from time to time to make sure they are appropriate and up to date with the latest standards.

#2. Securing Network Infrastructure

Virtual Private Clouds(VPCs) should be properly checked and configured in order to maintain the security of the user’s infrastructure. AWS administrators can use security groups and network access control lists(NACLs) to control incoming and outgoing traffic. To protect sensitive resources, network segmentation should be implemented by making use of public and private subnets and placing resources in private subnets as per resource criticality and business use case.

#3. Data Protection and Encryption Strategies

Data should be encrypted at both stages when it is at rest and in transit. Companies can use AWS Key Management service to create and manage encryption keys. Default encryption should be enabled so that data is encrypted at rest in Amazon S3 buckets and EBS. Moreover, developers can use the SSL/TLS protocols to encrypt data in transit. To control who can access S3 data, AWS provides bucket policies and access control lists.

#4. Monitoring and Incident Response

Organizations can enable detailed logging and monitoring through AWS CloudTrail, Amazon CloudWatch, and AWS Config. Moreover, the organization should be alerted when suspicious activity is automatically detected, and Amazon GuardDuty should be used for intelligent threat detection.

#5. Continuous Security Assessment and Compliance

AWS recommends scheduling regular security assessments within the organization. The company can use Amazon Inspector, a security assessment service for vulnerability assessment. Moreover, the company may want to use AWS and third-party tools to continuously audit AWS usage, which includes AWS Audit Manager, to comply with the organization’s security policies and standards.

Why SentinelOne for AWS Security?

SentinelOne is a leading solution used by companies across the globe to protect AWS infrastructure. It can help companies fill in security gaps by using advanced threat detection tools along with automated response capabilities across various AWS services. This includes EC2 instances, containers or containerized applications, and serverless functions using AWS Lambda.

SentinelOne uses advanced machine learning models and behavioral analysis to identify and stop sophisticated security attacks or data breaches. The tool can be easily integrated with AWS services such as AWS CloudTrail and AWS GuardDuty. The easy-to-integrate part makes it easier for companies to adopt the tool.

SentinelOne can detect zero-day exploits along with fileless malware (malware that does not need executable files on the system) in the cloud infrastructure, which adds an extra layer of defense to the existing security controls. As the tool uses cloud-native architecture, the performance of AWS is barely impacted.

Conclusion

AWS Security is not a fancy word used by engineers; it is a security solution offered by AWS to ensure that the data and applications stored/hosted in AWS are secure from threat actors. AWS Security Framework is a multi-level process that helps companies find and resolve security issues in the AWS infrastructure. This is not done just by a couple of tools but by a variety of tools and multiple guidelines to ensure sensitive data don’t go into the wrong hands.

AWS Security Framework takes care of the automation and scalability needs of organizations as well. It provides services such as AWS Config, CloudFormation, and Systems Manager that help organizations integrate security as an Infrastructure as a Code service. It also helps in managing the uniformity of security policies across multiple AWS accounts under the same organization.

Faqs:

1. What is included in the AWS security control framework?

The AWS security framework is made up of multiple security tools and services with a single goal to secure AWS cloud infrastructure. Some of the controls of the framework include identity and access management (IAM) to take care of user authentication and authorization, network controls to manage security groups and VPCs, and data protection controls to ensure encryption and key management.

2. What is a framework in AWS?

In the AWS environment, a framework is a structured way or set of recommendations that help the end users (developers or enterprises) achieve outcomes (this may vary from company to company). In general, such systems address best practices, design principles, and a series of questions to evaluate existing architecture or processes.

3. What are the six pillars of the AWS Well-Architected Framework?

The six pillars of the AWS Well-Architected Framework are Security, Reliability, Performance Efficiency, Operational Excellence, and Cost Optimization. Each of these pillars contributes to creating more efficient cloud systems. Operational Excellence can be defined as running and monitoring systems that enable the development of business and personal value propositions.

Your Cloud Security—Fully Assessed in 30 Minutes.

Meet with a SentinelOne expert to evaluate your cloud security posture across multi-cloud environments, uncover cloud assets, misconfigurations, secret scanning, and prioritize risks with Verified Exploit Paths.