What should you do to ensure the protection of your application’s Amazon EC2 instances, containers, AWS Lambda functions, databases, and so on?
Well, to start with, you want to design an AWS environment that has proper resource isolation. There are multiple means of achieving this isolation, as we have seen in Chapter 3, Designing a Multi-Account AWS Environment for Complex Organizations. This resource isolation provides the first level of defense by segregating resources that belong to different business domains or functions, teams, or applications, and placing them in separate networks (VPCs or subnets), or even separate accounts. Then, beyond the network protection that was discussed earlier, it is recommended that you provide a more granular level of protection on each resource by assigning it to a security group (a stateful firewall) in charge of restricting access to it from relevant sources only (for instance, Internet Protocol (IP) ranges or security groups) and through specific protocols and ports.
Performing Vulnerability Assessments
Regularly scan and patch your application’s code and its dependencies against any known vulnerability. Adopt best practices for software life cycle management such as CI and/or CD and integrate vulnerability scanning as part of your CI/CD pipelines.
Further, don’t forget to do the same for the infrastructure supporting your application. As part of the shared responsibility model, you are responsible for securing—and thus patching—your Amazon EC2 instances, the Amazon Machine Images (AMIs) used to launch those instances, your containers, the container images used to run those containers, and so on.
Some tools provided by AWS can assist you with patching automation, such as AWS Systems Manager Patch Manager, especially if you need to manage a large fleet of EC2 instances. Alternatively, you can also use EC2 Image Builder for maintaining your AMIs, including patching and security policy enforcement. You can also leverage Elastic Container Registry (ECR) Image Scanning to check your container images for known vulnerabilities.
Reducing the Attack Surface
Harden your application’s components as much as possible, limiting the software packages installed on your OSes and the libraries used in your application’s code. Leverage the industry best practices and recommendations for hardening OSes and software, such as the resources from the Center for Internet Security (CIS). Several organizations create their own hardened AMIs and container images in line with their own security best practices and standards. They may validate them using the CIS benchmarks or other industry standards. Check your application’s code for common vulnerabilities and exposures (CVEs), using tools such as Amazon CodeGuru or third-party code analyzers.
Leveraging Managed Services
Leverage the shared responsibility to your advantage by letting AWS do most of the heavy lifting for you. Using managed services—for instance, Amazon RDS or Amazon Elastic Container Service (ECS)—you can delegate as many of the administrative and security maintenance tasks to AWS as possible, reducing your maintenance tasks. The more managed AWS services you use, the less maintenance for you to do, and the more the time you can spend on improving your solution design following AWS best practices in terms of security.