How cyber security professionals are leveraging AWS tools
With millions of businesses now using Amazon Web Services (AWS) for their cloud computing needs, it’s become a vital consideration for IT security teams and professionals. As such, AWS offers a broad range of cyber security tools to secure AWS-based tech stacks. They cover areas such as data privacy, access management, configuration management, threat detection, network security, vulnerability management, regulatory compliance and so much more.
Along with being broad in scope, AWS security tools are also highly scalable and flexible. Therefore, they’re ideal for high-growth organisations facing a fast-expanding and increasingly sophisticated cyber threat landscape.
On the downside, they can be complex to use, don’t always integrate well with multi-cloud environments, and become outdated and expensive quickly. These challenges underscore the importance of continual learning and effective cost management in the cyber security suite.
One of the best things AWS offers cyber security professionals is a centralised view of all their different virtual environments, including patch management, vulnerability scanning and incident response, to achieve “smoother operations”, according to Richard LaTulip, field chief information security officer at cyber threat intelligence platform Recorded Future.
Specifically, he says tools like AWS CloudTrail and AWS Config allow cyber security teams to accelerate access management, anomaly detection and real-time policy compliance, and that risk orchestration is also possible thanks to AWS’s support for specialist platforms such as Recorded Future.
This sentiment is echoed by Crystal Morin, cyber security strategist at container security firm Sysdig, who describes AWS CloudTrail and AWS GuardDuty as “the bedrock” for organisations with a multi- or hybrid cloud environment.
She says these tools offer “great insight” into cloud environment activity that can be used to identify issues affecting corporate systems, better understand them and ultimately determine their location for prompt removal.
Benefits for all kinds of cyber pros
Having made tons of cloud security deployments for Fortune 200 companies in his previous role as global AWS security lead at consulting giant Accenture, Shaan Mulchandani, founder and CEO of cloud security firm HTCD, knows a thing or two about AWS’s cyber security advantages.
Mulchandani says AWS implementations helped these companies secure their baseline configurations, streamline C-suite IT approvals to speed up AWS migration, eliminate manual post-migration security steps and seamlessly scale environments containing thousands of workloads. “I continue to help executives at organisations architect, deploy and maximise outcomes using AWS-native tools,” he adds.
As a senior threat researcher at cyber intelligence platform EclecticIQ, Arda Büyükkaya uses AWS tools to scale threat behaviour analysis, develop secure malware analysis environments, and automate threat intelligence data collection and processing.
Calling AWS an “invaluable” threat analysis resource, he says the platform has made it a lot easier to roll out isolated research environments. “AWS’s scalability enables us to process large volumes of threat data efficiently, whilst their security services help maintain the integrity of our research infrastructure,” Büyükkaya tells Computer Weekly.
At log management and security analytics software company Graylog, AWS usage happens across myriad teams. One of these is led by EMEA and UK lead Ross Brewer. His department is securing and protecting customer instances using tools like AWS GuardDuty, AWS Security Hub, AWS Config, AWS CloudTrail, AWS Web Application Firewall (WAF), AWS Inspector and AWS Identity and Access Management (IAM).
Its IT and application security department also relies on security logs provided by AWS GuardDuty and AWS CloudTrail to spot anomalies affecting customer instances. Brewer says the log tracking and monitoring abilities of these tools have been invaluable for security, compliance and risk management. “We haven’t had any issues with our desired implementations,” he adds.
Real business value
Cyber law attorney and entrepreneur Andrew Rossow is another firm believer in AWS as a cyber security tool. He thinks its strongest aspect is the centralised security management it offers for monitoring threats, responding to incidents and ensuring regulatory compliance, and describes the usage of this unified, data-rich dashboard as the “difference between proactive defence and costly damage control” for small businesses with limited resources.
But Rossow believes this platform’s secret sauce is its underlying artificial intelligence (AI) and machine learning models, which power background threat tracking, and automatically alert users to security issues, data leaks and suspicious activity. These abilities, he says, allow cyber security professionals to “stay ahead of potential crises”.
Another area where Rossow thinks AWS excels is its integration with regulatory frameworks such as the California Consumer Privacy Act, the General Data Protection Regulation and the Payment Card Industry Data Security Standard. He explains that AWS Config and AWS Security Hub offer configuration and resource auditing to ensure business activities and best practices meet such industry standards. “This not only protects our clients, but also shields us from the legal and reputational fallout of non-compliance,” adds Rossow.
AWS tools provide cyber security teams with “measurable value”, argues Shivraj Borade, senior analyst at management consulting firm Everest Group. He says GuardDuty is powerful for real-time monitoring, AWS Config for security posture management and IAM Access Analyzer for privilege sprawl prevention. “What makes these tools powerful is their interoperability, enabling a scalable and cohesive security architecture,” says Borade.
Challenges to overcome
Although AWS is a valuable tool for cyber security professionals, Borade emphasises that it’s “not without limitations”. He says the platform’s lack of depth and flexibility means it isn’t always suitable for modelling complex cyber security threats or handling specific compliance issues. Rather, cyber security professionals should use AWS as a foundational element of their wider tech stack.
Using the AWS Security Hub as an example, Borade says it can effectively serve the purpose of an “aggregation layer”. But he warns that incorrect configurations often result in alert fatigue, meaning people can become oblivious to notifications when repeatedly spammed with them.
Borade also warns of misconfigurations arising from teams’ lack of understanding of how cloud technology works. Consequently, he urges cyber security teams to “embed cloud-native security into the DevSecOps lifecycle” and “invest in continuous cross-functional training”.
For Morin, the biggest challenge of using AWS as a security tool is that it’s constrained by best practice gaps around areas like workload protection, vulnerability management, identity management and threat detection. She says one classic example is the difficulty cyber security teams face when monitoring access permissions granted over time, leaving organisations with large IT environments dangerously exposed.
Using multiple AWS security tools also increases the attack surface for cyber criminals to exploit. Morin warns that hackers may look for “visibility gaps” by sifting through different AWS planes, helping them “mask their activities” and “effectively bypass detection”. To stay one step ahead of cyber crooks, she advises organisations to invest in runtime solutions alongside AWS-native tools. These will provide real-time security insights.
Technical and cost issues may also impact AWS implementations in cyber security departments, warns Mulchandani. For instance, Amazon Macie may be able to create inventories for all object versions across different buckets, but Mulchandani says this creates a “mountain of medium-severity findings” to decipher.
“Without strict scoping, licence costs and analyst time balloon,” he adds. “Costs can also increase when an organisation requires a new AWS launch that isn’t available in their region and they subsequently invest in a temporary solution from a different vendor.
Getting started with AWS security tools
For those new to using AWS security tools, Morin says an important first step is to understand the cloud security shared responsibility model. She explains that the user is responsible for securing their deployments, correctly configuring them and closing any security visibility gaps. AWS, on the other hand, must ensure the underlying infrastructure provided is safe to use.
As part of the users’ role in this model, she says they should enable logging and alerts for AWS tools and services used in their organisation. What’s also key is detailing standard organisational operating behaviour in a security baseline. This, she claims, will let organisations tell suspicious user actions apart from normal ones.
Many tried-and-tested best practices can be found in professional benchmarks such as the AWS Well-Architected framework and the Center of Internet Security’s Benchmark for AWS. “Make use of the work of those who have been fighting the good fight,” says Morin.
Finally, she urges anyone working in cloud security to remember that real-time operations are essential. Runtime security can help by protecting all running applications and data from the latest cyber security threats, many of which are preventable through automated processes.
Starting small is a good idea, too. Mulchandani recommends that AWS newbies begin with AWS tooling, and if any gaps persist, they can then look for third-party offerings. “Do not try to procure and integrate 20-plus external tools upfront as this will cause numerous architectural, security and cost challenges,” he says.
With the rapid pace of innovation across the AWS ecosystem, Borade urges anyone using this platform to stay up-to-date with the latest releases by participating in certification programmes, attending re:Inforce sessions and tracking the latest release notes from AWS. In the future, he expects automation, AI-fuelled insights, “tighter” third-party integrations, and identity orchestration and policy-as-code frameworks to dominate the AWS cyber security ecosystem.
On the whole, understanding the AWS platform and its role in cloud security is a vital skill for cyber security professionals. And AWS certainly offers some great tools for managing the biggest risks impacting its popular cloud platform. But cyber security professionals looking to leverage AWS in their day-to-day roles must be willing to get to grips with some complex tools, keep up-to-date with the latest releases in the vast AWS ecosystem and ensure their department budget can accommodate spiralling AWS costs.
