Easy to implement best practices to improve your AWS Cyber resilience

Encryption

Encrypt sensitive data both in transit and at rest using AWS Key Management Service (KMS) and SSL/TLS certificates.

Impact on CIA: High confidentiality impact, medium integrity impact, and low availability impact.

By using both AWS KMS and SSL/TLS certificates, you can ensure that sensitive data is encrypted both in transit and at rest, which helps to protect it from unauthorized access or tampering.

How to encrypt sensitive data both in transit and at rest using AWS Key Management Service (KMS) and SSL/TLS certificates?

Encrypting sensitive data both in transit and at rest is a critical step in ensuring data security. Here's how you can use AWS Key Management Service (KMS) and SSL/TLS certificates to encrypt sensitive data in AWS:

Encrypting data at rest:

  • You can use AWS KMS to encrypt data stored in Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift, and other storage services.
  • To encrypt data using KMS, you create a customer master key (CMK) and use it to encrypt the data.
  • When you store data in S3, you can set the default encryption for all objects in a bucket to be encrypted using KMS.
  • For RDS, you can encrypt the data stored in the database instances using KMS.
  • You can manage encryption and decryption using the AWS KMS API, AWS CLI, or the AWS Management Console.

Encrypting data in transit:

  • You can use SSL/TLS certificates to encrypt data in transit between your application and clients, or between services within your infrastructure.

To use SSL/TLS certificates with Amazon Web Services (AWS), you can either deploy Amazon CloudFront, an AWS global content delivery network (CDN), or use AWS Certificate Manager (ACM) to manage SSL/TLS certificates for your applications.

  1. Deploying Amazon CloudFront:
      • Sign in to the AWS Management Console and navigate to the Amazon CloudFront console.
      • Choose "Create Distribution" and select the "Web" delivery method.
      • Fill in the details for the CloudFront distribution, such as the origin domain name and the SSL certificate.
      • Choose the desired certificate from the list of available certificates, or upload a custom certificate.
      • Fill in the other details for the CloudFront distribution and choose "Create Distribution."
  2. Using AWS Certificate Manager (ACM) to manage SSL/TLS certificates:
      • Sign in to the AWS Management Console and navigate to the AWS Certificate Manager (ACM) console.
      • Choose "Request a certificate."
      • Fill in the details for the certificate, such as the domain name and subject alternative names.
      • Choose "Review" and then "Confirm and request."
      • Complete the validation process for the certificate, which may include email validation or DNS validation.
      • Once the certificate is issued, you can use it with your applications by providing the certificate ARN.

By deploying Amazon CloudFront or using AWS Certificate Manager (ACM) to manage SSL/TLS certificates, you can help ensure that sensitive data transmitted between your applications and end users is protected from eavesdropping or tampering.

You can configure CloudFront or a load balancer to terminate SSL/TLS connections and encrypt data in transit.

To configure Amazon CloudFront or a load balancer to terminate SSL/TLS connections and encrypt data in transit, you need to follow these steps:

  1. Configuring CloudFront:
      • Sign in to the AWS Management Console and navigate to the Amazon CloudFront console.
      • Choose the desired CloudFront distribution.
      • Go to the "Distribution Settings" section and choose "Edit."
      • Under "Default Cache Behavior Settings," choose "Edit."
      • Under "Viewer Protocol Policy," choose "Redirect HTTP to HTTPS."
      • Choose "Yes, Edit" to save the changes.
  2. Configuring a load balancer:
      • Sign in to the AWS Management Console and navigate to the EC2 console.
      • Choose "Load Balancers" from the navigation panel.
      • Choose the desired load balancer.
      • Go to the "Listeners" tab and choose "Edit."
      • Under "Protocol," choose "HTTPS."
      • Under "SSL Certificate," choose the desired certificate from the list of available certificates, or upload a custom certificate.
      • Choose "Save."

By configuring Amazon CloudFront or a load balancer to terminate SSL/TLS connections and encrypt data in transit, you can help ensure that sensitive data transmitted between your applications and end users is protected from eavesdropping or tampering.

How to use AWS KMS to encrypt data stored in Amazon Redshift?

You can use AWS Key Management Service (KMS) to encrypt data stored in Amazon Redshift. Here's how:

  1. Create a customer master key (CMK) in AWS KMS:
      • Sign in to the AWS Management Console and navigate to the AWS Key Management Service (KMS) console.
      • Choose "Create key" and select "Customer managed key."
      • Fill in the details for the CMK, such as the key alias and description.
      • Define the key administrative permissions for your CMK.
      • Choose "Create key."
  2. Create an encrypted Redshift cluster:
      • In the Redshift console, choose "Clusters" and select "Create cluster."
      • Fill in the details for the Redshift cluster and choose the "Encryption" option.
      • Choose the CMK created in step 1.
      • Choose "Create cluster."

By encrypting data stored in an Amazon Redshift cluster using a CMK in AWS KMS, you can help ensure that sensitive data is protected from unauthorized access, even if the Redshift cluster is lost or stolen.

How to use AWS KMS to encrypt data stored in Amazon S3?

You can use AWS Key Management Service (KMS) to encrypt data stored in Amazon S3. Here's how:

  1. Create a customer master key (CMK) in AWS KMS:
      • Sign in to the AWS Management Console and navigate to the AWS Key Management Service (KMS) console.
      • Choose "Create key" and select "Customer managed key."
      • Fill in the details for the CMK, such as the key alias and description.
      • Define the key administrative permissions for your CMK.
      • Choose "Create key."
  2. Set the default encryption for an S3 bucket:
      • In the S3 console, choose the bucket that you want to set the default encryption for.
      • Choose "Properties," and then "Default encryption."
      • Choose "AWS Key Management Service (SSE-KMS)" as the encryption type.
      • Select the CMK that you created in Step 1.
      • Choose "Save."
  3. Store data in the S3 bucket:
      • In the S3 console, choose the bucket that you want to store data in.
      • Choose "Upload" and select the files you want to upload.
      • The data will be encrypted using the default encryption set for the bucket.

By setting the default encryption for an S3 bucket, all objects stored in the bucket will be encrypted using the specified CMK. This helps to ensure that sensitive data is encrypted at rest and protected from unauthorized access.
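An added example (not from the original article) of how a practitioner verifies the control just described and enforces it with a bucket policy: the sample configuration is constructed in the shape boto3's get_bucket_encryption() returns, the key ARN and bucket name are made up, and nothing is sent to AWS.

```python
# Added example, not from the original article: audit a bucket's default
# encryption and build the bucket policy that enforces it. SAMPLE_CONFIG is
# constructed in the shape boto3's get_bucket_encryption() returns; no AWS
# call is made, so this runs offline.

EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
SAMPLE_CONFIG = {  # constructed: bucket set to SSE-KMS with the key above
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": EXPECTED_KEY}}]
    }
}

def default_encryption_uses_key(config, expected_key_arn):
    """True only if every default-encryption rule is SSE-KMS with the expected
    key; no rules, SSE-S3 ("AES256") or another key is a finding, because the
    control is 'encrypted with our CMK', not merely 'encrypted'."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            return False
        if default.get("KMSMasterKeyID") != expected_key_arn:
            return False
    return True

def enforcement_bucket_policy(bucket, key_arn):
    """Bucket policy that complements default encryption: deny uploads asking
    for anything but SSE-KMS with our key, and deny any access without TLS.
    Caveat: StringNotEquals also matches when the header is absent, so clients
    must request SSE-KMS explicitly rather than rely on the bucket default."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }
```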

How to use AWS KMS to encrypt data stored in Amazon RDS?

You can use AWS Key Management Service (KMS) to encrypt data stored in Amazon Relational Database Service (RDS). Here's how:

  1. Create a customer master key (CMK) in AWS KMS:
      • Sign in to the AWS Management Console and navigate to the AWS Key Management Service (KMS) console.
      • Choose "Create key" and select "Customer managed key."
      • Fill in the details for the CMK, such as the key alias and description.
      • Define the key administrative permissions for your CMK.
      • Choose "Create key."
  2. Create an encrypted RDS instance:
      • In the RDS console, choose "Instances" and select "Create database."
      • Choose the desired engine and version, and then choose the "Encryption" option.
      • Choose the CMK created in step 1.
      • Fill in the other details for the RDS instance and choose "Create database."

By encrypting data stored in an Amazon RDS instance using a CMK in AWS KMS, you can help ensure that sensitive data is protected from unauthorized access, even if the RDS instance is lost or stolen.

How to use AWS KMS to encrypt data stored in Amazon EBS?

You can use AWS Key Management Service (KMS) to encrypt data stored in Amazon Elastic Block Store (EBS). Here's how:

  1. Create a customer master key (CMK) in AWS KMS:
      • Sign in to the AWS Management Console and navigate to the AWS Key Management Service (KMS) console.
      • Choose "Create key" and select "Customer managed key."
      • Fill in the details for the CMK, such as the key alias and description.
      • Define the key administrative permissions for your CMK.
      • Choose "Create key."
  2. Create an encrypted EBS volume:
      • In the EC2 console, choose "Volumes" and select "Create volume."
      • Choose the desired size, availability zone, and volume type for the EBS volume.
      • Under "Encryption," choose "Encrypt this volume" and select the CMK created in step 1.
      • Choose "Create volume."
  3. Attach the encrypted EBS volume to an EC2 instance:
      • In the EC2 console, choose "Volumes," select the encrypted EBS volume, and choose "Actions," "Attach volume."
      • Choose the instance that you want to attach the volume to and fill in the desired device name.
      • Choose "Attach."
  4. Mount the encrypted EBS volume to the EC2 instance:
      • Connect to the EC2 instance using SSH.
      • Run the following command to format the EBS volume: sudo mkfs -t ext4 /dev/xvdf
      • Create a directory to mount the EBS volume: sudo mkdir /mnt/data
      • Mount the EBS volume: sudo mount /dev/xvdf /mnt/data

By encrypting the data stored in an Amazon EBS volume using a CMK in AWS KMS, you can help ensure that sensitive data is protected from unauthorized access even if the volume is lost or stolen.

How to do decryption using the AWS KMS API, AWS CLI, or the AWS Management Console?

You can use the AWS Key Management Service (KMS) API, AWS CLI, or the AWS Management Console to perform decryption of encrypted data. Here's how:

  1. Decryption using the AWS KMS API:
      • Use the "Decrypt" API operation to perform decryption.
      • Provide the encrypted data and the encryption context, if applicable, as input to the "Decrypt" API operation.
      • The API returns the plaintext data.
  2. Decryption using the AWS CLI:
      • Use the "aws kms decrypt" command to perform decryption.
      • Provide the encrypted data and the encryption context, if applicable, as input to the "aws kms decrypt" command.
      • The command returns the plaintext data.
  3. Decryption using the AWS Management Console:
      • In the AWS KMS console, choose the key that was used to encrypt the data.
      • Choose "Decrypt" and enter the encrypted data.
      • Choose "Decrypt."
      • The console displays the plaintext data.

In order to perform decryption, you must have the appropriate key administrative permissions for the customer master key (CMK) that was used to encrypt the data.

You can check a detailed video on how to do it.

Access control

Implement multi-factor authentication (MFA) for privileged access and define least privilege access policies for AWS resources using IAM.

Impact on CIA: High confidentiality and integrity impact, and low availability impact.

How to implement multi-factor authentication (MFA) for privileged access and define least privilege access policies for Amazon Web Services (AWS) resources using AWS Identity and Access Management (IAM)?

You can follow these steps:

  1. Implementing MFA for privileged access:
      • Sign in to the AWS Management Console and navigate to the IAM console.
      • Choose "Users" from the navigation panel.
      • Choose the desired user.
      • Go to the "Security Credentials" tab and choose "Activate MFA."
      • Follow the on-screen instructions to set up an MFA device, such as a virtual MFA or a hardware token.
      • Choose "Activate Virtual MFA" or "Activate."
      • Once the MFA device is set up, choose "Close."
  2. Defining least privilege access policies:
      • Sign in to the AWS Management Console and navigate to the IAM console.
      • Choose "Policies" from the navigation panel.
      • Choose "Create policy."
      • Choose "JSON" as the policy language.
      • Provide a policy that defines the least privilege access required for the desired AWS resources, using the IAM policy language.
      • Choose "Review policy."
      • Fill in the details for the policy and choose "Create policy."
      • Once the policy is created, you can attach it to the desired users, groups, or roles.

By implementing MFA for privileged access and defining least privilege access policies, you can help ensure that only authorized users can access your AWS resources, and that they can only access the resources they need to perform their job functions.
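An added example (not from the original article) of the JSON policy step above: a least-privilege policy whose privileged statement is gated on the aws:MultiFactorAuthPresent condition, plus a small linter for the anti-patterns that defeat least privilege. The bucket, key ARN and the list of "privileged" action prefixes are constructed.

```python
# Added example, not from the original article: a least-privilege policy whose
# privileged statement is gated on MFA, plus a linter for the anti-patterns that
# defeat least privilege. Bucket, key ARN and action list are constructed.

# Constructed, not exhaustive: prefixes of actions treated as "privileged".
PRIVILEGED_PREFIXES = ("iam:", "kms:", "sts:", "s3:PutBucket", "s3:PutEncryption")

def least_privilege_policy(bucket, key_arn):
    """Read one bucket, decrypt with the one key that protects it, and only
    from an MFA-authenticated session (aws:MultiFactorAuthPresent)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOneBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
            {"Sid": "DecryptWithOneKey", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": key_arn,
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(statement):
    # Only Bool counts: BoolIfExists/"true" also passes requests that carry no
    # MFA key at all (long-term access keys), which is the opposite of intent.
    cond = statement.get("Condition", {}).get("Bool", {})
    return cond.get("aws:MultiFactorAuthPresent") == "true"

def lint_policy(policy):
    """Return findings as strings; an empty list means the policy passed."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action grants a whole service or everything")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to named resources")
        privileged = [a for a in actions if a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _requires_mfa(st):
            findings.append(f"{sid}: privileged actions {privileged} allowed without MFA")
    return findings
```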

The below video helps you set up MFA for your AWS account.

Backups

Regularly back up your data and configure cross-region replication for disaster recovery using AWS Backup and AWS Storage Gateway.

Impact on CIA: Low confidentiality impact, high integrity impact, and high availability impact.

How to regularly back up your data and configure cross-region replication for disaster recovery using AWS Backup and AWS Storage Gateway?

To regularly back up your data and configure cross-region replication for disaster recovery using Amazon Web Services (AWS) Backup and AWS Storage Gateway, you can follow these steps:

  1. Regularly backing up data:
      • Sign in to the AWS Management Console and navigate to the AWS Backup console.
      • Choose "Backup plans" from the navigation panel.
      • Choose "Create Backup Plan."
      • Fill in the details for the backup plan and choose "Create Backup Plan."
      • You can schedule the backup plan to run at a desired frequency, such as daily, weekly, or monthly.
      • Once the backup plan is created, AWS Backup will automatically back up your data as specified in the plan.
  2. Configuring cross-region replication:
      • Sign in to the AWS Management Console and navigate to the AWS Storage Gateway console.
      • Choose "Gateways" from the navigation panel.
      • Choose the desired gateway.
      • Go to the "Details" tab and choose "Edit."
      • Under "Regions," choose "Add Region."
      • Choose the desired region and choose "Add Region."
      • Choose "Save."
      • AWS Storage Gateway will automatically replicate your data to the chosen region, providing a disaster recovery solution.

By regularly backing up your data and configuring cross-region replication, you can help ensure that your data is protected in the event of a disaster, and that you can quickly recover your data if needed.
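An added example (not from the original article) of a backup plan document for the schedule step above, with a reviewer's check over any plan: the cross-region copy is expressed here as an AWS Backup copy action rather than through Storage Gateway, the account id, vault names and regions are constructed, and nothing is sent to AWS (the dict has the shape backup.create_backup_plan() accepts as BackupPlan).

```python
# Added example, not from the original article: a daily AWS Backup plan whose
# rule copies every recovery point to a vault in a second region (an AWS Backup
# copy action, not Storage Gateway), plus a reviewer's check over a plan.
# Account id, vault names and regions are constructed; nothing is sent to AWS.

ACCOUNT = "111122223333"  # constructed

def vault_arn(region, name, account=ACCOUNT):
    return f"arn:aws:backup:{region}:{account}:backup-vault:{name}"

def region_of(arn):
    # arn:partition:service:region:account:resource -> field 3 is the region
    return arn.split(":")[3]

def daily_plan_with_cross_region_copy(dr_region, retention_days=35):
    """One rule: 05:00 UTC daily, 35-day retention, copy to the DR region."""
    return {
        "BackupPlanName": "daily-with-dr-copy",
        "Rules": [{
            "RuleName": "daily-0500-utc",
            "TargetBackupVaultName": "primary-vault",
            "ScheduleExpression": "cron(0 5 ? * * *)",
            "StartWindowMinutes": 60,
            "CompletionWindowMinutes": 180,
            "Lifecycle": {"DeleteAfterDays": retention_days},
            "CopyActions": [{
                "DestinationBackupVaultArn": vault_arn(dr_region, "dr-vault"),
                "Lifecycle": {"DeleteAfterDays": retention_days},
            }],
        }],
    }

def review_plan(plan, primary_region):
    """Findings a DR review raises: no rules, a rule with no schedule or no
    copy action, or a copy whose destination shares the primary region."""
    rules = plan.get("Rules", [])
    if not rules:
        return ["plan has no rules"]
    findings = []
    for rule in rules:
        name = rule.get("RuleName", "<unnamed>")
        if not rule.get("ScheduleExpression"):
            findings.append(f"{name}: no schedule, runs only on demand")
        copies = rule.get("CopyActions", [])
        if not copies:
            findings.append(f"{name}: no copy action, recovery points stay in one region")
        for copy in copies:
            if region_of(copy["DestinationBackupVaultArn"]) == primary_region:
                findings.append(f"{name}: copy destination is in the primary region")
    return findings
```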

See the below video to create AWS backups.

Last updated on August 4, 2021