Skip to main content

New eBook: Security Service Edge (SSE) for dummies. Click here to download the eBook now.

How to deliver AWS security that guards data everywhere and stops elusive attacks

Step 1: Get an understanding of your risk posture

You need a snapshot of where you stand with regards to sensitive data in AWS S3 and misconfigurations in AWS that can leave you vulnerable to attacks.

Get an understanding of your risk posture

With Netskope, you can: Get an ongoing assessment that helps you identify and remediate compliance and security risks within your AWS environment. Find unauthorised use of AWS and stop unauthorised accounts from access.Follow cloud-specific security and compliance frameworks to inform your security posture. You can start with the CIS AWS Foundations Benchmark, which provides a framework for AWS security best practices. For organisations doing business with the federal government, Netskope incorporates the NIST Cybersecurity Framework. There are different compliance guidelines for payments and many other that can be the foundation you measure against. This will help guide how you secure your configurations.

Step 2: Protect data in S3 buckets

Many breaches have been caused by poorly configured S3 buckets that grant improper access to sensitive data like PII. A good best practice is to review any bucket with permissions granted to “Everyone,” especially when sensitive data is involved.

Protect data in S3 buckets

With Netskope, you can: View a report at any time showing S3 exposure against identified benchmarks and best practices, with recommendations on necessary remediation steps. Scan your S3 buckets for sensitive content and apply cloud DLP policies to prevent unauthorised activity. When a policy violation occurs, coach the application owner, notify the security admin or block certain users from downloading or uploading sensitive files stored in S3 based on location and device used.

Step 3: Scan S3 buckets for malware

Protecting the enterprise from cloud-based malware involves gaining visibility into all cloud traffic. Perhaps you can see across your SaaS applications, but cybercriminals can reach far beyond to IaaS applications as well. If your S3 bucket contains files coming in from public sources you are most susceptible to being exposed to malware. Even internal files being stored on S3 may have ransomware or botnets attached. Remember, the Shared Responsibility Model means protection of the data is a customer’s responsibility, and this includes protection against malware.

Scan S3 buckets for malware

With Netskope, you can: Get multi-layered threat protection in your IaaS environment that traditional malware scanning tools do not cover. Netskope uses multiple real-time and deep detection engines to protect against malware en route to and from your IaaS environment. You can scan traffic coming from rogue/unsanctioned accounts and block this activity. This protection extends not only to your corporate managed devices but also to unmanaged devices that may be used to access your IaaS environment.

Step 4: Provide real-time visibility and control of access to AWS Management Console

Users logging into the management console can have unfettered access to functions such as create, delete, start, and stop across AWS instances. This presents an opportunity to do major damage that you can equate to “taking down a data centre.” You need the ability to achieve real-time visibility and control of activities tied to AWS instances.

Provide real-time visibility and control

With Netskope, you can: Get real-time visibility of activities taking places against AWS instances and put real-time policy controls in place to block certain activities or restrict based on user, group, or OU. Since Netskope is continuously assessing your AWS environment, you can even see instances that may only be set up temporarily to perform a discrete activity.

Step 5: Continuously monitor your environment

You need a platform to rely on that can keep you abreast of security deviations. In an dynamic environment like AWS where the dev-ops team is making changes on a continuous basis whether deploying new resources, modifying existing, or spinning down resources, customers need to continuously monitor the AWS environment for misconfiguration and vulnerabilities.

Continuously monitor your environment

With Netskope, you can: Continuously monitor and audit your AWS configuration with Netskope’s Continuous Security Assessment. Use the CIS benchmark as a yardstick to make sure you are compliant and to mitigate the risk of misconfiguration. The CIS Benchmark supports many best practices for configuration in your AWS environment such as confirming that two factor auth is enabled, access keys are rotated every 90 days, or least access is enabled for VPCs. If violations are found, these items flagged as Critical, High, Medium, or Low. The admin can find detailed information about each violation and recommended remediation steps.

Secure your AWS workloads today with EveryCloud