Meet Your Shared Security Responsibility on AWS with CIS
Gartner forecasts that global public cloud end user spending will grow 23% in 2021. With the continuous increase in cloud computing, cloud security is more important than ever.
In Amazon Web Services (AWS), there’s a shared security responsibility between AWS and the customer (you). Each AWS environment and service has different functions, and they also have different security needs. This shared responsibility model defines the division of responsibilities between the customer and AWS, and the grouping of these responsibilities by AWS environment/service. Conveniently, the chart below identifies where the responsibilities lie within different environments.
The AWS Shared Security Responsibility Model
The chart above shows that most of the AWS customer's accountability is for security within the cloud — like protecting the organization's data. Conversely, AWS is typically responsible for security of the cloud, including physical security of AWS infrastructure.
It's easier said than done to hold up the clients’ end of the bargain with the shared responsibility model. No matter which AWS Cloud service is used, protection of the organization's data is always up to the organization itself. That’s a big responsibility! According to Gartner, “Through 2025, at least 95% of cloud security failures will be the customer’s fault.” However, there are actions you can take to secure your cloud infrastructure with CIS resources.
A Path to Cyber Hygiene in the Cloud
Before diving into details such as configuring encryption at rest for CloudTrail logs with AWS Key Management Service (KMS) keys, which protects against unauthorized access to the log files, your organization should assess its overall cyber hygiene. You can measure your organization against a recognized security best practice.
There are a variety of tools available for the task, such as the CIS Controls. This is a free, internationally-recognized set of cybersecurity best practices. Prioritized and prescriptive in nature, they are the definition of "how" to achieve basic cyber hygiene.
For organizations using the CIS Controls on AWS, we offer the CIS Controls Cloud Companion Guide. The guide outlines the four main types of cloud service, Infrastructure as a Service (IaaS), Software as a Service (SaaS), Platform as a Service (PaaS), and Function as a Service (FaaS), and maps each of them to the CIS Controls.
Secure Your Account on AWS Cloud
Whether you're operating on-prem or in the cloud, one thing remains constant: the software and hardware your systems run on ship with defaults that assume a different division of security responsibility than the one you actually carry. This is why it's important to review your systems' configurations and implement secure settings, such as those in the CIS Benchmarks. The CIS Benchmarks are vendor-agnostic, consensus-developed cybersecurity configuration guidelines.
The CIS AWS Foundations Benchmark provides the security community with the account-level basics for configuring, deploying, and securing services in AWS environments with prescriptive configuration recommendations.
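As an added illustration of what an account-level Benchmark check looks like in practice (this is example code written for this article, not CIS's own tooling or part of the Benchmark), the script below audits the CloudTrail settings mentioned earlier: KMS encryption at rest, plus multi-region coverage and log file validation, all of which are recommendations in the Benchmark's logging section (recommendation numbers differ between Benchmark versions). It reads JSON in the shape returned by `aws cloudtrail describe-trails --output json`; the field names are the real describe-trails fields, while the trail names, bucket names, account ID and key ARN in the embedded sample are constructed.

```python
"""Audit CloudTrail trails against three CIS AWS Foundations Benchmark
logging recommendations: multi-region coverage, log file validation,
and encryption at rest with a KMS key.

Input is JSON in the shape returned by
`aws cloudtrail describe-trails --output json`. A constructed sample is
embedded so the script runs offline.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of describe-trails output (not real
# account data): one compliant trail and one with three gaps.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-org-cloudtrail-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                        "00000000-0000-0000-0000-000000000000",
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-legacy-logs",
            "HomeRegion": "us-west-2",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
            # No KmsKeyId: log objects are not encrypted with a KMS key.
        },
    ]
})


def audit_trails(describe_trails_json: str) -> Dict[str, List[str]]:
    """Return {trail name: [findings]} for every trail in the payload.

    An empty findings list means the trail passes all three checks.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    findings: Dict[str, List[str]] = {}
    for trail in trails:
        name = trail.get("Name") or trail.get("TrailARN", "<unnamed>")
        problems: List[str] = []
        if not trail.get("IsMultiRegionTrail", False):
            # A single-region trail records API activity only in HomeRegion.
            problems.append("not a multi-region trail: activity outside "
                            f"{trail.get('HomeRegion', '?')} is not logged")
        if not trail.get("LogFileValidationEnabled", False):
            # Without digest files, deleted or altered logs go unnoticed.
            problems.append("log file validation disabled: tampering with "
                            "delivered log files cannot be detected")
        if not trail.get("KmsKeyId"):
            # KmsKeyId is set only when CloudTrail encrypts with a KMS key.
            problems.append("no KmsKeyId: logs are not encrypted at rest "
                            "with a KMS key")
        findings[name] = problems
    return findings


def account_has_compliant_trail(describe_trails_json: str) -> bool:
    """True if at least one trail passes every check, the minimum an
    account needs to satisfy these recommendations."""
    return any(not f for f in audit_trails(describe_trails_json).values())


if __name__ == "__main__":
    # To audit a live account, feed in the output of
    # `aws cloudtrail describe-trails --output json` instead of the sample.
    for trail, problems in audit_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print(f"[{'PASS' if not problems else 'FAIL'}] {trail}")
        for p in problems:
            print(f"    - {p}")
```

The KMS check only confirms that a key is configured; whether the key policy restricts who can decrypt the logs is a separate review of the key itself, and a trail that passes all three checks still needs its S3 bucket locked down, which the Benchmark covers in neighbouring recommendations.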
Secure Your VMs
Once you secure your AWS account with the CIS AWS Foundations Benchmark, you should harden your virtual machines (VMs). CIS Hardened Images are pre-configured VM images, available through AWS Marketplace, that CIS builds from the vendor's base image and hardens according to the configuration guidelines of the corresponding CIS Benchmark.
CIS AWS Shared Responsibility Model Resource
The shared responsibility model for compliance and security provides clarity on security expectations for customers and AWS. However, an understanding of the expectation is just the first step. Users must act on these responsibilities by creating policies and procedures for their portion of cloud security.
Used together or individually, the CIS Controls, CIS Benchmarks, and CIS Hardened Images can help organizations in the cloud meet the shared security responsibility more easily. In this guide, we provide a deep dive into the AWS Shared Responsibility Model and how CIS resources help meet those responsibilities.