AWS Public Sector Blog
AWS and the Australian Signals Directorate Essential Eight
Security is a top priority for our public sector customers around the world, and security is best addressed through preventative measures before a compromise occurs. With the Australian Signals Directorate (ASD)’s development of eight key strategies for cybersecurity risk and threat mitigation, our customers can now implement the ASD Essential Eight with our services and support. The ASD Essential Eight is a set of cybersecurity best practices that, when implemented successfully, will provide your agency with a baseline cybersecurity posture.
This post covers compliance with these best practices from three angles: 1) What you can do now in your existing environment; 2) How AWS solutions can help; 3) How a cloud-native approach can further improve your security posture.
ASD Essential Eight
Below are ASD’s eight prioritised mitigation strategies that are essential for government agencies to implement as a security baseline starting point.
- Application whitelisting
- Patch applications
- Disable untrusted Microsoft Office macros
- User application hardening
- Restrict administrative privilege
- Patching operating systems
- Multi-factor authentication
- Daily backup of important data
The following “how to” walks you through how to achieve compliance goals faster and more cost effectively.
Application Whitelisting
Application whitelisting is a security approach designed to protect against unauthorised or malicious code execution, and to ensure that only authorised applications can be executed on a system.
What you can do in your on-premises environment
Security professionals can choose to leverage existing solutions for application whitelisting – whether from Windows AppLocker, a Linux environment, or another third-party solution. The U.S. National Institute of Standards and Technology explains such options in more detail, as products will vary by application file and folder attributes, supported application resources, and techniques for whitelist generation.
How AWS solutions can help
Customers can leverage AWS services to automate the deployment of whitelisting tools, and add layers of control.
AWS Directory Service facilitates the setup and running of directories in the AWS Cloud, and enables users to connect AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it to manage users and groups, provide single sign-on to applications and services, create and apply group policy, join Amazon EC2 instances to a domain, and simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
AWS Systems Manager is a management service that helps you automatically collect a software inventory, apply OS patches, create system images including installation of software such as application whitelisting tools, and configure Windows and Linux OS. These capabilities help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. See this example of how to combine Amazon EC2 Systems Manager State Manager with PowerShell DSC to combat configuration drift in a collection of servers.
For further control of your fleet, AWS Systems Manager integrates with AWS Config to offer visibility into OS configurations, system-level updates, installed applications, network configuration, and more. AWS Config provides a history of OS and system-level configuration changes that you can use for assessing security risks, troubleshooting, and tracking license usage. Additionally, it enables users to assess whether the software on instances and on-premises systems is compliant with their guidelines using AWS Config Rules, as well as allowing the development of custom compliance rules.
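As an added example (not code from the post or from AWS), the following is the decision logic of a custom AWS Config rule for application whitelisting: it compares the applications that Systems Manager Inventory reports for an instance against an allowlist and produces the evaluation record a Lambda-backed rule would hand to AWS Config. The inventory rows are constructed samples shaped like the `AWS:Application` inventory type, and the allowlist entries and instance id are assumptions.

```python
"""Allowlist check for a custom AWS Config rule (added example; not AWS's or the
post's own code).

Compares the applications Systems Manager Inventory reports for an instance
against an allowlist and builds the evaluation record a Lambda-backed Config
rule reports through PutEvaluations. Inventory rows are constructed samples
shaped like the AWS:Application inventory type; allowlist entries are assumed.
"""
from fnmatch import fnmatchcase

# Constructed allowlist: (name pattern, publisher pattern). The publisher is
# checked as well, so a package that merely borrows an approved product's name
# does not pass on name alone.
ALLOWLIST = [
    ("Amazon SSM Agent", "Amazon Web Services"),
    ("Microsoft Office*", "Microsoft Corporation"),
    ("Google Chrome", "Google LLC"),
]

# Constructed sample inventory for one instance (shape of AWS:Application rows).
SAMPLE_INVENTORY = [
    {"Name": "Amazon SSM Agent", "Publisher": "Amazon Web Services", "Version": "3.2.0.0"},
    {"Name": "Microsoft Office Professional Plus 2016", "Publisher": "Microsoft Corporation", "Version": "16.0"},
    {"Name": "Google Chrome", "Publisher": "Contoso Freeware", "Version": "99.0"},  # wrong publisher
    {"Name": "TightVNC", "Publisher": "GlavSoft LLC", "Version": "2.8"},            # not on the list
]


def is_allowed(app, allowlist=ALLOWLIST):
    """True if both the application name and its publisher match one allowlist entry."""
    return any(
        fnmatchcase(app["Name"], name_pat) and fnmatchcase(app.get("Publisher", ""), pub_pat)
        for name_pat, pub_pat in allowlist
    )


def unapproved_applications(inventory, allowlist=ALLOWLIST):
    """Every inventoried application that is not on the allowlist."""
    return [app for app in inventory if not is_allowed(app, allowlist)]


def evaluate_instance(instance_id, inventory, allowlist=ALLOWLIST):
    """Build the evaluation record a custom rule reports to AWS Config."""
    bad = unapproved_applications(inventory, allowlist)
    if bad:
        compliance = "NON_COMPLIANT"
        annotation = "Unapproved software: " + "; ".join(
            f"{a['Name']} ({a.get('Publisher', 'unknown publisher')})" for a in bad
        )
    else:
        compliance = "COMPLIANT"
        annotation = "All inventoried applications are on the allowlist"
    return {
        "ComplianceResourceType": "AWS::EC2::Instance",
        "ComplianceResourceId": instance_id,
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # AWS Config limits annotations to 256 characters
    }


if __name__ == "__main__":
    # "i-0123456789abcdef0" is a placeholder instance id.
    print(evaluate_instance("i-0123456789abcdef0", SAMPLE_INVENTORY))
```

In a real rule, a Lambda function would fetch the inventory with the SSM `ListInventoryEntries` API and pass the record above to AWS Config's `PutEvaluations`. Inventory only reports the metadata installed packages declare about themselves, so this is a compliance check that surfaces drift; enforcement still comes from the whitelisting tool itself (AppLocker or equivalent).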
Note: While not a specific application whitelisting control, you can use AWS network-based controls as part of your layered defence strategy. Amazon VPC provides advanced security features, such as security groups and network access control lists (network ACLs), to enable inbound and outbound filtering at the instance and subnet levels. If you know the required ports and IP ranges for your applications, you can restrict your VPC security group and network ACL rules to that minimum. You can also consider additional network controls such as firewall rules using AWS WAF and proxy solutions for egress traffic.
How a cloud-native approach can improve your security posture
Fixed resources can require upfront costs and lead time to introduce new hardware, whereas the cloud enables the dynamic provisioning of cloud computing solutions. You can think of servers as temporary resources, allowing you to launch as many as you need and only pay for their time in use. Cloud-native solutions include:
Disposable resources instead of fixed servers
With the immutable infrastructure pattern, once a server is launched, rather than updating, it is replaced with a new server containing the latest configuration. When combined with patterns to remove or at least limit the need for administrative login, the opportunity for ad-hoc or unauthorised use of software is limited. This also addresses the issue of configuration drift by keeping a consistent and tested state, making rollbacks easier to perform.
Using services rather than servers
With serverless approaches such as AWS Lambda, you only have access to deploy your function code and associated libraries. This again limits opportunities for unauthorised software installation.
Application streaming allows users without OS-level access to leverage additional software, reducing the risk from that attack vector. For example, Amazon AppStream 2.0 enables users to stream desktop applications from AWS to a web browser running on Windows and Linux PCs, Macs, and Chromebooks, without rewriting them. Amazon AppStream 2.0 provides users instant-on access to the applications they need, and a responsive, fluid user experience on the device of their choice.
Patching
Patching the OS and applications is a fundamental security best practice that we highlight further in the AWS Security Best Practices whitepaper and the Center for Internet Security benchmark for AWS.
What you can do now
AWS allows you to run most existing x86-based software that you would be using in your on-premises environment, including patch management software. This way, you can continue to leverage your existing patch management products in your AWS environments.
How AWS solutions can help
AWS Systems Manager lets you remotely and securely manage the configuration of your managed instances, including Amazon EC2 or non-AWS instances that have the Systems Manager agent deployed. This means you can leverage AWS Cloud-style management for off-cloud infrastructure. Its Patch Manager feature automates the process of patching managed Windows and Linux instances, allowing you to scan for and apply missing patches individually or to large groups of instances by using Amazon EC2 tags. This walkthrough shows how to get started with Patch Manager.
AWS Elastic Beanstalk facilitates the deployment and scaling of web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. Upload your code and Elastic Beanstalk automatically handles the deployment – from capacity provisioning and load balancing to auto-scaling and application health monitoring.
Linux-based Elastic Beanstalk solutions enable you to configure your environment for automatic minor and patch version updates during a configurable weekly maintenance window with Managed Platform Updates.
How a cloud-native approach can improve your security posture
For cloud-native workloads using ephemeral compute, options include disposable resources instead of fixed servers, and the option to use services rather than servers.
Disposable resources instead of fixed servers
The Architecting for Cloud: Best Practices whitepaper discusses the immutable infrastructure pattern for automatically provisioning compute resources and replacing resources when needed rather than patching. Here the focus moves from maintaining a patch state of individual servers to maintaining an environment configuration.
Using services rather than servers
AWS Lambda lets you run code without patching, provisioning, or managing servers. It leverages highly available, fault-tolerant infrastructure, freeing you to focus on building differentiated back-end services. With Lambda, you never have to update the underlying OS when a patch is released, or worry about resizing or adding new servers as your usage grows. You can set up your code to automatically trigger from other AWS services, or call it directly from any web or mobile app.
Disabling Untrusted Microsoft Office Macros & User Application Hardening
Macro lock-down and application hardening are security measures designed to protect against unauthorised or malicious code executing on a system.
What you can do now
With server instances on Amazon EC2 and Amazon WorkSpaces instances, you have full administrative access to your instances so that you can continue to leverage your existing server and application lockdowns. You control the configurations of your instances and should continue to follow hardening best practices for OS and applications. Other lockdowns can include restricting browser plugins and blocking untrusted code in browsers, and third-party products can serve as layered defence.
How AWS solutions can help
AWS Systems Manager, in concert with its State Manager feature, provides consistent, standardised application installation and configuration capabilities.
The AWS Marketplace provides a channel for third parties to provide standardised installations of OS and applications. For example, the Center for Internet Security provides a collection of hardened images for multiple versions of Linux and Windows OS.
How a cloud-native approach can improve your security posture
AWS services such as Amazon AppStream 2.0, which can be made available in a preconfigured and hardened form, minimise the scope for configuration modification.
Restricting Administrative Privilege & Multi-factor Authentication
What you can do now
In addition to securing access to AWS, you should continue controlling access to any server OS layers or applications in your solution, whether on-premises or on Amazon EC2. For example, with Microsoft Windows servers running on AWS, you can join the servers to an Active Directory (AD) domain and then leverage standard AD mechanisms to restrict administrative privilege and enable multi-factor authentication (MFA).
How AWS solutions can help
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM can federate with a SAML 2.0 identity provider if you wish to enable a single source of identity at both the AWS and OS level, as described here.
AWS Multi-factor Authentication (MFA) is a security capability that provides an additional layer of authentication on top of your user name and password. It requires you to provide an additional piece of information that only you have physical access to, which can come from a dedicated MFA hardware device or an app on a phone. To learn more about MFA, watch this video, and see Securing Access to AWS Using MFA and Enabling a Virtual Multi-Factor Authentication (MFA) Device.
AWS Systems Manager Automation also functions to constrain administration operations to only the tasks developed in controlled automation documents, as further illustrated in this blog post.
How a cloud-native approach can improve your security posture
When using higher-level managed services, you have the opportunity to leverage IAM for fine-grained access control rather than needing to manage at the OS level. For example, with Amazon S3 you can define IAM policy to control access to objects, and with Amazon DynamoDB you can use IAM policies to control row- and column-level access in database tables.
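The two IAM controls described above (MFA as a condition of access, and fine-grained row-level access in DynamoDB) are easiest to understand by watching a policy get evaluated against sample requests. The block below is an added example, not AWS code and not from the post: it is a deliberately small model of IAM's decision logic (explicit Deny wins, then any Allow, else implicit Deny) covering only the condition operators the two policies use. Real evaluation is performed by IAM itself; the account id, table ARN and user names are constructed placeholders.

```python
"""Mini IAM policy evaluator (added example; not AWS code and not the post's).

Models just enough of IAM to show two controls from the text: (1) an explicit
Deny that blocks every action unless the request carries MFA, and (2) DynamoDB
row-level access scoped to the caller's own user name. Real evaluation is done
by IAM; the account id, table and user names below are constructed placeholders.
"""
from fnmatch import fnmatchcase

TABLE = "arn:aws:dynamodb:ap-southeast-2:111122223333:table/CaseNotes"  # placeholder ARN

# Deny-unless-MFA. BoolIfExists matters: a request signed with a long-term
# access key never carries aws:MultiFactorAuthPresent at all, and a plain Bool
# test would let it through.
MFA_GUARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:EnableMFADevice", "iam:CreateVirtualMFADevice"],
         "Resource": "*"},  # self-service MFA enrolment must stay reachable without MFA
        {"Effect": "Deny",
         "NotAction": ["iam:EnableMFADevice", "iam:CreateVirtualMFADevice", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Row-level DynamoDB access: only items whose partition key equals the caller's user name.
DDB_ROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": TABLE,
         "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["${aws:username}"]}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [e.replace("${aws:username}", ctx.get("aws:username", "")) for e in _as_list(expected)]
            actual = ctx.get(key)
            if op == "Bool":            # key must be present and equal
                if actual is None or str(actual).lower() != expected[0]:
                    return False
            elif op == "BoolIfExists":  # an absent key counts as a match
                if actual is not None and str(actual).lower() != expected[0]:
                    return False
            elif op == "ForAllValues:StringEquals":  # every request value must be in the allowed set
                if not all(v in expected for v in _as_list(actual or [])):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def _applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """IAM order of evaluation: explicit Deny wins, then any Allow, else implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed request contexts for a user named "alice".
MFA_OWN_ROWS = {"aws:username": "alice", "aws:MultiFactorAuthPresent": True, "dynamodb:LeadingKeys": ["alice"]}
MFA_OTHERS_ROWS = {"aws:username": "alice", "aws:MultiFactorAuthPresent": True, "dynamodb:LeadingKeys": ["bob"]}
SESSION_NO_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": False, "dynamodb:LeadingKeys": ["alice"]}
ACCESS_KEY = {"aws:username": "alice", "dynamodb:LeadingKeys": ["alice"]}  # MFA key absent entirely


def demo():
    policies = [MFA_GUARD_POLICY, DDB_ROW_POLICY]
    return {
        "mfa_own_rows": evaluate(policies, "dynamodb:GetItem", TABLE, MFA_OWN_ROWS),          # Allow
        "mfa_others_rows": evaluate(policies, "dynamodb:GetItem", TABLE, MFA_OTHERS_ROWS),    # Deny
        "session_without_mfa": evaluate(policies, "dynamodb:GetItem", TABLE, SESSION_NO_MFA), # Deny
        "access_key_no_mfa": evaluate(policies, "dynamodb:GetItem", TABLE, ACCESS_KEY),       # Deny
        "access_key_enrol_mfa": evaluate(policies, "iam:EnableMFADevice", "*", ACCESS_KEY),   # Allow
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {verdict}")
```

Two details carry over directly to real policies: `BoolIfExists` is what makes the deny bite on long-term access keys, and `ForAllValues` evaluates to true when the condition key is absent from the request, which is why the DynamoDB statement lists only the item-level actions that populate `dynamodb:LeadingKeys`.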
Backing Up Important Data
What you can do now
Customers can continue to leverage their backup software solutions in conjunction with AWS storage services, such as Amazon S3 as a backup target. Check out the AWS Partner Network partners who have adapted their services and software to work with S3 for solutions like Backup & Recovery, Archiving, and Disaster Recovery. Data written to S3 is redundantly stored across three Availability Zones, and multiple devices within each AZ, to achieve 99.999999999% durability.
How AWS solutions can help
Amazon EBS provides the ability to protect your data by creating point-in-time snapshots of EBS volumes, which are backed up to Amazon S3 for long-term durability. To help improve data protection and recovery, it is a best practice to regularly back up Amazon EC2 instances using EBS snapshots. Read on to learn how to set this up as an automated process, and discover how we support Microsoft Volume Shadow Copy Service-enabled snapshots.
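An automated snapshot process has to decide not only when to take snapshots but which ones to keep, or the volume of snapshots grows without bound. The block below is an added example, not the post's or AWS's own code: a grandfather-father-son retention plan over snapshot records shaped like `DescribeSnapshots` output. The snapshot ids, dates and the `Retain=legal-hold` tag are constructed; a real job would feed in `ec2.describe_snapshots()` results and pass the delete list to `ec2.delete_snapshot()`.

```python
"""Retention plan for an automated EBS snapshot job (added example; not AWS's
or the post's own code).

Grandfather-father-son scheme: keep everything from the last `daily_days`
days, one snapshot per ISO week back to `weekly_weeks`, one per month back to
`monthly_months`, anything tagged Retain=legal-hold, and delete the rest.
Snapshot records are constructed samples shaped like DescribeSnapshots output.
"""
from datetime import datetime, timedelta, timezone


def _tags(snap):
    """DescribeSnapshots returns tags as [{"Key": ..., "Value": ...}]; flatten to a dict."""
    return {t["Key"]: t["Value"] for t in snap.get("Tags", [])}


def plan_retention(snapshots, now, daily_days=7, weekly_weeks=4, monthly_months=12):
    """Return (keep, delete): keep is a list of (snapshot id, reason), delete a list of ids."""
    keep, delete = [], []
    weeks_covered, months_covered = set(), set()
    # Newest first, so the first snapshot seen in a given week or month is the one retained.
    for snap in sorted(snapshots, key=lambda s: s["StartTime"], reverse=True):
        start = snap["StartTime"]
        age = now - start
        week = start.isocalendar()[:2]      # (ISO year, ISO week number)
        month = (start.year, start.month)
        reason = None
        if _tags(snap).get("Retain") == "legal-hold":
            reason = "legal-hold tag"       # never aged out automatically
        elif age <= timedelta(days=daily_days):
            reason = "daily window"
        elif age <= timedelta(weeks=weekly_weeks) and week not in weeks_covered:
            reason = "weekly"
        elif age <= timedelta(days=30 * monthly_months) and month not in months_covered:
            reason = "monthly"              # 30-day months are a deliberate approximation
        if reason:
            keep.append((snap["SnapshotId"], reason))
            weeks_covered.add(week)
            months_covered.add(month)
        else:
            delete.append(snap["SnapshotId"])
    return keep, delete


def _snap(sid, year, month, day, tags=()):
    """Constructed record in the shape of one DescribeSnapshots entry."""
    return {"SnapshotId": sid, "VolumeId": "vol-placeholder",
            "StartTime": datetime(year, month, day, tzinfo=timezone.utc),
            "Tags": [{"Key": k, "Value": v} for k, v in tags]}


NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)  # constructed "current time"
SAMPLE_SNAPSHOTS = [                              # constructed ids and dates
    _snap("snap-daily1", 2020, 2, 28),
    _snap("snap-daily2", 2020, 2, 25),
    _snap("snap-w1", 2020, 2, 18),
    _snap("snap-w1b", 2020, 2, 17),               # same ISO week as snap-w1: redundant
    _snap("snap-m1", 2020, 1, 15),
    _snap("snap-m1b", 2020, 1, 5, tags=(("Retain", "legal-hold"),)),
    _snap("snap-old", 2018, 12, 1),               # beyond the monthly horizon
]


if __name__ == "__main__":
    keep, delete = plan_retention(SAMPLE_SNAPSHOTS, NOW)
    for sid, why in keep:
        print(f"keep   {sid:12s} ({why})")
    for sid in delete:
        print(f"delete {sid}")
```

Run the plan in a dry-run mode first and log both lists; an automated delete that runs against the wrong account or tag filter is itself a data-loss event, so the job's IAM role should be limited to snapshots carrying the tag it created.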
Backup features are also included as part of Amazon database services such as Amazon Relational Database Service, Amazon Redshift, and Amazon DynamoDB. Check out our Backup and Recovery Approaches Using AWS whitepaper for more.
How a cloud-native approach can improve your security posture
As in the case of the immutable infrastructure pattern, storing the server image template in S3 and all infrastructure configuration templates in source control can reduce the need to continuously image servers for backup. By focusing instead on the secure storage of server images, infrastructure templates, and actual data, you can potentially reduce backup times and costs.
S3’s versioning capability, combined with enabling MFA Delete, provides even further protection for your stored data, which may impact your storage and backup strategies.
For more on how the AWS Cloud helps customers strengthen their security posture, check out the AWS Security Best Practices whitepaper. For further guidance on meeting ASD guidance, read about Understanding the ASD’s Cloud Computing Security for Tenants in the Context of AWS.
A post by John Hildebrandt, Principal Solutions Architect, AWS