Vulnerability Management for Amazon Web Services (AWS)
- Sep 06, 2013
- Guest Author
As the benefits of cloud computing drive increased adoption by businesses, the fastest growing area of public cloud computing appears to be Infrastructure-as-a-Service (IaaS). But in adopting an IaaS model, businesses often leave the safety of their applications to the service provider and move blindly to the cloud, disregarding commonly held security practices.
The trouble is that businesses are not doing their security homework before choosing their IaaS provider. According to Ponemon Institute’s “Security of Cloud Computing Users 2013” study, fewer than half of the companies surveyed reported evaluating IaaS resources for security prior to deployment.
According to Amazon Web Services Security Center, “Because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS manages the underlying infrastructure but you must secure anything you put on the infrastructure. This includes your AWS EC2 instances and anything you install on them, any accounts that access your instances, the security group that allows outside access to your instances, the VPC subnet that the instances reside within if you’ve chosen this option, the external access to your S3 buckets, etc.”
That means that the onus is on you to understand where your organization stands from a risk perspective.
Our experience and guidance for cloud security is to approach it in the same way as on-premises infrastructure and applications. Vulnerability assessments and penetration tests are worthwhile exercises. However, before you begin scanning or testing against AWS instances, you need to fill out the AWS Vulnerability / Penetration Testing Request Form. When we perform services on behalf of our customers, the request requires that they be logged into the portal using the credentials associated with the AWS instances, and we are informed once permission has been granted.
NopSec has first-hand knowledge of vulnerability management for Amazon Web Services. We host Unified VRM software-as-a-service using AWS infrastructure. We are proud to be listed in the AWS Marketplace as a verified security provider. View our listing here
Learn more about NopSec’s proactive approach to vulnerability management and the methodology we use to secure applications and infrastructure from security breaches. Best Practices Guide: Vulnerability Management.