Tuesday, April 16, 2013

Part 13: Amazon EBS Security Practices & Tips

Security Practice 1: IAM your EBS Volumes
Access to an Amazon EBS volume is restricted to the AWS account that created it, and within that account it can be restricted further to specific users with AWS IAM policies. For example, you can use AWS IAM to grant a user the EBS operations they need while denying all other AWS accounts and users permission to view or access that EBS volume. IAM is a powerful and still-evolving feature of AWS and should be adopted wherever fine-grained access controls are needed.

Security Practice 2: Wiping Data from Amazon EBS Volumes

Amazon EBS volumes are presented to you as raw, unformatted block devices that have been wiped before being made available for your use. Some businesses, however, have stringent data security policies and follow more sophisticated guidelines for media sanitization. For such cases, Amazon EBS also lets you wipe the data yourself using a method of your choice. For example, you can follow the DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 methodology for wiping data on EBS volumes. Conduct the specialized wipe procedure before deleting the volume so that you stay in compliance with your established requirements.

Security Practice 3: Sharing Amazon EBS snapshots
Amazon EBS volume snapshots can be shared with other AWS accounts and even made publicly available. Sharing a snapshot, however, does not give other AWS accounts permission to alter or delete the original snapshot; that right is explicitly reserved for the AWS account that created the volume, as part of the security controls. Since an Amazon EBS snapshot is a block-level view of the entire EBS volume, data that is not visible in the file system on the volume may still be present in the snapshot.

To learn more about how EBS snapshots work, refer to the article:

If you intend to share a snapshot, first ensure that sensitive data and files have been properly deleted from the EBS volume.
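As an added example (not part of the original post), the following audit function checks a snapshot's createVolumePermission attribute and flags snapshots that are public or shared with accounts outside an allow-list. The permission lists mirror the shape returned by boto3's ec2.describe_snapshot_attribute(SnapshotId=..., Attribute="createVolumePermission"); the snapshot and account IDs are constructed sample values.

```python
"""Audit EBS snapshot sharing from the createVolumePermission attribute.

Added example, not from the original post. The permission lists have the shape of
the "CreateVolumePermissions" field returned by boto3's
ec2.describe_snapshot_attribute(SnapshotId=..., Attribute="createVolumePermission").
All snapshot and account IDs below are constructed sample values.
"""


def classify_snapshot_sharing(snapshot_id, permissions, allowed_accounts):
    """Return (status, details) for one snapshot.

    status is one of:
      "public"     - shared with the 'all' group (any AWS account can copy it)
      "unexpected" - shared with account IDs that are not in allowed_accounts
      "private"    - not shared, or shared only with allowed accounts
    """
    public = any(p.get("Group") == "all" for p in permissions)
    shared_with = {p["UserId"] for p in permissions if "UserId" in p}
    unexpected = sorted(shared_with - set(allowed_accounts))
    if public:
        status = "public"
    elif unexpected:
        status = "unexpected"
    else:
        status = "private"
    details = {"snapshot_id": snapshot_id,
               "shared_with": sorted(shared_with),
               "unexpected": unexpected}
    return status, details


def audit(snapshot_permissions, allowed_accounts):
    """Run the check over a {snapshot_id: permissions} mapping and return only findings that need attention."""
    findings = []
    for snap_id, perms in snapshot_permissions.items():
        status, details = classify_snapshot_sharing(snap_id, perms, allowed_accounts)
        if status != "private":
            findings.append((status, details))
    return findings


# Constructed sample data standing in for live API responses.
SAMPLE = {
    "snap-0aaa111": [],                                   # never shared
    "snap-0bbb222": [{"UserId": "111111111111"}],         # shared with an approved partner account
    "snap-0ccc333": [{"Group": "all"}],                   # public: any AWS account can copy it
    "snap-0ddd444": [{"UserId": "222222222222"}, {"UserId": "333333333333"}],  # shared outside the allow-list
}
ALLOWED = ["111111111111"]

if __name__ == "__main__":
    for status, details in audit(SAMPLE, ALLOWED):
        print(f"{status:10} {details['snapshot_id']} shared_with={details['shared_with']}")
```

In a real audit, replace SAMPLE with the permissions returned for each snapshot owned by your account and review every non-private finding.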

Security Practice 4: Storing AWS Credentials on an EBS Snapshot Securely
This is an important security practice to carry out in combination with AWS IAM when working with EBS snapshots. The following article by Shlomo Swidler illustrates it in detail:
