Designing a secure AWS environment
Aug 1st, 2022
Author: Teza Wynn
Cloud Technical Specialist | Partner Success Centre
Cloud security is a broad term, and there are many aspects of your environment that need to be secured to protect it from vulnerabilities. This is crucial when the environment holds private API keys, databases, dependencies, containers and so on: none of these should be reachable from the public internet.
Depending on their environment, end users may also need to protect their web applications, analyse the resulting logs, and remediate automatically when activity deviates from the expected baseline.
For example, for web application protection you could use AWS Web Application Firewall (WAF), where managed and custom rules block common attack patterns such as SQL injection or cross-site scripting. It also protects your web applications and APIs against common web exploits and bots that may compromise the availability or integrity of your site. Rule changes propagate in under a minute and can be deployed across your environment, so a new rule can be in effect quickly when an attack pattern emerges.
HashiCorp’s Terraform Cloud is a SaaS platform that provisions infrastructure on demand or in response to events such as a code push. Westcon provides Terraform Cloud SaaS and professional services to configure it and provision to AWS and other cloud providers. Note that Terraform state files can contain secrets in plain text, so the state itself needs the same protection as the credentials it describes.
Another best practice is to have a good disaster recovery (DR) plan. Disaster recovery options in the cloud range from simple, low-cost backups up to complex, highly resilient redundant designs that fail over automatically according to rules. The strategy and approach depend on your workload and on your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets. For the simplest use cases you can take snapshots of your AWS resources (EBS volumes, RDS instances, etc.) and back up application data to Amazon Simple Storage Service (Amazon S3) in the account; copying those backups to a separate account or Region means a compromised account cannot delete them along with the workload. For more complex recovery, define the environment as Infrastructure as Code (IaC) using services such as AWS CloudFormation or the AWS Cloud Development Kit (AWS CDK), so that it can be rebuilt repeatably elsewhere.
Alerting and notification on top of good monitoring are also important in creating secure environments for web and application workloads. Amazon Simple Notification Service (SNS) and Amazon Simple Email Service (SES) are the delivery tools in your arsenal; the alarms themselves typically come from Amazon CloudWatch, which publishes to SNS topics. Third-party tools such as CloudCheckr offer fine-grained alerting to detect anomalies such as cost spikes.
AWS Identity and Access Management (IAM) is fundamental to all of this. You need to ensure that the people and roles across the organisation can access the resources and tools they require to do their jobs, while the policies granting that access are scoped to least privilege. The root user should never be used for daily operations; individual IAM identities (users, or preferably roles assumed through federation) should be used instead, with multi-factor authentication (MFA) enabled as an additional layer of security. The root user itself should have MFA enabled and no access keys.
AWS CloudTrail is a tool you should not miss: it records API activity in your account and should be enabled in every AWS environment, ideally as an organisation-wide trail covering all Regions. Trails and their logs must be secured; preferably, logs should be delivered to a centralised logging account where no workloads run, with log file validation enabled so that tampering with delivered logs can be detected.
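As an added example of what to do with those logs (not code from the original post), the following reads CloudTrail records and flags the three things the previous paragraphs say should never happen quietly: root user activity, console sign-ins without MFA, and API calls that stop or weaken the trail itself. The records, account ID and IP addresses are constructed placeholders, not data from a real account.

```python
import gzip
import json
from pathlib import Path

# Constructed sample CloudTrail records, not taken from a real account. The
# account ID and IP addresses are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {   # root user signing in to the console without MFA
        "eventTime": "2022-08-01T02:15:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # ordinary IAM user with MFA: expected, not flagged
        "eventTime": "2022-08-01T03:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # someone switching the trail off
        "eventTime": "2022-08-01T03:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "198.51.100.9",
        "requestParameters": {"name": "org-trail"},
    },
]})

# CloudTrail API calls that disable or weaken logging itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def analyse_records(log_text):
    """Return (finding, eventTime, principal, eventName, sourceIP) tuples for
    the records an operator should be paged about."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("arn") or ident.get("type")
        name = rec.get("eventName")
        key = (rec.get("eventTime"), principal, name, rec.get("sourceIPAddress"))
        # Any root activity is a policy violation once daily ops use IAM identities.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY",) + key)
        # Console sign-in records carry MFAUsed in additionalEventData.
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("LOGIN_WITHOUT_MFA",) + key)
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("TRAIL_TAMPERING",) + key)
    return findings


def analyse_file(path):
    """CloudTrail delivers gzip-compressed JSON objects to S3; accept both the
    compressed form and a plain .json file."""
    p = Path(path)
    with (gzip.open(p, "rt") if p.suffix == ".gz" else open(p)) as fh:
        return analyse_records(fh.read())


if __name__ == "__main__":
    for finding in analyse_records(SAMPLE_LOG):
        print("ALERT", *finding)
```

In practice the same rules would run as CloudWatch metric filters or EventBridge rules feeding an SNS topic, so that the alert arrives within minutes rather than at the next batch run; the point of the script is to show exactly which fields each rule keys on.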
Overall, AWS architecture should be designed with security in mind; security is one of the pillars of the AWS Well-Architected Framework.
The good news is that Westcon has you covered. We have AWS Certified Security Professionals with many years of information security experience at your disposal who can help you analyse and secure your AWS infrastructure using modern, leading-edge tools. We can help you analyse the environment, obtain security reports, secure it, and add monitoring and alerting mechanisms so that you are always one step ahead of security issues. If you have any questions or concerns about AWS cloud environment security, please do not hesitate to contact the Partner Success Centre (PSC) at
NZ Cloud Sales: +64 9 477 7211 Email: [email protected]
AU Cloud Sales: +61 2 8412 1212 Email: [email protected]
SG Cloud Sales: +65 6424 0570 Email: [email protected]
ID Cloud Sales: +62 21 8062 1470 Email: [email protected]