AWS Security Checklist: Essential Steps for SMBs
Protect your SMB from cyberattacks with essential AWS security measures, ensuring compliance and safeguarding sensitive data.
Cyberattacks are a growing threat to UK small and medium-sized businesses (SMBs), with 43% of breaches targeting them. Recovery is tough - 83% of SMBs lack the financial resources to bounce back. To protect your AWS environment and meet GDPR requirements, follow these key steps:
- Enable Multi-Factor Authentication (MFA): Secure all accounts, starting with the root account.
- Use Least-Privilege Permissions: Limit user and role access to only what’s necessary.
- Strengthen Password Policies: Require strong, unique passwords with regular updates.
- Encrypt Your Data: Apply encryption for data in transit and at rest using AWS KMS.
- Automate Backups: Schedule daily, weekly, and monthly backups for critical systems.
- Secure Your Network: Use security groups, NACLs, and VPC configurations to restrict access.
- Set Up Logging and Monitoring: Enable AWS CloudTrail, GuardDuty, and automated alerts for tracking and response.
These measures reduce risks, ensure compliance, and protect sensitive data. SMBs can use AWS tools to cut security incidents by 43.4% and downtime by 69%. Start building a secure, resilient AWS environment today.
Beginner's Guide to AWS Security - @CloudSecurityPodcast
Basic AWS Security Setup
Setting up security measures in AWS focuses on three main areas: authentication, access control, and password management.
Set Up Multi-Factor Authentication
Multi-factor authentication (MFA) is a critical step in preventing unauthorised access. AWS offers several MFA options, including passkeys, security keys, virtual authenticator apps, and hardware TOTP tokens.
Make sure to enable MFA for both the root account and all IAM users. For example, in March 2023, the AWS IAM team introduced passkey support, which led to a 40% drop in phishing attempts and a 25% increase in MFA adoption.
Here’s how to implement MFA effectively:
- Enable MFA for the root account
- Set up MFA for all IAM users with console access
- Register multiple MFA devices as backups
- Safely store QR codes and configuration keys
"For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS resources." - AWS Documentation
Once MFA is in place, focus on restricting access with least-privilege permissions.
Configure Access Permissions
Least-privilege access ensures users and roles only have the permissions they need, reducing the risk of unauthorised resource use. AWS Identity and Access Management (IAM) lets you create precise permission sets for different roles.
Begin with AWS-managed policies for common tasks, then move to custom policies as your needs grow. Use IAM Access Analyzer to review actual usage patterns, helping you refine policies and remove unnecessary permissions.
| Permission Level | Best Practice | Implementation Method |
|---|---|---|
| Root Account | Minimal usage | Enable MFA, restrict access |
| IAM Users | Least privilege | Custom policies, regular reviews |
| Temporary Access | Time-limited | IAM roles with expiration |
| Cross-account | Controlled sharing | Service control policies (SCPs) |
Strengthen access control further by enforcing a robust password policy.
Create Password Rules
A strong password policy reduces the likelihood of compromised credentials. Although AWS's default policy requires a minimum of 8 characters, organisations should adopt stricter rules.
Customise your password policy to include:
- Passwords between 12 and 128 characters
- A mix of uppercase, lowercase, numbers, and symbols
- Mandatory password rotation every 90 days
- Prevention of password reuse
- Administrator reset for expired passwords
Keep in mind that these rules don’t apply to root account credentials or IAM access keys. Combining strong password policies with MFA offers a solid defence against unauthorised access.
Data Security Methods
To strengthen your data security, focus on protecting both your credentials and sensitive information. Once access is secured, prioritise methods like encryption, regular backups, and compliance with GDPR regulations.
Set Up Data Encryption
AWS offers tools to encrypt data both during transfer and storage using AES-256 encryption. Apply encryption to these key areas:
| Data State | Encryption Method | AWS Service |
|---|---|---|
| In Transit | SSL/TLS | AWS Site-to-Site VPN |
| At Rest | Server-side | AWS KMS |
| Cross-Region | Physical Layer | AWS Global Network |
Key encryption steps:
- Configure KMS Keys: Use customer-managed keys for RDS encryption. These keys are permanent once set, so plan carefully.
- Enable Transport Encryption: For PostgreSQL and SQL Server, set the
rds.force_sslparameter to1in your parameter group to enforce SSL connections. - Validate Encryption: Use AWS Config with the
rds-storage-encryptedrule to confirm encryption standards are consistently applied to all RDS instances.
"We only process customer data – that is any personal data you upload to your AWS account – under your documented instructions and do not access, use, or share your content without your agreement, as described in our AWS Customer Agreement and AWS GDPR Data Processing Addendum (AWS GDPR DPA)." - Amazon Web Services
Schedule Data Backups
Automated backups are a reliable way to secure data, with many organisations using Amazon S3, EBS snapshots, and S3 Glacier for this purpose.
Develop a backup strategy that includes:
- Daily incremental backups for critical systems
- Weekly full backups for all data
- Monthly archives for long-term storage
- Automated lifecycle policies to optimise storage costs
Meet GDPR Standards
If you're an SMB in the UK, ensure your AWS setup aligns with UK GDPR and the Data Protection Act 2018. Focus on these areas:
-
Access Control:
Implement MFA for accounts handling personal data and keep detailed access logs for audits. -
Data Processing:
Document all processing activities, store data in UK AWS Regions when needed, and encrypt personal data. -
Compliance Monitoring:
Use AWS Security Hub for continuous compliance checks, conduct regular audits, and maintain records of all security measures.
AWS supports GDPR compliance through its UK GDPR Addendum to the AWS GDPR DPA, ensuring proper handling of UK customer data.
Network and Server Protection
Strengthen your data protection strategy by securing your AWS network and servers. This involves implementing layered defences with security groups, NACLs, and VPC configurations.
Set Up Network Security Rules
Security groups and Network Access Control Lists (NACLs) work together to protect your network. Here's how they differ:
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Scope | Instance level | Subnet level |
| State | Stateful | Stateless |
| Rule Types | Allow only | Allow and deny |
| Traffic Control | Automatic outbound for allowed inbound | Requires explicit rules |
| Default Behaviour | Denies all traffic | Uses default NACL if unspecified |
When setting up security rules:
- Restrict SSH Access: Limit port 22 access to specific IP ranges instead of using 0.0.0.0/0.
- Minimise Open Ports: Only open ports essential for your applications.
- Use Layered Defences: Combine security groups and NACLs for stronger protection.
Review Security Settings
Regular audits are critical. For instance, 75% of users keep access keys active for over 90 days. Focus on the following:
- Monitor and refine security group configurations.
- Review permissions and update systems every quarter.
- Test configurations after making infrastructure changes.
Configure VPC Settings
-
Multi-Zone Distribution
Spread subnets across multiple Availability Zones to improve reliability and fault tolerance. -
Traffic Monitoring
Use VPC Flow Logs and AWS Network Firewall for advanced traffic filtering and monitoring. -
Access Analysis
Leverage the Network Access Analyzer to identify unintended access to your resources.
For example, a setup with three VPCs and AWS Network Firewall can route traffic through a dedicated inspection VPC, ensuring thorough filtering and monitoring.
These configurations lay the groundwork for effective security tracking and response.
Security Tracking and Response
Ensure effective tracking and quick incident response by setting up secure logging and integrating threat detection with alert systems.
Set Up AWS CloudTrail Logging
AWS CloudTrail logs account activities and retains a 90-day event history by default. To monitor events across all AWS Regions, create a multi-region trail.
Follow these steps to secure your CloudTrail logs:
| Setting | Configuration | Purpose |
|---|---|---|
| Storage Location | Separate AWS account | Creates an isolated security boundary |
| Encryption | SSE-KMS | Protects data while stored |
| File Validation | Enabled | Identifies any tampering |
| MFA Delete | Required | Prevents unauthorised deletions |
For real-time monitoring and alerts, integrate CloudTrail with CloudWatch Logs.
Install AWS GuardDuty
Enhance your security measures by using AWS GuardDuty, which continuously monitors your AWS accounts for suspicious activities.
- Activate GuardDuty in all supported Regions, even those not actively used.
- Set up protection for services like EKS, S3, and EC2.
- Use suppression rules to filter out low-priority alerts.
- Automate responses through Amazon EventBridge.
Create Security Alerts
Once logs are collected and threats are monitored, set up an alert system to enable swift action during incidents.
- Notification Setup: Configure alerts to notify security teams via Amazon SNS. Automate responses using EventBridge and Lambda.
-
Response Framework: Define procedures for handling specific alerts:
- Automatically isolate affected resources.
- Trigger backup processes.
- Initiate investigation workflows.
- Record incident details for compliance purposes.
-
Continuous Improvement: Regularly evaluate and improve your alert system by:
- Refining alert thresholds.
- Updating response protocols.
- Documenting lessons learned.
- Adjusting automation to minimise false positives.
Security Steps Quick Reference
The table below provides a summary of key AWS security controls, the tools available, their advantages, and associated costs. This is particularly important for SMBs, as 43% of breaches target them, and 83% face challenges in recovering afterwards.
| Security Control | AWS Tools | Advantages | Cost Details |
|---|---|---|---|
| Identity Management | AWS IAM, MFA | Access control, prevention of unauthorised access, compliance support | Included with AWS account |
| Network Protection | Amazon VPC, AWS Network Firewall, AWS Shield Advanced | Network security, malware defence, DDoS protection | Shield Advanced: Extra cost; others: Basic features included |
| Data Security | Amazon S3, AWS KMS, AWS PrivateLink | Encryption, private connectivity, data integrity | Pay-as-you-go model |
| Threat Detection | Amazon GuardDuty, Amazon Inspector | Automated monitoring, misconfiguration alerts, auto-remediation | Free trial available |
| Logging & Monitoring | AWS CloudTrail, Amazon CloudWatch, VPC Flow Logs | Activity tracking, account monitoring, traffic insights | Basic features included |
| Backup & Recovery | AWS Backup | Automated backups, cross-region replication, fast recovery | Charges based on storage used |
| Security Assessment | AWS Security Hub, AWS Trusted Advisor | Centralised security insights, compliance checks, performance improvement | Trusted Advisor: Free; Security Hub: Usage-based |
AWS security tools can help reduce monthly security incidents by 43.4% and minimise unplanned downtime by 69%. Focus on the controls that align with your business priorities and use the AWS Trusted Advisor dashboard to fine-tune both security and costs. Many AWS services also offer free trials, allowing you to evaluate their effectiveness before committing fully.
This table summarises the key steps discussed earlier, providing a quick reference for building a secure AWS environment. Use these controls to ensure your AWS setup meets high security standards.
Conclusion
Security on AWS is crucial for small and medium-sized businesses (SMBs). Nearly 43% of data breaches target SMBs, with cybercrime costing them around £1.9 billion in 2021. Alarmingly, 83% of SMBs are financially unprepared to handle these incidents.
AWS security tools have shown impressive results, reducing monthly security incidents by 43.4% and cutting downtime by 69%.
"We need a mind shift to realise security is a continuous journey, not a one-time purchase. In a landscape where threats are constantly evolving, awareness and action are necessary for continued protection." - AWS Smart Business Blog
Take the example of legal tech SMB weetrust. By using AWS Security Hub, they strengthened their security approach and achieved ISO 27001 certification, all with a small IT team. Similarly, consulting firm ZS used AWS security services to centralise their security operations and automate issue management, which not only sped up innovation but also improved employee awareness.
These cases highlight how embedding AWS security into your operations can create a strong, resilient foundation. By making security a core part of your processes, you can better protect against evolving threats while positioning your business for growth.
FAQs
How can SMBs ensure GDPR compliance when using AWS services?
Small and medium-sized businesses (SMBs) can stay compliant with GDPR when using AWS by taking advantage of the platform’s robust security and data management features. AWS provides tools like encryption, access controls, and monitoring to help businesses protect personal data and meet GDPR requirements.
To align with GDPR, SMBs can control where their data is stored, manage who can access it, and ensure it remains secure with services like AWS Key Management Service (KMS) for encryption and Amazon Macie for identifying and classifying sensitive data. Additionally, AWS offers a Data Processing Agreement (DPA) that meets GDPR standards, ensuring businesses can process data lawfully.
By leveraging these tools and implementing best practices, SMBs can confidently safeguard personal data and meet their legal obligations under GDPR.
What are the benefits of using multi-factor authentication (MFA) for AWS accounts, and how can SMBs set it up effectively?
Multi-factor authentication (MFA) adds an extra layer of security to your AWS accounts by requiring two forms of verification, such as a password and a one-time authentication code. This significantly reduces the risk of unauthorised access, even if a password is compromised.
MFA can be set up using virtual authenticator apps, hardware tokens, or security keys. For SMBs, virtual apps like Google Authenticator or Authy are often the most cost-effective and straightforward option. Enabling MFA for root accounts and key users should be prioritised to safeguard sensitive resources and data. By implementing MFA, SMBs can enhance their security posture and better protect their cloud environment from potential threats.
How can small and medium-sized businesses (SMBs) reduce the cost of AWS security tools without compromising protection?
SMBs can manage AWS security costs effectively while maintaining robust protection by adopting a few key strategies:
- Automate security tasks using tools like AWS Security Hub, Amazon GuardDuty, and Amazon Inspector to reduce manual effort and improve efficiency.
- Take advantage of free trials and cost analysis tools, such as the AWS Trusted Advisor, to identify savings opportunities and optimise security configurations.
- Optimise storage and compute usage by right-sizing resources, implementing tiered storage strategies, and using cost-efficient instance types like AWS Graviton2.
Additionally, consider setting appropriate log retention periods and automating routine tasks where possible. These steps can help SMBs strike a balance between cost-effectiveness and strong security practices.
