Skip to main content

How CodeSpaces Was Killed by Security Issues on AWS. The Best Practices to Avoid it.

Amazon Web Services is the lead Cloud Computing provider in the public cloud market. Organizations are rapidly moving their applications to AWS Cloud because of the cost, elasticity, easily accessible and on-demand provisioning and many more features that Amazon introduced step-by-step during the last years.

The computing resources are available from anywhere in the world with a single click on the console or APIs or SDKs. Because of this easy accessibility security becomes a challenge for the Cloud Providers and as well as the Consumers.

Recently, an unauthorized person had gained access to the Code Spaces AWS console and completely deleted their computing resources, data, volumes, snapshots and configurations. Because of this Code Spaces shutdown their operations completely and issued a public notice to all their customers saying that “Code Spaces will not be able to operate beyond this point,” citing the price of resolving the issue, as well as the expected cost of refunding paying customers. This attack put the Code Spaces in an irreversible position both financially and in terms of ongoing credibility.

So in Public Cloud, security becomes a key component to secure your resources. Organizations should employ known security consultants and follow best practices to manage their cloud workloads effectively.

In this article, I am putting some of the best practices that everyone should apply immediately to their organizations AWS account and resources.

  • AWS Console is heavily used to manage the resources by Cloud Administrators and developers. It can be accessed via the browser HTTPS using simple username and password. To protect it further, AWS is supporting the Multi-Factor Authentication (MFA) for second level authentication. To login to AWS console, you have to use the integrated MFA code with the respective user account. This MFA code is dynamically generated by the MFA device:

 

MFA code that is dynamically generated by the MFA device
  • IAM Service allows you to assign the privileges using User Policies. Use the Policy Generator or Custom Policy to assign the privileges rather than using the predefined Policy Templates. Assign the least privileges to users and slowly grant the additional privileges as on when needed.

 

  • Use AWS IAM Policy Simulator to simulate and test the user privileges. This will help you to find whether issued policies are working properly or not.
IAM Policy Simulator
  • If you are using the AWS CLIs or any SDKs within the EC2 environment, launch the EC2 Instances with IAM roles rather than using the AWS Keys to access any of your AWS resources
  • Rotate all your users AWS Access Keys and Passwords periodically
  • Do not open the remote access protocols like SSH and RDP to the Public. Rather use a Bastion Server with MFA or VPN connectivity to reach any of the AWS resources.
  • Enable CloudTrail to log all your API calls via the Console, Command-line or SDKs, which will help you to identify who are accessing the AWS resources and their Identities.
  • Perform security audit periodically on all the AWS Services which is used by your organization and make sure you are following the best practices.
Trusted Advisor

We will cover more about the AWS security in future blog posts. Visit Cloud Academy’s Training Library on Cloud Security to keep your cloud environment secure and compliant.

Avatar

Written by

Praveen Kumar Muppala

I have strong experience on Multiple Unix/Linux flavours, LAMP Stack, Monitoring Systems, Database, NoSQL. I love to explore the new concepts/services in Cloud Computing World. I have written 4 certifications in different flavours of Linux/Unix.

Related Posts

Avatar
John Chell
— June 13, 2019

AWS Certified Solutions Architect Associate: A Study Guide

The AWS Solutions Architect - Associate Certification (or Sol Arch Associate for short) offers some clear benefits: Increases marketability to employers Provides solid credentials in a growing industry (with projected growth of as much as 70 percent in five years) Market anal...

Read more
  • AWS
  • AWS Certifications
Chris Gambino and Joe Niemiec
Chris Gambino and Joe Niemiec
— June 11, 2019

Moving Data to S3 with Apache NiFi

Moving data to the cloud is one of the cornerstones of any cloud migration. Apache NiFi is an open source tool that enables you to easily move and process data using a graphical user interface (GUI).  In this blog post, we will examine a simple way to move data to the cloud using NiFi c...

Read more
  • AWS
  • S3
Avatar
Chandan Patra
— June 11, 2019

Amazon DynamoDB: 10 Things You Should Know

Amazon DynamoDB is a managed NoSQL service with strong consistency and predictable performance that shields users from the complexities of manual setup.Whether or not you've actually used a NoSQL data store yourself, it's probably a good idea to make sure you fully understand the key ...

Read more
  • AWS
  • DynamoDB
Avatar
Andrew Larkin
— June 6, 2019

The 11 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing.As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Sam Ghardashem
Sam Ghardashem
— May 15, 2019

Aviatrix Integration of a NextGen Firewall in AWS Transit Gateway

Learn how Aviatrix’s intelligent orchestration and control eliminates unwanted tradeoffs encountered when deploying Palo Alto Networks VM-Series Firewalls with AWS Transit Gateway.Deploying any next generation firewall in a public cloud environment is challenging, not because of the f...

Read more
  • AWS
Joe Nemer
Joe Nemer
— May 3, 2019

AWS Config Best Practices for Compliance

Use AWS Config the Right Way for Successful ComplianceIt’s well-known that AWS Config is a powerful service for monitoring all changes across your resources. As AWS Config has constantly evolved and improved over the years, it has transformed into a true powerhouse for monitoring your...

Read more
  • AWS
  • Compliance
Avatar
Francesca Vigliani
— April 30, 2019

Cloud Academy is Coming to the AWS Summits in Atlanta, London, and Chicago

Cloud Academy is a proud sponsor of the 2019 AWS Summits in Atlanta, London, and Chicago. We hope you plan to attend these free events that bring the cloud computing community together to connect, collaborate, and learn about AWS. These events are all about learning. You can learn how t...

Read more
  • AWS
  • AWS Summits
Paul Hortop
Paul Hortop
— April 2, 2019

How to Monitor Your AWS Infrastructure

The AWS cloud platform has made it easier than ever to be flexible, efficient, and cost-effective. However, monitoring your AWS infrastructure is the key to getting all of these benefits. Realizing these benefits requires that you follow AWS best practices which constantly change as AWS...

Read more
  • AWS
  • Monitoring
Joe Nemer
Joe Nemer
— April 1, 2019

AWS EC2 Instance Types Explained

Amazon Web Services’ resource offerings are constantly changing, and staying on top of their evolution can be a challenge. Elastic Cloud Compute (EC2) instances are one of their core resource offerings, and they form the backbone of most cloud deployments. EC2 instances provide you with...

Read more
  • AWS
  • EC2
Avatar
Nitheesh Poojary
— March 26, 2019

How DNS Works – the Domain Name System (Part One)

Before migrating domains to Amazon's Route53, we should first make sure we properly understand how DNS worksWhile we'll get to AWS's Route53 Domain Name System (DNS) service in the second part of this series, I thought it would be helpful to first make sure that we properly understand...

Read more
  • AWS
Avatar
Stuart Scott
— March 14, 2019

Multiple AWS Account Management using AWS Organizations

As businesses expand their footprint on AWS and utilize more services to build and deploy their applications, it becomes apparent that multiple AWS accounts are required to manage the environment and infrastructure.  A multi-account strategy is beneficial for a number of reasons as ...

Read more
  • AWS
  • Identity Access Management
Avatar
Sanket Dangi
— February 11, 2019

WaitCondition Controls the Pace of AWS CloudFormation Templates

AWS's WaitCondition can be used with CloudFormation templates to ensure required resources are running.As you may already be aware, AWS CloudFormation is used for infrastructure automation by allowing you to write JSON templates to automatically install, configure, and bootstrap your ...

Read more
  • AWS
  • CloudFormation