The Complete Guide to Perform an AWS Security Audit

90% of organizations use a multi-cloud operating model to help achieve their business goals in a 2022 survey.

AWS (Amazon Web Services) is among the biggest cloud computing platforms businesses use today. It offers cloud storage via data warehouses or data lakes, data analytics, machine learning, security, and more.

Given the prevalence of multi-cloud environments, cloud security is a major concern. 89% of respondents in the above survey said security was a key aspect of cloud success.

Security audits are essential for network security and compliance. AWS not only allows audits but recommends them and provides several tools to help, like AWS Audit Manager.

In this guide, we share the best practices for an AWS security audit and a detailed step-by-step list of how to perform an AWS audit. We have also explained the six key areas to review.

Best practices for an AWS security audit

There are three key considerations for an effective AWS security audit:

Time it correctly

You should perform a security audit:

• On a regular basis. Perform the steps described below at regular intervals.

• When there are changes in your organization, such as new hires or layoffs.

• When you change or remove the individual AWS services you use. This ensures you have removed unnecessary permissions.

• When you add or remove software to your AWS infrastructure.

• When there is suspicious activity, like an unauthorized login.

Be thorough

When conducting a security audit:

• Take a detailed look at every aspect of your security configuration, including those that are rarely used.

• Do not make any assumptions. Use logic instead. If an aspect of your security configuration is unclear, investigate why it was instated and the business purpose it serves.

• Simplify your auditing and management process by using unified cloud security platforms.

Leverage the shared responsibility model

AWS uses a shared responsibility model. It splits the responsibility for the security of cloud services between the customer and the vendor.

A cloud user or client is responsible for the security of:

• Digital identities

• Employee access to the cloud

• Data and objects stored in AWS

• Any third-party applications and integrations

AWS handles the security of:

• The global AWS online infrastructure

• The physical security of their facilities

• Hypervisor configurations

• Managed services like maintenance and upgrades

• Personnel screening

Many responsibilities are shared by both the customer and the vendor, including:

• Compliance with external regulations

• Security patches

• Updating operating systems and software

• Ensuring network security

• Risk management

• Implementing business continuity and disaster recovery strategies

The AWS shared responsibility model assumes that AWS must manage the security of the cloud. The customer is responsible for security within the cloud.

Step-by-step process for an AWS security audit

An AWS security audit is a structured process to analyze the security of your AWS account. It lets you verify security policies and best practices and secure your users, roles, and groups. It also ensures you comply with any regulations.

You can use these steps to perform an AWS security audit:

Step 1: Choose a goal and audit standard

Setting high-level goals for your AWS security audit process will give the audit team clear objectives to work towards. This can help them decide their approach for the audit and create an audit program. They can outline the steps they will take to meet goals.

Goals are also essential to measure the organization’s current security posture. You can speed up this process using a Cloud Security Posture Management (CSPM) tool.

Next, define an audit standard. This defines assessment criteria for different systems and security processes.

The audit team can use the audit standard to analyze current systems and processes for efficiency and identify any risks. The assessment criteria drive consistent analysis and reporting.

Step 2: Collect and review all assets

Managing your AWS system starts with knowing what resources your organization uses. AWS assets can be data stores, applications, instances, and the data itself.

Auditing your AWS assets includes:

• Create an asset inventory listing: Gather all assets and resources used by the organization. You can collect your assets using AWS Config, third-party tools, or CLI (Command Line Interface) scripts.

• Review asset configuration: Organizations must use secure configuration management practices for all AWS components. Auditors can validate if these standards are competent to address known security vulnerabilities.

• Evaluate risk: Asses how each asset impacts the organization’s risk profile. Integrate assets into the overall risk assessment program.

• Ensure patching: Verify that AWS services are included in the internal patch management process.

Step 3: Review access and identity

Reviewing account and asset access in AWS is critical to avoid cybersecurity attacks and data breaches. AWS Identity and Access Management (IAM) is used to manage role-based access control. This dictates which users can access and perform operations on resources.

Auditing access controls include:

• Documenting AWS account owners: List and review the main AWS accounts, known as the root accounts. Most modern teams do not use root accounts at all, but if needed, use multiple root accounts.

• Implement multi-factor authentication (MFA): Implement MFA for all AWS accounts based on your security policies.

• Review IAM user accounts: Use the AWS Management Console to identify all IAM users. Evaluate and modify the permissions and policies for all accounts. Remove old users.

• Review AWS groups: AWS groups are a collection of IAM users. Evaluate each group and the permissions and policies assigned to them. Remove old groups.

• Check IAM roles: Create job-specific IAM roles. Evaluate each role and the resources it has access to. Remove roles that have not been used in 90 days or more.

• Define monitoring methods: Install monitoring methods for all IAM accounts and roles. Regularly review these methods.

• Use least privilege access: The Principle of Least Privilege Access (PoLP) ensures users can only access what they need to complete a task. It prevents overly-permissive access controls and the misuse of systems and data.

• Implement access logs: Use access logs to track requests to access resources and changes made to resources.

Step 4: Analyze data flows

Protecting all data within the AWS ecosystem is vital for organizations to avoid data leaks. Auditors must understand the data flow within an organization. This includes how data moves from one system to another in AWS, where data is stored, and how it is protected. Ensuring data protection includes:

• Assess data flow: Check how data enters and exits every AWS resource. Identify any vulnerabilities in the data flows and address them.

• Ensure data encryption: Check if all data is encrypted at rest and in transit.

• Review connection methods: Check connection methods to different AWS systems. Depending on your workloads, this could include AWS Console, S3, RDS (relational database service), and more.

• Use key management services: Ensure data is encrypted at rest using AWS key management services.

• Use multi-cloud management services: Since most organizations use more than one cloud system, using multi-cloud CSPM software is essential.

Step 5: Review public resources

Elements within the AWS ecosystem are intentionally public-facing, like applications or APIs. 

Others are accidentally made public due to misconfiguration. This can lead to data loss, data leaks, and unintended access to accounts and services. Common examples include EBS snapshots, S3 objects, and databases.

Identifying these resources helps remediate risks by updating access controls. Evaluating public resources includes:

• Identifying all public resources: List all public-facing resources. This includes applications, databases, and other services that can access your AWS data, assets, and resources.

• Conduct vulnerability assessments: Use automated tools or manual techniques to identify vulnerabilities in your public resources. Prioritize the risks and develop a plan to address them.

• Evaluate access controls: Review the access controls for each public resource and update them as needed. Remove unauthorized access using security controls and tools like S3 Public Access Block and Guard Duty.

• Review application code: Check the code for all public-facing applications for vulnerabilities that attackers could exploit. Conduct tests for common risks such as SQL injection, cross-site scripting (XSS), and buffer overflows.

Key AWS areas to review in a security audit

There are six essential parts of an AWS system that auditors must assess to identify risks and vulnerabilities:

Identity access management (IAM)

AWS IAM manages the users and access controls within the AWS infrastructure. You can audit your 

IAM users by:

• List all IAM users, groups, and roles.

• Remove old or redundant users. Also, remove these users from groups.

• Delete redundant or old groups.

• Remove IAM roles that are no longer in use.

• Evaluate each role’s trust and access policies.

• Review the policies assigned to each group that a user is in.

• Remove old or unnecessary security credentials.

• Remove security credentials that might have been exposed.

• Rotate long-term access keys regularly.

• Assess security credentials to identify any password, email, or data leaks.

These measures prevent unauthorized access to your AWS system and its data.

Virtual private cloud (VPC)

Amazon Virtual Private Cloud (VPC) enables organizations to deploy AWS services on their own virtual network.

Secure your VPC by:

• Checking all IP addresses, gateways, and endpoints for vulnerabilities.

• Creating security groups to control the inbound and outbound traffic to the resources within your VPC.

• Using route tables to check where network traffic from each subnet is directed.

• Leveraging traffic mirroring to copy all traffic from network interfaces. This data is sent to your security and monitoring applications.

• Using VPC flow logs to capture information about all IP traffic going to and from the network interfaces.

• Regularly monitor, update, and assess all of the above elements.

Elastic Compute Cloud (EC2)

Amazon Elastic Compute Cloud (EC2) enables organizations to develop and deploy applications in the AWS Cloud. Users can create virtual computing environments, known as instances, to launch as servers.

You can secure your Amazon EC2 instances by:

• Review key pairs to ensure that login information is secure and only authorized users can access the private key.

• Eliminate all redundant EC2 instances.

• Create a security group for each EC2 instance. Define rules for inbound and outbound traffic for every instance. Review security groups regularly.

• Eliminate unused security groups.

• Use Elastic IP addresses to mask instance failures and enable instant remapping.

• For increased security, use VPCs to deploy your instances.

Storage (S3)

Amazon S3, or Simple Storage Service, is a cloud-native object storage platform. It allows users to store and manage large amounts of data within resources called buckets.

Auditing S3 involves:

• Analyze IAM access controls

• Evaluate access controls given using Access Control Lists (ACLs) and Query String Authentication

• Re-evaluate bucket policies to ensure adequate object permissions

• Check S3 audit logs to identify any anomalies

• Evaluate S3 security configurations like Block Public Access, Object Ownership, and PrivateLink.

• Use Amazon Macie to get alerts when S3 buckets are publically accessible, unencrypted, or replicated.

Mobile apps

Mobile applications within your AWS environment must be audited. Organizations can do this by:

• Review mobile apps to ensure none of them contain access keys.

• Use MFA for all mobile apps.

• Check for and remove all permanent credentials for applications. Use temporary credentials so you can frequently change security keys.

• Enable multiple login methods using providers like Google, Amazon, and Facebook.

Threat detection and incident response

The AWS cloud infrastructure must include mechanisms to detect and react to security incidents. To do this, organizations and auditors can:

• Create audit logs by enabling AWS CloudTrail, storing and access logs in S3, CloudWatch logs, WAF logs, and VPC Flow Logs.

• Use audit logs to track assessment trails and detect any deviations or notable events

• Review logging and monitoring policies and procedures

• Ensure all AWS services, including EC2 instances, are monitored and logged

• Install logging mechanisms to centralize logs on one server and in proper formats

• Implement a dynamic Incident Response Plan for AWS services. Include policies to mitigate cybersecurity incidents and help with data recovery.

• Include AWS in your Business Continuity Plan (BCP) to improve disaster recovery. Dictate policies related to preparedness, crisis management elements, and more.

Top tools for an AWS audit

You can use any number of AWS security options and tools as you perform your audit.

However, a Cloud-Native Application Protection Platform (CNAPP) like Prevasio is the ideal tool for an AWS audit. It combines the features of multiple cloud security solutions and automates security management.

 

Prevasio increases efficiency by enabling fast and secure agentless cloud security configuration management. It supports Amazon AWS, Microsoft Azure, and Google Cloud. All security issues across these vendors are shown on a single dashboard.

You can also perform a manual comprehensive AWS audit using multiple AWS tools:

• Identity and access management: AWS IAM and AWS IAM Access Analyzer

• Data protection: AWS Macie and AWS Secrets Manager

• Detection and monitoring: AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, AWS CloudWatch

• Infrastructure protection: AWS Web Application Firewall, AWS Shield

A manual audit of different AWS elements can be time-consuming. Auditors must juggle multiple tools and gather information from various reports.

A dynamic platform like Prevasio speeds up this process. It scans all elements within your AWS systems in minutes and instantly displays any threats on the dashboard.

The bottom line on AWS security audits

Security audits are essential for businesses using AWS infrastructures. Maintaining network security and compliance via an audit prevents data breaches, prevents cyberattacks, and protects valuable assets.

A manual audit using AWS tools can be done to ensure safety. However, an audit of all AWS systems and processes using Prevasio is more comprehensive and reliable. It helps you identify threats faster and streamlines the security management of your cloud system.