AWS Storage best practices & Key management
Last updated on December 18, 2019
AWS provides several storage options depending on business and customer requirements. Each service is a leading solution in its category, and each comes with a set of industry-wide best practices for its implementation that help customers achieve best-in-class security. In this blog, we cover the best practices for each of the different storage solutions.
- Amazon S3 (Amazon Simple Storage Service) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Best practices include:
- S3 buckets should not be publicly accessible and should have appropriate bucket policies attached
- Implement the least privilege access
- Use IAM roles for services that require Amazon S3 access
- Enable multi-factor authentication (MFA) delete to prevent accidental bucket/object deletions
- Enable server-side or client-side encryption of data at rest, and encrypt data in transit
- Enable object lock, versioning, and cross-region replication
- Consider VPC endpoints for Amazon S3 access
- Amazon Elastic Block Store (EBS) is a high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for throughput- and transaction-intensive workloads at any scale. In addition to the basic best practices mentioned for S3, some additional ones include:
- Use proper naming conventions that follow AWS tagging best practices
- Identify EBS volumes attached to stopped EC2 instances (i.e., unused EBS volumes)
- Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery
- Ensure EBS volumes are encrypted with KMS CMKs (customer master keys) to have full control over data encryption and decryption
- Ensure all AWS EBS volumes for the web tier are encrypted
- Identify unattached AWS EBS volumes and remove them to control your AWS costs
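The EBS checks above (naming tags, volumes attached to stopped instances, unattached volumes, missing or stale snapshots, and encryption) can be expressed as a single audit over the inventory you would normally get from the EC2 DescribeVolumes, DescribeInstances and DescribeSnapshots calls. The following is an added example, not code from the original post: the input is a constructed in-memory sample with made-up IDs that mirrors the shape of those API responses, the fixed "now" and the seven-day snapshot age limit are assumptions, and a real run would swap the sample lists for the API results.

```python
"""Audit an EBS volume inventory against the hygiene checks listed above.

Added example, not from the original post. The records below mimic the
field names of EC2 DescribeVolumes / DescribeInstances / DescribeSnapshots
responses but are constructed inline so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 12, 18, tzinfo=timezone.utc)  # fixed "now" for reproducible output
SNAPSHOT_MAX_AGE = timedelta(days=7)               # assumed recovery-point objective

# Constructed sample data (IDs are made up).
INSTANCE_STATE = {"i-0aaa": "running", "i-0bbb": "stopped"}

VOLUMES = [
    {"VolumeId": "vol-001", "Encrypted": True, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0aaa"}],
     "Tags": [{"Key": "Name", "Value": "web-01-root"}]},
    {"VolumeId": "vol-002", "Encrypted": False, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0bbb"}], "Tags": []},
    {"VolumeId": "vol-003", "Encrypted": True, "State": "available",
     "Attachments": [], "Tags": [{"Key": "Name", "Value": "old-data"}]},
]

SNAPSHOTS = [
    {"VolumeId": "vol-001", "StartTime": NOW - timedelta(days=1)},
    {"VolumeId": "vol-002", "StartTime": NOW - timedelta(days=30)},
]


def latest_snapshot_age(volume_id, snapshots, now=NOW):
    """Age of the newest snapshot of the volume, or None if it has none."""
    times = [s["StartTime"] for s in snapshots if s["VolumeId"] == volume_id]
    return (now - max(times)) if times else None


def audit_volumes(volumes, snapshots, instance_state, now=NOW, max_age=SNAPSHOT_MAX_AGE):
    """Return {volume_id: [finding, ...]} for every volume that fails a check."""
    findings = {}
    for vol in volumes:
        issues = []
        if not vol["Encrypted"]:
            issues.append("unencrypted")
        if not any(t["Key"] == "Name" for t in vol.get("Tags", [])):
            issues.append("missing-name-tag")
        if not vol["Attachments"]:
            issues.append("unattached")  # candidate for cleanup after review
        for att in vol["Attachments"]:
            if instance_state.get(att["InstanceId"]) == "stopped":
                issues.append("attached-to-stopped-instance")
        age = latest_snapshot_age(vol["VolumeId"], snapshots, now)
        if age is None:
            issues.append("no-snapshot")
        elif age > max_age:
            issues.append("stale-snapshot")
        if issues:
            findings[vol["VolumeId"]] = issues
    return findings


if __name__ == "__main__":
    for vid, issues in audit_volumes(VOLUMES, SNAPSHOTS, INSTANCE_STATE).items():
        print(vid, ", ".join(issues))
```

On the sample data, vol-001 passes every check, vol-002 is reported as unencrypted, untagged, attached to a stopped instance and with a 30-day-old snapshot, and vol-003 is unattached with no snapshot at all. Findings are returned as data rather than printed so the same function can feed a ticketing system or a Config-style compliance report.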
- Amazon Elastic File System (EFS) is a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, which eliminates the need to provision and manage capacity to accommodate growth. Best practices include:
- Ensure encryption with KMS Customer Master Keys (CMKs) to have full control over data encryption and decryption
- Ensure encryption to protect static data
- Amazon FSx for Windows File Server is a fully managed, native Microsoft Windows file system that lets you move Windows-based applications requiring shared file storage to AWS. Best practices include:
- Configure the service account with the minimum privileges required
- Keep the Active Directory configuration updated with Amazon FSx
- Use security groups to limit traffic within the VPC
- Create outbound security group rules for your file system's network interface
- Amazon S3 Glacier and S3 Glacier Deep Archive are secure, durable, and extremely low-cost Amazon S3 storage classes for data archiving and long-term backup. Customers can store data for as little as $1 per terabyte per month. Best practices include:
- Reduce request and storage costs with aggregation
- Improve speed and reliability with multipart upload
- Reduce costs with ranged retrievals
- Not recommended for high-frequency access and low latency requirements
- AWS Storage Gateway allows data to be stored in the AWS cloud for scalable and cost-effective storage while maintaining data security.
- AWS Storage Gateway backs up the data as incremental EBS snapshots in Amazon storage
- AWS Storage Gateway runs on premises as a virtual machine (VM) appliance, or in AWS as an EC2 instance, ensuring high availability
- Gateways hosted on EC2 instances are used for disaster recovery, data mirroring, and as storage for applications hosted on EC2
- AWS Storage Gateway uploads data over SSL and encrypts data at rest with AES-256 when it is stored in S3 or Glacier
- AWS Storage Gateway compresses data in transit and at rest
Amazon cloud data migration services – Amazon offers data migration services to migrate data into and out of the AWS cloud.
These services help securely and quickly move multi-petabyte archives, accelerate network transfers over existing infrastructure, and capture continuous streaming data from multiple sources. Regardless of which migration services you use, there are some best practices to keep in mind:
- Back up the data before executing the migration.
- Stick to the strategy. The migration process can be complicated at times, so prepare for that reality and then stick to the plan.
- Test, test, test.
AWS Backup – AWS Backup is a fully managed backup service for centralizing and automating the backup of data across AWS services in the cloud as well as on premises via the AWS Storage Gateway. With AWS Backup you can centrally configure backup policies and monitor backup activity for AWS resources such as Amazon EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes.
To ensure that data in AWS stays intact and protected, follow the best practices in these five key areas:
- Security monitoring
- Secure authentication
- Configuration
- Inactive entities
- Access restrictions
AWS Key Management Service
AWS Key Management Service (KMS) makes it easier to create cryptographic keys and control their use across AWS applications and services. AWS KMS is a secure, reliable, and resilient service that uses hardware security modules which have been validated under FIPS 140-2 or are in the process of being validated. KMS is integrated with AWS CloudTrail to provide an audit trail of all key usage, which helps in recognizing any unexpected changes and meeting statutory and compliance requirements.
- Ensure a Customer Master Key (CMK) is created for each of the app, web, and database tiers.
- Identify and recover any KMS CMKs scheduled for deletion.
- Ensure the privacy and security of KMS master keys to prevent malicious activity.
- Make sure that Amazon KMS CMKs are available for use in your AWS account.
- Ensure the KMS key rotation feature is enabled for all your Customer Master Keys (CMKs).
- Stay vigilant so that Amazon KMS master keys do not permit any unknown cross-account access.
- Monitor for KMS (Key Management Service) configuration modifications within your AWS account.
- Ensure the keys in use give you full control over encryption and decryption operations.
- Spot and delete any disabled CMKs (Customer Master Keys) to reduce AWS costs.
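Several of the S3 recommendations earlier in this post (no public access, least privilege, encryption in transit) and the KMS recommendations just above (no unknown cross-account access, rotation enabled, keys pending deletion or disabled) are all properties that can be read straight out of a resource policy document or key metadata. The following is an added example, not code from the original post or from AWS: a small static analyzer that flags public or unrecognized cross-account principals in either an S3 bucket policy or a KMS key policy, checks that a bucket policy denies non-TLS requests via the `aws:SecureTransport` condition key, and reviews key rotation and deletion state. All account IDs, bucket and key names, and the trusted-account set are constructed assumptions; the weak bucket policy is shown beside its hardened form.

```python
"""Static checks on AWS resource policies and KMS key state (added example,
not code from the original post). Policies, account IDs and key IDs below are
constructed samples; the trusted-account set is an assumption."""

OWN_ACCOUNT = "111111111111"                      # assumed owner account
TRUSTED_ACCOUNTS = {OWN_ACCOUNT, "222222222222"}  # assumed known partner account


def as_list(x):
    return x if isinstance(x, list) else [x]


def principals_of(statement):
    """Flatten the Principal element ("*" or {"AWS": [...], ...}) into strings."""
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else [v for vals in p.values() for v in as_list(vals)]


def account_of(principal):
    """Account id from an ARN ('*' for a wildcard account), else the raw value."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 and parts[0] == "arn" else principal


def analyze_policy(policy, own_account=OWN_ACCOUNT, trusted=TRUSTED_ACCOUNTS):
    """Return (sid, finding) pairs for risky Allow statements."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", "<no-sid>")
        suffix = "-with-condition" if st.get("Condition") else ""
        wildcard = any(a == "*" or a.endswith(":*") for a in as_list(st.get("Action", [])))
        for pr in principals_of(st):
            acct = account_of(pr)
            if acct == "*":
                findings.append((sid, "public-principal" + suffix))
            elif acct.isdigit() and acct not in trusted:
                findings.append((sid, "cross-account:" + acct))
            elif wildcard and acct != own_account:
                findings.append((sid, "wildcard-action-for:" + pr))
    return findings


def enforces_tls(policy):
    """True if a Deny statement rejects requests with aws:SecureTransport false."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_keys(keys):
    """Flag CMKs scheduled for deletion, disabled, or lacking rotation."""
    out = {}
    for k in keys:
        if k["KeyState"] == "PendingDeletion":
            out[k["KeyId"]] = "pending-deletion"
        elif k["KeyState"] == "Disabled":
            out[k["KeyId"]] = "disabled"
        elif not k["KeyRotationEnabled"]:
            out[k["KeyId"]] = "rotation-disabled"
    return out


APP_ROLE_STATEMENT = {
    "Sid": "AppRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}

# Weak bucket policy: anonymous read and nothing forcing TLS.
WEAK_BUCKET_POLICY = {"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    APP_ROLE_STATEMENT]}

# Hardened form: only the application role is allowed, and plaintext HTTP is denied.
HARDENED_BUCKET_POLICY = {"Statement": [
    APP_ROLE_STATEMENT,
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# KMS key policy: the default root statement plus an account nobody recognizes.
KEY_POLICY = {"Statement": [
    {"Sid": "EnableRootPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "ExternalUse", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

# Constructed key inventory; field names loosely follow DescribeKey / GetKeyRotationStatus.
KEYS = [{"KeyId": "key-web", "KeyState": "Enabled", "KeyRotationEnabled": True},
        {"KeyId": "key-db", "KeyState": "Enabled", "KeyRotationEnabled": False},
        {"KeyId": "key-old", "KeyState": "PendingDeletion", "KeyRotationEnabled": True}]

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)]:
        print(name, analyze_policy(pol), "tls-enforced:", enforces_tls(pol))
    print("key policy", analyze_policy(KEY_POLICY))
    print("keys", audit_keys(KEYS))
```

The analyzer deliberately treats the account's own root principal with `kms:*` as normal, because that is the default KMS key policy and removing it is what locks an administrator out of a key; what it does flag is an Allow for an account outside the trusted set, which is exactly the "unknown cross-account access" case. A Deny statement is never a finding, so the hardened bucket policy reports nothing while `enforces_tls` confirms the non-TLS deny is present. Keys in the `PendingDeletion` state are the ones to recover (cancel the deletion) before the waiting period ends; disabled keys are cleanup candidates.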
Much has been said about the flexibility and scalability benefits of cloud compute, storage, and services, but any benefit can become a liability without the oversight, control, and expertise of experienced AWS partners.
While this blog gives a better understanding of the features and characteristics of these cloud storage services, you must understand your own workloads and requirements before deciding.
With decades of experience managing critical systems and a team of technical experts, we specialize in seamless execution, crafting best-of-breed solutions that enable customers to unlock value and capabilities by leveraging the power of AWS.
YASH, a leading AWS partner, has vast experience helping customers effectively store data in the AWS Cloud, creating seamless storage across their cloud and on-premises environments to support backup and recovery, primary storage, archive, and Business Continuance/Disaster Recovery (BCDR).