In this series, Mark and I have talked about hardening your AWS resources (both inside and outside of your instances) and preforming ongoing monitoring. The last two tips are around measuring your overall security so that you can understand your risks and measure your progress.
It may be an old adage but it still rings true… You can’t manage what you can’t measure. You may have layer upon layer of defense, but unless you conduct a vulnerability assessment you don’t really know where you stand.
Conducting a vulnerability assessment includes identifying and prioritizing vulnerabilities in all areas of your system. You start by cataloging the vulnerabilities through a mixtures of tools, services and manual evaluation. Then you move on to prioritizing the vulnerabilities and evaluating ways of mitigating.
Tools and services often take two forms, network scanners or host-based. Within these two forms there are passive and active scanners. Some vulnerabilities can only be detected on the instance or with privileged network access.
If you are running a network scan against your AWS instances, you need to fill out the AWS Vulnerability / Penetration Testing Request Form. This way, AWS knows you will be conducting a scan and your connectivity won’t be disrupted.
Once you know where you stand, its time to work towards improving your security posture. You start with the most serious vulnerabilities and work your way down the list.
Remediation can take many different forms. It may be as simple as closing a port, or turning off a service. In other cases it requires a software patch or a rule from an intrusion prevention system. No matter how you remediate, it is important to verify that remediation is in place and protecting the vulnerability.
The number of unmitigated vulnerabilities in your application makes a great metric to track over time in order to understand if you are continually improving.
Stay tuned for the next (and final) tip where we look at another important way to evaluate your security.
Have any tips for how you conduct vulnerability assessments on AWS? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.