Building Resilient Web Applications on AWS: A Comprehensive Approach to Security

 

I have been asked by friends and customers what is the best way to implement a web based application with minimum costs and good security. Of course, the best way is to define exactly what you want to achieve and let professionals do it, while keeping an eye on the Secure Software Development Lifecycle.

But, this article is not about SSDLC, it is about how to start web application development having also security as a top priority. Securing a classical web application involves a multi-layered approach, addressing the presentation, business logic, and database layers.

Most important thing to keep in mind when engaging into such an enterprise is: don’t try to do everything by yourself – use existing tools and services, which come with a more than decent security built-in.

This article explores how to architect a secure web application on AWS, but it can be applied very well to other cloud based services provider,  and conduct a thorough risk assessment at each level.

A good security approach is to practice defense in depth, meaning that you should check and validate the security of the components used as well. This means that we need to perform at least a high-level risk assessment of these components as well.

 

 

Securing the Presentation Layer

At the forefront of user interaction, the presentation layer demands robust security measures. Amazon CloudFront serves as a reliable content delivery network, ensuring low latency and protection against DDoS attacks.

AWS Identity and Access Management (IAM) steps in to control access to resources at this layer, while AWS Web Application Firewall (WAF) safeguards against common web exploits and secures APIs.

The Presentation layer hosts the UI of the application, typically a website written in HTML5 or a combination of HTML, php, JS, or some high level programming languages that can produce HTML as output.

Such web UIs must be uploaded on a AWS S3 bucket read accessible to everyone and then configure the CloudFront to distribute it.

Risk Assessment at the Presentation Layer

  • Regularly review and adjust IAM policies to mitigate the risk of unauthorized access.
  • Conduct penetration testing on the web application to identify and address vulnerabilities.
  • Monitor CloudFront logs for unusual patterns indicative of a security threat.
  • Make sure nobody has unrestricted access to your S3 bucket hosting the web content

Security practices

  • If you collect data, make sure it is encrypted using AWS Secrets Manager;
  • Do not encrypt using your own keys, hardcoded in your application.
  • Do not invent yourself some “encryption” mechanism, which in the end is just an obfuscation.

Securing the Business Logic Layer

The business logic layer is the heart of a web application, where critical processes take place. Containerizing application logic using AWS Elastic Container Service (ECS) or AWS Fargate ensures enhanced isolation.

AWS Lambda, offering serverless computing, executes sensitive business logic securely. AWS Secrets Manager manages and rotates sensitive API keys and tokens.

Risk Assessment at the Business Logic Layer

– Regularly audit and review AWS Lambda functions to maintain the security of business logic.
– Conduct static and dynamic code analysis to identify vulnerabilities in the application logic.
– Implement AWS CloudWatch for real-time monitoring and alerting on anomalous Lambda function behavior.

Securing the Database Level

The database, housing crucial data, requires robust security measures. Amazon RDS provides secure and scalable relational databases with automatic backups and encryption.

Fine-grained access control through IAM roles and policies is essential for secure database access. AWS Key Management Service (KMS) handles encryption of data at rest within the database.

 

Risk Assessment at the Database Level

– Regularly audit and review database access controls and IAM roles to prevent unauthorized access.
– Implement automated vulnerability scanning tools for the database to identify potential weaknesses.
– Set up AWS CloudTrail to log and monitor all database-related API activity.

 

Continuous Monitoring and Response

Ensuring the ongoing security of a web application involves continuous monitoring and a robust incident response plan. AWS Security Hub acts as a centralized monitoring tool, while AWS Config rules automate the assessment and remediation of non-compliance.

An incident response plan with specific procedures for each layer of the web application architecture ensures a swift and effective response to security incidents.

 

In the next post: risk assessment for the Amazon services used in this article:

  • AWS IAM
  • AWS Elastic Container Service (ECS)
  • AWS Fargate
  • AWS Key Management Service (KMS)
  • AWS Lambda
  • AWS CloudTrail
  • AWS Secrets Manager
  • AWS CloudFront
  • AWS S3

Conclusion

By adopting a comprehensive security strategy across the presentation layer, business logic, and database levels, small organizations can build resilient and cost aware web applications on the AWS platform.

This approach, coupled with regular risk assessments, establishes a solid foundation for web application security, safeguarding against common cybersecurity threats.


© Copyright 2024 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

Related Posts

Understanding ISO 27001:2022 Annex A.12 – Operations Security

We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. Today we address ISO 27001:2022 Annex A.12, “Operations Security”, which focuses on ensuring secure operations of information systems and assets. This annex provides guidelines for implementing controls to manage day-to-day operations, protect against security incidents, and maintain the […]

Understanding ISO 27001:2022 Annex A.6 – Organization of Information Security

We started the ISO 27001:2022 series with the promise of explaining how the 14 categories of controls can be implemented. We start today with ISO 27001:2022 Annex A.6, “Organization of Information Security”, which outlines requirements for establishing an effective management framework to govern information security within an organization. This annex emphasizes the importance of defining roles, responsibilities, […]

Discover more from Sorin Mustaca on Cybersecurity

Subscribe now to keep reading and get access to the full archive.

Continue reading