What security controls does Amazon Elastic File System offer? Are there additional controls that should be in place to ensure Amazon workloads are kept safe?
There are three types of controls available to protect content in the Amazon Elastic File System: user controls, audit services and network controls.
Access to content can be limited to those users who are granted explicit permissions. Amazon Elastic File System is integrated -- like other AWS services -- with the AWS Identity and Access Management (IAM) service. File system administrators can leverage existing users and groups to assign access privileges to individual users or members of particular groups. For example, if department or project-level groups exist in IAM, those groups can be assigned privileges to work with files and directories in the Elastic File System. New groups can also be created in IAM to accommodate new requirements.
Cloud administrators can use CloudTrail to track activities in the Elastic File System. CloudTrail logs information about calls to the AWS API. These calls may originate from an AWS command-line client, a custom application calling the RESTful API, or from other interfaces that make use of the file system service.
Security groups and network access control lists can also be used to limit access to and operations on file-system objects.
The Elastic File System is designed to provide file services to EC2 instances and other AWS compute resources. As with other resources, cloud administrators should follow authentication and access best practices, such as least privilege.
Granting privileges to individual users is sometimes tempting, as it can be a quick way to meet an urgent need for a user to access a file or directory. However, in the long run, it is best to assign access privileges to groups only, which promotes a structure that tends to align with functional business requirements instead of ad hoc requests from users. Also, as users change roles within the organization, it is easy to remove them from one group and add them to another. The alternative -- reviewing each permission granted and assessing if it should continue to be granted to the user in a new role -- is time-consuming and prone to error.
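The group-only practice described above can be checked mechanically. The following Python audit is an added example, not part of the original article or any AWS tooling: it reads data shaped like the output of `aws iam get-account-authorization-details` and separates Elastic File System permissions granted directly to users from those granted to groups. The sample data, every name in it, and the helper functions are constructed for illustration; managed policies and `NotAction` statements are assumed out of scope.

```python
EFS_PREFIX = "elasticfilesystem:"  # IAM service prefix for Amazon EFS actions

def allow(actions):
    """Build a constructed inline policy document that allows `actions`."""
    return {"Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

# Constructed sample shaped like `aws iam get-account-authorization-details`
# output (inline policies only). All user, group and policy names are made up.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["project-x"], "UserPolicyList": []},
        {"UserName": "bob", "GroupList": [], "UserPolicyList": [
            {"PolicyName": "urgent-fix", "PolicyDocument": allow("elasticfilesystem:*")}]},
        {"UserName": "carol", "GroupList": ["project-x"], "UserPolicyList": [
            {"PolicyName": "s3-read", "PolicyDocument": allow(["s3:GetObject"])}]},
    ],
    "GroupDetailList": [
        {"GroupName": "project-x", "GroupPolicyList": [
            {"PolicyName": "efs-read", "PolicyDocument": allow([
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"])}]},
    ],
}

def as_list(value):
    """IAM lets a lone statement or action appear without list brackets."""
    return value if isinstance(value, list) else [value]

def efs_actions(policies):
    """Sorted EFS (or full-wildcard) actions allowed by inline policies."""
    found = set()
    for policy in policies:
        for stmt in as_list(policy["PolicyDocument"].get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements never grant access
            for action in as_list(stmt.get("Action", [])):
                if action == "*" or action.lower().startswith(EFS_PREFIX):
                    found.add(action)
    return sorted(found)

def audit(details):
    """Return (direct user grants, group grants) as {name: [actions]} dicts."""
    users = {u["UserName"]: efs_actions(u.get("UserPolicyList", []))
             for u in details.get("UserDetailList", [])}
    groups = {g["GroupName"]: efs_actions(g.get("GroupPolicyList", []))
              for g in details.get("GroupDetailList", [])}
    return ({n: a for n, a in users.items() if a},
            {n: a for n, a in groups.items() if a})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any entry in the first dictionary is a user-level grant to move into a group or remove.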
Ask the Expert:
Want to ask Dan Sullivan a question about cloud security? Submit your question now via email. (All questions are anonymous.)