Centralized Management in Multi-Account AWS Environments: A Security and Compliance Perspective

Authors

  • Naga Surya Teja Thallam, Senior Software Engineer at Salesforce, USA

DOI:

https://doi.org/10.63282/3050-9246.IJETCSIT-V4I3P103

Keywords:

AWS Security, Multi-Account Governance, Centralized Security Management, Identity and Access Management, Compliance Automation, Cloud Security, AWS Organizations, AWS Security Hub, Regulatory Compliance, Zero Trust Architecture

Abstract

Adoption of multi-account architectures in Amazon Web Services (AWS) has brought several challenges, including security management, policy enforcement and regulatory compliance. Traditional decentralized security approaches lead to issues such as inconsistent identity and access controls, misconfigured security policies and compliance deviations. To overcome these challenges, this study proposes a Centralized Security Management Framework (CSMF) that leverages AWS-native tools to automate identity and access management (IAM), security and network protection, and compliance enforcement. It combines AWS Organizations, AWS IAM, AWS Config, AWS Security Hub and AWS GuardDuty into an integrated security governance model for multiple AWS accounts. Results of an empirical evaluation on a real-world AWS testbed show that, by eliminating ineffective rules and misconfigurations that were falsely believed to be secure, CSMF reduces security misconfigurations, improves compliance, and accelerates incident detection and response compared to traditional SMs. Key findings show a 65% drop in IAM security risk, a 72% drop in network vulnerabilities, an 80% increase in compliance adherence and a 55% increase in incident response efficiency. AI-driven security automation, the Zero Trust security model, cross-cloud security governance and adaptive compliance frameworks are identified as future research directions. We present this study as a basis for centralized security management that enables organizations to apply scalable, policy-based security and compliance enforcement in their AWS multi-account environments.
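The kind of organization-wide, policy-based guardrail the abstract describes can be expressed as an AWS Organizations service control policy (SCP); the example below is added here and is not code from the paper. It assumes a security-tooling role named OrgSecurityTooling, a constructed SCP that stops member accounts from disabling GuardDuty, AWS Config or Security Hub, and a small local evaluator (supporting only the ArnLike/ArnNotLike operators the policy uses) so the policy can be sanity-checked offline against sample API calls.

```python
import fnmatch

SECURITY_ROLE_ARN = "arn:aws:iam::*:role/OrgSecurityTooling"  # assumed role name, not from the paper

# Organizations SCP: member accounts cannot switch off the detective services the
# centralized framework depends on unless the caller is the security-tooling role.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectCentralDetectiveControls",
        "Effect": "Deny",
        "Action": [
            "guardduty:DeleteDetector", "guardduty:DisassociateFromMasterAccount",
            "config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder",
            "securityhub:DisableSecurityHub", "securityhub:DisassociateFromMasterAccount",
        ],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": SECURITY_ROLE_ARN}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(condition, ctx):
    # Minimal evaluator: only ArnLike/ArnNotLike, which is all the SCP above uses.
    # A missing context key satisfies ArnNotLike, as in IAM.
    for op, kv in condition.items():
        for key, patterns in kv.items():
            val = ctx.get(key)
            hit = val is not None and any(fnmatch.fnmatchcase(val, p) for p in _as_list(patterns))
            if (op == "ArnLike" and not hit) or (op == "ArnNotLike" and hit):
                return False
    return True

def scp_allows(scp, action, principal_arn):
    # SCPs only filter: a matching Deny blocks the call whatever IAM grants.
    # Action names are compared case-insensitively, as IAM does.
    ctx = {"aws:PrincipalArn": principal_arn}
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
        if action_hit and _condition_holds(st.get("Condition", {}), ctx):
            return False
    return True

def denied_calls(scp, calls):
    # From constructed (principal_arn, action) pairs, return the ones the SCP would block.
    return [(p, a) for p, a in calls if not scp_allows(scp, a, p)]
```

The evaluator only models the Deny filter that SCPs apply on top of IAM; it does not reproduce the full IAM policy evaluation logic.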

Published

2023-09-24

Section

Articles

How to Cite

Teja Thallam NS. Centralized Management in Multi-Account AWS Environments: A Security and Compliance Perspective. IJETCSIT [Internet]. 2023 Sep. 24 [cited 2025 Sep. 13];4(3):23-31. Available from: https://ijetcsit.org/index.php/ijetcsit/article/view/98
