Cloud-native architectures have become a cornerstone for many organisations thanks to their scalability, resilience and agility. With that popularity, they have also become attractive targets for attackers. Whether you’re running a microservices-based system, a containerised app, or using managed services, securing your application at every level is essential.
In this blog, we’ll dive into the key security practices and tips to protect both the frontend and backend of cloud-native systems. From encryption and authentication to network isolation, API security and automating security in your pipelines, I’ll walk you through the essentials to keep your applications safe.
Since we’re on the topic of security, it’s also important to touch on AWS’s Security Pillar, part of the AWS Well-Architected Framework. This pillar is all about protecting your data, systems, and assets by following security practices. By the end of this blog, you’ll not only review how to secure a cloud-native environment but you’ll also have some ideas on how to level up your app’s security.
1 – Frontend
Enable HTTPS with Amazon CloudFront and AWS Certificate Manager (ACM)
Serve your static site or application over HTTPS only: put CloudFront in front of it with an ACM certificate and a viewer protocol policy that redirects (or rejects) plain HTTP. TLS gives you confidentiality and integrity in transit, so an on-path attacker can neither read nor tamper with the pages and scripts your users load, and browsers stop flagging the site as “not secure”.
AWS Certificate Manager
ACM issues public TLS certificates at no additional cost and renews them automatically, removing the operational risk of an expired certificate taking the site down. One caveat: a certificate used by CloudFront must be requested or imported in the us-east-1 (N. Virginia) region, regardless of where the rest of your resources live.
Amazon CloudFront
CloudFront delivers content with low latency and high transfer speeds, and brings a mix of performance and security benefits such as:
- CloudFront CDN reduces application latency by serving content from the AWS edge locations closest to the user.
- By caching static content, you can also reduce the number of requests made to the origin (S3), which additionally can lower your AWS costs.
- CloudFront is covered by AWS Shield Standard, which provides automatic protection against common network and transport layer DDoS attacks at no extra cost. You can also attach an AWS WAF web ACL to block malicious requests, for example with IP reputation lists, rate-based rules and the managed rule groups for SQL injection and XSS.
- For a static app hosted in an S3 bucket, configure Origin Access Control (OAC) so the bucket only accepts requests signed by CloudFront, and keep S3 Block Public Access switched on so the bucket URL cannot be used directly. Every request then passes through CloudFront, where you enforce HTTPS, caching and WAF rules.
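The bucket policy that OAC relies on is short but easy to get wrong, so here is an added example (not code from the original post) that builds it and audits it. It generates the policy AWS documents for OAC, adds a Deny for non-TLS requests, and runs two checks that a practitioner would put in a pipeline: no Allow statement grants read access to an anonymous principal, and a TLS-only Deny is present. The bucket name, account ID and distribution ID are constructed placeholders.

```python
"""Bucket policy for a private S3 origin behind CloudFront Origin Access Control (OAC)."""
import json

# Constructed identifiers for the example; substitute your own.
BUCKET = "my-static-site-bucket"
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Only the CloudFront service principal may read objects, and only on behalf of
    the single distribution pinned in aws:SourceArn (so another account's distribution
    cannot be pointed at this bucket). A second statement rejects any request that did
    not arrive over TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_read_statements(policy: dict) -> list:
    """Sids of Allow statements that grant object reads to everyone. An anonymous
    principal is "*" or {"AWS": "*"}; a statement that pins aws:SourceArn or
    aws:SourceAccount in a StringEquals condition is not treated as anonymous."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if not anonymous:
            continue
        pinned = st.get("Condition", {}).get("StringEquals", {})
        if any(k.lower() in ("aws:sourcearn", "aws:sourceaccount") for k in pinned):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if any(a in ("s3:getobject", "s3:*", "*") for a in actions):
            findings.append(st.get("Sid", "<no sid>"))
    return findings


def denies_insecure_transport(policy: dict) -> bool:
    """True if some Deny statement fires when aws:SecureTransport is false."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


# The "just make it work" policy that the audit should flag (constructed).
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    good = oac_bucket_policy(BUCKET, DISTRIBUTION_ARN)
    print(json.dumps(good, indent=2))
    print("public read in OAC policy:", public_read_statements(good))            # []
    print("public read in wide-open policy:", public_read_statements(WIDE_OPEN_POLICY))  # ['PublicReadGetObject']
```

The Deny statement uses Principal "*" deliberately: a Deny applies to everyone, including the CloudFront principal, which is what you want for a transport requirement. The audit only treats "*" as a problem on Allow statements.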
Prevent Cross-Site Scripting (XSS) attacks
Cross-Site Scripting (XSS) attacks occur when an attacker injects malicious scripts into web pages viewed by other users. These scripts can steal sensitive data like cookies or session tokens, or perform actions on behalf of the user. The primary defence is to escape or sanitise untrusted data before it is rendered; the measures below limit the damage when something slips through.
- Use HttpOnly and Secure cookies: the HttpOnly flag stops page scripts from reading the cookie through document.cookie, so an injected script cannot exfiltrate the session token, and Secure ensures the browser only sends it over HTTPS. Add SameSite=Lax or Strict so the cookie is not attached to cross-site requests either.
- Use AWS WAF: as mentioned previously, the managed rule groups catch many common XSS and SQL injection payloads before they reach your frontend. Treat it as a filter in front of the application, not as a replacement for output encoding in the application itself.
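Cookie flags are set by the server, so an added example (not code from the original post) of the backend side: a helper that emits a Set-Cookie header with the flags above, and an auditor you can run over captured response headers to flag cookies that are missing them. It uses only Python's standard library; the cookie name and value are constructed.

```python
"""Build and audit session cookies for HttpOnly / Secure / SameSite."""
from http.cookies import SimpleCookie


def session_cookie_header(name: str, value: str, max_age: int = 3600, same_site: str = "Lax") -> str:
    """Return the value of a Set-Cookie header for a session cookie that page
    scripts cannot read (HttpOnly), that only travels over TLS (Secure) and that
    is not attached to cross-site requests (SameSite)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = same_site
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """List the problems with one Set-Cookie header value (empty list = fine).
    Attribute names are case-insensitive per RFC 6265."""
    name_value, *attr_parts = [p.strip() for p in header_value.split(";")]
    name = name_value.partition("=")[0].strip()
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("missing or weak SameSite")
    # Browsers only honour the __Host- prefix when Path=/ is set and Domain is absent,
    # which pins the cookie to exactly this host.
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        problems.append("__Host- prefix requires Path=/ and no Domain")
    return problems


if __name__ == "__main__":
    header = session_cookie_header("__Host-session", "opaque-session-id-123")  # constructed value
    print("Set-Cookie:", header)
    print("audit:", audit_set_cookie(header))                      # []
    print("audit:", audit_set_cookie("session=abc123; Path=/"))   # missing all three
```

Run the auditor against the Set-Cookie headers your proxy or load balancer logs, or wire it into an integration test that hits the login endpoint and inspects the response.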
Implement authentication
Every web application needs an authentication and authorisation process, and on AWS the managed option is Amazon Cognito. Cognito handles user sign-up, sign-in and access management for web and mobile apps and can federate social identity providers such as Google or Facebook. After sign-in it issues signed JWTs (ID and access tokens); your backend, or an API Gateway Cognito authoriser, verifies the token signature and claims on every request, which adds a trust boundary between frontend and backend. Cognito is also integrated with other AWS services such as API Gateway, Lambda and S3. For example, with Cognito Identity Pools you can grant users temporary, scoped AWS credentials so they can interact with AWS resources directly (e.g., upload files to S3).
Third-party frameworks recommendations
DOMPurify
DOMPurify is a DOM-based sanitiser for HTML, MathML and SVG. Pass untrusted markup through DOMPurify.sanitize() before rendering it (for example before handing it to React’s dangerouslySetInnerHTML), and it strips script-bearing elements and attributes while keeping safe formatting. It works in any browser application, not only React.
Projen
Projen lets you define and standardise project configuration across your organisation. Through Projen templates you predefine a configuration that automates project setup and maintenance, so teams get consistent scaffolding for TypeScript, JavaScript, CDK and other project types, along with standardised settings, dependency versions, patterns and even CI/CD pipelines. Because the generated files are regenerated from the template, one central change (such as adding a dependency audit step) rolls out to every project. Projen is highly recommended for organisations that build several applications with similar architectures.
2 – Backend
Implement the least privilege principle
The least privilege principle means that every AWS user, role and service has only the permissions it needs to perform its task. For example, if a Lambda function reads from DynamoDB and returns a list of clients, there is no reason for its role to allow writes to the table, let alone dynamodb:* on every resource. On AWS this is implemented with IAM policies attached to roles; IAM Access Analyzer can flag unused permissions and generate a policy from the actions a role actually used according to CloudTrail, which is a practical way to tighten existing roles.
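To make the DynamoDB example concrete, here is an added example (not code from the original post) showing the over-broad policy next to the least-privilege one, a linter that flags wildcard actions and resources in the way a CI check would, and a small evaluator that confirms the tightened policy still allows the reads the function needs and nothing more. The table ARN and account ID are constructed; the evaluator only models Allow/Deny matching on Action and Resource, not conditions.

```python
"""Least-privilege IAM policy for a read-only Lambda, with a lint check and evaluator."""
import fnmatch

TABLE_ARN = "arn:aws:dynamodb:ap-southeast-2:111122223333:table/Clients"  # constructed

# What "just make it work" often looks like: every DynamoDB action on every table.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# What the list-clients function actually needs.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadClientsTable",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
        "Resource": TABLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Flag the patterns that most often hide excess privilege."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
    return findings


def allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Action names are case-insensitive; '*' and '?' are wildcards."""
    decision = False
    for st in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if action_hit and resource_hit:
            if st.get("Effect") == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    print("broad policy findings:", lint_policy(OVERLY_BROAD))
    print("tight policy findings:", lint_policy(LEAST_PRIVILEGE))   # []
    for action in ("dynamodb:Query", "dynamodb:PutItem", "dynamodb:DeleteTable"):
        print(f"{action:22s} broad={allows(OVERLY_BROAD, action, TABLE_ARN)} "
              f"tight={allows(LEAST_PRIVILEGE, action, TABLE_ARN)}")
```

If the function only ever reads by key, drop dynamodb:Scan as well; each action you leave out is one fewer thing an attacker can do with a compromised function.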
Secure the network
There are several measures to apply to your network, some of them are standard and others will depend on your backend architecture, whether you’re running a microservices-based system, a containerised application, or managed services.
Isolate sensitive backend services
Isolate critical backend components from the public internet, by placing them in private subnets on a Virtual Private Cloud (VPC).
Many organisations keep critical resources, such as RDS databases, OpenSearch (Elasticsearch) clusters, or internal services, inside private subnets within a VPC. Serverless resources such as Lambda can be placed there too. By attaching a Lambda function to a VPC, you can use security groups and network access control lists (NACLs) to control exactly what traffic is allowed to and from the function. This minimises exposure and lets the function reach private resources such as RDS without those resources being reachable from the internet. Bear in mind that a function in a private subnet has no internet access of its own: calls to AWS APIs then need a NAT gateway or, preferably, VPC endpoints.
Avoid public internet exposure
With VPC endpoints you can connect resources inside your VPC (and on-premises networks attached to it) to AWS services without the traffic leaving the AWS network. Example: a Lambda function sits in a private subnet and needs DynamoDB, which is a regional service reached through a public API endpoint. With a gateway VPC endpoint for DynamoDB, the traffic is routed privately inside the VPC instead of through a NAT gateway and the public internet. S3 and DynamoDB use gateway endpoints, which are free; most other services use interface endpoints powered by AWS PrivateLink, and both kinds accept an endpoint policy that limits which resources can be reached through them.
Data protection
Encryption
Encryption plays a key role in data protection, and the major AWS storage services all support it, in most cases with a single setting.
Several services now encrypt at rest by default with AWS-owned or AWS-managed keys (S3 and DynamoDB do). Where you need control over the key, an audit trail of its use, or the ability to revoke access by disabling the key, use a customer-managed AWS KMS key for sensitive data in S3, DynamoDB, RDS and EBS volumes. For data in transit, terminate TLS at CloudFront and the load balancer and redirect HTTP as described above, and use TLS on internal hops too, for example by requiring SSL connections on RDS.
S3 Bucket security
If your application uses S3 buckets as storage, these are good practices to follow:
- Keep the buckets private: enable S3 Block Public Access at the account and bucket level so that a mistaken ACL or policy cannot expose data
- Enable default encryption with SSE-S3 or, for sensitive data, SSE-KMS with a customer-managed key
- Enable Versioning, this helps recover from unintended overwrites or deletions
- Enable S3 Server Access Logs to track detailed access logs of requests made to your S3 objects.
- Implement Object Lock to enforce write-once-read-many (WORM) policies. This can protect your objects from being deleted or modified for a fixed duration, which is crucial for compliance or safeguarding sensitive data.
- Discover and secure sensitive data using Amazon Macie: Macie uses machine learning and pattern matching to provide visibility of data security risks and enables automated protection against those risks. Extremely helpful for organisations that seek to follow compliance and secure sensitive information requirements.
Protect data sensitive content
Due to regulatory and privacy requirements, organisations must protect the sensitive data they collect about their customers and operations, and data masking is one way of achieving that. Data masking replaces confidential values with realistic but fake ones, so that test environments, analysts and support staff never see the real data. Database products such as SQL Server and Oracle offer built-in masking, and on AWS several services help: Amazon Transcribe can redact PII from transcripts, Amazon Redshift supports dynamic data masking policies, and Amazon Comprehend can detect PII in text so that a Lambda function can mask it before it is stored.
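As an added example (not code from the original post) of what a masking step in a Lambda function or ETL job looks like, the block below masks two kinds of sensitive values in free-text records. Card numbers are detected by pattern and confirmed with the Luhn check, so a 13-digit order reference is left alone, and only the last four digits survive. E-mail addresses are replaced with a keyed HMAC pseudonym: the same address always yields the same token, so records can still be joined on it, but without the key the token cannot be reversed or brute-forced. The sample record and the key are constructed; in production the key belongs in Secrets Manager or KMS.

```python
"""Mask card numbers and pseudonymise e-mail addresses in free-text records."""
import hashlib
import hmac
import re

PSEUDONYM_KEY = b"example-only-change-me"  # constructed; store the real key in Secrets Manager / KMS

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # a long number that is not a card (order id, tracking number)
    return "*" * (len(digits) - 4) + digits[-4:]


def _pseudonymise_email(match: re.Match) -> str:
    """Deterministic, keyed pseudonym: joins keep working, but the mapping
    cannot be recovered without PSEUDONYM_KEY."""
    email = match.group(0).lower()
    tag = hmac.new(PSEUDONYM_KEY, email.encode(), hashlib.sha256).hexdigest()[:12]
    return f"user-{tag}@masked.invalid"


def mask_record(text: str) -> str:
    """Apply all masks to one record. Cards first, so the e-mail pass never sees digits
    it might misinterpret, then e-mail addresses."""
    text = CARD_RE.sub(_mask_card, text)
    return EMAIL_RE.sub(_pseudonymise_email, text)


# Constructed support-ticket line: one real-looking card, one order reference, one e-mail.
SAMPLE_RECORD = "Client jane.doe@example.com paid with card 4111 1111 1111 1111 (ref 1234567890123)"

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
    # Client user-<12 hex chars>@masked.invalid paid with card ************1111 (ref 1234567890123)
```

Masking is a one-way transformation for copies of the data; the system of record still needs encryption and access control for the unmasked values.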
Backup policies
Backup is critical to ensuring the safety, availability and integrity of data. Whether due to accidental deletion, hardware failure, or cyberattacks, data loss can result in severe financial and operational impacts. Implementing regular and automated backup procedures provides a safety net, allowing businesses to recover from disasters without significant downtime or loss of information.
AWS Backup is designed to automate and centralise backup processes: it provides scheduled backup plans, backup encryption, and copies to another region or account so that a compromise of the source account does not take the backups with it. AWS Backup Vault Lock can make those copies immutable for a retention period, which is what stops ransomware or a stolen credential from deleting them. Whatever you choose, test restores regularly; an untested backup is an assumption, not a control. For more detail, see the AWS Backup documentation.
Credentials & Keys
Avoiding hardcoded secrets might sound obvious, but it still happens. Never commit sensitive information to source code, and ship changes through pull requests where other team members and automated secret scanners can review them before merge. Store API keys, database credentials and other secrets in AWS Secrets Manager or Systems Manager Parameter Store (SecureString), fetch them at runtime through the function’s IAM role, and grant each role read access only to the secrets it needs. Prefer IAM roles over long-lived access keys wherever possible, and if a secret does leak, rotate it immediately rather than only deleting the commit, since the value lives on in the repository history.
Logging & Monitoring
Setup AWS Config
Enable AWS Config to continuously record the configuration of your AWS resources and evaluate it against security best practices. Use the managed Config rules, such as s3-bucket-public-read-prohibited or encrypted-volumes, to detect drift as soon as a configuration changes, and pair them with remediation or alerting rather than leaving findings to be read later.
Monitoring dashboards
Implementing a good level of logging in your application helps you debug and troubleshoot problems faster, spot performance issues, analyse behaviour, collect operational insights and meet audit requirements. To make that information usable, visualise it in a dashboard and alarm on the security-relevant events (failed sign-ins, root account use, changes to IAM or security groups). There are many tools on the market for building dashboards, such as Grafana, Kibana, Splunk and Power BI. On the AWS side you have Amazon QuickSight, CloudWatch Dashboards, Amazon OpenSearch Service and Amazon Managed Grafana.
Implement test practices
A full-stack cloud native application can benefit from various types of tests. Here is a breakdown of some types of tests and some popular frameworks used by the development community.
Unit Testing
The most common type of test, unit tests focus on individual components and functions to ensure they work as expected in isolation. Common frameworks are Jest and Karma for the frontend and JUnit, pytest and again Jest for the backend.
Integration and End to end Testing
Integration and End-to-End (E2E) tests cover the whole flow of an operation: how the different modules (backend, frontend) work together while simulating real user interactions. Common frameworks are Cypress, TestCafe and Selenium.
API Testing
Ensure that the API behaves as expected, including its error paths (an unauthenticated request must get a 401, not data). This is often done manually in Postman, but the same collections can be run automatically as part of the CI/CD workflow.
Acceptance Testing
Validate if the application meets the business requirements from an end-user perspective. One of the most common frameworks used is Cucumber.
Chaos Testing
The name explains its purpose: test how the system behaves under unexpected failures or disruption, for instance by simulating server failures, CPU stress and network outages.
For such tests AWS provides AWS Fault Injection Service (FIS, formerly Fault Injection Simulator), a fully managed service for running chaos experiments on AWS workloads.
Vulnerability Testing
Focus on identifying security weaknesses and vulnerabilities in an application or its underlying infrastructure. The goal is to detect and remediate vulnerabilities before they are exploited by attackers.
Types of Vulnerability Testing
- Static Application Security Testing (SAST): analyse the source code for vulnerabilities like SQL injection, XSS, etc. SonarQube is a well-known tool for this.
- Software Composition Analysis (SCA): identify known vulnerabilities in the third-party libraries, frameworks or packages that the application depends on. Black Duck is a common commercial tool in this space; OWASP Dependency-Check and npm audit are free alternatives.
- Cloud infrastructure vulnerability scanning: identifies weaknesses in the cloud environment, such as misconfigured services and insecure permissions. Amazon Inspector and Prowler are very common tools.
Third-party frameworks recommendations
Lambda Powertools
Powertools for AWS Lambda is a developer toolkit for implementing serverless best practices and increasing developer velocity. It is available for Python, TypeScript, Java and .NET. Its main features include a Tracer for function handlers, a structured Logger, a Metrics utility, and a Parameters utility with high-level functions to retrieve secrets or parameters from AWS Secrets Manager and Parameter Store with caching.
Git Guardian
GitGuardian is a security tool that helps developers and organisations by monitoring their code repositories for leaked sensitive information. It specialises in detecting secrets such as API keys, passwords, credentials and private tokens, both in incoming commits and in the existing history, which is very useful for medium and large development teams.
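The mechanics behind secret scanners like the one above, and behind the “never hardcode secrets” advice in the Credentials & Keys section, are a set of known-format patterns plus an entropy heuristic for generic assignments. The block below is an added example (not GitGuardian’s code or the original post’s) of such a scanner that you could run as a pre-commit hook over changed files. The source lines it scans are constructed; the AWS key ID and secret in them are the sample values AWS uses in its own documentation, not live credentials.

```python
"""Minimal hardcoded-secret scanner: known-format patterns plus an entropy check."""
import math
import re

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-character secret assigned to a variable whose name says what it is.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Quoted literal assigned to a suspicious name; confirmed by entropy below.
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "xxxxxxxx"}
ENTROPY_THRESHOLD = 3.0  # bits per character; real random secrets sit well above this
ALLOWLIST_MARKER = "# allowlist-secret"  # reviewed exception, kept next to the line


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def scan_lines(lines) -> list:
    """Return (line_number, pattern_name) for every suspected secret."""
    findings = []
    for number, line in enumerate(lines, 1):
        if ALLOWLIST_MARKER in line:
            continue
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "generic_assignment":
                value = match.group(2)
                # Skip obvious placeholders and low-entropy words; flag random-looking literals.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append((number, name))
    return findings


# Constructed source lines. Lines 3 and 4 show the right way: read secrets from the
# environment or from Secrets Manager at runtime.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'db_password = os.environ["DB_PASSWORD"]',
    'token = secrets_client.get_secret_value(SecretId="prod/api/token")',
    'api_key = "kQ8vZ2xN4pL7wR1tY6uH3jB9"',
    'password = "changeme"',
    '-----BEGIN RSA PRIVATE KEY-----',
    'TEST_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # allowlist-secret: AWS documentation sample',
]

if __name__ == "__main__":
    for number, name in scan_lines(SAMPLE_SOURCE):
        print(f"line {number}: {name}")
    # line 1: aws_access_key_id / line 2: aws_secret_access_key / line 5: generic_assignment / line 7: private_key_block
```

A scanner like this fails closed in CI (non-zero exit when findings are non-empty) and is cheap to run on every commit; the commercial tools add far more patterns and validity checks, but the allowlist-marker idea is worth keeping so that reviewed exceptions are visible next to the code.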
By combining these AWS security practices, you can build a robust, cloud-native application that is both scalable and secure, protecting your frontend, backend, and infrastructure from threats while complying with industry regulations and standards.
Amazon Q Developer
Amazon Q Developer is a generative AI-powered assistant that helps you build and operate AWS applications. You can ask it about AWS architecture, resources, best practices and documentation, and get support during software development. Amazon Q provides extensions for the most common IDEs (VS Code, Visual Studio and IntelliJ). With the extensions you can ask Amazon Q to analyse and scan your code, check for security vulnerabilities, and make improvements such as framework upgrades or help debugging errors.
Scan vulnerabilities with Amazon Q
Amazon Q performs code scanning to verify and analyse code security and quality. In order to leverage such a feature, you need to understand what types of scans are available:
- Code Security Scanning
  - SAST scanning: detect security vulnerabilities in your source code, for instance resource leaks, SQL injection and cross-site scripting.
  - Secrets scanning: prevent the exposure of credentials and keys in the code.
  - IaC scanning: scan infrastructure-as-code files to detect misconfigurations, compliance and security issues.
- Code Quality Scanning
  - Detects quality and maintainability issues to ensure your codebase follows best practices.
How Cevo can help?
As you can see, security is a vast subject and there is always more to explore beyond what one blog can cover. I hope this post helped you find security characteristics that you need to improve in your application, or at least confirmed your expectations. If you have legacy or modern applications and feel they aren’t secure enough, reach out to us: we can help you enhance your security practices, upskill your team and improve the security of your cloud environment.