DEV Community

Cover image for How can you secure microservices architecture using AWS services?
Vijay Kodam
Vijay Kodam

Posted on • Edited on

1

How can you secure microservices architecture using AWS services?

Introduction

Security in Public Cloud is utmost important. Losing access to your website or attackers deleting your database are catastrophic-company-ending-events.

Shared Responsibility Model

Security and Compliance is a shared responsibility between AWS and the customer.

From AWS Documentation:

AWS is responsible for the "Security of the Cloud". AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer is responsible for the “Security in the Cloud”. Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.

Refer AWS Documentation for more information on Shared Responsibility Model.

Best Practices

Luckily, AWS provides you with a host of security services to improve your security posture from Day One. Note that this is not an exhaustive list and "it depends" on where you run and what services you use. Here are some of the steps to secure your microservices architecture in AWS:

  • Use AWS Shield for DDoS protection
  • Use AWS GuardDuty for intelligent threat detection.
  • Use AWS IAM for managing identities and access to AWS resources
  • Use AWS WAF to protect your web applications from common exploits.
  • Use AWS Certificates Manager for encrypting website data in transit using TLS/SSL certificates.
  • Use AWS KMS keys to encrypt all EBS volumes and Aurora DB (data at rest)
  • Use AWS Secrets Manager to store your application secrets.
  • Run all your workloads in private subnets. Allow only needed traffic using Security Groups and NACLs.
  • If your applications need Internet connectivity to download updates then configure NAT GW in public subnet.
  • You could also use VPC peering to isolate specific workloads in a different VPC in a different AWS account.
  • Use Amazon Inspector to scan EC2 for security vulnerabilities
  • Use Amazon Security Hub to automate AWS security checks and centralize security alerts.
  • Use AWS Cognito for authentication and authorization of the API requests.
  • Use CloudTrail for audit logging.

Conclusion

Security should not be an after thought when building and running applications in AWS. Utilize some or all of these AWS security services to make your microservices architecture secure.

What have I missed? This post assumed microservices are running in EC2 VMs. If microservices are running in Amazon EKS then it calls for a totally new approach and very long post. I will post about EKS security soon.

Follow me on LinkedIn at https://www.linkedin.com/in/vijaykodam/ where I post articles about AWS, Kubernetes and cloud computing in general. I also post all my articles to my blog at https://vijay.eu/posts

Image Credits: Microservices architecture made by me using draw.io

Do your career a big favor. Join DEV. (The website you're on right now)

It takes one minute, it's free, and is worth it for your career.

Get started

Community matters

Top comments (0)

👋 Kindness is contagious

Discover a treasure trove of wisdom within this insightful piece, highly respected in the nurturing DEV Community enviroment. Developers, whether novice or expert, are encouraged to participate and add to our shared knowledge basin.

A simple "thank you" can illuminate someone's day. Express your appreciation in the comments section!

On DEV, sharing ideas smoothens our journey and strengthens our community ties. Learn something useful? Offering a quick thanks to the author is deeply appreciated.

Okay