TYPO3 on AWS - Part 3: Security & Compliance

Thanks to Sebastian from root360 for sharing!

Security and compliance are given top priority in most companies. And rightly so. A solid security concept is not only a prerequisite to save unpleasant costs, but also minimizes non-quantifiable risks, such as the loss of data or server access by unauthorized persons. After having introduced appropriate migration strategies to the AWS Cloud in my last blog article, I now give some insights into security and compliance issues for a TYPO3 set up on AWS.

Basically, AWS's security concept is based on the shared responsibility model. As a result, AWS takes over the 'security of the cloud', while the customer is responsible for 'security in the cloud'. Cloud Security covers data center protection and regular training for AWS staff in each data center. AWS also ensures that the security of the hardware, software, and network is established. Numerous certificates certify that AWS meets all common security standards. In particular, AWS meets the requirements of ISO 27001 and the Cloud Computing Compliance Controls Catalogue (C5) that are highly relevant for the German market. AWS provides these and many other certificates free of charge via the in-house Artifact service. Put simply, AWS already meets key security standards and requirements.

By contrast, the responsibility of 'security in the cloud' is entirely within the scope of the AWS customer. This responsibility concerns both the guest operating system, as well as all data in-transit and at-rest, encryption and your TYPO3 installation. The customer is also responsible for firewall, identity and access management configurations, and network traffic. In the following, I'll talk about some ways and best practices regarding security in the cloud.

In the area of AWS security which is within the scope of the customer, various security measures should be taken at both the infrastructure and the individual service level. For internal tracking of changes and access to the AWS Management Console, you can track all actions with the AWS CloudTrail service: CloudTrail records all API calls and user activities in the AWS Management Console. There are also certain measures to be taken regarding traffic. For example, if you implement only the AWS Application Loadbalancer (ALB) by default, only HTTP and HTTPS protocols are processed. FTP requests, but also SSH and MySQL queries are not allowed and the web server is not directly accessible. You can find more information in the documentation of AWS.

An AWS Web Application Firewall (WAF) is often implemented on the ALB as well. 

At the network level, AWS provides a number of best practices. Certainly the most important thing to do is to divide all areas into subnets and grant exclusive permission for the most necessary traffic. For example, we set up network access control lists of the subnets only with a minimum of permission. The same applies, of course, to the individual security groups. Furthermore, access control of individual services can be controlled by so-called roles in AWS Identity and Access Management (IAM). To provide an example, an EC2 instance can only query the parameters defined by the role for another service. 

Likewise, you should implement a suitable protection of the guest operating system and software. Access protection can and should be done by automatically blocking the IP address if several unsuccessful login attempts have been started. At the same time, improved protection against so-called brute force attacks is ensured. 

A number of precautions should also be taken regarding data security. As root360, we integrate both Amazon Elastic File System (EFS) storage services and occasionally Simple Storage Service (S3) as shared storage. Both should be encrypted by default. However, the connection of S3 to TYPO3 can take a little longer depending on your know-how. Encryption of the database is also possible. However, encryption is not only critical from an infrastructure point of view. Data must also be encrypted at the software level. It is therefore essential to be informed about the latest state of development and use new encryption algorithms that are considered safe, such as the SHA-256 hash. The change and management of passwords can be easily mapped via the AWS KMS.

With regard to TYPO3, the same factors must be considered in the cloud, which must also be observed in an on-premises environment: Are the latest technologies used? Is Ubuntu up to date, do I use the latest packages? Do I make database queries and am I protected against SQL injections? Or do I just deliver static content and do not need to worry about it? Will the latest SOLR version be used or am I still using an older version with corresponding security vulnerabilities? Do I trust the developers of the plugins used? 

Regular scanning of Common Vulnerabilities and Exposures (CVEs) is always recommended. This is a collection of known vulnerabilities. The audit should be carried out on a regular basis; ideally each audit consists of a process of assessing and prioritizing the vulnerabilities and the need for action. Depending on the vulnerability, a response should be undertaken as swiftly as possible. The list of CVEs can be found on the website of the National Vulnerability Database.

Security considerations also concern the updates of the software. The updates should ideally be automated, including security patches and minor updates. A weekly update allows security vulnerabilities to be resolved quite quickly. Server and software configuration changes should be versioned and stored. This allows you to track changes and, if necessary, reset them to a previous state. The major updates are equally independent of the AWS cloud which typically require a significant amount of effort and also retain internal and external resources. What's exciting, though, is that AWS always provides the latest technologies, so you can easily adapt them to your major update.

Though it may not be feasible to cover all aspects in one article, it became clear that security in the AWS Cloud concerns a great array of different aspects. Using AWS services always means AWS ensures the security of the cloud. For security in the cloud, however, you need to be active, or alternatively, the high demands on security standards in the cloud can also be implemented and maintained by managed services providers such as root360.