July 19, 2021
What to Look for When Shopping for and Deploying AWS Marketplace Tools
The Amazon Web Services (AWS) Marketplace enables qualified AWS partners to market and sell their software to AWS customers. It’s a great resource for finding security tools—and other types of tools—that run on AWS.
But don’t assume the Marketplace is a walled garden in which all offerings are ready to immediately plug and play in your cloud environment. Deploying these tools without careful consideration of security implications can leave your cloud environment vulnerable to attack.
In this blog post, we’ll review key considerations and recommendations for choosing and deploying AWS Marketplace tools in a way that minimizes vulnerabilities to attack while enabling efficient and reliable deployment of tools across your cloud environment.
Understand Roles and Responsibilities
In the AWS environment, security responsibilities are shared between AWS and its customers. Under the AWS Shared Responsibility Model, customers are responsible for security functions such as identity and access management, firewall configuration, and data encryption. AWS is responsible for securing the cloud infrastructure that runs the software offered in the AWS cloud (e.g., hardware, software, networks).
When selecting cloud security tools from the AWS Marketplace, be sure to understand the functions your tools will be performing in the context of the shared responsibility model. We recommend conducting a detailed review of your security requirements to ensure they are all addressed by either AWS or third-party tools/solutions that you will be deploying.
Ensure You Have the Latest Patches
For many third-party tools, the version you find on the AWS Marketplace will not have the latest patches, which can lead to significant vulnerabilities. We suggest using a product like HashiCorp’s Packer to ensure that machine images being prepared for deployment in your cloud environment include the latest versions of any AWS Marketplace tools you will be using.
Lean Into Infrastructure as Code
We recommend using Infrastructure as Code (IaC) tools and techniques for deploying AWS Marketplace security tools (and other tools) in your cloud environment. IaC automates infrastructure provisioning, enabling you to develop, deploy, and scale cloud applications with greater speed while eliminating manual deployment errors that can leave your environment vulnerable to attack.
IaC solutions allow for immutable infrastructure, new images are created when updates are released rather than patching a system over time. When infrastructure changes are needed, a new infrastructure image will be created and used to fully replace the existing image. Automated tools enable new images to be spun up and deployed quickly, making this approach feasible.
Immutability eliminates configuration drift, improves resilience, ensures consistency between development, test, staging, and production environments, and makes it easier to track infrastructure versions and roll back to previous versions if needed.
While there are many excellent tools available to help you implement IaC in your cloud environment, we’ve had good luck helping clients implement HashiCorp’s IaC tools, specifically:
- Automatically builds infrastructure machine images on the fly, pulling the latest versions of software and corporate security controls from multiple sources.
- Creates identical machine images for multiple platforms from a single source configuration.
- Allows identical images to be run in development, test, staging, and production environments across multiple platforms.
- Uses infrastructure machine images prepared by Packer to quickly launch completely provisioned and configured machine instances.
- Machine instances can be deployed across multiple platforms, including AWS, Azure, GCP, and on-prem data centers.
We’ve also achieved positive results helping clients use the open-source Salt configuration management tool for automated provisioning of configuration details in IaC cloud environments.
Beware of Lift and Shift Tools
Some software vendors will take products developed for on-prem legacy environments and offer them for use in cloud environments without migrating them to cloud-native applications. While this can be a good way for a legacy vendor to quickly and inexpensively transition their products to the cloud, these “lift and shift” products may have significant drawbacks, including:
- Security weaknesses that may not have been an issue when the product was used in a secure legacy datacenter where the perimeter was defended against attack, but make the product vulnerable in a modern cloud environment.
- Not supported by commonly-used IaC tools.
- Not able to take advantage of valuable, function-rich products and services available to cloud-native applications (e.g., Zero Trust security tools, microservices, containers).
- Not able to scale across multiple servers and CSPs.
- Performance issues because the applications have not been optimized for cloud operation.
If you are not sure if an application or tool you are considering acquiring through AWS Marketplace or elsewhere is “Lift and Shift,” we suggest consulting a third-party expert to help you make the determination before purchasing the product. Tevora’s team of security and cloud experts would be happy to help with this.
Here are some additional resources that provide a deeper dive into cloud security tools and cloud migration.
We Can Help
If you have questions about selecting the right AWS marketplace tools for your organization or would like help implementing these tools in your cloud environment, our team of cloud and security specialists can help.
We’re happy to just answer a few questions or roll up our sleeves and work side-by-side with your team to help implement cloud security and IaC solutions. And our extensive experience helping clients comply with a wide variety of security frameworks and standards helps us know exactly what steps you’ll need to take to bring your organization into compliance.
Just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
About the Author
Christopher Callas is the Manger of Cloud Security at Tevora.