aws-security-best-practices

AWS Security Configuration Checklist – Top 50 | CyberNcrypt

ByCyberNcrypt

AWS Security

AWS and the customer share responsibility for security and compliance. The AWS shared responsibility model specifies your (as an AWS account holder/user) and AWS’s responsibilities for security and compliance.

AWS responsibility “Cloud Security” – AWS is responsible for protecting the infrastructure that runs all of the AWS Cloud services. This infrastructure consists of the hardware, software, networking, and facilities used to provide AWS Cloud services.

Customer responsibility “Cloud Security” – A customer’s responsibility will be determined by the AWS Cloud services that they choose. This determines how much configuration work the customer is required to do as part of their security responsibilities.

In short, the customer must configure the security controls provided by AWS, such as security groups, network access control, IAM (Identity and Access Management), and all other AWS service configurations. The AWS infrastructure will be vulnerable to several risks if the services are not correctly configured.

AWS Foundational Security Best Practices standard

AWS provides security best practices for configuring its services, known as the AWS Foundational security best practices standard, to keep the cloud environment safe from various threats.

The AWS Foundational Security Best Practices standard is a set of controls that detect deviations from security best practices in your deployed accounts and resources. The standard enables you to continuously evaluate all of your AWS accounts and workloads in order to quickly identify areas, where best practices, are not being followed. It provides actionable and prescriptive guidance on how to improve and maintain the security posture of an organization.

Here is a list of the fifty most important security configurations that every DevOps engineer should implement to create a highly secure cloud environment.

  • Enable CloudTrail logging across all AWS.
  • Turn on CloudTrail log file validation.
  • Enable CloudTrail multi-region logging.
  • Integrate CloudTrail with CloudWatch.
  • Enable access logging for CloudTrail S3 buckets.
  • Enable access logging for Elastic Load Balancer (ELB).
  • Enable Redshift audit logging.
  • Enable Virtual Private Cloud (VPC) flow logging.
  • Require multifactor authentication (MFA) to delete CloudTrail buckets.
  • Turn on multifactor authentication for the “root” account.
  • Turn on multi-factor authentication for IAM users.
  • Enable IAM users for multi-mode access.
  • Attach IAM policies to groups or roles.
  • Rotate IAM access keys regularly, and standardize on the selected number of days.
  • Set up a strict password policy.
  • Set the password expiration period to 90 days and prevent reuse.
  • Don’t use expired SSL/TLS certificates.
  • User HTTPS for CloudFront distributions.
  • Restrict access to the CloudTrail bucket.
  • Encrypt CloudTrail log files at rest.
  • Encrypt Elastic Block Store (EBS) database.
  • Provision of access to resources using IAM roles.
  • Ensure EC2 security groups don’t have large ranges of ports open.
  • Configure EC2 security groups to restrict inbound access to EC2.
  • Avoid using root user accounts.
  • Use secure SSL ciphers when connecting between the client and ELB.
  • Use secure SSL versions when connecting between client and ELB.
  • Use a standard naming (tagging) convention for EC2.
  • Encrypt Amazon’s Relational Database Service (RDS).
  • Ensure access keys are not being used with root accounts.
  • Use secure CloudFront SSL versions.
  • Enable the require_ssl parameter in all Redshift clusters.
  • Rotate SSH keys periodically.
  • Minimize the number of discrete security groups.
  • Reduce the number of IAM groups.
  • Terminate unused access keys.
  • Disable access for inactive or unused IAM users.
  • Remove unused IAM access keys.
  • Delete unused SSH Public Keys.
  • Restrict access to Amazon Machine Images (AMIs).
  • Restrict access to EC2 security groups.
  • Restrict access to RDS instances.
  • Restrict access to Redshift clusters.
  • Restrict access to outbound access.
  • Disallow unrestricted ingress access on uncommon ports.
  • Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, and Remote desktop.
  • Inventory and categorize all existing custom applications by the types of data stored, compliance requirements, and possible threats they face.
  • Grant the fewest privileges possible for application users.
  • Enforce a single set of data loss prevention policies across custom applications and all other cloud services.
  • Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII).

For more details visit – AWS Foundational Security Best Practices standard

Similar Posts