Security Checklist for systems on Amazon Web Services
Security has always been a business concern when moving to the cloud, especially for businesses that store user data such as banking, finance, real estate, and insurance.
AWS Shared Responsibility Model
Security and compliance are a shared responsibility between AWS and its customers. This shared model can help reduce the operational burden on customers as AWS operates, manages, and controls components from the server operating system and virtualization layer to the physical security of the facilities. The department is operating the service.
The customers will be in charge of and manage the client operating system (including security updates and patches), other associated application software, and the configuration of the Security Groups and firewall provided by AWS.
The customer should carefully consider the services he/she chooses as the customer’s responsibility will vary with the service in use, the integration of those services into the customer’s IT environment as well as the law. and current regulations.
This nature of shared responsibility also provides flexibility and provides the ability to control customers to enable deployment.
Security in the Shared Responsibility Model
AWS’s Shared Responsibility Model makes it clear that certain aspects of AWS security are in the hands of the business, and businesses must be fully responsible for the security incidents that occur in the management of the business.
Security in the Shared Responsibility Model
Preventing or detecting when an AWS account has been compromised
Preventing or detecting a privileged or regular AWS user behaving in an insecure manner
Preventing sensitive data from being uploaded to or shared from applications in an inappropriate manner
Configuring AWS services (except AWS Managed Services) in a secure manner
Restricting access to AWS services or custom applications to only those users who require it
Updating guest operating systems and applying security patches
Ensuring AWS and custom applications are being used in a manner compliant with internal and external policies
Ensuring network security (DoS, man-in-the-middle (MITM), port scanning)
Configuring AWS Managed Services in a secure manner
Providing physical access control to hardware/software
Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters
Protecting against AWS zero-day exploits and other vulnerabilities
Business continuity management (availability, incident response)
This article has developed a checklist of best practices and highest priority, which businesses must follow to proactively stop threats. This checklist provides customer recommendations for Security Pillar matching in the AWS Well-Architected Framework.
Checklist of AWS Identity & Access Management (IAM)
Avoid using the Access Keys of the root account in AWS as these allow full access to all resources
Multi-Factor Authentication must be enabled for the root account to provide two-factor authentication
Centralize identity with AWS Single Sign-On or 3rd party solution to avoid creating multiple IAM accounts arising frequently or using long-term (long-term) Access Keys
Make sure the user account also has MFA authentication
The IAM Access Keys must be renewed periodically
Ensure a strong password policy for users and set up a 90-day lifecycle for passwords
Assign permissions to users based on User Groups, rather than on individual users
Granting minimal access while creating IAM Policies, these policies are required to take certain actions.
Attach IAM Policies to Groups or Roles when creating
Appropriate conditions should be used to limit refusal or authorization of action against resources
Eliminate unnecessary IAM users who are inactive or inactive
Use IAM Roles to grant access to applications on EC2 Instance
Use multiple AWS accounts to separate data and resources on AWS, and enable the use of Service Control Policies to integrate guardrails in AWS Control Tower. AWS Control Tower makes it easy to set up and manage AWS multi-account environments
Checklist of Amazon S3
Ensure S3 buckets are not publicly accessible (publicly read or write) – users can enable ‘Amazon S3 block public access’ to prevent access from Public
Use object-level or bucket-level permissions next to IAM Policies to grant access to resources.
Enable MFA Delete to prevent accidental deletion of buckets
Consider encryption of stored data, which can be done in two ways – server-side and client-side encryption
Allows encryption of incoming and outgoing traffic through SSL endpoints
Configure S3 lifecycle management (S3 lifecycle) through rule-based actions and use Bucket Versioning, to deal with random deletion
Make sure S3 access logging is enabled
Continuously inspect and monitor S3 buckets using Amazon CloudWatch metrics
Checklist of Amazon EC2, Amazon VPC, and Amazon EBS
Ensure data and disk (disk volume) in EBS is encrypted with AES-256
Restrict access to instances from restricted IP ranges using Security Groups
Limits the scope of ports opened on EC2 Security Groups, to prevent attacks through vulnerabilities
Use IAM policies with restrictions for IAM users, roles that are allowed to change or modify the original AMI (Amazon Machine Images)
Make sure Elastic Load Balancers have a valid Security Group associated with it and enable access logging
Monitor and optimize default Security Groups, as they allow unlimited access for inbound and outbound traffic
Use AWS Firewall Manager to automatically apply the rules of Security Groups and AWS WAF
Ensure limited access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS…, limit access to fixed IPs if possible.
Use IAM Roles to grant access to EC2, instead of Access Keys for temporary requests
If you are using the IAM user Access Keys for permanent permissions, make sure not to embed these keys directly in the code.
Create different keys for different applications, rotate Access Keys, use MFA validation, and deactivate unused Key pairs
Enable and enable VPC flow logs to record incoming and outgoing traffic in VPC for better tracking and early diagnosis of potential problems
Delete unused Virtual Private Gateway and VPC Internet Gateway
Make sure that no VPC endpoints are exposed to the public, by checking the key value in the policy.
Make sure there are no Network ACLs that allow unrestricted access or exit
Checklist of AWS CloudTrail
Make sure CloudTrail has Multi-region feature enabled
You should log into a centralized S3 bucket and use access logging and restrict access to the CloudTrail S3 bucket.
Make sure both CloudTrail and CloudTrail logging have Multi-Region logging enabled
Ensure CloudTrail log file integrity authentication is enabled
Ensure CloudTrail logs are encrypted
Use in conjunction with Amazon CloudWatch for binding metrics, with Amazon GuardDuty for continuous monitoring and AWS Security Hub for a holistic view of security on AWS
Checklist of Amazon CloudFront, AWS WAF, and AWS Shield
Uses Amazon CloudFront, AWS WAF, and AWS Shield to provide DDoS attack protection at Layer 3 (Network), Layer 4 (Transport), and Layer 7 (Application)