Disclaimer :-):
There are a bunch of Amazon AWS security checklists and recommendations online. Definitely the best one is the AWS CIS Foundations Benchmark: https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
I'm not trying to reinvent the wheel, but to integrate and summarize the lessons I learned and the advice given to me by other AWS experts.
This checklist starts from the moment you begin creating your AWS account.
- Create a dedicated email address for AWS account registration. This email becomes your root account login name, so please do not use your everyday email or one that is published online.
- Enable MFA (Multi-Factor Authentication) on the root account. Details: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
- Remove, or DO NOT create, any API key associated with the root account. API keys have no MFA: anyone who holds root API keys gets full access to your account, and unintentional leaking of an API key is quite a common security incident.
- Copy/bookmark/save the IAM sign-in URL. You will need it to access the AWS web console.
- Create an IAM user with the AdministratorAccess policy attached. It will be your new "root"-like account.
- Create the other IAM users you need. Minimize their permissions using built-in AWS managed policies such as PowerUserAccess, ReadOnlyAccess, AmazonEC2FullAccess, etc.
- Enable MFA on all users created. Details: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
- Enforce a strict password policy. Details: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
- Generate API keys only for users who need them. For "high-power" users, make these keys inactive; they will activate the keys through the MFA-protected AWS web console only when needed.
- Do not use API keys in applications running inside AWS. Use IAM roles instead. Details: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
- Enable and configure CloudTrail for all regions, plus an S3 bucket for the CloudTrail logs. Details: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html
- Send CloudTrail events to CloudWatch Logs. Details: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
- Configure monitoring of the CloudTrail log files using Amazon CloudWatch Logs metric filters and alarms. Details: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html
- Configure near-real-time log data processing using subscriptions and/or a Lambda function. Details: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/Subscriptions.html
- Using the metric filters/alarms and the subscriptions from the two previous steps, configure notifications for suspicious events.
- Enable the AWS Config service to get AWS configuration snapshots and change notifications. Details: http://docs.aws.amazon.com/config/latest/developerguide/gs-console.html
- Enable and configure AWS VPC Flow Logs to get visibility at the network level. Details: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
- Enforce server-side encryption on your S3 buckets. Details: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
- Enable encryption on your EBS volumes. Details: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
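The CloudTrail-to-CloudWatch steps above end with "notifications for suspicious events"; the following is an added example (not the author's code and not from any AWS library) of the kind of detection logic a Lambda subscriber or metric filter would encode, run here offline over constructed CloudTrail records. The flagged conditions (root usage, root API key usage, console login without MFA, changes to the trail) mirror the items in this checklist; the account id and access key id in the sample are placeholders.

```python
import json

# CloudTrail API calls that weaken or disable logging; any of them deserves an alert.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def suspicious_reasons(event):
    """Return the reasons a single CloudTrail record should raise an alert."""
    reasons = []
    identity = event.get("userIdentity", {})
    # Root should never be used day to day; an access key on a root record means
    # a root API key exists, which the checklist says to remove.
    if identity.get("type") == "Root":
        reasons.append("root account used")
        if identity.get("accessKeyId"):
            reasons.append("root API key used")
    # Console sign-in that did not go through MFA.
    if event.get("eventName") == "ConsoleLogin":
        if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            reasons.append("console login without MFA")
    # Attempts to stop, delete or reconfigure the trail itself.
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING):
        reasons.append("CloudTrail logging changed: " + event["eventName"])
    return reasons

def scan_log(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) and return (eventName, reasons) per flagged record."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append((rec.get("eventName"), reasons))
    return findings

# Constructed sample records; the account id and access key id are placeholders, not real values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAPLACEHOLDERROOT0"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
]})
```

Calling `scan_log(SAMPLE_LOG)` flags four of the five records; the instance-role call passes, which is exactly the pattern the "use IAM roles instead of API keys" step recommends.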
Almost all of the steps covered above can and must be automated. I have already published automation examples in this blog and will publish more. Then check your resulting account security status:
- Check AWS Trusted Advisor.
- Run the AWS credentials report.
- Run the awesome AWS audit tool Scout2: https://isecpartners.github.io/Scout2/
And do this periodically.
Checklists and Best Practices:
AWS CIS Foundations Benchmark (must-read document): https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
AWS Auditing Security Checklist
https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
PS: I would like to thank Liem, aka Pimpon, for the advice given in preparing this checklist.