Top 50 AWS Recommended Security Best Practices

1

MFA
Turn on multi-factor authentication for the “root” account.

2

Log file validation
Turn on CloudTrail log file validation.
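
Log file validation works by having CloudTrail deliver an hourly digest file that records the SHA-256 of every log file delivered in that hour plus the hash of the previous digest, signed with an AWS private key; `aws cloudtrail validate-logs` recomputes the hashes and verifies the signature. The following added example (not from the original page or from AWS) re-implements the hash and chain checks offline over constructed log and digest objects so you can see what tampering looks like. The bucket name, object keys and account id are made up, and the RSA signature check, which needs the public key from `aws cloudtrail list-public-keys`, is omitted.

```python
import gzip
import hashlib
import json


def content_hash(gz_object: bytes) -> str:
    """CloudTrail stores log and digest files gzip-compressed; the hashes a digest
    records are SHA-256 of the uncompressed content, so decompress first."""
    return hashlib.sha256(gzip.decompress(gz_object)).hexdigest()


def log_object(records: list) -> bytes:
    """A delivered log file: gzip-compressed JSON of the form {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def build_digest(bucket: str, log_keys: list, store: dict, previous_digest_key=None) -> bytes:
    """Mimic the hourly digest CloudTrail writes: one hash per delivered log file
    plus the hash of the previous digest, so digests form a chain.  The account
    id is constructed and the RSA signature AWS attaches as S3 metadata is omitted."""
    digest = {
        "awsAccountId": "123456789012",
        "digestS3Bucket": bucket,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [{"s3Bucket": bucket, "s3Object": key, "hashAlgorithm": "SHA-256",
                      "hashValue": content_hash(store[key])} for key in log_keys],
        "previousDigestS3Object": previous_digest_key,
        "previousDigestHashValue": (content_hash(store[previous_digest_key])
                                    if previous_digest_key else None),
    }
    return gzip.compress(json.dumps(digest, sort_keys=True).encode())


def validate_digest(digest_key: str, store: dict) -> list:
    """Recompute every hash the digest commits to; an empty list means intact."""
    findings = []
    digest = json.loads(gzip.decompress(store[digest_key]))
    for entry in digest["logFiles"]:
        obj = store.get(entry["s3Object"])
        if obj is None:
            findings.append(f"{entry['s3Object']}: log file missing")
        elif content_hash(obj) != entry["hashValue"]:
            findings.append(f"{entry['s3Object']}: hash mismatch, log modified or replaced")
    prev = digest["previousDigestS3Object"]
    if prev is not None:
        if prev not in store:
            findings.append(f"{prev}: previous digest missing, chain broken")
        elif content_hash(store[prev]) != digest["previousDigestHashValue"]:
            findings.append(f"{prev}: previous digest hash mismatch, chain broken")
    return findings


def demo():
    """Two constructed hours of delivery, then tamper with the second hour's log."""
    bucket, store = "example-trail-bucket", {}          # constructed bucket name
    store["h1/log.json.gz"] = log_object([{"eventName": "ConsoleLogin"}])
    store["h1/digest.json.gz"] = build_digest(bucket, ["h1/log.json.gz"], store)
    store["h2/log.json.gz"] = log_object([{"eventName": "DeleteTrail"}])
    store["h2/digest.json.gz"] = build_digest(bucket, ["h2/log.json.gz"], store, "h1/digest.json.gz")
    intact = validate_digest("h2/digest.json.gz", store)
    store["h2/log.json.gz"] = log_object([])            # attacker strips the DeleteTrail event
    return intact, validate_digest("h2/digest.json.gz", store)


if __name__ == "__main__":
    print(demo())
```

Because each digest also commits to the previous digest, an attacker who edits an old log file must also rewrite every later digest, and the rewritten digests will no longer carry a valid AWS signature; that is why the bucket policy for the digest prefix should be as tight as the one for the logs.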

3

Multi-region logging
Enable CloudTrail multi-region logging.

4

CloudWatch
Integrate CloudTrail with CloudWatch Logs so that metric filters and alarms can fire on sensitive API calls.

5

S3 Buckets
Enable access logging for CloudTrail S3 buckets.

6

Elastic Load Balancer (ELB)
Enable access logging for Elastic Load Balancer (ELB).

7

Redshift audit logging
Enable Redshift audit logging.

8

VPC flow logging
Enable Virtual Private Cloud (VPC) flow logging.

9

CloudTrail buckets
Require multi-factor authentication (MFA) to delete CloudTrail buckets or their log objects (S3 MFA Delete on a versioned bucket).

10

CloudTrail
Enable CloudTrail logging across all AWS.

11

IAM users
Turn on multi-factor authentication for IAM users.

12

Multi-mode access
Enable IAM users for multi-mode access (console password and programmatic access keys) only where a user genuinely needs both.

13

IAM policies
Attach IAM policies to groups or roles

14

IAM access keys
Rotate IAM access keys regularly, and standardize on one maximum key age across the organization.

15

strict password policy
Set up a strict password policy.

16

Password expiration period
Set the password expiration period to 90 days and prevent password reuse.

17

SSL/TLS
Don’t use expired SSL/TLS certificates.

18

CloudFront distributions
Use HTTPS for CloudFront distributions.

19

CloudTrail bucket
Restrict access to CloudTrail bucket.

20

CloudTrail log files
Encrypt CloudTrail log files at rest

21

Elastic Block Store (EBS)
Encrypt Elastic Block Store (EBS) volumes, including those backing databases.

22

IAM roles
Provision access to resources using IAM roles.

23

EC2 security groups
Ensure EC2 security groups don’t have large ranges of ports open

24

restrict inbound access to EC2
Configure EC2 security groups to restrict inbound access to EC2.

25

root user accounts
Avoid using the root user account for day-to-day work.

26

Secure SSL/TLS ciphers
Use secure SSL/TLS ciphers when connecting between the client and ELB.

27

Secure SSL/TLS versions
Use secure SSL/TLS versions (disable SSLv3, TLS 1.0 and TLS 1.1) when connecting between client and ELB.

28

standard naming (tagging)
Use a standard naming (tagging) convention for EC2.

29

RDS
Encrypt RDS instances and their snapshots at rest.

30

Root accounts
Ensure access keys are not being used with root accounts.

31

secure CloudFront TLS versions
Use secure TLS versions for CloudFront (set a minimum protocol version on the distribution).

32

Redshift clusters
Enable the require_ssl parameter in all Redshift clusters.

33

SSH keys
Rotate SSH keys periodically.

34

Discrete security groups
Minimize the number of discrete security groups.

35

IAM groups
Reduce the number of IAM groups.

36

Unused access keys
Terminate unused access keys

37

Inactive or unused IAM users
Disable access for inactive or unused IAM users

38

Unused IAM access keys
Remove unused IAM access keys
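
Items 1, 11, 14, 30, 36, 37 and 38 can all be checked from one artifact, the IAM credential report. The following added example (not part of the original page) audits a constructed report in the CSV layout that `aws iam get-credential-report` returns after base64 decoding; the account id, user names, timestamps, the fixed clock and the 90-day thresholds are assumptions, and the rule names in the findings are this example's own.

```python
import csv
from datetime import datetime, timezone

# Constructed credential report (real reports have the same 22 columns).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-06-01T09:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-06-28T12:00:00+00:00,2024-04-01T00:00:00+00:00,2024-06-30T00:00:00+00:00,true,true,2024-06-01T00:00:00+00:00,2024-06-29T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-05-05T00:00:00+00:00,true,2024-06-20T08:00:00+00:00,2024-01-01T00:00:00+00:00,2024-03-31T00:00:00+00:00,false,true,2023-11-01T00:00:00+00:00,2024-06-25T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2021-03-01T00:00:00+00:00,true,2023-12-01T00:00:00+00:00,2023-11-15T00:00:00+00:00,2024-02-13T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-15T00:00:00+00:00,N/A,N/A,N/A,true,2022-01-01T00:00:00+00:00,2023-02-01T00:00:00+00:00,us-east-1,ec2,false,N/A,false,N/A
"""

# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def parse_ts(value: str):
    """Report cells hold ISO 8601 timestamps or N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now=NOW, max_key_age_days=90, max_idle_days=90):
    """Return (user, rule, detail) findings for the credential-hygiene items above."""
    findings = []
    for row in csv.DictReader(report_csv.splitlines()):
        user = row["user"]
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if active_keys:                                   # item 30
                findings.append((user, "root-access-key", "root has active access keys; delete them"))
            if row["mfa_active"] != "true":                   # item 1
                findings.append((user, "root-no-mfa", "root has no MFA device"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":   # item 11
            findings.append((user, "user-no-mfa", "console password without MFA"))
        activity = [parse_ts(row["password_last_used"]), parse_ts(row["user_creation_time"])]
        for n in active_keys:
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            activity += [rotated, used]
            if rotated and (now - rotated).days > max_key_age_days:           # item 14
                findings.append((user, "key-rotation", f"access key {n} is {(now - rotated).days} days old"))
            idle_since = used or rotated          # a never-used key is idle since it was created
            if idle_since and (now - idle_since).days > max_idle_days:       # items 36, 38
                findings.append((user, "key-unused", f"access key {n} idle for {(now - idle_since).days} days"))
        newest = max((t for t in activity if t), default=None)
        if newest and (now - newest).days > max_idle_days:                   # item 37
            findings.append((user, "user-inactive", f"no credential use for {(now - newest).days} days"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user:16} {rule:18} {detail}")
```

Key creation counts as activity so that a freshly issued key is not reported as an inactive user; the report is generated at most once every four hours, so a key rotated minutes ago may still show its old date.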

39

Unused SSH Public Keys
Delete unused SSH Public Keys

40

Access to AMIs
Restrict access to AMIs.

41

Access to EC2 security groups
Restrict access to EC2 security groups.

42

Access to RDS instances
Restrict access to RDS instances.

43

Access to Redshift clusters
Restrict access to Redshift clusters.

44

Outbound access
Restrict outbound access.

45

Ingress access on uncommon ports
Disallow unrestricted ingress access on uncommon ports.

46

Access to well-known ports
Restrict access to well-known ports such as CIFS/SMB (445), FTP (21), SMTP (25), SSH (22) and Remote Desktop (3389), and to ICMP.
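
Items 23, 24, 44, 45 and 46 are all properties of security group rules, so one pass over `aws ec2 describe-security-groups` output covers them. The following is an added example, not code from the original page: the sample groups and group ids are constructed in the shape the CLI returns, the 100-port threshold for a "large" range is an assumption, and the rule names in the findings are this example's own.

```python
WORLD = {"0.0.0.0/0", "::/0"}
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 445: "CIFS/SMB", 3389: "RDP"}   # item 46

# Constructed sample in the shape `aws ec2 describe-security-groups` returns.
SAMPLE_DESCRIBE_OUTPUT = {"SecurityGroups": [
    {"GroupId": "sg-11111111", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-22222222", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-33333333", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-22222222", "UserId": "123456789012"}]},
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]}


def world_sources(rule: dict) -> list:
    """CIDRs in the rule that mean 'anyone': 0.0.0.0/0 or ::/0.  Group-to-group
    references (UserIdGroupPairs) are never world-open, so they are ignored."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit_security_groups(describe_output: dict, max_port_span: int = 100) -> list:
    """Return (group id, rule, detail) findings for world-open ingress and egress."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):                  # items 23, 24, 45, 46
            src = world_sources(rule)
            if not src:
                continue
            proto = rule["IpProtocol"]
            if proto == "-1":                                     # all protocols, all ports
                findings.append((gid, "all-traffic-open", f"all traffic from {src}"))
                continue
            if proto in ("icmp", "icmpv6"):
                findings.append((gid, "icmp-open", f"{proto} from {src}"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            wide = hi - lo + 1 > max_port_span
            hits = [name for port, name in WELL_KNOWN_PORTS.items() if lo <= port <= hi]
            if wide:
                findings.append((gid, "large-port-range", f"{proto} {lo}-{hi} from {src}"))
            if hits:
                findings.append((gid, "well-known-port-open", f"{', '.join(hits)} from {src}"))
            if not wide and not hits:
                findings.append((gid, "unrestricted-ingress", f"{proto} {lo}-{hi} from {src}"))
        for rule in sg.get("IpPermissionsEgress", []):            # item 44
            if rule["IpProtocol"] == "-1" and world_sources(rule):
                findings.append((gid, "unrestricted-egress", "all traffic to anywhere"))
    return findings


if __name__ == "__main__":
    for gid, rule, detail in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{gid}  {rule:22} {detail}")
```

Egress to `0.0.0.0/0` on a single port (the `app` group's 443) is deliberately not reported; the checklist asks for outbound access to be restricted, not eliminated, and the interesting finding is the default allow-all egress rule that every new security group ships with.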

47

Existing custom apps
Inventory and categorize all existing custom apps by the types of data stored, compliance requirements and possible threats they face.

48

Development process
Involve IT security throughout the development process.

49

Application users
Grant application users the fewest privileges possible.

50

Custom applications and all other cloud services
Enforce a single set of data loss prevention policies across custom applications and all other cloud services.

51

Protected health information (PHI) or personally identifiable information (PII)
Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII).

52

How to protect sensitive data for its entire lifecycle in AWS

You can protect data in transit over individual communication channels using transport layer security (TLS), and at rest in individual storage silos using volume encryption, object encryption or database table encryption. However, if you have sensitive workloads, you might need additional protection that can follow the data as it moves through the application stack. Fine-grained data protection techniques such as field-level encryption allow the protection of sensitive data fields in larger application payloads while leaving non-sensitive fields in plaintext. This approach lets an application perform business functions on non-sensitive fields without the overhead of encryption, and allows fine-grained control over which fields can be accessed by which parts of the application.
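
As an added illustration of the field-level pattern described above (not code from this page or from the AWS post it summarizes), the example below encrypts only the PHI/PII fields of a record with AES-256-GCM, using one data key per field so that each service can be handed just the keys for the fields it may read. It uses the `cryptography` package with locally generated keys as a stand-in for KMS-wrapped data keys; the record, the field names and the billing/clinical roles are constructed.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def new_keys(fields) -> dict:
    """One 256-bit data key per sensitive field.  In AWS these would be KMS data
    keys wrapped by a customer managed key; here they are generated locally."""
    return {name: AESGCM.generate_key(bit_length=256) for name in fields}


def is_encrypted(value) -> bool:
    return isinstance(value, dict) and value.get("enc") == "AES-256-GCM"


def encrypt_fields(record: dict, keys: dict) -> dict:
    """Encrypt only the fields that have a key; everything else stays plaintext.
    The field name goes in as AEAD associated data, so a ciphertext moved to a
    different field fails authentication even if the keys were the same."""
    out = dict(record)
    for name, key in keys.items():
        if name not in record:
            continue
        nonce = os.urandom(12)                        # 96-bit nonce, fresh per encryption
        plaintext = json.dumps(record[name]).encode()  # JSON so non-string values round-trip
        ct = AESGCM(key).encrypt(nonce, plaintext, name.encode())
        out[name] = {"enc": "AES-256-GCM", "nonce": nonce.hex(), "ct": ct.hex()}
    return out


def decrypt_fields(record: dict, keys: dict) -> dict:
    """Decrypt the fields this caller holds keys for; fields without a key are
    returned still encrypted, which is how a service sees only its own data."""
    out = dict(record)
    for name, value in record.items():
        if is_encrypted(value) and name in keys:
            pt = AESGCM(keys[name]).decrypt(bytes.fromhex(value["nonce"]),
                                            bytes.fromhex(value["ct"]), name.encode())
            out[name] = json.loads(pt)
    return out


def tamper_detected(record: dict, keys: dict) -> bool:
    """True if decryption rejects the record (modified ciphertext or moved field)."""
    try:
        decrypt_fields(record, keys)
        return False
    except InvalidTag:
        return True


def demo() -> dict:
    # Constructed patient record; ssn and diagnosis are the PHI/PII fields.
    record = {"patient_id": "p-1001", "visit_date": "2024-06-30", "amount_due": 120.5,
              "ssn": "123-45-6789", "diagnosis": "J06.9"}
    keys = new_keys(["ssn", "diagnosis"])
    stored = encrypt_fields(record, keys)                  # what the front end writes
    billing_view = decrypt_fields(stored, {})              # billing holds no field keys
    clinical_view = decrypt_fields(stored, {"diagnosis": keys["diagnosis"]})
    moved = dict(stored)
    moved["ssn"] = stored["diagnosis"]                     # diagnosis ciphertext placed under ssn
    return {
        "round_trip_ok": decrypt_fields(stored, keys) == record,
        "billing_sees_amount": billing_view["amount_due"] == record["amount_due"],
        "billing_sees_ssn": not is_encrypted(billing_view["ssn"]),
        "clinical_sees_diagnosis": clinical_view["diagnosis"] == record["diagnosis"],
        "clinical_sees_ssn": not is_encrypted(clinical_view["ssn"]),
        "moved_field_rejected": tamper_detected(moved, keys),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Binding the field name as associated data is what makes the access control enforceable rather than advisory: a service cannot relabel a ciphertext it is allowed to read as one it is not, and any bit flip in the stored blob is rejected at decryption instead of producing garbage.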

Source
AWS CCP Blog


