AWS recommends many security best practices, which can be hard to track and prioritize. To make that easier, I have compiled a checklist of the highest-priority practices you should follow to prevent threats proactively. Use it to confirm you are doing what it takes to keep your infrastructure secure. I have split the list into two parts: what you should enable, and which restrictions you must enforce.
The two columns below are independent lists: an item in the "Enable" column is not paired with the "Restrictions" item on the same row.

| Enable | Restrictions |
| --- | --- |
| Use secure SSL ciphers when connecting between the client and ELB. | Avoid using root user accounts. |
| Enable the `require_ssl` parameter in all Redshift clusters. | Build an inventory and categorize all existing custom apps by the types of data stored, compliance requirements and possible threats they face. |
| Use secure SSL versions when connecting between the client and ELB. | Involve IT security throughout the development process. |
| Use a standard naming (tagging) convention for EC2. | Grant the fewest privileges possible to application users. |
| Encrypt RDS. | Disallow unrestricted ingress access on uncommon ports. |
| Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII). | Terminate unused access keys. |
| Encrypt CloudTrail log files at rest. | Disable access for inactive or unused IAM users. |
| Encrypt Elastic Block Store (EBS) volumes. | Remove unused IAM access keys. |
| Enforce a single set of data loss prevention policies across custom applications and all other cloud services. | Don't use expired SSL/TLS certificates. |
| Integrate CloudTrail with CloudWatch. | Delete unused SSH public keys. |
| Ensure access keys are not being used with root accounts. | Restrict access to AMIs. |
| Enable CloudTrail multi-region logging. | Restrict access to EC2 security groups. |
| Enable access logging for CloudTrail S3 buckets. | Restrict access to RDS instances. |
| Enable access logging for Elastic Load Balancer (ELB). | Restrict access to Redshift clusters. |
| Enable Redshift audit logging. | Restrict outbound access. |
| Enable Virtual Private Cloud (VPC) flow logging. | Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH and Remote Desktop. |
| Enable CloudTrail logging across all of AWS. | Restrict access to the CloudTrail bucket. |
| Enable IAM users for multi-mode access. | Set up a strict password policy. |
| Rotate IAM access keys regularly, and standardize on the selected number of days. | Set the password expiration period to 90 days and prevent reuse. |
| Rotate SSH keys periodically. | Reduce the number of IAM groups. |
| Turn on CloudTrail log file validation. | Minimize the number of discrete security groups. |
| Attach IAM policies to groups or roles. | Provision access to resources using IAM roles. |
| Ensure EC2 security groups don't have large ranges of ports open. | |
| Configure EC2 security groups to restrict inbound access to EC2. | |
| Use HTTPS for CloudFront distributions. | |
| Use secure CloudFront SSL versions. | |
| Turn on MFA for IAM users. | |
| Require multi-factor authentication (MFA) to delete CloudTrail buckets. | |
| Turn on multi-factor authentication for the "root" account. | |
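A worked check for three of the security-group items in the checklist (well-known ports open to the world, unrestricted ingress on uncommon ports, and large port ranges), added here as an example and not part of the original post. It runs offline over a constructed set of groups shaped like the `SecurityGroups[].IpPermissions` structure that `aws ec2 describe-security-groups` returns; the `PUBLIC_OK_PORTS` allowlist and the `MAX_RANGE_WIDTH` threshold are assumptions you would tune for your environment.

```python
"""Offline audit of EC2 security group ingress rules for three checklist items:
world-open well-known ports, unrestricted ingress on uncommon ports, and large
port ranges. Input mirrors the IpPermissions structure returned by
`aws ec2 describe-security-groups`; the groups below are constructed."""
from typing import Dict, List, Tuple

# Ports for the services the checklist names (CIFS, FTP, SMTP, SSH, Remote Desktop).
# ICMP is a protocol rather than a port, so it is matched on IpProtocol instead.
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 445: "CIFS/SMB", 3389: "RDP"}
# Assumption: ports an internet-facing tier is expected to expose; not flagged.
PUBLIC_OK_PORTS = {80, 443}
# Assumption: a world-open rule wider than this many ports counts as a "large range".
MAX_RANGE_WIDTH = 10
WORLD = {"0.0.0.0/0", "::/0"}

Finding = Tuple[str, str, str]  # (group id, finding code, detail)


def is_world_open(perm: Dict) -> bool:
    """True when any IPv4 or IPv6 source range in the rule is the whole internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD)


def audit_security_group(sg: Dict) -> List[Finding]:
    gid = sg.get("GroupId", "<unknown>")
    findings: List[Finding] = []
    for perm in sg.get("IpPermissions", []):
        if not is_world_open(perm):
            continue  # sources are a private CIDR or another security group
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "-1" means all protocols and all ports
            findings.append((gid, "ALL_TRAFFIC_WORLD_OPEN", "all protocols, all ports"))
            continue
        if proto in ("icmp", "icmpv6"):
            findings.append((gid, "WELL_KNOWN_WORLD_OPEN", proto.upper()))
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        width = hi - lo + 1
        if width > MAX_RANGE_WIDTH:
            findings.append((gid, "LARGE_PORT_RANGE", f"{proto} {lo}-{hi} ({width} ports)"))
        known = [f"{p}/{name}" for p, name in WELL_KNOWN_PORTS.items() if lo <= p <= hi]
        if known:
            findings.append((gid, "WELL_KNOWN_WORLD_OPEN", ", ".join(known)))
        # Anything in the range that is neither well-known nor an expected public port.
        uncommon = [p for p in range(lo, hi + 1)
                    if p not in WELL_KNOWN_PORTS and p not in PUBLIC_OK_PORTS]
        if uncommon:
            findings.append((gid, "UNCOMMON_WORLD_OPEN",
                             f"{proto} {len(uncommon)} port(s), first {uncommon[0]}"))
    return findings


# Constructed sample in describe-security-groups shape (not data from a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0eee", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def audit_all(groups: List[Dict] = SAMPLE_GROUPS) -> List[Finding]:
    return [f for sg in groups for f in audit_security_group(sg)]


if __name__ == "__main__":
    for gid, code, detail in audit_all():
        print(f"{gid:10} {code:24} {detail}")
```

Rules scoped to another security group or a private CIDR pass untouched, which is the posture the checklist asks for; only sources of `0.0.0.0/0` or `::/0` are examined. To run this against a real account, feed the parsed JSON of `describe-security-groups` to `audit_all` in place of `SAMPLE_GROUPS`.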
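A second added example, also not from the original post, covering the IAM items in the checklist: no access keys on the root account, MFA for the root account and for console users, keys rotated within a fixed number of days, and unused keys or inactive users. It reads the credential report CSV that `aws iam get-credential-report` returns (base64-decoded), trimmed here to the columns the checks read; the report rows, the fixed `NOW`, and the 90-day thresholds are constructed assumptions.

```python
"""Offline checks over an IAM credential report for the IAM items in the
checklist. The CSV columns and their placeholder values (N/A, no_information,
not_supported, <root_account>) follow the real report format; the rows below
are constructed and the thresholds are assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

ROTATION_DAYS = 90   # assumption: the "selected number of days" for key rotation
INACTIVE_DAYS = 90   # assumption: a key or console user unused this long is inactive
UNSET = {"N/A", "no_information", "not_supported", ""}

Finding = Tuple[str, str]  # (user, finding code)


def parse_ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601 with offset; placeholder values become None."""
    if value in UNSET:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale(ts: Optional[datetime], days: int, now: datetime) -> bool:
    """A missing timestamp (never used / never rotated) is treated as stale."""
    return ts is None or (now - ts) > timedelta(days=days)


def check_row(row: dict, now: datetime) -> List[Finding]:
    user = row["user"]
    is_root = user == "<root_account>"
    mfa = row["mfa_active"] == "true"
    console = row["password_enabled"] == "true"
    out: List[Finding] = []
    if is_root and not mfa:
        out.append((user, "ROOT_MFA_DISABLED"))
    if not is_root and console and not mfa:
        out.append((user, "USER_MFA_DISABLED"))
    if not is_root and console and stale(parse_ts(row["password_last_used"]), INACTIVE_DAYS, now):
        out.append((user, "INACTIVE_USER"))
    for n in ("1", "2"):  # each IAM principal can hold two access keys
        if row[f"access_key_{n}_active"] != "true":
            continue
        if is_root:
            out.append((user, f"ROOT_ACCESS_KEY_{n}_ACTIVE"))
        if stale(parse_ts(row[f"access_key_{n}_last_rotated"]), ROTATION_DAYS, now):
            out.append((user, f"KEY_{n}_ROTATION_OVERDUE"))
        if stale(parse_ts(row[f"access_key_{n}_last_used_date"]), INACTIVE_DAYS, now):
            out.append((user, f"KEY_{n}_UNUSED"))
    return out


def audit_report(report_csv: str, now: datetime) -> List[Finding]:
    return [f for row in csv.DictReader(io.StringIO(report_csv)) for f in check_row(row, now)]


# Constructed report, trimmed to the columns used above (real reports have more).
SAMPLE_REPORT = (
    "user,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date\n"
    "<root_account>,not_supported,2024-05-20T08:00:00+00:00,false,"
    "true,2021-01-01T00:00:00+00:00,N/A,false,N/A,N/A\n"
    "alice,true,2024-05-30T09:15:00+00:00,true,"
    "true,2024-04-15T00:00:00+00:00,2024-05-31T12:00:00+00:00,false,N/A,N/A\n"
    "bob,true,2023-11-02T10:00:00+00:00,false,"
    "true,2023-09-01T00:00:00+00:00,2024-05-29T07:30:00+00:00,false,N/A,N/A\n"
    "ci-deploy,false,no_information,false,"
    "true,2024-03-20T00:00:00+00:00,2024-06-01T06:00:00+00:00,"
    "true,2023-12-01T00:00:00+00:00,2024-01-10T00:00:00+00:00\n"
)
# Fixed evaluation time so the sample is reproducible (assumption).
NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, code in audit_report(SAMPLE_REPORT, NOW):
        print(f"{user:16} {code}")
```

The root row is held to a stricter rule than ordinary users: any active access key on it is a finding regardless of age, matching the "ensure access keys are not being used with root accounts" item, while for other principals only rotation age and last use are judged. For a live account, pass the decoded report text and `datetime.now(timezone.utc)` to `audit_report`.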