Over the last couple of years I have been involved with over 20 AWS deployments at various stages, and the first thing I always do is enable a couple of the key AWS services. Most people would probably turn these on for application monitoring, but they are also tools that can be used to “soft harden” an AWS environment. This is not the holy grail of security, but it is good to get into the habit of turning these on and using them. Before I set things up to turn these on, I run through a checklist of what needs to be done:
Identity Access Management
- Avoid the use of the “root” account
- Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- Ensure credentials unused for 90 days or greater are disabled
- Ensure access keys are rotated every 90 days or less
- Ensure IAM password policy requires at least one uppercase letter
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires a minimum length of 14 or greater
- Ensure no root account access key exists
- Ensure MFA is enabled for the “root” account
Logging
- Ensure CloudTrail is enabled in all regions
- Ensure CloudTrail log file validation is enabled
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- Ensure CloudTrail trails are integrated with CloudWatch Logs
- Ensure AWS Config is enabled in all regions
- Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- Ensure rotation for customer-created CMKs is enabled
Networking
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- Ensure VPC flow logging is enabled in all VPCs
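Most of the checklist above can be verified from two pieces of account output: the IAM credential report (`aws iam get-credential-report`, base64-decoded to CSV) and `aws ec2 describe-security-groups`. The following is an added example, not code from the original post, that evaluates both against the credential and port items in the list. The report rows, group definitions, account identifiers and the `NOW` timestamp are constructed so the script runs offline; real credential reports carry more columns than the ones used here.

```python
"""Evaluate a credential report and security groups against the checklist.
Example code added to this post; all input data below is constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed subset of a decoded `aws iam get-credential-report` CSV.
CREDENTIAL_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,not_supported,2024-05-01T10:00:00+00:00,true,true,2023-01-10T00:00:00+00:00,N/A
alice,true,2024-05-20T09:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00
bob,true,2024-01-02T09:00:00+00:00,false,false,N/A,N/A
svc-deploy,false,N/A,false,true,2023-11-01T00:00:00+00:00,2023-12-01T00:00:00+00:00
"""

# Constructed evaluation time so the 90-day arithmetic is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)


def _parse(ts: str):
    """Credential report timestamps are ISO-8601, or N/A / no_information."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def check_credential_report(report_csv: str, now: datetime) -> list[str]:
    """Return one finding per violated credential item in the checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        if user == "<root_account>":
            if key_active:
                findings.append("root: access key exists")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        last_pw = _parse(row["password_last_used"])
        if row["password_enabled"] == "true" and last_pw and now - last_pw > MAX_AGE:
            findings.append(f"{user}: password unused for 90+ days")
        if key_active:
            rotated = _parse(row["access_key_1_last_rotated"])
            if rotated and now - rotated > MAX_AGE:
                findings.append(f"{user}: access key older than 90 days")
            last_used = _parse(row["access_key_1_last_used_date"])
            if last_used and now - last_used > MAX_AGE:
                findings.append(f"{user}: access key unused for 90+ days")
    return findings


# Constructed subset of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000cccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

ADMIN_PORTS = (22, 3389)


def open_admin_ports(groups: list[dict]) -> list[tuple[str, int]]:
    """(group id, port) pairs reachable from anywhere. A port range that
    covers 22/3389 and the all-traffic protocol (-1) count just as much as a
    rule naming the port, and ::/0 is the IPv6 equivalent of 0.0.0.0/0."""
    hits = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            world = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                     or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
            if not world:
                continue
            if perm["IpProtocol"] == "-1":
                lo, hi = 0, 65535            # all protocols and ports
            elif perm["IpProtocol"] in ("tcp", "6"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                     # udp/icmp rules do not expose ssh/rdp
            for port in ADMIN_PORTS:
                if lo <= port <= hi:
                    hits.append((sg["GroupId"], port))
    return hits


if __name__ == "__main__":
    for line in check_credential_report(CREDENTIAL_REPORT, NOW):
        print("IAM:", line)
    for group_id, port in open_admin_ports(SECURITY_GROUPS):
        print(f"SG: {group_id} exposes port {port} to the world")
```

The security group check deliberately treats a `0-65535` range and the `-1` protocol as hits; an audit that only looks for rules literally naming port 22 misses both, which is the most common way this item gets a false pass.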
In combination with the above, I also make sure the following services are turned on and configured to serve both production monitoring and security.
Increasing Visibility with CloudWatch
CloudWatch is a monitoring service for AWS cloud resources and the applications running within AWS. CloudWatch can collect and monitor log files, set alarms and automatically react to changes in the AWS environment. CloudWatch can monitor EC2 instances, DynamoDB tables and RDS instances, and can also be set up with custom metrics generated by those services. CloudWatch can also be used to gain system-wide visibility into resource utilisation, application performance, and operational health. You can use these insights to react and keep your application running smoothly.
Increasing Visibility with CloudTrail
CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
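Once a trail is integrated with CloudWatch Logs (one of the checklist items above), the security value comes from the metric filters and alarms you put on that log group. The block below is an added example, not from the original post, that expresses the four CIS Foundations monitoring filters most worth starting with (root account use, console sign-in without MFA, unauthorized API calls, changes to CloudTrail itself) as plain Python predicates over CloudTrail records, with the equivalent CloudWatch Logs filter pattern in each comment. The records are constructed, including the account ID in the root ARN.

```python
"""CIS-style CloudTrail detections, written as predicates over records so the
matching logic is readable and testable. Example code added to this post."""
import json

# Constructed CloudTrail log file (the `Records` array), trimmed to the
# fields the detections use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T08:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:DeleteUser"},
    {"eventTime": "2024-06-01T08:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-06-01T08:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "userName": "deploy-role"}},
]})


def is_root_activity(r: dict) -> bool:
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    u = r.get("userIdentity", {})
    return (u.get("type") == "Root" and "invokedBy" not in u
            and r.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(r: dict) -> bool:
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_unauthorized_call(r: dict) -> bool:
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_cloudtrail_change(r: dict) -> bool:
    # { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) ||
    #   ($.eventName = DeleteTrail) || ($.eventName = StartLogging) ||
    #   ($.eventName = StopLogging) }
    return r.get("eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                  "StartLogging", "StopLogging"}


DETECTIONS = {
    "root_activity": is_root_activity,
    "console_login_without_mfa": is_console_login_without_mfa,
    "unauthorized_api_call": is_unauthorized_call,
    "cloudtrail_changed": is_cloudtrail_change,
}


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (detection name, eventTime) for every record that trips a filter."""
    alerts = []
    for record in json.loads(log_text)["Records"]:
        for name, predicate in DETECTIONS.items():
            if predicate(record):
                alerts.append((name, record["eventTime"]))
    return alerts


if __name__ == "__main__":
    for name, when in scan(SAMPLE_LOG):
        print(f"{when} {name}")
```

In the account itself, each commented pattern goes into `aws logs put-metric-filter` against the trail's log group, with a CloudWatch alarm on the resulting metric; the predicates here are the same conditions, so you can check a filter against captured records before relying on the alarm.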
Evaluate and Record with AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
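The "evaluate recorded configurations against desired configurations" part is where Config earns its place on the list: a custom rule receives each recorded configuration item and returns COMPLIANT or NON_COMPLIANT. The following is an added example, not from the original post, of a custom rule's evaluation logic that checks a recorded CloudTrail trail against the logging items in the checklist above. The Lambda event shape (`invokingEvent` carrying a `configurationItem`, plus a `resultToken`) is the standard custom-rule contract; the field names inside `configuration` and the sample item are assumptions, so confirm them against a real recorded item from your own account before deploying.

```python
"""Evaluation logic for an AWS Config custom rule over CloudTrail trails.
Example code added to this post; the sample item is constructed and the
`configuration` field names are assumed."""
import json

# Boolean fields the trail must have set, with the annotation used when absent.
REQUIRED = {
    "isMultiRegionTrail": "trail is not multi-region",
    "logFileValidationEnabled": "log file validation is off",
}


def evaluate_trail(configuration: dict) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one AWS::CloudTrail::Trail item."""
    problems = [msg for key, msg in REQUIRED.items() if not configuration.get(key)]
    if not configuration.get("kmsKeyId"):
        problems.append("logs are not KMS-encrypted")
    if not configuration.get("cloudWatchLogsLogGroupArn"):
        problems.append("trail is not sending to CloudWatch Logs")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "trail meets logging checklist"


def lambda_handler(event: dict, context=None) -> list[dict]:
    """Build the evaluation list a custom rule hands to put_evaluations()."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates trails"
    else:
        compliance, note = evaluate_trail(item["configuration"])
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


# Constructed invocation: a trail with validation on but no KMS key and no
# CloudWatch Logs group, which should fail two checklist items.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "example-trail",
            "configurationItemCaptureTime": "2024-06-01T08:00:00.000Z",
            "configuration": {
                "name": "example-trail",
                "isMultiRegionTrail": True,
                "logFileValidationEnabled": True,
                "kmsKeyId": None,
                "cloudWatchLogsLogGroupArn": None,
            },
        },
    }),
    "resultToken": "placeholder-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

In a deployed rule the handler's last step is `boto3.client("config").put_evaluations(Evaluations=..., ResultToken=event["resultToken"])`; that call is left out here so the logic runs offline, and returning the list instead keeps it testable.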
The above guide should give you some direction on where to go from here. I find that if I am unsure, I test, test and test again in a non-production environment.