20 Security checks to “Bullet Proof” your AWS Infrastructure
Here is our list of the top 20 security checks that should be performed regularly to ‘bullet-proof’ your AWS infrastructure:
1. Security Groups
A security group acts as a virtual firewall that controls the inbound and outbound traffic for one or more instances. You associate a security group with each instance at launch. If a port is open to every IP address rather than to a specific source, the instance is reachable from the public internet and the chance of a data breach rises. To avoid this exposure, we recommend keeping open only the ports that are actually needed, and only to the specific IP ranges and security groups that need them.
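As an added example (not code from the original article), the following audit flags security group rules that accept traffic from anywhere. It works on the structure returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`), with a constructed sample standing in for the live API so it runs offline; the group ids and the allow-list of "intended public" ports (80 and 443) are assumptions. Because RDS instances sit behind VPC security groups too, the same function serves the port check in item 7.

```python
"""Audit EC2 security group ingress rules for ports open to the whole internet.

Added example, not code from the original article. It works on the structure
`aws ec2 describe-security-groups` (or boto3's describe_security_groups) returns;
a constructed sample stands in for the live API so the check runs offline. The
same check applies to the VPC security groups attached to RDS instances (item 7).
"""

WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

# Constructed sample in the shape of the SecurityGroups list from describe-security-groups.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",   # constructed id
        "GroupName": "web",
        "IpPermissions": [
            # Intended: a public web service on 443.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # Risky: administrative SSH reachable from anywhere.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0e9f8a7b",   # constructed id
        "GroupName": "db",
        "IpPermissions": [
            # Good: database port reachable only from the web tier's security group.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
            # Risky: "all traffic" (protocol -1 carries no port fields) from any IPv6 address.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def rule_sources(rule):
    """Yield every source a rule accepts traffic from: IPv4 CIDRs, IPv6 CIDRs, referenced groups."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for g in rule.get("UserIdGroupPairs", []):
        yield g["GroupId"]


def port_range(rule):
    """Return the (from, to) port range of a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def find_world_open_rules(groups, allowed_public_ports=frozenset({80, 443})):
    """Return (group_id, protocol, from_port, to_port, source) for every rule open to the world.

    A single port listed in allowed_public_ports (assumed to be an intended public
    service) is skipped; port ranges and "all traffic" rules are never skipped.
    """
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            lo, hi = port_range(rule)
            if lo == hi and lo in allowed_public_ports:
                continue
            for src in rule_sources(rule):
                if src in WORLD:
                    findings.append((group["GroupId"], rule.get("IpProtocol"), lo, hi, src))
    return findings


if __name__ == "__main__":
    for gid, proto, lo, hi, src in find_world_open_rules(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} open to {src}")
```

Note that a rule whose source is another security group (the `UserIdGroupPairs` case) is never flagged: that is exactly the "open only to the relevant security groups" posture the item recommends.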
2. IAM MFA Audit
To add an extra layer of security to your AWS account, enable Multi-Factor Authentication (MFA) for your IAM users, so that a stolen password alone does not give an attacker access to your critical data.
3. ELB Access Log
If access logging is not enabled on your Elastic Load Balancers, you have no record of the requests that reach them, and suspicious traffic goes unnoticed. We recommend enabling ELB access logs for better visibility and security.
4. Termination Protection
If your EC2 instances do not have API termination protection enabled, an automated process or a mistaken API call can terminate them by accident. It is recommended to enable termination protection on all mission-critical EC2 instances running in your AWS account.
5. ELB Listener Security Audit
If a load balancer has no listener that uses a secure protocol (HTTPS or SSL), traffic to it travels in plaintext, which is a threat to your data. Configure one or more secure listeners for your load balancer; in particular, create HTTPS or SSL listeners for every internet-facing ELB.
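The two ELB checks (items 3 and 5) read different API responses but audit the same load balancers, so here they are together as an added example (not code from the original article). It consumes the shape of `aws elb describe-load-balancers` and `aws elb describe-load-balancer-attributes` output for classic ELBs; the load balancer names, certificate ARN and log bucket are constructed samples standing in for live results.

```python
"""Check classic ELBs for access logging (item 3) and for a secure listener (item 5).

Added example, not code from the original article. It consumes the shape of
`aws elb describe-load-balancers` and `aws elb describe-load-balancer-attributes`
output; constructed samples stand in for live API results so it runs offline.
"""

SECURE_PROTOCOLS = {"HTTPS", "SSL"}  # the two listener protocols that terminate TLS at the ELB

# Constructed sample: LoadBalancerDescriptions[] from describe-load-balancers.
SAMPLE_LBS = [
    {   # Internet-facing, plaintext only: the case item 5 warns about.
        "LoadBalancerName": "shop-public", "Scheme": "internet-facing",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                          "InstanceProtocol": "HTTP", "InstancePort": 8080}},
        ],
    },
    {   # Internet-facing with an HTTPS listener (the HTTP one is usually kept for redirects).
        "LoadBalancerName": "api-public", "Scheme": "internet-facing",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                          "InstanceProtocol": "HTTP", "InstancePort": 8080}},
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTP", "InstancePort": 8080,
                          "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/example-cert"}},
        ],
    },
    {   # Internal load balancer: not reachable from the internet, so item 5 does not apply.
        "LoadBalancerName": "batch-internal", "Scheme": "internal",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 9000,
                          "InstanceProtocol": "TCP", "InstancePort": 9000}},
        ],
    },
]

# Constructed sample: LoadBalancerAttributes from describe-load-balancer-attributes, keyed by name.
SAMPLE_ATTRIBUTES = {
    "shop-public": {"AccessLog": {"Enabled": False}},
    "api-public": {"AccessLog": {"Enabled": True, "S3BucketName": "example-elb-logs",
                                 "EmitInterval": 60, "S3BucketPrefix": "api-public"}},
    "batch-internal": {"AccessLog": {"Enabled": False}},
}


def listener_findings(load_balancers):
    """Item 5: internet-facing ELBs that expose no HTTPS/SSL listener."""
    findings = []
    for lb in load_balancers:
        if lb.get("Scheme") != "internet-facing":
            continue
        protocols = {d["Listener"]["Protocol"] for d in lb.get("ListenerDescriptions", [])}
        if not protocols & SECURE_PROTOCOLS:
            findings.append((lb["LoadBalancerName"], "no HTTPS/SSL listener"))
    return findings


def access_log_findings(load_balancers, attributes_by_name):
    """Item 3: ELBs (internal ones included) whose access logging is switched off."""
    findings = []
    for lb in load_balancers:
        name = lb["LoadBalancerName"]
        access_log = attributes_by_name.get(name, {}).get("AccessLog", {})
        if not access_log.get("Enabled"):
            findings.append((name, "access logging disabled"))
    return findings


if __name__ == "__main__":
    for name, issue in listener_findings(SAMPLE_LBS) + access_log_findings(SAMPLE_LBS, SAMPLE_ATTRIBUTES):
        print(f"{name}: {issue}")
```

The listener check deliberately skips internal load balancers, while the access-log check does not: an internal ELB still serves traffic you may need to investigate later.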
6. Unused IAM Access Keys
If IAM access keys have not been used in the last 30 days, or have never been used since they were created, we strongly recommend removing them to reduce the risk of key compromise.
7. RDS Security Audit (VPC security groups and open ports)
For AWS RDS instances whose database port is open to the public or to a wide range of IPs, we recommend opening the port only to the specific IPs and security groups that need it.
8. Root Account Access Key
One of the best ways to protect your account is to have no access key at all for your root account. Instead, create one or more AWS Identity and Access Management (IAM) users and give them only the permissions they need.
9. IAM Admin Roles Audit
Relying on a single all-powerful identity for your AWS account is risky. Instead, create one or more IAM users, grant them the permissions they need, and use those users for everyday interaction with AWS. Also, prefer temporary security credentials (IAM roles) to long-term access keys.
10. IAM Password Policy
When you set a password policy for your AWS account, always specify complexity requirements and require users to change their password when it expires. By doing this, you ensure that your account credentials are in safer hands!
11. IAM Policy (for Managed Policies)
If you have granted complete control of your AWS account to a single IAM user through a managed policy, there is a risk of a data breach, because that user can reach any of your resources at any time. Review who holds full access and remove it from any IAM user who does not need it.
12. CloudTrail
No CloudTrail = security risk!
AWS CloudTrail is a web service that records the API calls made on your account and delivers log files to your Amazon S3 bucket. Customers who want to track changes to resources, answer simple questions about user activity, demonstrate compliance, troubleshoot, or perform security analysis should enable CloudTrail.
13. IAM Admin Count
Check the total number of admin accounts. Every additional IAM user with admin rights is another set of credentials whose compromise hands over the whole account. It is recommended to keep the number of IAM users with admin rights to a minimum.
14. SSL Expiry
If you have uploaded SSL certificates to Amazon Web Services for ELB (Elastic Load Balancing) or CloudFront (CDN), keep an eye on their expiration dates and renew the certificates on time to ensure uninterrupted service.
15. Root Account MFA
Never forget to enable MFA for your root account. Beyond that, keep the root account out of daily use and give only a limited set of privileged IAM users the access they need.
16. Unused Security Group
If certain security groups are not used or attached to any instances, it is recommended to remove them, so that stale rules are not reused by mistake later.
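Finding unattached groups reliably means looking at network interfaces rather than only at EC2 instances, because RDS, ELB and Lambda attach security groups through interfaces too. The following added example (not code from the original article) does that and also handles the edge case of a group that is attached to nothing but still referenced by another group's rule, which AWS will not let you delete until the reference is removed. It reads the shapes of `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`; the group and interface ids are constructed samples.

```python
"""Find security groups that are attached to nothing (item 16).

Added example, not code from the original article. It compares the groups from
`aws ec2 describe-security-groups` with the groups listed on every network
interface from `aws ec2 describe-network-interfaces`; since EC2, RDS, ELB and
Lambda all attach security groups through network interfaces, an id absent from
every interface is unattached. Constructed samples stand in for the live API.
"""

# Constructed sample: SecurityGroups[] (only the fields this check reads).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-db", "GroupName": "db",
     # Allows the app tier in by group reference rather than by IP.
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-legacy", "GroupName": "legacy-2019", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-default", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
]

# Constructed sample: NetworkInterfaces[] (only the Groups field matters here).
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-web", "GroupName": "web"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-db", "GroupName": "db"}]},
]


def attached_group_ids(interfaces):
    """Every group id that appears on at least one network interface."""
    return {g["GroupId"] for eni in interfaces for g in eni.get("Groups", [])}


def referenced_group_ids(groups):
    """Group ids named as a source/destination in some other group's rules."""
    refs = set()
    for group in groups:
        for rule in group.get("IpPermissions", []) + group.get("IpPermissionsEgress", []):
            for pair in rule.get("UserIdGroupPairs", []):
                refs.add(pair["GroupId"])
    return refs


def classify_unused_groups(groups, interfaces):
    """Split unattached groups into deletable ones and ones still referenced by a rule.

    The VPC 'default' group is skipped because it cannot be deleted. A group that is
    unattached but referenced cannot be deleted until that rule is changed, and the
    referencing rule is probably stale too.
    """
    attached = attached_group_ids(interfaces)
    referenced = referenced_group_ids(groups)
    unused, referenced_only = [], []
    for group in groups:
        gid = group["GroupId"]
        if gid in attached or group.get("GroupName") == "default":
            continue
        (referenced_only if gid in referenced else unused).append(gid)
    return {"unused": unused, "referenced_only": referenced_only}


if __name__ == "__main__":
    result = classify_unused_groups(SAMPLE_GROUPS, SAMPLE_INTERFACES)
    print("safe to delete:", result["unused"])
    print("unattached but still referenced:", result["referenced_only"])
```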
17. RDS Encryption
Encrypting your RDS storage is good practice. If your RDS instances are not encrypted at the database storage level, you can use Amazon RDS encryption to increase data protection for the applications you deploy in the cloud and to meet any compliance requirements for data-at-rest encryption.
18. Old IAM Access Keys
We recommend that administrators regularly rotate the access keys for the IAM users in their account. If you have given users the necessary permissions, they can rotate their own access keys. In the meantime, rotate any access keys that are older than 60 days to enhance the security of your AWS accounts.
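Items 2, 6, 8, 15 and 18 can all be answered from one artifact, the IAM credential report, so here is one added example (not code from the original article) that audits it in a single pass using the 30-day and 60-day thresholds from items 6 and 18. The input is the CSV that `aws iam get-credential-report` returns after base64 decoding; the report below is constructed with a subset of the real columns, and the fixed clock `NOW` exists only to make the sample reproducible.

```python
"""Audit an IAM credential report for root keys, MFA and access-key hygiene.

Added example, not code from the original article. The input is the CSV that
`aws iam get-credential-report` returns (after base64 decoding); the sample below
is constructed with a subset of the real report's columns so the audit runs
offline. It covers items 2 and 15 (MFA), 6 (unused keys), 8 (root access key)
and 18 (keys older than 60 days) in one pass.
"""
import csv
import io
from datetime import datetime, timezone

UNUSED_DAYS = 30       # item 6: a key idle this long should be removed
MAX_KEY_AGE_DAYS = 60  # item 18: a key older than this should be rotated
ROOT = "<root_account>"  # how the credential report names the root user
NOT_A_DATE = {"N/A", "not_supported", "no_information", ""}

# Constructed sample report (subset of the real columns; one row per identity).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T10:00:00+00:00,false,true,2020-01-01T00:00:00+00:00,2024-05-30T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-31T08:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-31T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-10T00:00:00+00:00,true,2024-05-31T08:00:00+00:00,false,true,2024-01-15T00:00:00+00:00,2024-02-01T00:00:00+00:00,true,2024-04-20T00:00:00+00:00,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2022-06-01T00:00:00+00:00,false,no_information,false,true,2022-06-01T00:00:00+00:00,2024-05-31T23:00:00+00:00,false,N/A,N/A
"""

# Fixed clock so the sample's findings are reproducible; drop it for a live report.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_date(value):
    """Report dates are ISO 8601 with offset; placeholders such as N/A become None."""
    return None if value in NOT_A_DATE else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None):
    """Return (user, issue) pairs for every check that fails."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [n for n in (1, 2) if row.get(f"access_key_{n}_active") == "true"]

        if user == ROOT:
            # Items 8 and 15: root should have no access keys at all and must have MFA.
            if active_keys:
                findings.append((user, "root access key active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root MFA not enabled"))
            continue  # root keys are flagged for removal, not for rotation

        # Item 2: every console (password) user needs MFA; API-only users have no console login to protect.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))

        for n in active_keys:
            rotated = parse_date(row[f"access_key_{n}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            last_used = parse_date(row[f"access_key_{n}_last_used_date"])
            # Item 6: never used (after a grace period) or idle for more than 30 days.
            if last_used is None:
                if age > UNUSED_DAYS:
                    findings.append((user, f"access key {n} never used ({age} days since creation)"))
            else:
                idle = (now - last_used).days
                if idle > UNUSED_DAYS:
                    findings.append((user, f"access key {n} unused for {idle} days"))
            # Item 18: rotate anything older than 60 days.
            if age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key {n} is {age} days old"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT, now=NOW):
        print(f"{user}: {issue}")
```

The MFA check is limited to users with a console password on purpose: a user that only holds access keys has no console login for MFA to protect, and flagging it would bury the real findings in noise.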
19. S3 Bucket Permissions
By default, all S3 bucket permissions are private, and you grant Read/Write access to others by writing an access policy. Bucket permissions that grant List access to everyone can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Make sure you grant only the access that is actually needed.
20. Service Log Expiry
It is advisable to configure log expiration on each of your logging buckets, so that old service logs are removed on schedule instead of accumulating indefinitely.
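Items 19 and 20 both come down to reading a bucket's configuration, so the added example below (not code from the original article) covers both: it finds bucket-policy statements and ACL grants open to anyone, noting which ones grant List, and checks that a logging bucket's lifecycle configuration actually expires objects. It reads the structures returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-bucket-lifecycle-configuration`; the bucket name, policy, ACL and lifecycle rules are constructed samples.

```python
"""Check S3 bucket grants for world access (item 19) and logging buckets for log expiry (item 20).

Added example, not code from the original article. It reads the structures
`aws s3api get-bucket-policy`, `get-bucket-acl` and `get-bucket-lifecycle-configuration`
return; constructed samples stand in for live output so the checks run offline.
"""
import fnmatch
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# Constructed bucket policy: PublicAssets is an intended public read of one prefix;
# OopsList is the accidental "List for everyone" grant item 19 warns about.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicAssets", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/public/*"},
        {"Sid": "OopsList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::example-assets"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/reports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed ACL: the owner plus a READ grant to everyone, which also exposes listing.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

# Constructed lifecycle for a logging bucket: the only expiry rule is disabled,
# and the enabled rule merely transitions objects, so nothing ever expires.
SAMPLE_LIFECYCLE = {"Rules": [
    {"ID": "expire-old-logs", "Status": "Disabled", "Filter": {"Prefix": "elb/"}, "Expiration": {"Days": 90}},
    {"ID": "archive", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]},
]}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """True for the two spellings of 'any principal': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def action_matches(actions, wanted):
    """Case-insensitive wildcard match, so "s3:*", "*" and "s3:List*" all cover s3:ListBucket."""
    return any(fnmatch.fnmatch(wanted.lower(), a.lower()) for a in actions)


def public_policy_grants(policy_json):
    """Allow statements open to any principal, noting whether they grant List and carry a Condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        findings.append({
            "sid": stmt.get("Sid"),
            "grants_list": action_matches(actions, "s3:ListBucket"),
            "conditional": "Condition" in stmt,  # e.g. aws:SourceIp narrows it; still review it
        })
    return findings


def public_acl_grants(acl):
    """ACL grants to AllUsers or AuthenticatedUsers (the latter means any AWS account, not just yours)."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def has_enabled_expiry(lifecycle):
    """Item 20: True only if an Enabled rule actually expires objects; transitions alone do not."""
    return any(rule.get("Status") == "Enabled" and "Expiration" in rule
               for rule in lifecycle.get("Rules", []))


if __name__ == "__main__":
    for grant in public_policy_grants(SAMPLE_POLICY):
        print("public policy statement:", grant)
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("logging bucket expires logs:", has_enabled_expiry(SAMPLE_LIFECYCLE))
```

Two details are easy to miss when reviewing by hand: a `Deny` statement with `Principal: "*"` is harmless and is skipped, and a lifecycle rule that only transitions objects to a cheaper storage class does not satisfy item 20, because the logs still accumulate.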
To learn how Rational Selling can help you set up and secure your cloud infrastructure, visit www.Rationalselling.com or write to us at info@rationalselling.com.