AWS Best Practices (Capital One Data Breach) - Salem73616C656D/reading-notes GitHub Wiki

Key Takeaways

AWS Governance Practices:

  • Don't allow EC2 instances to have IAM roles that allow attaching or replacing role policies in any production environments.
  • Clean up unused cloud resources (especially EC2 instances and S3 buckets) left over from prior development or production debugging efforts.
  • Review S3 bucket permissions, policies and access via both automation and manual audits.
  • Use CloudTrail, CloudWatch and/or AWS lambda services to review and automate specific actions taken on S3 resources.
  • Periodically review IAM roles.

AWS Configuration Practices:

  • AWS IAM: Ensure least privileged IAM instance roles are used for AWS resource access from instances.
  • AWS IAM: Ensure IAM policies are attached only to groups or roles
  • AWS S3: Ensure AWS S3 buckets do not allow public READ access
  • AWS S3: Ensure AWS S3 buckets do not allow public READ_ACP access
  • AWS S3: Ensure AWS S3 buckets do not allow public WRITE_ACP access
  • AWS S3: Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs
  • AWS S3: Ensure that access to Amazon S3 buckets is limited to specific IP addresses
  • AWS S3: Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs
  • AWS S3: Ensure every S3 bucket has a bucket policy that requires server-side encryption and encryption in transit for all objects stored in the bucket
  • AWS Networking: Ensure no Application Load Balancer (ALB) exposes the administrative service SSH (TCP:22) to the public internet
  • AWS Networking: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (SSH)
  • AWS Networking: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (RDP)
  • AWS - Audit and Logging: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS - Audit and Logging: Ensure CloudTrail is enabled in all regions
  • AWS - Audit and Logging: Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS - Audit and Logging: Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS - Monitoring: Ensure a log metric filter and alarm exist for CloudTrail configuration changes.
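As an added example (not part of the original notes, and not Capital One's or AWS's own tooling), the following Python evaluates a boto3-style S3 bucket ACL against the S3 ACL items above and an IAM role policy document against the first governance item (roles that can attach or replace role policies). The ACL, role policy and owner ID are constructed samples; with boto3 the same dicts would come from `get_bucket_acl()` and `get_role_policy()`.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Group grants that violate the S3 ACL items in the checklist above.
RISKY_GRANTS = {
    ALL_USERS: {"READ", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"},
    AUTH_USERS: {"READ", "FULL_CONTROL"},
}
# IAM actions that attach or replace role policies (first governance item).
ROLE_POLICY_ACTIONS = {"iam:attachrolepolicy", "iam:putrolepolicy"}


def risky_acl_grants(acl):
    """Return (group, permission) pairs in an S3 ACL that violate the checklist above."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are out of scope for these checks
        uri, perm = grantee.get("URI", ""), grant.get("Permission", "")
        if perm in RISKY_GRANTS.get(uri, set()):
            findings.append((uri.rsplit("/", 1)[-1], perm))
    return findings


def _as_list(value):
    # IAM policy JSON allows a bare string wherever a list is expected.
    return value if isinstance(value, list) else [value]


def allows_role_policy_changes(policy):
    """True if an Allow statement grants a ROLE_POLICY_ACTIONS action, directly or
    via a wildcard ("iam:*", "iam:Put*", "*"). Deny statements are not evaluated."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            action = action.lower()
            if action in ROLE_POLICY_ACTIONS:
                return True
            if action.endswith("*") and any(a.startswith(action[:-1]) for a in ROLE_POLICY_ACTIONS):
                return True
    return False


# Constructed sample inputs (not real account data).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "FULL_CONTROL"},
]}
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:PutRolePolicy"], "Resource": "*"},
]}
```

A True result from `allows_role_policy_changes` is a role to review rather than a confirmed problem, since Deny statements, permissions boundaries and SCPs are not evaluated here.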

Vocabulary

No new vocabulary

Conclusion