Security Checklist for systems on Amazon Web Services

Security has always been a business concern when moving to the cloud, especially for businesses that store user data such as banking, finance, real estate, and insurance. Therefore, VTI Cloud will share our cloud security checklist for systems on Amazon Web Services (AWS) in the article below.

AWS Shared Responsibility Model

Security and compliance are a shared responsibility between AWS and its customers. This shared model can help reduce the operational burden on customers as AWS operates, manages, and controls components from the server operating system and virtualization layer to the physical security of the facilities. The department is operating the service.

The customers will be in charge of and manage the client operating system (including security updates and patches), other associated application software, and the configuration of the Security Groups and firewall provided by AWS.

The customer should carefully consider the services he/she chooses as the customer’s responsibility will vary with the service in use, the integration of those services into the customer’s IT environment as well as the law. and current regulations.

This nature of shared responsibility also provides flexibility and provides the ability to control customers to enable deployment.

Security in the Shared Responsibility Model

AWS’s Shared Responsibility Model makes it clear that certain aspects of AWS security are in the hands of the business, and businesses must be fully responsible for the security incidents that occur in the management of the business.

Security in the Shared Responsibility Model	Customer’s Responsibilities	AWS’s Responsibilities
Preventing or detecting when an AWS account has been compromised	o
Preventing or detecting a privileged or regular AWS user behaving in an insecure manner	o
Preventing sensitive data from being uploaded to or shared from applications in an inappropriate manner	o
Configuring AWS services (except AWS Managed Services) in a secure manner	o
Restricting access to AWS services or custom applications to only those users who require it	o
Updating guest operating systems and applying security patches	o
Ensuring AWS and custom applications are being used in a manner compliant with internal and external policies	o	o
Ensuring network security (DoS, man-in-the-middle (MITM), port scanning)	o	o
Configuring AWS Managed Services in a secure manner		o
Providing physical access control to hardware/software		o
Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters		o
Database patching		o
Protecting against AWS zero-day exploits and other vulnerabilities		o
Business continuity management (availability, incident response)		o

To understand more on this model, please read more on the following link: https://aws.amazon.com/compliance/shared-responsibility-model/

AWS Security Checklist

VTI Cloud has developed a checklist of best practices and highest priority, which businesses must follow to proactively stop threats. This checklist provides customer recommendations for Security Pillar matching in the AWS Well-Architected Framework.

VTI Cloud wrote about AWS Well-Architected Framework in the latest blog post, here: AWS Well-Architected Framework là gì? | VTI CLOUD

Security checklist of AWS Identity & Access Management (IAM)

Work Checklist	Check
Avoid using the Access Keys of the root account in AWS as these allow full access to all resources
Multi-Factor Authentication must be enabled for the root account to provide two-factor authentication
Centralize identity with AWS Single Sign-On or 3rd party solution to avoid creating multiple IAM accounts arising frequently or using long-term (long-term) Access Keys
Assign IAM users the necessary permissions to allow service logon or resource access through IAM Policies or IAM Roles if using cross-account
Make sure the user account also has MFA authentication
The IAM Access Keys must be renewed periodically
Ensure a strong password policy for users and set up a 90-day lifecycle for passwords
Assign permissions to users based on User Groups, rather than on individual users
Granting minimal access while creating IAM Policies, these policies are required to take certain actions.
Attach IAM Policies to Groups or Roles when creating
Appropriate conditions should be used to limit refusal or authorization of action against resources
Eliminate unnecessary IAM users who are inactive or inactive
Use IAM Roles to grant access to applications on EC2 Instance
Use multiple AWS accounts to separate data and resources on AWS, and enable the use of Service Control Policies to integrate guardrails in AWS Control Tower. AWS Control Tower makes it easy to set up and manage AWS multi-account environments

Security checklist of Amazon S3

Work Checklist	Check
Ensure S3 buckets are not publicly accessible (publicly read or write) – users can enable ‘Amazon S3 block public access to prevent access from Public
Use object-level or bucket-level permissions next to IAM Policies to grant access to resources.
Enable MFA Delete to prevent accidental deletion of buckets
Consider encryption of stored data, which can be done in two ways – server-side and client-side encryption
Allows encryption of incoming and outgoing traffic through SSL endpoints
Configure S3 lifecycle management (S3 lifecycle) through rule-based actions and use Bucket Versioning, to deal with random deletion
Make sure S3 access logging is enabled
Continuously inspect and monitor S3 buckets using Amazon CloudWatch metrics

Security checklist of Amazon EC2, Amazon VPC, and Amazon EBS

Work Checklist	Check
Ensure data and disk (disk volume) in EBS is encrypted with AES-256
Restrict access to instances from restricted IP ranges using Security Groups
Limits the scope of ports opened on EC2 Security Groups, to prevent attacks through vulnerabilities
Use IAM policies with restrictions for IAM users, roles that are allowed to change or modify the original AMI (Amazon Machine Images)
Make sure Elastic Load Balancers have a valid Security Group associated with it and enable access logging
Monitor and optimize default Security Groups, as they allow unlimited access for inbound and outbound traffic
Use AWS Firewall Manager to automatically apply the rules of Security Groups and AWS WAF
Ensure limited access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS…, limit access to fixed IPs if possible.
Use IAM Roles to grant access to EC2, instead of Access Keys for temporary requests
If you are using the IAM user Access Keys for permanent permissions, make sure not to embed these keys directly in the code.
Create different keys for different applications, rotate Access Keys, use MFA validation, and deactivate unused Key pairs
Enable and enable VPC flow logs to record incoming and outgoing traffic in VPC for better tracking and early diagnosis of potential problems
Delete unused Virtual Private Gateway and VPC Internet Gateway
Make sure that no VPC endpoints are exposed to the public, by checking the key value in the policy.
Make sure there are no Network ACLs that allow unrestricted access or exit

Security checklist of AWS CloudTrail

Work Checklist	Check
Make sure CloudTrail has Multi-region feature enabled
You should log into a centralized S3 bucket and use access logging and restrict access to the CloudTrail S3 bucket.
Make sure both CloudTrail and CloudTrail logging have Multi-Region logging enabled
Ensure CloudTrail log file integrity authentication is enabled
Ensure CloudTrail logs are encrypted
Use in conjunction with Amazon CloudWatch for binding metrics, with Amazon GuardDuty for continuous monitoring and AWS Security Hub for a holistic view of security on AWS

Security checklist of Amazon CloudFront, AWS WAF, and AWS Shield

Work Checklist	Check
Uses Amazon CloudFront, AWS WAF, and AWS Shield to provide DDoS attack protection at Layer 3 (Network), Layer 4 (Transport), and Layer 7 (Application)
Use “Signed-URLs” for content that needs to be authorized, see also: Using signed URLs – Amazon CloudFront
Use secure CloudFront SSL versions

Security checklist of Amazon RDS

Work Checklist	Check
Make sure the RDS Security Groups do not allow unrestricted access
Ensure encryption of RDS instances and snapshots, using AES-256 level encryption
Protects data when transmitting to RDS over SSL endpoints
Monitoring RDS control with AWS Key Management Service (KMS) and Customer Managed Keys
Configure AWS Secrets Manager to automatically rotate secrets (a set of information, usernames, and passwords, and connection details used to access a secured service) to Amazon RDS
Ensure RDS database instances and snapshots are not publicly accessible
Enable automatic minor upgrade for RDS

Security checklist of Amazon Redshift

Work Checklist	Check
Enable require_ssl parameter in all Redshift clusters to minimize the risk of data encryption in transit for the Redshift and connect SQL Client to the enterprise cluster
Enables Redshift Cluster encryption
Enable the require_ssl parameter for the RedShift Cluster
Make sure Redshift user activity logging is enabled
Ensure Redshift encryption with KMS Customer-Managed Keys
We recommend that enterprises launch Redshift clusters in the VPC for better control
Make sure that the Redshift clusters are not publicly accessible

Security checklist of AWS Systems Manager

Work Checklist	Check
Use AWS Systems Manager Patch Manager to automate the process of patching systems and code, including OS, application, and code dependencies
Use the AWS Systems Manager Automation runbook or use Command to access the database or system indirectly

Security checklist of Monitoring and Alerts

Work Checklist	Check
Enable AWS Config to monitor historical data of resources, and use the Config Managed Rules to automatically alert or immediately alert unwanted changes
Alerts on the creation of both logs and events from AWS CloudTrail, to Amazon GuardDuty and application logs, help identify high-priority alerted events to investigate security incidents.

Conclusion

The most important requirement when ensuring a secure infrastructure is complete visibility. Simply put, how can an enterprise take preventive action if it doesn’t even know what’s wrong?

With the use of AWS security checklists recommended for some typical VTI Cloud services above, businesses will ensure the most essential elements to keep their infrastructure at risk. In addition, businesses can contact us, VTI Cloud, for advice and implementation on security checklists with AWS Well-Architected Review and Managed Services for businesses.

We will ensure your system runs the most smoothly, but always ensure information security, system security, and especially the optimal cost of use of the current system.

Read more on our AWS Well-Architected Review at the following link: https://vticloud.io/services/well-architected

About VTI Cloud

VTI Cloud is an Advanced Consulting Partner of AWS Vietnam with a team of over 50+ AWS certified solution engineers. With the desire to support customers in the journey of digital transformation and migration to the AWS cloud, VTI Cloud is proud to be a pioneer in consulting solutions, developing software, and deploying AWS infrastructure to customers in Vietnam and Japan.

Building safe, high-performance, flexible, and cost-effective architectures for customers is VTI Cloud’s leading mission in enterprise technology mission.