
Security Checklist for systems on Amazon Web Services


Security has always been a business concern when moving to the cloud, especially for businesses that store user data, such as banking, finance, real estate, and insurance. In the article below, VTI Cloud shares its cloud security checklist for systems on Amazon Web Services (AWS).

AWS Shared Responsibility Model

Security and compliance are a shared responsibility between AWS and its customers. This shared model helps reduce the customer's operational burden, because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run.

Customers are responsible for managing the guest operating system (including security updates and patches), any associated application software, and the configuration of the Security Groups and firewalls provided by AWS.

(Figure: AWS shared responsibility model)

Customers should carefully consider the services they choose, because their responsibility varies with the services in use, with how those services are integrated into their IT environment, and with the applicable laws and regulations.

This shared responsibility also gives customers flexibility and control over how they deploy.

Security in the Shared Responsibility Model

AWS’s Shared Responsibility Model makes clear that certain aspects of security on AWS are in the hands of the business, and the business is fully responsible for security incidents that occur within the parts it manages.

Security in the Shared Responsibility Model | Customer’s Responsibilities | AWS’s Responsibilities
Preventing or detecting when an AWS account has been compromised | o |
Preventing or detecting a privileged or regular AWS user behaving in an insecure manner | o |
Preventing sensitive data from being uploaded to or shared from applications in an inappropriate manner | o |
Configuring AWS services (except AWS Managed Services) in a secure manner | o |
Restricting access to AWS services or custom applications to only those users who require it | o |
Updating guest operating systems and applying security patches | o |
Ensuring AWS and custom applications are being used in a manner compliant with internal and external policies | o | o
Ensuring network security (DoS, man-in-the-middle (MITM), port scanning) | o | o
Configuring AWS Managed Services in a secure manner | | o
Providing physical access control to hardware/software | | o
Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters | | o
Database patching | | o
Protecting against AWS zero-day exploits and other vulnerabilities | | o
Business continuity management (availability, incident response) | | o

To understand more on this model, please read more on the following link: https://aws.amazon.com/compliance/shared-responsibility-model/

AWS Security Checklist

VTI Cloud has compiled a checklist of the highest-priority best practices that businesses should follow to proactively stop threats. The checklist gives customers recommendations that map to the Security Pillar of the AWS Well-Architected Framework.

VTI Cloud wrote about the AWS Well-Architected Framework in a recent blog post, here: What is the AWS Well-Architected Framework? | VTI CLOUD

Security checklist of AWS Identity & Access Management (IAM)

  • Avoid using Access Keys for the root account, as they grant full access to all resources in the account

  • Enable Multi-Factor Authentication (MFA) on the root account

  • Centralize identity with AWS Single Sign-On or a third-party solution, to avoid creating many IAM users or relying on long-term Access Keys

  • Make sure IAM user accounts also have MFA enabled

  • Rotate IAM Access Keys periodically

  • Enforce a strong password policy for users and set a 90-day password lifecycle

  • Assign permissions through User Groups rather than to individual users

  • Apply least privilege when creating IAM Policies: allow only the actions that are actually required

  • Attach IAM Policies to Groups or Roles when creating them

  • Use appropriate policy conditions to limit when actions on resources are allowed or denied

  • Remove unnecessary or inactive IAM users

  • Use IAM Roles to grant access to applications running on EC2 instances

  • Use multiple AWS accounts to separate data and resources on AWS, and use Service Control Policies as guardrails with AWS Control Tower, which makes it easy to set up and manage AWS multi-account environments
 

 

Security checklist of Amazon S3

  • Ensure S3 buckets are not publicly accessible (public read or write); enable Amazon S3 Block Public Access to prevent access from the public

  • Use object-level or bucket-level permissions alongside IAM Policies to grant access to resources

  • Enable MFA Delete to prevent accidental deletion of buckets

  • Consider encryption of stored data, which can be done in two ways: server-side and client-side encryption

  • Encrypt incoming and outgoing traffic by using SSL endpoints

  • Configure S3 lifecycle management through rule-based actions, and enable Bucket Versioning to recover from accidental deletion

  • Make sure S3 access logging is enabled

  • Continuously inspect and monitor S3 buckets using Amazon CloudWatch metrics
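The IAM least-privilege item above and the S3 "not publicly accessible" item can both be checked statically before a policy is deployed. The following is an added example, not code from VTI Cloud or AWS; the two policy documents are constructed samples, and the account ID in them is a placeholder.

```python
"""Static audit of IAM policy and S3 bucket policy documents for over-broad grants."""
import json

# Constructed sample documents (not from any real account): an IAM policy with an
# accidental admin statement, and a bucket policy with a public-read statement.
IAM_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]})
BUCKET_POLICY = json.dumps({"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "TrustedAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-assets",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
]})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' and {"AWS": "*"} both mean anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_policy(policy_json):
    """Return (Sid or statement index, reason) for each over-broad Allow statement."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only restrict access.
        label = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((label, "admin grant: Action '*' on Resource '*'"))
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((label, "wildcard action: " + ", ".join(actions)))
        # A public principal with no Condition makes the bucket world-accessible; a
        # statement that has a Condition (e.g. a source VPC endpoint) is left for review.
        if _is_public_principal(st.get("Principal")) and "Condition" not in st:
            findings.append((label, "public principal '*' with no Condition"))
    return findings
```

Run it against any policy document you are about to attach; a non-empty result is a finding to fix before the policy goes live.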
 

 

Security checklist of Amazon EC2, Amazon VPC, and Amazon EBS

  • Ensure data and disk volumes in EBS are encrypted with AES-256

  • Restrict access to instances to specific IP ranges using Security Groups

  • Limit the ports opened in EC2 Security Groups, to reduce the attack surface exposed to vulnerabilities

  • Use restrictive IAM policies for the IAM users and roles that are allowed to change or modify the original AMIs (Amazon Machine Images)

  • Make sure Elastic Load Balancers have a valid Security Group associated with them, and enable access logging

  • Monitor and tighten default Security Groups, as they allow unlimited inbound and outbound traffic

  • Use AWS Firewall Manager to automatically apply Security Group and AWS WAF rules

  • Ensure limited access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS, etc., and limit access to fixed IPs where possible

  • Use IAM Roles to grant access to EC2, instead of Access Keys, for temporary requests

  • If you are using IAM user Access Keys for permanent permissions, make sure not to embed these keys directly in the code

  • Create different keys for different applications, rotate Access Keys, use MFA, and deactivate unused key pairs

  • Enable VPC Flow Logs to record incoming and outgoing traffic in the VPC, for better tracking and early diagnosis of potential problems

  • Delete unused Virtual Private Gateways and VPC Internet Gateways

  • Make sure that no VPC endpoints are exposed to the public, by checking the keys and values in the endpoint policy

  • Make sure there are no Network ACLs that allow unrestricted inbound or outbound access
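The Security Group items above (limit open ports, restrict the listed services to fixed IPs) can be audited over the output of `aws ec2 describe-security-groups`. The following is an added example, not code from VTI Cloud or AWS; the three security groups are constructed samples in the shape of that output, and the sensitive-port list is taken from the checklist item on SSH, FTP, SMTP and the database ports.

```python
"""Flag inbound security-group rules that expose sensitive ports to the whole internet."""

# Ports for the services named in the checklist (SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS).
SENSITIVE_PORTS = {22: "SSH", 21: "FTP", 25: "SMTP", 3306: "MySQL", 5432: "PostgreSQL",
                   27017: "MongoDB", 1433: "MSSQL", 445: "CIFS"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Constructed sample in the shape of `describe-security-groups` output (not a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH from one office range only
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,      # MySQL open to the world
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
]


def _world_open(rule):
    """True if any IPv4 or IPv6 source range of the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def exposed_ports(rule):
    """Sensitive ports one inbound rule covers; IpProtocol '-1' means all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "udp"):  # e.g. icmp has no port range
        return []
    low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if low <= p <= high)


def audit_security_groups(groups):
    """Return (GroupId, port, service) for every sensitive port open to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            for port in exposed_ports(rule):
                findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings
```

A rule such as HTTPS 443 open to the world produces no finding; the same check applied to Network ACL entries (port range plus 0.0.0.0/0) covers the last item of the list.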
 

 

Security checklist of AWS CloudTrail

  • Make sure CloudTrail has the Multi-Region feature enabled

  • Log to a centralized S3 bucket, enable access logging on it, and restrict access to the CloudTrail S3 bucket

  • Make sure both CloudTrail and CloudTrail logging have Multi-Region logging enabled

  • Ensure CloudTrail log file integrity validation is enabled

  • Ensure CloudTrail logs are encrypted

  • Use CloudTrail together with Amazon CloudWatch for metrics and alarms, Amazon GuardDuty for continuous monitoring, and AWS Security Hub for a holistic view of security on AWS
 

 

Security checklist of Amazon CloudFront, AWS WAF, and AWS Shield

  • Use Amazon CloudFront, AWS WAF, and AWS Shield to provide DDoS protection at Layer 3 (Network), Layer 4 (Transport), and Layer 7 (Application)

  • Use secure SSL/TLS versions on CloudFront
 

 

Security checklist of Amazon RDS

  • Make sure the RDS Security Groups do not allow unrestricted access

  • Ensure encryption of RDS instances and snapshots, using AES-256 encryption

  • Protect data in transit to RDS by using SSL endpoints

  • Manage RDS encryption keys with AWS Key Management Service (KMS) and Customer Managed Keys

  • Configure AWS Secrets Manager to automatically rotate the secrets (the usernames, passwords, and connection details used to access a secured service) for Amazon RDS

  • Ensure RDS database instances and snapshots are not publicly accessible

  • Enable automatic minor version upgrades for RDS
 

 

Security checklist of Amazon Redshift

  • Enable the require_ssl parameter on all Redshift clusters, so that SQL clients can only connect to the enterprise cluster over an encrypted connection and data in transit is not exposed

  • Enable Redshift cluster encryption

  • Enable the require_ssl parameter for the Redshift cluster

  • Make sure Redshift user activity logging is enabled

  • Ensure Redshift encryption with KMS Customer-Managed Keys

  • We recommend that enterprises launch Redshift clusters inside a VPC for better control

  • Make sure that the Redshift clusters are not publicly accessible
 

 

Security checklist of AWS Systems Manager

  • Use AWS Systems Manager Patch Manager to automate the process of patching systems and code, including the OS, applications, and code dependencies

  • Use AWS Systems Manager Automation runbooks or Run Command to access databases or systems indirectly, instead of logging in to them directly
 

 

Security checklist of Monitoring and Alerts

  • Enable AWS Config to record the configuration history of resources, and use Config Managed Rules to alert automatically and immediately on unwanted changes

  • Alert on logs and events from AWS CloudTrail, Amazon GuardDuty, and application logs, so that high-priority events are identified and security incidents can be investigated
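Two of the highest-priority CloudTrail events for the alerts above come straight from the IAM checklist: any use of the root account, and console logins that succeed without MFA. The following is an added example of that detection logic, not code from VTI Cloud or AWS; the CloudTrail records are constructed samples trimmed to the fields used, and the account ID in them is a placeholder.

```python
"""Detect root-account activity and console logins without MFA in CloudTrail records."""
import json

# Constructed CloudTrail records (trimmed to the fields used); not from a real trail.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:01:12Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T08:03:40Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2024-01-10T09:15:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventName": "PutObject", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}},
]})

# Root should never be used day to day; these actions by Root are the highest priority.
ROOT_SENSITIVE = {"ConsoleLogin", "CreateAccessKey", "CreateUser", "DeleteTrail", "StopLogging"}


def classify(record):
    """Return (severity, reason) for one CloudTrail record, or None if it is not alert-worthy."""
    identity = record.get("userIdentity", {})
    name = record.get("eventName")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if identity.get("type") == "Root":
        severity = "high" if name in ROOT_SENSITIVE else "medium"
        return (severity, f"root account used for {name}")
    # ConsoleLogin events carry MFAUsed; only successful logins without MFA are flagged.
    if (name == "ConsoleLogin" and mfa == "No"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        return ("medium", f"console login without MFA by {identity.get('arn')}")
    return None


def scan_cloudtrail(log_json):
    """Return (eventTime, sourceIPAddress, severity, reason) for each suspicious record."""
    alerts = []
    for rec in json.loads(log_json)["Records"]:
        hit = classify(rec)
        if hit:
            alerts.append((rec["eventTime"], rec.get("sourceIPAddress"), hit[0], hit[1]))
    return alerts
```

The same conditions can be expressed as a CloudWatch Logs metric filter on the CloudTrail log group, with an alarm on the resulting metric, so that the alert fires without a custom scanner.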
 

 

Conclusion

The most important requirement when ensuring a secure infrastructure is complete visibility. Simply put, how can an enterprise take preventive action if it doesn’t even know what’s wrong?

By applying the AWS security checklists recommended above for these typical services, businesses cover the most essential elements needed to keep their infrastructure secure. In addition, businesses can contact us, VTI Cloud, for advice on and implementation of security checklists through our AWS Well-Architected Review and Managed Services.

We will make sure your system runs as smoothly as possible while maintaining information security and system security, and in particular optimizing the cost of your current system.

Read more on our AWS Well-Architected Review at the following link: https://vticloud.io/services/well-architected

About VTI Cloud

VTI Cloud is an Advanced Consulting Partner of AWS Vietnam with a team of over 50 AWS-certified solution engineers. With the desire to support customers on their journey of digital transformation and migration to the AWS cloud, VTI Cloud is proud to be a pioneer in consulting on solutions, developing software, and deploying AWS infrastructure for customers in Vietnam and Japan.

Building safe, high-performance, flexible, and cost-effective architectures for customers is VTI Cloud’s core mission in enterprise technology.

In addition, VTI Cloud supports building the VIET-AWS community. This group is one of the fastest-growing AWS User Groups and is officially recognized by Amazon in the Asia Pacific (Vietnam) region.

VIET-AWS is a place for Solutions Architects, DevOps and SysOps engineers, and students starting out with Amazon Web Services (AWS) cloud computing services to connect and support each other. Join VTI Cloud in VIET-AWS: https://www.facebook.com/groups/vietawscommunity
