Skip to content

AWS Security Practices

Turn on multif­actor authen­tic­ation for the “root” account
Turn on CloudTrail log file valida­tion.
Enable CloudTrail multi-­region logging.
Integrate CloudTrail with CloudW­atch.
Enable access logging for CloudTrail S3 buckets.
Enable access logging for Elastic Load Balancer (ELB).
Enable Redshift audit logging.
Enable Virtual Private Cloud (VPC) flow logging.
Require multif­actor authen­tic­ation (MFA) to delete CloudTrail buckets
Enable CloudTrail logging across all AWS.
Turn on multi-­factor authen­tic­ation for IAM users.
Enable IAM users for multi-mode access.
Attach IAM policies to groups or roles
Rotate IAM access keys regularly, and standa­rdize on the selected number of days
Set up a strict password policy.
Set the password expiration period to 90 days and prevent reuseC­ustomer Visual­force pages with standard headers
Don’t use expired SSL/TLS certif­icates
User HTTPS for CloudFront distri­butions
Restrict access to CloudTrail bucket.
Encrypt CloudTrail log files at rest
Encrypt Elastic Block Store (EBS) database.
Provision access to resources using IAM roles.
Ensure EC2 security groups don’t have large ranges of ports open
Configure EC2 security groups to restrict inbound access to EC2.
Avoid using root user accounts.
Use secure SSL ciphers when connecting between the client and ELB.
Use secure SSL versions when connecting between client and ELB.
Use a standard naming (tagging) convention for EC2.
Encrypt RDS.
Ensure access keys are not being used with root accounts.
Use secure CloudFront SSL versions.
Enable the requir­e_ssl parameter in all Redshift clusters.
Rotate SSH keys period­ically.
Minimize the number of discrete security groups.
Reduce number of IAM groups.
Terminate unused access keys
Disable access for inactive or unused IAM users
Remove unused IAM access keys
Delete unused SSH Public Keys
Restrict access to AMIs.
Restrict access to EC2 security groups.
Restrict access to RDS instances.
Restrict access to Redshift clusters.
Restrict outbound access.
Disallow unrest­ricted ingress access on uncommon ports.
Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, Remote desktop
Inventory & categorize all existing custom apps by the types of data stored, compliance requir­ements & possible threats they face.
Involve IT security throughout the develo­pment process.
Grant the fewest privileges as possible for applic­ation users
Enforce a single set of data loss prevention policies across custom applic­ations and all other cloud services.
Encrypt highly sensitive data such as protected health inform­ation (PHI) or personally identi­fiable inform­ation (PII).