Turn on multifactor authentication for the “root” account |
Turn on CloudTrail log file validation. |
Enable CloudTrail multi-region logging. |
Integrate CloudTrail with CloudWatch. |
Enable access logging for CloudTrail S3 buckets. |
Enable access logging for Elastic Load Balancer (ELB). |
Enable Redshift audit logging. |
Enable Virtual Private Cloud (VPC) flow logging. |
Require multifactor authentication (MFA) to delete CloudTrail buckets |
Enable CloudTrail logging across all AWS. |
Turn on multi-factor authentication for IAM users. |
Enable IAM users for multi-mode access. |
Attach IAM policies to groups or roles |
Rotate IAM access keys regularly, and standardize on the selected number of days |
Set up a strict password policy. |
Set the password expiration period to 90 days and prevent reuseCustomer Visualforce pages with standard headers |
Don’t use expired SSL/TLS certificates |
User HTTPS for CloudFront distributions |
Restrict access to CloudTrail bucket. |
Encrypt CloudTrail log files at rest |
Encrypt Elastic Block Store (EBS) database. |
Provision access to resources using IAM roles. |
Ensure EC2 security groups don’t have large ranges of ports open |
Configure EC2 security groups to restrict inbound access to EC2. |
Avoid using root user accounts. |
Use secure SSL ciphers when connecting between the client and ELB. |
Use secure SSL versions when connecting between client and ELB. |
Use a standard naming (tagging) convention for EC2. |
Encrypt RDS. |
Ensure access keys are not being used with root accounts. |
Use secure CloudFront SSL versions. |
Enable the require_ssl parameter in all Redshift clusters. |
Rotate SSH keys periodically. |
Minimize the number of discrete security groups. |
Reduce number of IAM groups. |
Terminate unused access keys |
Disable access for inactive or unused IAM users |
Remove unused IAM access keys |
Delete unused SSH Public Keys |
Restrict access to AMIs. |
Restrict access to EC2 security groups. |
Restrict access to RDS instances. |
Restrict access to Redshift clusters. |
Restrict outbound access. |
Disallow unrestricted ingress access on uncommon ports. |
Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, Remote desktop |
Inventory & categorize all existing custom apps by the types of data stored, compliance requirements & possible threats they face. |
Involve IT security throughout the development process. |
Grant the fewest privileges as possible for application users |
Enforce a single set of data loss prevention policies across custom applications and all other cloud services. |
Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII). |