This document provides an overview of key areas to focus on for security when using AWS cloud infrastructure: automation, IAM, network design, encryption, auditing, and continuous integration. It emphasizes that automation is critical for security and infrastructure should be defined as code. For IAM, it recommends using a directory service and restricting use of the root account. For network design, it suggests using VPCs and monitoring traffic. It also provides checklists for each area to help ensure security best practices are followed.
27. It creates a culture
around describing
systems as data
28. The cloud is an
abstraction, talk about it
as one
29. It creates a place where simple
code review is the only blocker
between you and the end result
30. Automation Checklist
All infrastructure is recorded as code
All infrastructure changes are made by an automated tool
Console logins are restricted to a handful of
administrators
Teams are educated and empowered to make necessary
changes via automation
51. And forces people to
think about the roles they
need to perform a task
52. IAM Checklist
Root account has MFA enabled
Root account has no access keys*
Users have no permissions outside of the ability to use STS to assume
roles*
Directories are replicated into AWS and used as the system of record
MFA is enabled for all human users
MFA is required to access privileged roles
Users are trained and provided tools to make role assumption seamless
Users have no inline policies
65. Network Design Checklist
Everything is deployed inside a VPC
Flow logs are enabled and monitored
Everything that can has a security group attached
Any security group that allows access from 0.0.0.0/0 has
a detailed description and justification
Remote access is only allowed via a bastion host or
internal interface
77. Encryption Checklist
All Master or Key Encryption Keys are stored using KMS
All KMS keys have the rotation option enabled
All AWS services utilized that store data should use KMS
Data encryption keys are generated using kms master
keys and stored encrypted
97. Alert Event Examples
Root account login
Root account key usage
New user created
User added to administrative roles
Too many KMS decrypt events
98. Auditing Checklist
Configuration analysis is performed at least daily, if not for
every change
CloudTrail is enabled for all active regions
CloudWatch metrics and alarms are implemented for
major violation cases
Guard Duty?
102. Now you can block or
rollback changes based
on audit findings
103. You can also institute a
seamless sign-off policy
that lives in code hosting
104.
105.
106. CI Checklist
All infrastructure changes trigger configuration audits
Critical issues found in CI trigger immediate response
Use the CI pipeline to create a sign-off process that
allows teams to move faster