AWS Security
Download as PPTX, PDF0 likes230 views
The document outlines security best practices for AWS including: - Using IAM roles instead of long-term access keys, enabling MFA authentication, and granting least privilege access. - Encrypting data at rest using AES-256 encryption, limiting network access using security groups, and enabling logging. - Ensuring S3 buckets, RDS instances, and Redshift clusters are not publicly accessible and their access is encrypted. - Implementing monitoring with CloudWatch and using security tools like Inspector, Shield, and WAF.
AWS Security
- 1. Agenda - Introduction - AWS Shared Responsibility Model - AWS Data Security - AWS Servers Security - AWS Applications Security - Security Best Practice 1
- 4. Shared Responsibility Model and service categories 4
- 5. AWS Cloud Adoption Framework Overview 5
- 6. 6 AWS Security Best Practices Checklist Amazon Elastic Compute Cloud Amazon Relational Database Service Amazon Aurora Amazon CloudFront Amazon API Gateway AWS Lambda AWS Lightsail DNS Zone Walking As of now, the AWS penetration testing policy allows testing of the following AWS services:
- 7. 7 Amazon inspector Amazon Inspector features and benefits ๏ Enforce security standards and compliance ๏ Increasing development agility ๏ Leverage AWS Security expertise ๏ Integrated with AWS services and AWS partners
- 8. Amazon Inspector Components 8 AWS Agent Assessment run Assessmen t target Findings Assessmen t report Rules package
- 9. 9 AWS Shield AWS Shield features and benefits ๏ Seamless integration and deployment ๏ Customizable protection ๏ Cost efficient ๏ Quick detection ๏ Inline attack mitigation
- 10. 10 AWS Web Application Firewall (WAF) ๏ Increased protection against web attacks ๏ Security integrated with how you develop applications ๏ Ease of deployment and maintenance ๏ Improved web traffic visibility ๏ Cost effective web application development
- 12. 12 Amazon API Gateway ๏ Low cost and efficient ๏ Flexible security controls ๏ Run your APIs without servers ๏ Monitor APIs
- 13. AWS Security Best Practices Checklist (IAM) โข Avoid using AWS root account user access keys as it gives full access to all resources โข Make sure MFA authentication is enabled for the root account to provide two-factor authentication โข Assign individual IAM users with necessary permissions to enable login ensure User Accounts also have MFA authentication โข IAM Access Keys must be rotated at periodic intervals โข Ensure a strong password policy for users โข Assign permissions to users based on User Groups, instead of individual IAM users โข Provide access to a resource through IAM Roles โข Grant least access while creating IAM Policies, needed to perform the necessary actions โข Attach IAM Policies to Groups or Roles on creation โข If required, conditions can be defined for Policies under which access is granted to a resource โข Get rid of unnecessary IAM credentials, those with are inactive or unused use IAM Roles to grant access to applications on EC2 Instances 13
- 14. AWS Security Best Practices Checklist (S3) โขEnsure S3 buckets are not publicly accessible (public read or write permissions) โขMake use of object-level or bucket-level permissions in addition to IAM policies to grant access to resources โขEnable MFA Delete to prevent accidental deletion of buckets โขConsider encryption of stored data, which can be done in two ways server-side and client-side encryption โขEnable encryption of inbound and outbound data traffic, through SSL endpoints โขConfigure S3 lifecycle management through rule-based actions and use versioning to store and retrieve multiple versions of an object in a bucket, to deal with accidental deletions โขEnsure S3 access logging is enabled โขConstantly audit and monitor S3 buckets using CloudWatch 14
- 15. AWS Security Best Practices Checklist (EC2, VPC & EBS) โขEnsure data and disk volumes in EBS are encrypted with AES- 256, the industry standard algorithm โขRestrict access to instances from limited IP ranges using Security Groups limit the range of open ports on EC2 security groups, to prevent exposure to vulnerabilities โขEnsure ELBs have a valid security group attached to it โขMonitor and optimize default security groups, as they allow unrestricted access for inbound and outbound traffic โขEnsure restricted inbound access to SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, MSSQL, CIFS, etc; to required entities only โขUse IAM roles to grant access to EC2, instead of access keys for temporary requirements โขIf youโre using IAM user access keys for long term permissions, ensure that you donโt embed the keys directly into code, generate different keys for different applications, rotate your access keys, use MFA authentication and decommission unused key pairs. โขEnable and activate your VPC flow logs to record inbound and outbound traffic in your VPC for better monitoring and early diagnosis โขDelete unused Virtual Private Gateways and VPC Internet Gateways โขMake sure that no VPC endpoints are exposed, by checking the principal value in the policy โขEnsure no ACLs allow unrestricted inbound or outbound access 15
- 16. AWS Security Best Practices Checklist (CloudTrail) โขEnsure CloudTrail is activated across all regions, and for global services like IAM, STS, etc โขIt is recommended to log to a centralized S3 bucket โขMake sure both CloudTrail itself and CloudTrail logging are enable for all regions โขEnsure CloudTrail log file integrity validation is enabled โขEnsure CloudTrail log files are encrypted 16
- 17. 20 AWS Security Best Practices Checklist RDS โขEnsure RDS security groups do not allow unrestricted access โขEnsure encryption of the RDS instances and snapshots, using AES-256 level encryption โขProtect data in transit to RDS through SSL endpoints โขMonitor control to RDS using AWS KMS and Customer Managed Keys โขEnsure RDS database instances and snapshots are not publicly accessible โขEnable the auto minor upgrade feature for RDS
- 18. 21 AWS Security Best Practices Checklist Redshift โ โขEnable require_ssl parameter in all Redshift clusters to minimize risk for encryption of data in transit for Redshift, and to connect your SQL client with your cluster โขEnable Redshift Cluster encryption โขEnsure Redshift user activity logging is enabled โขEnsure Redshift encryption with KMS Customer Managed Keys โขIt is recommended that Redshift clusters are launched within a VPC for better control โขEnsure that the Redshift clusters are not publicly accessible
- 19. 22 VPC Security Best Practices โขPlan Your VPC before You Create It โขChoose the Highest CIDR Block โขUnique IP Address Range โขLeave the Default VPC Alone โขDesign for Region Expansion โขTier Your Subnets โขFollow the Least Privilege Principle โขKeep Most Resources in the Private Subnet
- 20. 23 IAM Security Best Practices โขDelete your root access keys โขEnforce MFA โขUse roles instead of users โขUse access advisor periodically โขDevelop a Zero Trust Approach to Security โขAutomate Onboarding and Offboarding โขUser Access review
- 21. 24 DATA Security Best Practices โขEncryption โขUse KMS โขRotate your keys โขClassify your data โขSecure data in transit โขS3 bucket permissions
- 22. 25 Servers Security Best Practices โขUse IAM roles for EC2 โขUse ELB โขSecurity group configuration โขUse Web Application Firewall (WAF) โขSecured access: โขBackup and recovery โขEC2 termination protection
- 23. 26 Application Security Best Practices โขUse web application firewall โขAmazon Inspector โขPenetration testing โขUtilize AWS security tools
- 24. 27 Monitoring in AWS AWS allows you to monitor all your resources in the cloud such as your servers and your AWS services, along with applications running on these services through its fully managed monitoring service AWS CloudWatch. AWS CloudWatch provide ๏ถ Metrics ๏ถ Dashboards ๏ถ Events ๏ถ Alarms ๏ถ Log monitoring