11 AWS Cloud Security Best Practices
GET CLOUD FIT
DISABLE ROOT ACCOUNT API ACCESS KEYS
Create IAM admin users: at least 2, no more than 3 per
IAM group.
Grant those IAM users access to billing information and tools,
so the root user is not needed for day-to-day work.
Disable or, better, delete any API access keys that exist on
the AWS root user.
ENABLE MFA TOKENS EVERYWHERE
Rotating passwords too often: BAD
Using overly complicated passwords no one
remembers: BAD
Using Multi-factor Authentication: GOOD
REDUCE IAM USERS WITH ADMIN RIGHTS
For each user or application, ask:
How much access does it need in order to perform its tasks?
What is the risk if the key is lost or compromised?
Is there intellectual property or financial data
somewhere in that equation?
Could the result impact my revenue or reputation?
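Answering those questions starts with knowing which policies actually amount to admin rights. The script below is an added example (not from the deck, and not Evident.io code) that lints IAM policy documents for admin-equivalent statements: Action "*" on Resource "*", NotAction on Resource "*", and wildcards that cover privilege-escalation actions such as iam:AttachUserPolicy. The three policy documents are constructed for the example, and the escalation-action list is an assumption, representative rather than exhaustive.

```python
"""Lint IAM policy documents for admin-equivalent statements.

Added example, not code from the deck or from Evident.io. The policy
documents below are constructed so the script runs offline; in practice
feed it the "Document" field returned by `aws iam get-policy-version`
or `aws iam get-user-policy`.
"""
import fnmatch

# A representative (not exhaustive) set of actions that let a principal
# grant itself more access. Assumption: good enough to show the technique.
ESCALATION_ACTIONS = (
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:CreateAccessKey", "iam:PassRole",
)


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matched(patterns, action):
    """True if any policy Action pattern (e.g. 'iam:*') covers `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lint_policy(document):
    """Return human-readable findings for one policy document (a dict)."""
    findings = []
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        on_everything = "*" in resources
        if "*" in actions and on_everything:
            findings.append(f"statement {i}: full admin (Action '*' on Resource '*')")
            continue
        if stmt.get("NotAction") and on_everything:
            # "everything except X" is admin minus a few actions
            findings.append(f"statement {i}: NotAction on Resource '*' is admin-equivalent")
            continue
        escalation = [a for a in ESCALATION_ACTIONS if _matched(actions, a)]
        if escalation and on_everything and not stmt.get("Condition"):
            findings.append(
                f"statement {i}: privilege escalation possible via "
                + ", ".join(escalation)
            )
    return findings


# Constructed sample policies (not taken from any real account).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LOOKS_SCOPED_BUT_IS_NOT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"},
    ],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY),
                      ("ops-helper", LOOKS_SCOPED_BUT_IS_NOT),
                      ("uploader", LEAST_PRIVILEGE_POLICY)]:
        print(name, lint_policy(doc) or ["OK: no admin-equivalent statements"])
```

The "ops-helper" policy is the interesting case: it reads as a scoped operations policy, but `iam:*` on every resource lets its holder attach AdministratorAccess to themselves, so it counts as an admin user for the purposes of this slide.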
USE ROLES FOR AWS EC2
Reduce the surface area of attack: no long-lived access keys stored on the instance.
Temporary authentication credentials.
Automatically generated (and rotated) authentication credentials.
Auditable activity with CloudTrail.
Limited privilege: the role carries only what the instance needs.
DO NOT ALLOW 0.0.0.0/0 UNLESS YOU MEAN IT
STRENGTHEN S3 BUCKETS
CLOUDTRAIL & ENCRYPTION
USE AUTOSCALING TO COUNTER DDOS
USE IAM ROLES WITH AWS STS
Evident.io is the pioneer and leader in security and compliance automation for
public cloud. The Evident Security Platform (ESP) enables organizations of all sizes to
proactively manage cloud security risk, minimizing attack surface and improving
overall security posture, all from a single dashboard.
ESP continuously monitors an organization's entire cloud footprint for AWS and Azure,
identifying and assessing security risks, providing security staff with expert remediation
guidance, and enabling painless security auditing and compliance reporting. Built on
Amazon Web Services APIs, ESP is agent-less and can be deployed to even the most
complex environments in minutes.
7901 STONERIDGE DR., SUITE 150, PLEASANTON, CA 94588 • (855) 933-1337
COPYRIGHT © 2018 EVIDENT.IO, INC. ALL RIGHTS RESERVED.
LEAST PRIVILEGE
Only give minimal rights to do things on AWS...just
what is needed to accomplish tasks or actions. This
applies to:
IAM Users
IAM Groups
IAM Roles / Instance Profiles
Applications or Scripts
Become more secure AND simplify management.
ROTATE ALL KEYS REGULARLY
Rotate ALL credentials, passwords, and
API access keys on a regular basis.
Think of it as one of the cheapest and most effective
insurance policies on the AWS cloud.
DO NOT ALLOW 0.0.0.0/0 UNLESS YOU MEAN IT
Only allow access from the origin IP and port from which
you will administer your instance.
Only turn this on when needed and remove it when not.
This can all be scripted: if you are going through the
steps to admin an instance, factor in turning remote
access on and off so it is open "only when needed."
STRENGTHEN S3 BUCKETS
Don't let your S3 buckets atrophy. Ensure they are
configured properly and don't allow global access to
view, list, delete or put content.
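"Global access to view, list, delete or put" can arrive through either the bucket ACL or the bucket policy, so a check has to read both. The script below is an added example (not from the deck, not Evident.io code) that maps public ACL grants (AllUsers and AuthenticatedUsers) and public-principal policy statements onto exactly those four capabilities. The three buckets, the owner id and the VPC endpoint id are constructed for the example.

```python
"""Report what the world can do to an S3 bucket from its ACL and bucket policy.

Added example, not code from the deck or from Evident.io. Grants are in the
shape of `aws s3api get-bucket-acl`, policies in the shape of the decoded
`aws s3api get-bucket-policy` document; the data is constructed so the
script runs offline.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}   # "any AWS account" is still public

# The four capabilities the slide names, mapped from ACL permissions and actions.
ACL_CAPS = {"READ": {"list"}, "WRITE": {"put", "delete"},
            "FULL_CONTROL": {"view", "list", "put", "delete"}}
ACTION_CAPS = {"s3:GetObject": "view", "s3:ListBucket": "list",
               "s3:PutObject": "put", "s3:DeleteObject": "delete"}

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"}   # constructed placeholder owner

# Constructed sample buckets.
BUCKETS = {
    "public-website": {"Grants": [OWNER], "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-website/*"}]}},
    "atrophied-uploads": {"Grants": [
        OWNER,
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ], "Policy": None},
    "private-logs": {"Grants": [OWNER], "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::private-logs/*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::private-logs/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {"AWS": "*"} (or a list containing it) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_exposure(bucket):
    """Return {'exposed': sorted capabilities, 'conditional': n statements}."""
    exposed = set()
    conditional = 0
    for grant in bucket.get("Grants", []):
        if grant["Grantee"].get("URI") in PUBLIC_GRANTEES:
            exposed |= ACL_CAPS.get(grant["Permission"], set())
    policy = bucket.get("Policy") or {"Statement": []}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            conditional += 1   # e.g. aws:SourceVpce: not world-open, but review it
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action, cap in ACTION_CAPS.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    exposed.add(cap)
    return {"exposed": sorted(exposed), "conditional": conditional}


if __name__ == "__main__":
    for name, bucket in BUCKETS.items():
        print(f"{name:18} {public_exposure(bucket)}")
```

"atrophied-uploads" is the bucket the slide is warning about: nobody touched its policy, but an old ACL grant lets anyone with any AWS account list it and lets the whole internet write and delete in it. A conditional public statement, as on "private-logs", is reported separately because whether it is safe depends on the condition, not on the principal.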
CLOUDTRAIL & ENCRYPTION
Let's make this simple:
Logging, Logging, LOGGING.
Encrypt, Encrypt, ENCRYPT.