AWS is a flexible, cost-effective, and easy-to-use cloud productivity platform. AWS provides a suite of productivity services that you can use to manage your business. This paper is targeted at customers’ internal security, risk and compliance teams and their external auditors who may have a need to assess the use of AWS.
This paper provides a checklist to support assessments of AWS based on the following domains:
- AWS Super Admins - Admin accounts come with elevated privileges, which makes them valuable targets for hackers and cyber criminals. Every developer or user on your network with administrative privileges adds to the risk of account compromise.
- AWS Identity Access Management - Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure. As a key component of your security architecture, it can help verify your users' identities before granting them the right level of access to workplace systems and information.
- AWS Resources - Customers are responsible for maintaining the security of anything they install or store on their internal storage or connect to their tenant. Secure management of your resources means knowing what resources your organization is using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to your resources (change management).
- AWS Chat & Conferences - Make sure your users are not vulnerable to meeting bombing, malicious links in a chat, and stolen meeting links. Making sure your videoconferencing is set up securely can help prevent these attacks from being successful.
- AWS Email Security - Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with email systems.
- AWS Certificates - SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.
- AWS Incident Response - Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
Automate your AWS ISO / PCI compliance process and prevent misconfiguration.
1. AWS Super Admins
Admin accounts come with elevated privileges, which makes them valuable targets for hackers and cyber criminals. Every developer or user on your network with administrative privileges adds to the risk of account compromise.
1.1. Admin Account Protection
Title | Action | Overview | Services |
---|---|---|---|
Root MFA Device | Ensures a multi-factor authentication device is enabled for the root account | The root user has unrestricted access to every resource in the account, so its sign-in should require a second factor in addition to the password. | AWS IAM |
2. AWS Identity Access Management
Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure. As a key component of your security architecture, it can help verify your users' identities before granting them the right level of access to workplace systems and information.
2.1. Secrets Protection
Title | Action | Overview | Services |
---|---|---|---|
Strong password policy | Enforce strong password policy | Passwords should have at least ten characters and include uppercase and lowercase letters, numbers, and symbols. | AWS IAM |
Password Expiration | Ensures password policy enforces a password expiration. | A strong password policy enforces minimum length, expirations, reuse, and symbol usage | AWS IAM |
2.2. Third Party Access
Title | Action | Overview | Services |
---|---|---|---|
Trusted Cross Account Roles | Ensures that only trusted cross-account IAM roles can be used. | IAM roles should be configured to allow access to trusted account IDs. | AWS IAM |
Cross-Account Access External ID and MFA | Detects whether cross-account roles require either MFA or an external ID when assumed. | IAM roles should be configured to require either a shared external ID or use of an MFA device when assuming the role. | AWS IAM |
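The two checks above can be run against a role's trust policy. The following is an added example, not code from the original checklist: it takes the document that iam:GetRole returns as AssumeRolePolicyDocument (here a constructed sample with placeholder account IDs), reports principal accounts outside a trusted set, and reports statements that lack both an sts:ExternalId and an aws:MultiFactorAuthPresent condition.

```python
import json

# Constructed sample trust policy in the shape iam:GetRole returns as the role's
# AssumeRolePolicyDocument (account IDs and the external ID are placeholders).
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",   # trusted partner, pinned by ExternalId
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",   # unknown account, no ExternalId, no MFA
     "Principal": {"AWS": "222222222222"}},
]})

def principal_accounts(principal):
    """Account IDs (or '*') named in a statement's AWS principal element."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    accounts = set()
    for value in [values] if isinstance(values, str) else values:
        if value == "*":
            accounts.add("*")
        elif value.startswith("arn:aws:iam::"):
            accounts.add(value.split(":")[4])
        elif value.isdigit() and len(value) == 12:
            accounts.add(value)
    return accounts

def requires_external_id_or_mfa(statement):
    """True when a condition key pins the caller to an ExternalId or to an MFA session."""
    return any(key.lower() in ("sts:externalid", "aws:multifactorauthpresent")
               for keys in statement.get("Condition", {}).values() for key in keys)

def review_trust_policy(policy_json, own_account, trusted_accounts):
    """Findings for Allow sts:AssumeRole statements that grant other accounts access."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a.lower() in ("sts:assumerole", "sts:*") for a in actions):
            continue
        for account in sorted(principal_accounts(stmt.get("Principal", {})) - {own_account}):
            if account not in trusted_accounts:
                findings.append(f"untrusted principal account {account}")
            if not requires_external_id_or_mfa(stmt):
                findings.append(f"account {account} may assume the role without ExternalId or MFA")
    return findings

if __name__ == "__main__":
    for finding in review_trust_policy(SAMPLE_TRUST_POLICY, "999999999999", {"111111111111"}):
        print("FINDING:", finding)
```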
2.3. Access Keys
Title | Action | Overview | Services |
---|---|---|---|
Access Keys Extra | Detects the use of more than one access key by any single user. | Having more than one access key for a single user increases the chance of accidental exposure. Each IAM user should have at most one active access key. | AWS IAM |
3. AWS Resources
Customers are responsible for maintaining the security of anything they install or store on their internal storage or connect to their tenant. Secure management of your resources means knowing what resources your organization is using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to your resources (change management).
3.1. Computing
Title | Action | Overview | Services |
---|---|---|---|
Open SSH in EC2 | Determine if TCP port 22 for SSH is open to the public | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses. | AWS EC2 |
Open MySQL | Detects if TCP port 4333 or 3306 for MySQL is open to the public | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MySQL should be restricted to known IP addresses. | AWS EC2 |
Open PostgreSQL | Detects if TCP port 5432 for PostgreSQL is open to the public | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as PostgreSQL should be restricted to known IP addresses. | AWS EC2 |
Unassociated Elastic IP Addresses | Detects Elastic IPs that are allocated but not associated with any resource, to avoid accidental use or reuse and to save costs | EIPs should be released if they are not in use to avoid extra charges. | AWS EC2 |
Public IP Address EC2 Instances | Detects EC2 instances that have a public IP address attached | EC2 instances should not have a public IP address attached, in order to block public access to the instances. | AWS EC2 |
ELB HTTPS Only | Detects if ELBs are configured to accept connections only on HTTPS ports | For maximum security, ELBs can be configured to accept only HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and does not rely on a redirect from HTTP. | AWS ELB |
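The three open-port checks above (SSH, MySQL, PostgreSQL) share one piece of logic: is a sensitive port reachable from 0.0.0.0/0 or ::/0? The following added example, not code from the original checklist, runs that logic over a constructed sample in the shape of ec2:DescribeSecurityGroups output (placeholder group IDs and ranges). It also handles the two cases a naive port-equality check misses: a wide port range that happens to include 3306, and an all-traffic (`-1`) rule that carries no port keys at all.

```python
# Constructed sample in the shape of ec2:DescribeSecurityGroups output
# (group IDs and CIDR ranges are placeholders).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,      # public HTTPS: expected
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # SSH from one known range: fine
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,    # wide range quietly covers 3306
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],  # all traffic from anywhere
         "Ipv6Ranges": []}]},
]

# Services named on the checklist and the ports each check inspects.
SENSITIVE_PORTS = {"SSH": {22}, "MySQL": {3306, 4333}, "PostgreSQL": {5432}}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_is_public(rule):
    """True if the rule's IPv4 or IPv6 sources include the whole Internet."""
    sources = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(cidr in PUBLIC_CIDRS for cidr in sources)

def rule_covers_port(rule, port):
    """True if the rule admits TCP on the port; protocol -1 means all traffic and has no port keys."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def find_open_sensitive_ports(security_groups):
    """(group_id, service, port) for each sensitive port reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for group in security_groups:
        public_rules = [r for r in group.get("IpPermissions", []) if rule_is_public(r)]
        for service, ports in SENSITIVE_PORTS.items():
            for port in sorted(ports):
                if any(rule_covers_port(r, port) for r in public_rules):
                    findings.append((group["GroupId"], service, port))
    return findings

if __name__ == "__main__":
    for group_id, service, port in find_open_sensitive_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {service} port {port} is open to the public")
```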
3.2. S3 Storage
Title | Action | Overview | Services |
---|---|---|---|
S3 Bucket Versioning | Detects whether object versioning is enabled on S3 buckets | S3 bucket versioning keeps every version of an object, so accidentally deleted or overwritten objects can be recovered. | AWS S3 |
S3 Bucket Lifecycle Configuration | Detects if S3 buckets have lifecycle configuration enabled to automatically transition S3 bucket objects. | S3 bucket should have lifecycle configuration enabled to automatically downgrade the storage class for your objects. | AWS S3 |
S3 Bucket Encryption | Detects whether default object encryption is enabled on S3 buckets | S3 object encryption provides fully managed encryption of all objects uploaded to an S3 bucket. | AWS S3 |
S3 Bucket All Users Policy | Detects S3 bucket policies that allow global write | S3 buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted to known users or accounts only. | AWS S3 |
S3 Bucket All Users ACL | Detects S3 bucket ACLs that allow global write | S3 buckets can be configured to allow anyone, regardless of whether they are an AWS user or not, to write objects to a bucket or delete objects. This option should not be configured unless there is a strong business requirement. | AWS S3 |
S3 Bucket Logging | Detects if S3 bucket logging is enabled for S3 buckets | S3 bucket logging helps maintain an audit trail of access that can be used in the event of a security incident. | AWS S3 |
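The two "All Users" rows above look at different mechanisms: the bucket policy (a wildcard Principal granting write actions) and the bucket ACL (a grant to the AllUsers group). This added example, not code from the original checklist, evaluates constructed samples in the shapes returned by s3:GetBucketPolicy and s3:GetBucketAcl (placeholder bucket name and canonical ID) and reports the statements and grants that give anyone write access.

```python
import json

# Constructed samples in the shapes returned by s3:GetBucketPolicy (the Policy string)
# and s3:GetBucketAcl (the Grants list); bucket name and canonical ID are placeholders.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",             # anonymous read only
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "GlobalWrite", "Effect": "Allow", "Principal": {"AWS": "*"},   # anonymous write: finding
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})
SAMPLE_BUCKET_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},                                               # anyone may write/delete
]

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
WRITE_ACTION_PREFIXES = ("s3:put", "s3:delete", "s3:*")

def is_global_principal(principal):
    """True for the wildcard principal, in either of the forms a bucket policy may use."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))

def is_write_action(action):
    """True for actions that create, overwrite or delete objects (wildcards included)."""
    action = action.lower()
    return action == "*" or any(action.startswith(p) for p in WRITE_ACTION_PREFIXES)

def policy_global_write_sids(policy_json):
    """Sids of Allow statements that let any principal write or delete in the bucket.
    Statements carrying a Condition are still reported: whether the condition narrows
    the grant enough is a manual review decision."""
    sids = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and is_global_principal(stmt.get("Principal"))
                and any(is_write_action(a) for a in actions)):
            sids.append(stmt.get("Sid", f"statement-{i}"))
    return sids

def acl_global_write_grants(grants):
    """ACL permissions held by the AllUsers group that allow writing objects or the ACL itself."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") == ALL_USERS_URI
            and g["Permission"] in ("WRITE", "WRITE_ACP", "FULL_CONTROL")]

if __name__ == "__main__":
    print("policy statements allowing global write:", policy_global_write_sids(SAMPLE_BUCKET_POLICY))
    print("ACL grants giving AllUsers write access:", acl_global_write_grants(SAMPLE_BUCKET_ACL))
```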
4. AWS Chat & Conferences
Make sure your users are not vulnerable to meeting bombing, malicious links in a chat, and stolen meeting links. Making sure your videoconferencing is set up securely can help prevent these attacks from being successful.
5. AWS Email Security
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with email systems.
6. AWS Certificates
SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.
6.1. ACM Validation & Expiration
Title | Action | Overview | Services |
---|---|---|---|
ACM Certificate Expiry | Detect upcoming expiration of ACM certificates | Certificates that have expired will trigger warnings in all major browsers. AWS will attempt to automatically renew the certificate but may be unable to do so if email or DNS validation cannot be confirmed. | AWS ACM |
ACM Certificate Validation | Detects if ACM certificates are not configured to use DNS validation | With DNS validation, ACM will automatically renew certificates before they expire, as long as the DNS CNAME record is in place. | AWS ACM |
7. AWS Incident Response
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
7.1. Security Notifications & Alerting
Title | Action | Overview | Services |
---|---|---|---|
CloudTrail Enabled | Detects if CloudTrail is enabled for all regions within an account | CloudTrail should be enabled for all regions in order to detect suspicious activity in regions that are not typically used. | AWS CloudTrail |
7.2. Detecting Vulnerabilities & Misconfiguration
Title | Action | Overview | Services |
---|---|---|---|
Config Service Enabled | Detects if AWS Config Service is enabled to detect changes to account resources | The AWS Config Service tracks changes to a number of resources in an AWS account and is invaluable in determining how account changes affect other resources and in recovery in the event of an account intrusion or accidental configuration change. | AWS ConfigService |
GuardDuty is Enabled | Ensures GuardDuty is enabled | GuardDuty provides threat intelligence by analyzing several AWS data sources for security risks and should be enabled in all accounts. | AWS GuardDuty |
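The three enablement checks in 7.1 and 7.2 (CloudTrail in all regions, AWS Config recorder, GuardDuty) are easy to get subtly wrong: a multi-region trail that exists but has logging stopped satisfies a naive "trail exists" test. This added example, not code from the original checklist, evaluates constructed samples in the shapes of cloudtrail:DescribeTrails and GetTrailStatus, config:DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus, and guardduty:GetDetector (placeholder names), and requires the resource to be both present and active. GuardDuty detectors are per region, so the last check is meant to run once per region.

```python
# Constructed samples in the shapes of cloudtrail:DescribeTrails and GetTrailStatus,
# config:DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus, and
# guardduty:GetDetector (trail and recorder names are placeholders).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "HomeRegion": "eu-west-1"},
]
SAMPLE_TRAIL_STATUS = {"org-trail": {"IsLogging": False}, "legacy-trail": {"IsLogging": True}}
SAMPLE_RECORDERS = [{"name": "default", "recordingGroup": {"allSupported": True}}]
SAMPLE_RECORDER_STATUS = [{"name": "default", "recording": False}]
SAMPLE_DETECTORS = {}   # GetDetector results keyed by detector ID; empty means none exists

def check_cloudtrail(trails, status_by_name):
    """Findings unless at least one multi-region trail is actively logging."""
    findings, active_multi_region = [], False
    for trail in trails:
        logging = status_by_name.get(trail["Name"], {}).get("IsLogging", False)
        if not logging:
            findings.append(f"trail {trail['Name']} exists but is not logging")
        elif trail.get("IsMultiRegionTrail"):
            active_multi_region = True
    if not active_multi_region:
        findings.append("no multi-region trail is logging, so activity in unused regions goes unrecorded")
    return findings

def check_config(recorders, statuses):
    """Findings unless a recorder is turned on and records all supported resource types."""
    recording = {s["name"] for s in statuses if s.get("recording")}
    for recorder in recorders:
        if recorder["name"] in recording and recorder.get("recordingGroup", {}).get("allSupported"):
            return []
    return ["no AWS Config recorder is on and recording all supported resource types"]

def check_guardduty(detectors):
    """Findings unless at least one GuardDuty detector reports Status ENABLED."""
    if any(d.get("Status") == "ENABLED" for d in detectors.values()):
        return []
    return ["GuardDuty has no enabled detector in this region"]

def run_all(trails, trail_status, recorders, recorder_status, detectors):
    """All findings from the three enablement checks, in checklist order."""
    return (check_cloudtrail(trails, trail_status) + check_config(recorders, recorder_status)
            + check_guardduty(detectors))

if __name__ == "__main__":
    for finding in run_all(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS, SAMPLE_RECORDERS,
                           SAMPLE_RECORDER_STATUS, SAMPLE_DETECTORS):
        print("FINDING:", finding)
```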