ComplyScore manages third-party information security assessments on behalf of its clients. We have developed the following checklist for vendors that host on AWS and are making it available for community use. You can use it for free for your own purposes. If you distribute it, you are required to preserve the ComplyScore logo. Visit https://www.complyscore.com/ to learn more about vendor risk assessment and vendor risk management.
AWS InfoSec Implementation: Best Practices Checklist

ComplyScore manages third-party assessments to take the hassle of vendor assessments away from its clients. The service is tailored to specific needs and quickly identifies, tracks, and measures all integral vendors to ensure the services they provide to your organization are secure. This checklist helps you assess the best practices implemented by a vendor and evaluate their internal AWS implementation.

Security of Root Account
- Disable root API access
- Delete the root access key (access key ID and secret access key) if one was created
- Do not use the root account to manage the AWS environment
- Set up an alert that fires when the root account is used
- Set up MFA for the root account

Access Management
- Rotate access keys at least once every 90 days
- Enable MFA for all accounts that have console access or access to system administration functions
- Assign a unique IAM user name to each user
- Attach IAM policies only to groups or roles
- Assign permissions to IAM users strictly through groups
- Run applications on EC2 instances using IAM roles

https://complyscore.com/ | 609-256-4579 | admin@complyscore.com
Network
- No security group should allow ingress from 0.0.0.0/0 to port 22
- No security group should allow ingress from 0.0.0.0/0 to port 3389
- Use security groups to control inbound and outbound traffic

Monitoring, Encryption & Other Controls
- Monitor activity in your AWS account
- Enable logging for all resources
- Integrate CloudTrail with CloudWatch Logs
- Enable AWS Config in all regions
- Encrypt CloudTrail logs at rest using KMS CMKs
- Rotate customer-created CMKs
- Enable S3 bucket access logging
- Enable VPC Flow Logging
- Deny public access to S3 buckets [Many breaches were reported in this category]
- Enable server-side encryption (SSE) to encrypt sensitive data
- Encrypt inbound and outbound S3 traffic
- Conduct a risk assessment of the AWS environment
- Maintain a structured asset library for AWS using AWS Config [We regularly find that vendors do not have a formal asset library for AWS]
- Maintain a cross-reference between policies and user counts. This will highlight areas where a sensitive policy has been overused
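The two Network items above are easy to check mechanically, but a naive check that looks only for "port 22" misses rules that cover 22 through a port range, an all-protocols (-1) rule, or an IPv6 any-source (::/0). The following is an added example, not ComplyScore's code: it evaluates security groups in the shape that boto3's ec2.describe_security_groups() returns, using constructed sample groups so it runs offline.

```python
# Added example (not ComplyScore's code): flag security groups that allow
# ingress from anywhere to SSH (22) or RDP (3389). Input has the shape of
# boto3 ec2.describe_security_groups(); SAMPLE_GROUPS is constructed.

WATCHED_PORTS = {22: "SSH", 3389: "RDP"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        # a port range 0-1024 covers 22 even though 22 is never named
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # RDP restricted to a private range: not a finding
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        # IpProtocol -1 = all traffic on all ports; no From/ToPort keys;
        # an IPv6 any-source (::/0) is the same exposure as 0.0.0.0/0
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def rule_covers_port(perm, port):
    """True if an IpPermission entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_open_to_world(perm):
    """True if the source includes any-IPv4 (0.0.0.0/0) or any-IPv6 (::/0)."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def find_exposed(groups):
    """Return sorted (GroupId, port, service) for each world-open SSH/RDP rule."""
    findings = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if rule_open_to_world(perm):
                for port, name in WATCHED_PORTS.items():
                    if rule_covers_port(perm, port):
                        findings.add((sg["GroupId"], port, name))
    return sorted(findings)
```

On a real account, pass the "SecurityGroups" list from describe_security_groups() (paginated across every region in use) to find_exposed() in place of SAMPLE_GROUPS.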
Alarms
Enabling alarms on sensitive events is critical to securing the environment. Alarms should be enabled for the following events:
- Unauthorized API calls
- Management Console sign-in without MFA
- Usage of the 'root' account
- IAM policy changes
- Configuration changes
- Disabling or scheduled deletion of customer-created keys
- Storage policy changes
- Security group changes
- Changes to Network Access Control Lists
- Changes to network gateways
- Route table changes

AWS offers multiple tools to manage security. An assessment of which tools are used gives a good indication of the vendor's security posture.
- Resource configuration: AWS Config, AWS Trusted Advisor
- User activities: CloudTrail, CloudWatch
- Network traffic: VPC Flow Logs
- Host vulnerabilities/activities: Amazon Inspector, GuardDuty