We are here to guide clients on how to completely fulfill their responsibility of securing AWS platform. Amazon cloud storage services’ customers can use and implement AWS security configuration checklists to assure that the offered services are settled at the highest security level.
Amazon Web Services (AWS) – Nowadays is considered as the leader in the market of public cloud IaaS. It offers a wide range of global compute, database, applications, analytics, storage, and deployment services, which enables companies to move quickly, lower IT finances, and scale applications. According to Amazon’s point of view, around one million active AWS clients are taking full benefits of productivity and cost they provide.
Like most CSPs, AWS operates under the shared responsibility infrastructure. The service takes care of security OF the cloud platform while the clients have the duty for security IN the cloud. This clearly states that clients completely own the duty of assuring that AWS services are defined in a protective manner. The current batch of misconfigured buckets in AWS S3 is only a single example of what can be done when clients avoid their cyber security duties.
Firstly, Let’s Talk About Service Provider’s Duty
It is not possible for Amazon vendor to completely track the way clients use its services. This is the reason due to which customers have to concentrate on AWS infrastructure security, comprising of securing its storage, computing, database, and networking services against intrusions. The cloud service provider is responsible for safeguarding hardware components, software, and the physical facilities, which host AWS services. Also, Amazon service takes its own responsibility of securing configuration of its managed services like Amazon RDS, WorkSpaces, Redshift, etc.
Now, Let’s Talk About Role of Customers
Customers have the major duty of securing use of AWS services, which are commonly considered as unmanaged. For example – while Amazon has developed multiple security layers’ features to stop unauthorized access to AWS, comprising of MFA; now its the role of a client to ensure that MFA feature is activated in his or her account. It is so because by default, multifactor authentication option in AWS is deactivated. Furthermore, the already available default settings of Amazon web services are often the least secure. Making corrections in misconfiguration of AWS security settings hence, is a low fruit that companies should prioritize for fulfilling their end of security responsibility.
Time to Begin With AWS Security Configuration Checklists
Amazon service vendor had invested much on building a strong set of protective tools for its clients to use its services globally. Now it is up to the clients to create the most of these in-built capabilities. Following listed are top twenty best measures that are recommended by experts to secure AWS services:
- Activate CloudTrail logging across entire AWS
- Turn on the multi-region logging of CloudTrail
- Activate the access to CloudTrail S3 buckets’ log
- Activate the access to Elastic Load Balancer log
- Demand for MFA to remove CloudTrail buckets
- Reuse keys of IAM access, and define on chosen days
- Enable IAM client to work in multi-mode
- Append IAM standards to roles or groups
- Consolidate CloudTrail with CloudWatch
- Set 90 days password expiration period
- Enable validation of CloudTrail log file
- Begin auditing of Redshift logging
- Turn on the logging of VPC workflow
- Activate MFA for the main account
- Enable MFA for the users’ account
- Setup a strict password standard
- Avoid use of SSL/TLS certificate
- Encrypt log files of CloudTrail at rest
- Ignore the use of root user tenants
- Use secure SSL ciphers and versions
Top 20 AWS security configuration checklists are provided in this post. Administrators of the account can implement them with the strong intention of securing their tenant from data breaches. Stay cybersafe, and take best use of AWS services for the business growth!