/AWS_Security_Checklist

AWS security checklist for myself

Security Checklist

Web application instances

  • Are in a private subnet to block the incoming internet connection

  • Can’t be sshed from outside of the private network.

  • Allow only requests from specific local Ip range

  • All web instances have well defined security groups and there is no open ports to the world.

  • Instances has no ssh keys and has only one key in ~/.ssh/authorizedkeys

Nat Gateway

  • In a public network.

  • Can not be pinged

  • Can not be sshed

Security Groups

  • All security groups are well defined and well named

  • Any irrelevant security group has to be removed

Load Balancer

  • There is a security group just for load balancer

IAM & AWS Credentials & Keys

  • Production & staging SSH keys has to be secured with a passphrase.

  • Every AWS user has different credentials and well defined policies

  • AWS Keys has to be rotated at least in every 6 months. Add a calendar entry that repeats every 6 months.

  • AWS Root key has to be protected well. If no need to use. The access key has to be deleted from AWS panel.

  • Root account shouldn’t be used just to access to AWS. Create an individual AWS account for yourself (as manager)

  • Check every AWS user has MFA

  • Require users to create strong passwords. Check the related setting for this requirement. docs.aws.amazon.com

  • Check and delete unnecessary keys

  • Encrypt ~/.aws/credentials file in your local

CloudTrail

  • is active

  • Check the latest CloudTrail archive date on S3

S3

  • Check if the sensitive files encrypted at S3

Database

  • Check if data encryption is enabled on MongoDb

Threat Modelling

  • Configure Guard​Duty with proper notification channels.