nnthanh101/sentiment-analysis

Security for the architecture


  • Identity and access management
  • Infrastructure Protection
  • Data Protection
  1. AWS Config
    https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html
    • Enable config rules
      • s3-account-level-public-access-blocks: Checks whether the required public access block settings are configured from account level. The rule is NON_COMPLIANT when the public access block settings are not configured from account level.
      • s3-bucket-public-read-prohibited: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      • s3-bucket-server-side-encryption-enabled: Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.
      • lambda-concurrency-check: Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with function-level concurrent execution limit.
      • iam-password-policy: Checks whether the account password policy for IAM users meets the specified requirements.
      • vpc-sg-open-only-to-authorized-ports: Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.
      • root-account-mfa-enabled: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
      • api-gw-execution-logging-enabled: Checks that all methods in an Amazon API Gateway stage have logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or if loggingLevel is neither ERROR nor INFO.
  2. S3 buckets:
    • Log to S3 bucket: our bucket receives configuration history and configuration snapshot files, which contain details for the resources that AWS Config records.
    • SNS: Stream configuration changes and notifications to an Amazon SNS topic.
  3. Enable CloudTrail
    https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html
  4. Enable GuardDuty
    https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#guardduty_enable-gd
  5. Deploy the ECS cluster in two private subnets
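To make the vpc-sg-open-only-to-authorized-ports rule from the list above concrete, here is an added example (not code from this repository or from AWS) that re-implements its check locally over security-group JSON in the shape EC2 DescribeSecurityGroups returns. The sample group and the authorised-port defaults are constructed assumptions; the function names are mine.

```python
"""Local re-implementation of the check behind the AWS Config managed rule
vpc-sg-open-only-to-authorized-ports (added example; sample data is
constructed, not taken from the project)."""

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _open_to_world(perm):
    """True if an inbound permission is reachable from any IPv4 or IPv6 address."""
    v4 = any(r.get("CidrIp") in OPEN_CIDRS for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in OPEN_CIDRS for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def evaluate_sg(sg, authorized_tcp=(443,), authorized_udp=()):
    """Return (compliance, offending) for one security group.

    Mirrors the rule parameters authorizedTcpPorts / authorizedUdpPorts: the
    group is NON_COMPLIANT if any world-open inbound rule exposes a TCP or UDP
    port outside the authorised lists. IpProtocol "-1" means every port.
    """
    offending = []
    for perm in sg.get("IpPermissions", []):
        if not _open_to_world(perm):
            continue  # only 0.0.0.0/0 and ::/0 rules are in scope
        proto = perm.get("IpProtocol")
        if proto == "-1":
            offending.append(("all", "0-65535"))
            continue
        if proto not in ("tcp", "udp"):
            continue  # e.g. icmp is not evaluated by this rule
        allowed = set(authorized_tcp if proto == "tcp" else authorized_udp)
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if any(p not in allowed for p in range(lo, hi + 1)):
            offending.append((proto, str(lo) if lo == hi else f"{lo}-{hi}"))
    return ("NON_COMPLIANT" if offending else "COMPLIANT"), offending


# Constructed sample: HTTPS open to the world is authorised, SSH is not,
# and the PostgreSQL rule is internal-only so it is ignored.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    print(evaluate_sg(SAMPLE_SG))  # ('NON_COMPLIANT', [('tcp', '22')])
```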

//Updating the CF template