AWS Security Configuration Checklist

By on Aug 27, 2018

Amazon Web Services (AWS), the leader in the public cloud infrastructure-as-a-service (IaaS) market, offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. According to Amazon, over one million active AWS customers are reaping the cost and productivity advantages they have to offer.

Like most cloud providers, AWS operates under a shared responsibility model. AWS takes care of security ‘of’ the cloud while AWS customers are responsible for security ‘in’ the cloud. This means customers wholly own the responsibility of ensuring that AWS services are configured in a secure manner. The recent spate of misconfigured AWS S3 buckets is just one example of what could happen when customers ignore their cloud security responsibility.

To help customers fulfill their end of AWS’s shared security responsibility, we’ve published a 51-point security checklist (Download your copy here) that AWS customers should follow to ensure that AWS services are configured to the highest level of security.

Amazon’s responsibility

Since Amazon can’t fully control how AWS is used by its customers, they have focused on the security of AWS infrastructure, including protecting its computing, storage, networking, and database services against intrusions. Amazon is responsible for the security of the software, hardware, and the physical facilities that host AWS services. Amazon also takes responsibility for the security configuration of its managed services such as Amazon DynamoDB, RDS, Redshift, Elastic MapReduce, WorkSpaces, and others.

Download the full checklist

Download to learn about AWS security challenges, and a comprehensive checklist to ensure your AWS environment is configured securely

Download Now

Customer’s responsibility

AWS customers are responsible for secure usage of AWS services that are considered unmanaged. For example, while Amazon has built several layers of security features to prevent unauthorized access to AWS, including multifactor authentication, it is the responsibility of the customer to make sure multifactor authentication is turned on for users, particularly for those with the most extensive IAM permissions in AWS.

Furthermore, the default security settings of AWS services are often the least secure. Correcting misconfigured AWS security settings, therefore is a low hanging fruit that organizations should prioritize in order to fulfill their end of AWS security responsibility.

Here is a sample of AWS configuration checklist security experts recommend you follow:

  1. Enable CloudTrail logging across all AWS
  2. Turn on CloudTrail log file validation
  3. Enable CloudTrail multi-region logging
  4. Require multifactor authentication (MFA) to delete CloudTrail buckets
  5. Turn on MFA for the “root” account
  6. Minimize or completely avoid using the “root’ account
  7. Ensure S3 buckets don’t have public write permissions
  8. Ensure S3 buckets containing sensitive data don’t have public read permissions
  9. Encrypt Elastic Block Store (EBS) database
  10. Disallow unrestricted ingress access on uncommon ports

Download the complete checklist here

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs