by Shawn Bower
As part of the Cloudification effort before deploying applications to the cloud we go through a rigorous security checklist.
- Network and security group (firewall) review
- Application scan/review mitigation suggestions
- Configuration of monitoring and logging
- Confidential data encryption
- Verification that root accounts are protected and limited in use
- Prod and non-prod application separation
- Mechanisms in place to quickly/easily grant access to ITSO incase of compromise
- Multi factor authentication for Developers and admins (anyone with Console access)
- Outbound transmission of data encrypted (ssl/apache)
After the application has been moved to the cloud it is important to stay vigilant and observe security best practices. At re:invent this last year a session was given on IAM Best Practices. You can also find detailed information on best practices on the AWS documentation site. Today I would like to take some time to point out a few key practices but I encourage folks to watch the presentation and read the IAM documentation thoroughly.
Do not use your AWS root account to access AWS.
Use Shibboleth integration to provide authorization through AD groups and to ensure MFA for all accounts to login to the AWS console. If you need programatic access through the API create IAM users to.
Grant least privilege.
Apply fine-grained permissions to ensure that IAM users have least privilege to perform only the tasks they need to perform. Start with a minimum set of permissions and grant additional permissions as necessary.
Enable logging of AWS API calls to gain greater visibility into users’ activity in your AWS resources. Turn on CloudTrail in all regions to ensure that all API access is logged. We provided a script that uses the AWS CLI to help with this process.
Rotate security credentials.
Change your own passwords and access keys regularly, and make sure that all IAM users in your AWS account do as well. You can apply a password policy to your AWS account to require all your IAM users to rotate their passwords, and you can choose how often they must do so. If a password is compromised without your knowledge, regular credential rotation limits how long that password can be used to access your AWS account.
Use IAM roles for Amazon EC2 instances.
Use IAM roles to manage credentials for your applications that run on EC2 instances. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials. Also, any changes you make to a role used for multiple instances are propagated to all such instances, again simplifying credential management.