Practical Checklist for AWS Cloud Security Engineers

~ goody
12 min read · Jul 16, 2024


Hi there👋,

Thanks for checking this blog post out. In this blog, I compiled resources on the AWS security checklist expected of a cloud security engineer and other interesting resources related to cloud security.

If you haven’t checked out my previous blog post on “Practical Steps to Starting a Career in Cloud Security — 2024 (RoadMap)”, feel free to check that out.

Disclaimer

This information is shared for educational and knowledge-sharing purposes regarding AWS security. The content is sourced from various references, with all rights and credits reserved for the respective owners.

The rapid growth of cloud computing adoption has been driven by the need for scalability, flexibility, and efficiency in software and application development. Among top cloud service providers, Amazon Web Services (AWS) stands out as a leader, alongside Microsoft Azure and Google Cloud Platform (GCP). AWS’s comprehensive services and robust infrastructure attract businesses of all sizes, from startups to large enterprises, for its reliable computing power, scalable storage, and advanced machine learning and AI capabilities. This widespread adoption highlights AWS’s significant impact on transforming business operations in the digital age. (Source: AWS Cloud Adoption Framework (AWS CAF).)

It’s your responsibility as a cloud security engineer 👨‍💻, whether working individually or as part of a team, to continuously adhere to AWS security best practices and conduct regular reviews to safeguard cloud configurations and applications from potential cloud threats. By proactively managing cloud security, you enable your organization to stay ahead of threat actors and protect data and applications from potential breaches, while ensuring compliance with relevant laws and regulations.

This proactive approach strengthens an organization’s security posture in the AWS cloud environment. Regular security audits, threat assessments, and keeping up with the latest security trends and AWS updates are crucial for maintaining robust cloud security.

Inside Jokes 😂

Cloud Security Periodic Table by Wiz.

Download Here

AWS Security Checklist For Beginners

If you are new to AWS security, here is a checklist of items to note and configure:

Security Disclaimer: The AWS root account should not be used for regular activities. This account has unrestricted access to your AWS environment, making it highly sensitive.

On the AWS ROOT Account

  • [ ] Store the root account credentials securely and do not share them.
  • [ ] Only use the root account for tasks that specifically require root privileges, such as managing billing information or changing account settings.
  • [ ] Set up MFA on the root account and customize the account password policy.
  • [ ] Create an IAM user with AdministratorAccess for web console access, and assign permissions based on the principle of least privilege.
  • [ ] Set up a Budget and a CloudWatch billing alarm (billing alerts must be enabled in the billing preferences first).
  • [ ] Regularly monitor root account activity. Turn on CloudTrail, GuardDuty, and IAM Access Analyzer for all accounts and send their logs and alerts to the Security account.

On IAM USER with Administrator-Access

  • [ ] Set up MFA.
  • [ ] Enable AWS Organizations (do not enable Organizations or Control Tower from a workload account).
  • [ ] Use the AWS Account Inventory template below to keep track of your cloud environment.
  • [ ] Create OUs (Organizational Units) based on company requirements and update the Account Inventory template.
  • [ ] In AWS Organizations, create AWS accounts or invite existing accounts and add them to an OU.
  • [ ] Set up IAM Identity Center (successor to AWS Single Sign-On): create users, add them to groups, and assign each group or user to the AWS accounts under an OU.

Example: In AWS Organizations, an OU containing a Development account is created. Next, two users are created and added to a group called “Dev-Team”, which is attached to the permissions needed for development work. The group “Dev-Team” is then assigned to the Development account under that OU. As a result, the users in the group have access ONLY to the AWS account under the Development OU.

  • [ ] Apply SCPs (Service Control Policies) to OUs based on the principle of least privilege.

AWS Security Maturity Roadmap by Scott Piper

Check the AWS Security Maturity Roadmap for a full description of each Checklist Stage below.

If you are new to cloud security, you can start with SLAW: one cloudsec lab, 15–30 minutes, every week. It covers the stages listed below.

The table below can be used by cloud security engineers for managing and tracking AWS accounts within an organization.

Stage 1: Inventory

  • [ ] Identify all AWS accounts in the company and their points of contact.
  • [ ] Integrate AWS accounts into AWS Organizations.
  • [ ] Ensure all account root emails are on distribution lists.
  • [ ] Opt-out of AI services using your data.
  • [ ] Have an AWS account for Security.
  • [ ] Create budget alarms.

Stage 2: Have backups

  • [ ] Create regular backups with the AWS Backup service and S3 replication policies

Stage 3: Visibility and Initial Remediation

  • [ ] Turn on CloudTrail, GuardDuty, and Access Analyzer for all accounts to send their logs and alerts to the Security account.
  • [ ] Create an IAM role in every account that grants view access into the account from the Security account.
  • [ ] Run a one-time scanning tool to identify tactical remediations.
  • [ ] Turn on S3 Public Block Access.
  • [ ] Develop an account initialization script and a new account creation process.
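One shape the Stage 3 “view access” role can take, as an added example rather than code from the roadmap or this post: a CloudFormation template, deployable to every account through StackSets as part of the account initialization step, that creates a fixed-name read-only role trusting a single role in the Security account. The role name SecurityReviewRole, the SecurityAuditor role name in the Security account, and the SecurityAccountId parameter are assumptions; the two managed policies are AWS-provided.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Read-only security review role for every member account (added example)",
  "Parameters": {
    "SecurityAccountId": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{12}$",
      "Description": "Account ID of the dedicated Security account (assumed value supplied at deploy time)"
    }
  },
  "Resources": {
    "SecurityReviewRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "SecurityReviewRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Sub": "arn:aws:iam::${SecurityAccountId}:role/SecurityAuditor" }
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
          "arn:aws:iam::aws:policy/SecurityAudit"
        ],
        "MaxSessionDuration": 3600
      }
    }
  }
}
```

A fixed RoleName lets the Security account assume the same ARN pattern in every account; trusting one named role rather than the account root keeps the set of principals that can read the account small and auditable.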

Stage 4: Detection

  • [ ] Send alerts to a ticketing system. (Most companies create a CloudWatch Events / EventBridge rule that sends the alerts to an SNS topic, which forwards them as email or a Slack message.)
  • [ ] Enable investigation of the collected logs.
  • [ ] Perform regular scanning of the accounts for security issues.
  • [ ] Document your security guidelines for your company.
  • [ ] Consider turning on other logging sources.

Stage 5: Secure IAM access

  • [ ] Use SSO for access.
  • [ ] Remove all IAM users.
  • [ ] Remove all unused IAM roles.
  • [ ] Reduce the privileges of service roles to necessary services.
  • [ ] Implement pre-commit hooks for secret detection.
  • [ ] Plan how accounts will be connected.

Stage 6: Reduce attack surface and mitigate compromises

  • [ ] Apply SCPs.
  • [ ] Have no publicly facing EC2s or S3 buckets.
  • [ ] Enforce IMDSv2 on all EC2s

The SCPs to apply should include the items below.

Check the linked page for more SCP samples.

  • [ ] Deny root user access
  • [ ] Allow only approved regions.
  • [ ] Allow only approved services.
  • [ ] Deny ability to create IAM access keys.
  • [ ] Require the use of IMDSv2.
  • [ ] Deny ability to leave Organization.
  • [ ] Deny ability to make a VPC accessible from the Internet that isn’t already for specific accounts.
  • [ ] Deny ability to disrupt GuardDuty, Access Analyzer, CloudTrail, S3 Public Block Access, and other security services.
  • [ ] Deny ability to disrupt CloudWatch Event collection or other aspects of your monitoring and alerting pipeline.
  • [ ] Deny ability to modify important IAM roles, such as one used for Stack Sets, incident response, or vendors performing monitoring.
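The SCP items above collected into one policy, as an added example that is not from the roadmap or this post. The approved-region list, the SecurityAdmin role name exempted from the protection statement, and the abbreviated NotAction list of global services are assumptions; AWS’s published region-restriction sample carries the full list of global services that must be excluded.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } }
    },
    {
      "Sid": "DenyLeaveOrgAndIamAccessKeys",
      "Effect": "Deny",
      "Action": ["organizations:LeaveOrganization", "iam:CreateAccessKey"],
      "Resource": "*"
    },
    {
      "Sid": "RequireImdsV2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringNotEquals": { "ec2:MetadataHttpTokens": "required" } }
    },
    {
      "Sid": "ProtectSecurityServices",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail",
        "guardduty:DeleteDetector", "guardduty:UpdateDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "access-analyzer:DeleteAnalyzer",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": { "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdmin" } }
    },
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*", "budgets:*",
        "cloudfront:*", "route53:*", "health:*", "kms:*", "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": { "StringNotEquals": { "aws:RequestedRegion": ["us-east-1", "eu-west-1"] } }
    }
  ]
}
```

Attach it to workload OUs, not the management account (SCPs never apply there), and complete the NotAction list before enabling the region statement or global services such as billing will break. The IMDSv2 statement only covers new launches; ec2:ModifyInstanceMetadataOptions should be restricted separately so existing instances cannot be switched back to IMDSv1.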

Stage 7: Reproducibility and ownership

  • [ ] Use Infrastructure as Code.
  • [ ] Control AMI and package sourcing.
  • [ ] Apply tagging strategy

Stage 8: Enhance detection and least privilege refinement

  • [ ] Implement real-time monitoring.
  • [ ] Implement automated remediation.
  • [ ] Refine IAM policies.
  • [ ] Deploy honey tokens

Stage 9: Secure network communications

  • [ ] Move all non-public network resources into private subnets and proxy outbound requests so you can filter and block them
  • [ ] Restrict egress network traffic

Stage 10: Incident preparation

  • [ ] Limit the blast radius of incidents.
  • [ ] Practice responding to incidents

AWS Security Maturity Model

Mastering AWS Cloud Security: A Practical 6-Step Checklist

https://www.getastra.com/blog/cloud/aws/aws-cloud-security-checklist/

SANS Cloud Security Practical Guide to Security in the AWS Cloud.pdf

AWS Well-Architected Security Workshop

The workshop contains hands-on-labs to help you learn, measure, and improve the security of your architecture using best practices from the Security pillar of the AWS Well-Architected Framework.

The CloudSec Engineer by Marco Lancini

A practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

https://engineer.cloudsecbooks.com/

Cloud Security Strategies

A collection of articles providing actionable advice for anyone looking to establish a cloud security program aimed at protecting cloud-native offerings. || A Cloud Security Roadmap Template.

Cloud Security Lab a Week (S.L.A.W) by Rich Mogull

SLAW is one cloudsec lab, 15–30 minutes, every week. Highly recommended if you are new to AWS security.

AWS Cloud Security Checklist by SecurityCipher

It offers a GUI AWS Cloud Security Checklist for different AWS Services.

Cloud Threat Landscape by Wiz Research.

A comprehensive threat intelligence database of cloud security incidents, actors, tools, and techniques.

AWS Mapping to MITRE ATT&CK

This project maps the security controls native to the (AWS) platform to MITRE ATT&CK®, providing resources to assess how to protect, detect, and respond to real-world threats as described in the ATT&CK knowledge base.

CIS Amazon Web Services Foundations Benchmark v3.0.0

This Foundations Benchmark v3.0.0, released on 01-31-2024, offers guidance for configuring AWS security services.

https://learn.cisecurity.org/l/799323/2024-01-25/4tgglx

AWS Course by Christophe Limpalair (Cybr — Highly recommended)

AWS-focused Cloud Security Tools (Open-sources)

Stratus Red Team by DataDog

Stratus Red Team can be used to detonate offensive attack techniques in AWS environments. Cloud security engineers can use this tool to simulate and understand potential APT activity mapped to MITRE ATT&CK techniques, and to confirm that their detections fire. Check this article on “Cloud Pen-testing with Stratus Red Team tool”.

Cloud Console Cartographer by Permiso

Cloud Console Cartographer is an open-source tool with both a CLI and a Python-based UI Visualizer. It can be used by cloud security engineers to condense and group cloud events (e.g., CloudTrail logs) and map them to the original user actions in the management console UI. This tool distills the noise generated by cloud log events, providing a clearer view of activities performed in the AWS console.

AWS Threat-Composer Tool

The Threat Composer tool is used to simplify threat modelling in AWS: identifying security issues and developing a strategy to address them.

https://awslabs.github.io/threat-composer/workspaces/Threat Composer/dashboard

AWS Security Review by Bour Abdelhadi

Streamline your AWS security assessment process with our comprehensive review tool — love this tool ❤️

CloudSploit by Aqua

CloudSploit by Aqua serves as a comprehensive cloud security monitoring and management platform designed to safeguard cloud infrastructure from threats and vulnerabilities.

With its extensive security checks and user-friendly interface, CloudSploit by Aqua is a robust and dependable tool for securing cloud infrastructure. It is indispensable for any organization aiming to protect its cloud resources effectively.

Scout Suite tool

Scout Suite is an open-source, multi-cloud security auditing tool that enables security posture assessment of cloud environments. It can be used in an AWS environment to provide detailed reports of any vulnerabilities or misconfigurations, along with recommendations for addressing them.

All-in-One AWS Security Tools (GitHub) by Toni de la Fuente

The GitHub repo contains the list of open-source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Turns AWS unique IDs into ARNs

Wut.Dev tools by Matthew Fuller

Wut.Dev is a visualization tool for AWS Organizations, providing instant access to an interactive tree diagram that reflects the Organizational Units (OUs), account structure, policies, and tags.

Pwnedlabs Free AWS Labs

Sign up at Pwnedlabs for real-world cloud security labs for AWS (offensive and defensive).

Whizlabs

Gain hands-on lab experience.

Cloud Security Challenge

Check out the flAWS.cloud walkthrough labs designed by Scott Piper (summitroute.com).

Awesome AWS Security

https://github.com/jassics/awesome-aws-security#AWS-Whitepapers

AWS Security Interview Questions

Additional Resources

Here are some additional AWS cloud security resources:

https://cloudsecdocs.com/aws/services/iam/organizations/

https://www.getastra.com/blog/cloud/aws/aws-security-checklist/

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Checklist.pdf

You can access the Notion page

Check out amazing Cloud Security projects @ My Hashnode Blog

Let’s connect via Linkedin || Twitter || Hashnode

Wishing you Success in your cloud security Journey !!🚀🚀🚀
