AWS gives you access to this security audit service for free, and you should be using it.

Alex Raul
Published in Rackner | Dev Blog
2 min read · Jul 19, 2017

Trusted Advisor is an AWS service that performs an automated audit of your cloud resources. It runs through a checklist of AWS best practices and flags any deviations it finds in your architecture.

Every AWS customer has free access to 6 Trusted Advisor checks:

  1. Service Limits
  2. Security Groups — Specific Ports Unrestricted
  3. IAM Use
  4. MFA on Root Account
  5. EBS Public Snapshots
  6. RDS Public Snapshots

Not every one of these matters for EVERY deployment, but it can be surprising to see how many of them you're missing, especially if you hold sensitive data.

Sadly, the free tier of Trusted Advisor doesn't include the check for Amazon S3 Bucket Permissions (the source of several recent major cloud data leaks). You'll have to upgrade to a Business or Enterprise support plan for that and the other checks, which together total over 50 items.

The cost of the Business and Enterprise support plans depends on your monthly AWS spend. For example, if you spend $85k/mo on AWS, you'll pay ~$6k for the Business plan. Either way, it's still up to you to run Trusted Advisor and act on any major flaws it reports.

If you don’t want to spend that much, you can simply have your engineers look up the Trusted Advisor checklist and manually go through the items: https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
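
As an added example (not code from this post or from AWS), the script below reimplements checks 2 and 4 from the list above, unrestricted sensitive ports in security groups and MFA on the root account, against the plain response shapes boto3 returns, so the logic can be exercised on constructed data before being pointed at a real account. The port list, `run_live()` and `SAMPLE_GROUPS` are this example's own assumptions and names.

```python
# Ports treated as sensitive when open to the world: an assumption for this
# example, not the exact list Trusted Advisor evaluates.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 1433: "MSSQL", 3306: "MySQL",
                   3389: "RDP", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}

def _is_world_open(perm: dict) -> bool:
    """True if an ingress rule admits any IPv4 or IPv6 source address."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)

def unrestricted_ports(groups: list, ports: dict = SENSITIVE_PORTS) -> list:
    """(group_id, port, service) for each sensitive port reachable from anywhere.
    `groups` has the shape of ec2.describe_security_groups()["SecurityGroups"]."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("-1", "tcp", "udp") or not _is_world_open(perm):
                continue
            # An "all traffic" (-1) rule carries no port range and covers every port.
            lo = 0 if proto == "-1" else perm.get("FromPort", 0)
            hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
            findings += [(sg["GroupId"], p, n) for p, n in ports.items() if lo <= p <= hi]
    return findings

def root_mfa_enabled(summary_map: dict) -> bool:
    """Mirror 'MFA on Root Account' using iam.get_account_summary()["SummaryMap"]."""
    return summary_map.get("AccountMFAEnabled", 0) == 1

def run_live() -> None:
    """Run both checks against the calling account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the check functions work without it
    groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    summary = boto3.client("iam").get_account_summary()["SummaryMap"]
    for gid, port, name in unrestricted_ports(groups):
        print(f"{gid}: {name} ({port}) open to the world")
    print("root MFA enabled:", root_mfa_enabled(summary))

# Constructed sample in the describe_security_groups shape (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

On the sample data, `sg-web` produces no finding (443 is not in the sensitive list and SSH is limited to a private range), `sg-db` is flagged for MySQL, and the all-traffic IPv6 rule on `sg-open` is flagged for every sensitive port.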

It doesn't matter whether you do it manually, outsource it, or shell out for the support plan. If your company is moving sensitive data or workloads to the cloud, Trusted Advisor lets you quickly eliminate a large number of potential threats.

CEO @racknerco | Cloud Native | Digital Transformation | Mobility | AWS Consulting Partner