AWS Security Implementation Considerations

  • Security Groups (Administrators, Machine Account, OPS, Dev, BA)

  • Granular-level security (least privilege: the minimum permissions needed to do a job, and nothing more)

  • 2FA with a physical YubiKey token required to access the Admin Console

  • 2FA with a physical YubiKey token required to access machines

  • Bastion access from Security Group IP address list only

  • CloudTrail enabled and configured

  • CloudTrail log file validation

  • Enable access logging for CloudTrail S3 bucket

  • MFA Delete required on CloudTrail S3 buckets, and encrypt all log files in transit and at rest

  • IAM policies attached to roles rather than users

  • Enforce a strong password policy and key rotation

  • Ensure that no S3 buckets are publicly readable/writable unless required by the business

  • Encrypt data stored in EBS as an added layer of security with a private key held by HEE

  • Encrypt Amazon RDS

  • Run automated tests against Docker images to check for vulnerabilities

  • Geo-replicate data to make sure it's safe and available

  • SSL EV (Extended Validation) Certificates (not wildcard)

  • Only the Root account and Machine account can create resources

  • IPsec to be run in tunnel mode, not transport mode

  • Minimum Diffie-Hellman group to be set to group 2
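The CloudTrail and S3 items above (log file validation, encrypted logs, access logging on the log bucket, MFA Delete, no public buckets) can be verified mechanically. The following is an added example, not part of the original checklist: it audits responses in the shape returned by boto3's describe_trails, get_bucket_logging, get_bucket_versioning and get_bucket_policy, using constructed sample data so it runs offline; bucket names, the KMS key ARN and account id are placeholders.

```python
import json

def public_statements(policy_doc):
    """Sids of Allow statements that grant object read/write to any principal."""
    hits = []
    for stmt in json.loads(policy_doc).get("Statement", []):
        principal = stmt.get("Principal")
        public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        risky = any(a.lower() in ("s3:*", "s3:getobject", "s3:putobject") for a in actions)
        if stmt.get("Effect") == "Allow" and public and risky:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def audit_cloudtrail_bucket(trail, logging, versioning, policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled")
    if not trail.get("KmsKeyId"):
        findings.append("log files not encrypted with a KMS key")
    if "LoggingEnabled" not in logging:          # key is absent when logging is off
        findings.append("access logging disabled on log bucket")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled on log bucket")
    findings += [f"bucket policy '{sid}' grants public access" for sid in public_statements(policy)]
    return findings

# Constructed responses (not from a real account) in the boto3 response shapes.
WEAK_TRAIL = {"Name": "main", "S3BucketName": "example-trail-logs", "LogFileValidationEnabled": False}
WEAK_LOGGING = {}
WEAK_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-logs/*"}]})

HARDENED_TRAIL = {**WEAK_TRAIL, "LogFileValidationEnabled": True,
                  "KmsKeyId": "arn:aws:kms:eu-west-1:000000000000:key/PLACEHOLDER-KEY-ID"}
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "trail/"}}
HARDENED_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudTrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-logs/*"}]})

if __name__ == "__main__":
    print("weak:", audit_cloudtrail_bucket(WEAK_TRAIL, WEAK_LOGGING, WEAK_VERSIONING, WEAK_POLICY))
    print("hardened:", audit_cloudtrail_bucket(HARDENED_TRAIL, HARDENED_LOGGING, HARDENED_VERSIONING, HARDENED_POLICY))
```

Against a live account the four dicts would come from the corresponding boto3 calls (the trail from `describe_trails()["trailList"]`, the policy from `get_bucket_policy()["Policy"]`).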