AWS Security Implementation Considerations
Security Groups (Administrators, Machine Account, OPS, Dev, BA)
Granular, least-privilege access (only the permissions needed to do a job, and nothing more)
2FA with a physical YubiKey token required to access the Admin Console
2FA with a physical YubiKey token required to access machines
Bastion access from Security Group IP address list only
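An added example (not code from the original page) of the check behind the bastion item: it audits security group ingress rules so that SSH (tcp/22) is reachable only from an allow-list of source CIDRs. The group data is shaped like the IpPermissions entries returned by EC2 DescribeSecurityGroups, but every group id, CIDR and port below is constructed for the demonstration.

```python
"""Audit security group ingress rules so SSH to the bastion is reachable only
from an allow-list of source CIDRs.

Added example, not code from the original page. The group data is shaped like
the IpPermissions entries returned by EC2 DescribeSecurityGroups, but every
group, CIDR and port below is constructed for the demonstration."""
import ipaddress

# Constructed allow-list: the only source ranges permitted to reach the bastion.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed sample groups (not real AWS resources).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-bastion-ok",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.10/32"}]},
        ],
    },
    {
        "GroupId": "sg-bastion-bad",
        "IpPermissions": [
            # SSH open to the world: the classic misconfiguration.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # All protocols and ports from a range that is not on the allow-list.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
        ],
    },
]


def rule_covers_ssh(rule):
    """True if the rule exposes tcp/22. IpProtocol '-1' means all protocols and ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535)


def source_allowed(cidr, allowed=ALLOWED_SOURCES):
    """True only if the whole source range sits inside one allow-listed network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_group(group, allowed=ALLOWED_SOURCES):
    """Return (group id, CIDR) for every SSH-exposing rule whose source is not allow-listed."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not rule_covers_ssh(rule):
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not source_allowed(cidr, allowed):
                findings.append((group["GroupId"], cidr))
    return findings


def audit_all(groups, allowed=ALLOWED_SOURCES):
    """Audit a list of security groups and collect every finding."""
    return [f for g in groups for f in audit_group(g, allowed)]


if __name__ == "__main__":
    for group_id, cidr in audit_all(SAMPLE_GROUPS):
        print(f"{group_id}: SSH reachable from {cidr}, which is outside the allow-list")
```

The check treats a source as allowed only when its whole range fits inside one allow-listed network, so a rule that widens a permitted /24 to a /23 is flagged as well as an open 0.0.0.0/0 rule; IPv6 sources are compared against the allow-list too and flagged unless an IPv6 range is on it.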
CloudTrail enabled and configured
CloudTrail log file validation enabled
Enable access logging for CloudTrail S3 bucket
MFA required to delete CloudTrail S3 buckets; encrypt all log files in transit and at rest.
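An added example (not AWS code) showing what CloudTrail log file validation gives you to check. With validation enabled, CloudTrail delivers hourly digest files that list each log file with its SHA-256 hash and carry the hash of the previous digest, forming a chain. The functions below check those hashes over an in-memory set of constructed objects (the bucket name, account id and object keys are made up). They do not verify the RSA signature on the digest, which `aws cloudtrail validate-logs` also checks against the CloudTrail public key; that step needs the key and is left out here.

```python
"""Check CloudTrail log files against a CloudTrail digest file.

Added example, not AWS code. With log file validation enabled, CloudTrail
delivers hourly digest files that list each log file with its SHA-256 hash and
carry the hash of the previous digest, forming a chain. The functions below
check those hashes over an in-memory set of constructed objects. They do not
verify the RSA signature on the digest, which 'aws cloudtrail validate-logs'
also checks against the CloudTrail public key; that step is left out here."""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(events: list) -> bytes:
    """CloudTrail log files are gzipped JSON with a top-level 'Records' list."""
    return gzip.compress(json.dumps({"Records": events}).encode())


def build_digest(bucket: str, log_objects: dict, previous_digest: bytes = None) -> dict:
    """Build a digest in the shape CloudTrail uses (trimmed to the fields checked here).
    Constructed for the demonstration; real digests are produced and signed by CloudTrail."""
    return {
        "digestS3Bucket": bucket,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in sorted(log_objects.items())
        ],
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }


def verify_digest(digest: dict, objects: dict, previous_digest: bytes = None) -> list:
    """Return a list of problems; an empty list means every hash matched.
    `objects` maps S3 keys to the bytes actually stored in the bucket."""
    problems = []
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if data is None:
            problems.append(f"missing: {entry['s3Object']}")
        elif sha256_hex(data) != entry["hashValue"]:
            problems.append(f"hash mismatch: {entry['s3Object']}")
    expected_prev = digest.get("previousDigestHashValue")
    if expected_prev is not None:
        if previous_digest is None:
            problems.append("previous digest unavailable; chain cannot be checked")
        elif sha256_hex(previous_digest) != expected_prev:
            problems.append("previous digest hash mismatch; chain broken")
    return problems


def demo():
    """Run the check on clean objects, then on a copy with one log file altered."""
    bucket = "example-trail-bucket"  # constructed name
    prefix = "AWSLogs/111122223333/CloudTrail/eu-west-2/2024/01/01/"  # constructed
    logs = {
        prefix + "log-1.json.gz": make_log_object(
            [{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}]),
        prefix + "log-2.json.gz": make_log_object(
            [{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}]),
    }
    previous = json.dumps(build_digest(bucket, {})).encode()  # the prior hour's digest
    digest = build_digest(bucket, logs, previous)

    clean = verify_digest(digest, logs, previous)

    # Same bucket contents, but log-2 replaced with an empty file (the StopLogging event gone).
    altered = dict(logs)
    altered[prefix + "log-2.json.gz"] = make_log_object([])
    tampered = verify_digest(digest, altered, previous)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean or "all hashes match")
    print("altered:", tampered)
```

This is why the bucket needs MFA delete and restricted write access as well: the digest only proves that the objects you still have match what CloudTrail delivered, so a missing log file or a broken chain link is itself a finding to investigate, not a benign gap.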
IAM policies attached to roles rather than users
Enforce a strong password policy and access key rotation
Ensure that no S3 buckets are publicly readable/writable unless required by the business
Encrypt data stored in EBS as an added layer of security, with the private key held by HEE
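An added example (not code from the original page) that serves both the least-privilege item and the public-bucket item: a small linter for IAM and S3 bucket policy documents. It flags Allow statements that grant access to any principal (the pattern that makes a bucket publicly readable or writable), separately noting the ones that are limited only by a Condition, and statements that combine a wildcard action with a wildcard resource. The policy documents, bucket name and VPC endpoint id are constructed samples.

```python
"""Lint IAM and S3 bucket policy documents for public access and wildcard grants.

Added example, not code from the original page. It flags Allow statements that
grant access to any principal (the pattern that makes a bucket publicly
readable or writable) and statements that combine a wildcard action with a
wildcard resource. The policy documents below are constructed samples."""
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element ('*', or a map of AWS/Service/Federated values)."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    return [p for values in principal.values() for p in _as_list(values)]


def lint_policy(name, policy):
    """Return human-readable findings for one policy document (empty list = nothing flagged)."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if "*" in _principals(statement):
            if "Condition" in statement:
                findings.append(f"{name}[{index}]: any principal may {actions}, "
                                f"limited only by a Condition; review it")
            else:
                findings.append(f"{name}[{index}]: PUBLIC: any principal may {actions} on {resources}")
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"{name}[{index}]: wildcard action {actions} on all resources")
    return findings


# Constructed sample policies, not real account data.
SAMPLE_POLICIES = {
    "public-read-bucket": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-bucket/*"}],
    },
    "vpce-only-bucket": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-bucket/*",
                       "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}],
    },
    "admin-everything": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    },
    "scoped-role-policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "arn:aws:s3:::example-bucket/app-data/*"}],
    },
}


def lint_all(policies=SAMPLE_POLICIES):
    """Lint every policy; returns {name: findings} for the policies that had any."""
    results = {}
    for name, policy in policies.items():
        if isinstance(policy, str):  # policies fetched from the API arrive as JSON text
            policy = json.loads(policy)
        findings = lint_policy(name, policy)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for findings in lint_all().values():
        for finding in findings:
            print(finding)
```

Feeding it real documents means pulling bucket policies (GetBucketPolicy) and the default versions of customer managed IAM policies, then reviewing every finding: a Condition-limited "any principal" statement can be legitimate (VPC endpoint access, for example), but it is still worth a second look, and anything flagged PUBLIC needs a documented business reason to stay.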
Encrypt Amazon RDS
Run automated tests against Docker images to check for vulnerabilities
Geo-replicate data to make sure it is safe and available
SSL EV (Extended Validation) certificates (not wildcard certificates)
Only the Root account and Machine account can create resources
IPsec to be run in tunnel mode, not transport mode
Minimum Diffie-Hellman group to be set to group 2
Slack: https://hee-nhs-tis.slack.com/
Jira issues: https://hee-tis.atlassian.net/issues/?filter=14213