AWS Security Implementation Considerations

  • Security Groups (Administrators, Machine Account, OPS, Dev, BA)

  • Granular level security (Least amount of privileges needed to do a job, and nothing more)

  • 2FA with a physical YubiKey token required to access the Admin Console

  • 2FA with a physical YubiKey token required to access machines

  • Bastion access only from the Security Group's IP address allow list

  • CloudTrail enabled and configured

  • CloudTrail log file validation

  • Enable access logging for CloudTrail S3 bucket

  • MFA to delete CloudTrail S3 buckets, and encrypt all log files in transit and at rest

  • IAM policies attached to roles rather than users

  • Enforce a strong password policy and key rotation

  • Ensure that no S3 Buckets are publicly readable/writeable unless required by the business

  • Encrypt data stored in EBS as an added layer of security with a private key held by HEE

  • Encrypt Amazon RDS

  • Run automated tests against Docker images to check for vulnerabilities

  • Geo-replicate data to make sure it's safe and available

  • SSL EV (Extended Validation) Certificates (not wildcard)

  • Only the Root account and Machine account can create resources

  • IPsec to be run in tunnel mode, not transport mode

  • Minimum Diffie-Hellman group to be set to group 2
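As an added example (not part of the original page), the following Python check evaluates the CloudTrail items above (log file validation, bucket access logging, MFA delete, encryption at rest and in transit) against configuration dicts shaped like the boto3 responses from describe_trails, get_bucket_logging, get_bucket_versioning and a parsed get_bucket_policy. All names, account IDs and key ARNs are constructed samples.

```python
from typing import Dict, List


def denies_insecure_transport(policy: Dict) -> bool:
    """True if the bucket policy contains a Deny statement keyed on aws:SecureTransport=false,
    which refuses plain-HTTP access to the log bucket (encryption in transit)."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def check_cloudtrail(trail: Dict, bucket: Dict) -> List[str]:
    """Return a list of findings; an empty list means every CloudTrail item on the checklist passed."""
    findings = []
    if not trail.get("LogFileValidationEnabled"):          # describe_trails -> trailList[i]
        findings.append("log file validation disabled")
    if not trail.get("KmsKeyId"):                           # SSE-KMS on delivered log files
        findings.append("log files not encrypted at rest with a KMS key")
    if "LoggingEnabled" not in bucket.get("logging", {}):   # get_bucket_logging
        findings.append("access logging not enabled on log bucket")
    if bucket.get("versioning", {}).get("MFADelete") != "Enabled":  # get_bucket_versioning
        findings.append("MFA delete not enabled on log bucket")
    if not denies_insecure_transport(bucket.get("policy", {})):     # parsed get_bucket_policy
        findings.append("log bucket policy does not deny non-TLS access")
    return findings


# Constructed sample: a trail left at default settings with a bare log bucket.
WEAK_TRAIL = {"Name": "example-trail", "S3BucketName": "example-trail-logs",
              "LogFileValidationEnabled": False}
WEAK_BUCKET = {"logging": {}, "versioning": {"Status": "Enabled"}, "policy": {}}

# Constructed sample: the same trail and bucket after applying the checklist.
HARDENED_TRAIL = dict(WEAK_TRAIL, LogFileValidationEnabled=True,
                      KmsKeyId="arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID")
HARDENED_BUCKET = {
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "cloudtrail/"}},
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-trail-logs", "arn:aws:s3:::example-trail-logs/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}

if __name__ == "__main__":
    for label, t, b in (("weak", WEAK_TRAIL, WEAK_BUCKET), ("hardened", HARDENED_TRAIL, HARDENED_BUCKET)):
        print(label, check_cloudtrail(t, b) or "all checks passed")
```

Feeding it live data means pulling the same four responses with boto3 and passing them through unchanged; the check itself needs no AWS access.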
