AWS Security Best Practices



Work In Progress: This is a collection of resources intended to help you with your everyday AWS security work.



AWS Organizations Structure

If you have many AWS accounts you will want to take advantage of AWS Organizations. AWS Organizations allows

OU Structure

  • Root OU
    • Prod OU
    • Staging OU
    • Dev OU
      • Individual Accounts OU
    • Core Services OU



Standard AWS Accounts



Security Account

This account is where you will run any security services, tools, or software.

For example, this can be:

  • AWS GuardDuty Delegated Administrator
  • ScoutSuite Scanning Tool
  • HashiCorp Vault

Logging Account

This account is where your immutable logs will go. Its purpose is to house important security logs that must have a high degree of integrity for security and possibly compliance reasons. That means S3 Object Lock on the log buckets and Service Control Policies that prevent the deletion of data, so that even an administrator inside the account cannot remove or alter what has been written.

For example, logs sent here would include:

  • AWS CloudTrail Logs
  • Authentication and Access Logs
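As an added example (not code from the original page), here is the kind of Service Control Policy meant by "prevent the deletion of data", written in Terraform and applied from the management account. The Logging account ID and the bucket name are assumed variables.

```hcl
# Added example, not code from the original page. A Service Control Policy,
# created from the management account, that stops anyone inside the Logging
# account from deleting or weakening the log bucket. Variable values are assumed.

variable "logging_account_id" { type = string } # assumed: 12-digit Logging account ID
variable "log_bucket_name" { type = string }    # assumed: the CloudTrail bucket name

data "aws_iam_policy_document" "protect_logs" {
  # An explicit Deny wins over every Allow, and SCPs bind the account's root
  # user too, so a compromised admin in the Logging account cannot undo this.
  statement {
    sid    = "DenyLogBucketTampering"
    effect = "Deny"
    actions = [
      "s3:DeleteBucket",
      "s3:DeleteBucketPolicy",
      "s3:DeleteObject",
      "s3:DeleteObjectVersion",
      "s3:BypassGovernanceRetention",
      "s3:PutBucketPolicy",
      "s3:PutBucketVersioning",
      "s3:PutBucketPublicAccessBlock",
      "s3:PutEncryptionConfiguration",
      "s3:PutLifecycleConfiguration",
      "s3:PutObjectLockConfiguration",
      "s3:PutObjectRetention",
    ]
    resources = [
      "arn:aws:s3:::${var.log_bucket_name}",
      "arn:aws:s3:::${var.log_bucket_name}/*",
    ]
  }
}

resource "aws_organizations_policy" "protect_logs" {
  name    = "protect-logging-account"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.protect_logs.json
}

# Attach directly to the Logging account (an OU ID works as the target too).
resource "aws_organizations_policy_attachment" "protect_logs" {
  policy_id = aws_organizations_policy.protect_logs.id
  target_id = var.logging_account_id
}
```

Attach this only after the bucket is fully configured: because it denies s3:PutBucketPolicy and s3:PutLifecycleConfiguration, any later change requires detaching the SCP from the management account first, which is the intended break-glass path. SCPs never apply to the management account itself, so the organization trail (owned by that account) is protected by keeping management-account access minimal, not by this policy.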

AWS CloudTrail Configuration



AWS CloudTrail - Creating The S3 Bucket In Your Logging Account

The following are details on how to securely create your S3 bucket for CloudTrail use.

Much of this is very similar to AWS S3 Bucket Security Best Practices.

This S3 bucket must live in your Logging account. An account



Summary:

  • Enable Block ALL public access
  • Enable Bucket Versioning
  • Enable Encryption (SSE-S3)
  • Enable Object Lock

Enable Block Public Access

Document image

Enable Bucket Versioning

Document image

Enable Default Encryption

Document image

Enable Object Lock

Document image



Document image



Add This Bucket Policy To Allow Cloudtrail Logging

JSON
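The following Terraform, added here as an example rather than taken from the page, does all four steps of the summary above in one pass and includes the bucket policy an organization trail requires (the policy body itself is not shown on this page). It runs with a provider configured for the Logging account; the variables are assumptions you fill in.

```hcl
# Added example, not code from the original page. Creates the CloudTrail log
# bucket in the Logging account with the four controls from the summary above,
# plus the bucket policy an organization trail needs. All variables are assumed.
variable "log_bucket_name" { type = string }       # assumed, e.g. "company-cloudtrail-logs"
variable "management_account_id" { type = string } # assumed: 12-digit management account ID
variable "organization_id" { type = string }       # assumed: "o-..." from describe-organization
variable "trail_region" { type = string }          # assumed: trail home region, e.g. "us-east-1"
variable "trail_name" { type = string }            # assumed: "company-org-trail" as used below

locals {
  trail_arn = "arn:aws:cloudtrail:${var.trail_region}:${var.management_account_id}:trail/${var.trail_name}"
}

# Object Lock can only be turned on when the bucket is created.
resource "aws_s3_bucket" "cloudtrail" {
  bucket              = var.log_bucket_name
  object_lock_enabled = true
}

# Block ALL public access
resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket                  = aws_s3_bucket.cloudtrail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket Versioning (Object Lock requires it)
resource "aws_s3_bucket_versioning" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  versioning_configuration { status = "Enabled" }
}

# Default encryption with SSE-S3 (AES256), as in the summary
resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# Object Lock default retention. COMPLIANCE mode cannot be shortened or
# removed by any principal, root included, until the period expires.
resource "aws_s3_bucket_object_lock_configuration" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 365 # assumed retention period; set it to your compliance requirement
    }
  }
  depends_on = [aws_s3_bucket_versioning.cloudtrail]
}

# Bucket policy: only the CloudTrail service, only acting for our trail
# (aws:SourceArn), only into the management-account and organization prefixes.
data "aws_iam_policy_document" "cloudtrail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.cloudtrail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
  statement {
    sid     = "AWSCloudTrailWrite"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.cloudtrail.arn}/AWSLogs/${var.management_account_id}/*",
      "${aws_s3_bucket.cloudtrail.arn}/AWSLogs/${var.organization_id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket     = aws_s3_bucket.cloudtrail.id
  policy     = data.aws_iam_policy_document.cloudtrail_bucket.json
  depends_on = [aws_s3_bucket_public_access_block.cloudtrail]
}
```

Create the bucket and its policy first and the trail second, because CloudTrail validates the bucket policy when the trail is created. The aws:SourceArn condition means the bucket accepts writes only on behalf of the trail named in trail_name, so a trail created in some other account cannot dump logs here. If you later choose SSE-KMS instead of SSE-S3, the key policy must also grant cloudtrail.amazonaws.com kms:GenerateDataKey* and kms:DescribeKey, or log delivery fails and the trail's status page reports the delivery error.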



Create An Organizational Cloudtrail

  1. Go to your management AWS Account (Organizational Root) and select the CloudTrail service
Document image

^ The AWS Console will default you to "Quick trail create" as shown below... please DISREGARD. "Quick trail create" makes a single-account trail in a new S3 bucket in the account you are signed in to, not an organization trail writing to the hardened bucket in your Logging account. Instead click on the menu icon on the left and select "Trails".

 ***DO NOT CREATE A QUICK TRAIL***

2. Go to Trails



Document image



This is the screen you should see

3. Create the Organizational Cloudtrail

  1. Select a name like company-org-trail
  2. Check the box Enable for all accounts in my organization
  3. Select Use existing S3 bucket and enter the S3 bucket created in the previous step



Document image
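The console steps above, expressed as Terraform and added here as an example (not the page's own code). It assumes a provider for the management account, that the organization already exists and has been imported into Terraform state, and that log_bucket_name is the bucket created in the Logging account in the previous section. Log file validation and multi-region coverage are not in the console steps above but are settings a practitioner would turn on at the same time.

```hcl
# Added example, not code from the original page. Creates the organization
# trail from the management account, writing to the Logging account bucket.
# The bucket name is an assumed variable; the organization is assumed to exist
# already and to have been imported into Terraform state.

variable "log_bucket_name" { type = string } # assumed: bucket created in the Logging account

# Organization trails need CloudTrail enabled as a trusted service in
# Organizations. The console does this for you; here it is explicit.
resource "aws_organizations_organization" "this" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["cloudtrail.amazonaws.com"]
}

resource "aws_cloudtrail" "org" {
  name                          = "company-org-trail"
  s3_bucket_name                = var.log_bucket_name
  is_organization_trail         = true # "Enable for all accounts in my organization"
  is_multi_region_trail         = true # covers every region, including ones you never use
  include_global_service_events = true # IAM, STS and other global-service events
  enable_log_file_validation    = true # hourly SHA-256 digest files for proving log integrity

  depends_on = [aws_organizations_organization.this]
}
```

If your organization already trusts other services (for example sso.amazonaws.com), list them all in aws_service_access_principals, because Terraform manages that list as a whole and would otherwise remove them. Once applied, every member account receives the trail automatically and cannot modify or stop it from inside the account.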



AWS S3 Security

Database Security

RDS Security

EKS Security

EC2 Security

AWS Amplify Security