AWS Security Configuration Checklist

Amazon Web Services (AWS), the leader in the public cloud infrastructure-as-a-service (IaaS) market, offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. According to Amazon, over one million active AWS customers are reaping these cost and productivity advantages. Like most cloud providers, AWS operates under a shared responsibility model: AWS takes care of security 'of' the cloud (the facilities, hardware, network and the software that runs its services), while the customer is responsible for security 'in' the cloud (everything deployed and configured on top of it: identities, network rules, encryption, logging and the data itself). The checklist below guides customers through configuring AWS services for a high level of protection of their infrastructure and the sensitive data stored in AWS, while still allowing employees to fulfil their job responsibilities.

  1. Enable CloudTrail logging in every AWS account.
  2. Turn on CloudTrail log file validation.
  3. Enable CloudTrail multi-region logging.
  4. Integrate CloudTrail with CloudWatch.
  5. Enable access logging for CloudTrail S3 buckets.
  6. Enable access logging for Elastic Load Balancer (ELB).
  7. Enable Redshift audit logging.
  8. Enable Virtual Private Cloud (VPC) flow logging.
  9. Require multifactor authentication (MFA) to delete CloudTrail buckets.
  10. Turn on multifactor authentication for the “root” account.
  11. Turn on multi-factor authentication for all IAM users, including those that hold both console and programmatic (access key) credentials.
  12. Attach IAM policies to groups or roles.
  13. Rotate IAM access keys regularly, and standardize on the selected number of days.
  14. Set up a strict password policy.
  15. Set the password expiration period to 90 days.
  16. Don’t use expired SSL/TLS certificates.
  17. Use HTTPS for CloudFront distributions.
  18. Restrict access to CloudTrail bucket.
  19. Encrypt CloudTrail log files at rest.
  20. Encrypt Elastic Block Store (EBS) volumes.
  21. Provision access to resources using IAM roles.
  22. Ensure EC2 security groups don’t have large ranges of ports open.
  23. Configure EC2 security groups to restrict inbound access to EC2.
  24. Avoid using root user accounts.
  25. Use secure SSL ciphers when connecting between the client and ELB.
  26. Use secure SSL versions when connecting between client and ELB.
  27. Use a standard naming (tagging) convention for EC2.
  28. Encrypt Amazon Relational Database Service (RDS) instances.
  29. Ensure access keys are not being used with root accounts.
  30. Use secure CloudFront SSL versions.
  31. Enable the require_ssl parameter in all Redshift clusters.
  32. Rotate SSH keys periodically.
  33. Minimize the number of discrete security groups.
  34. Reduce number of IAM groups.
  35. Terminate unused access keys.
  36. Disable access for inactive or unused IAM users.
  37. Remove unused IAM access keys.
  38. Delete unused SSH Public Keys.
  39. Restrict access to Amazon Machine Images (AMIs).
  40. Restrict access to EC2 security groups. 
  41. Restrict access to RDS instances.
  42. Restrict access to Redshift clusters.
  43. Restrict outbound access.
  44. Disallow unrestricted ingress access on uncommon ports.
  45. Restrict access to well-known ports such as CIFS/SMB, FTP, SMTP, SSH and Remote Desktop, and to ICMP.
  46. Inventory and categorize all existing custom applications by the types of data stored, compliance requirements and possible threats they face.
  47. Involve IT security throughout the development process.
  48. Grant application users the fewest privileges possible.
  49. Enforce a single set of data loss prevention policies across custom applications and all other cloud services.
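Many of the IAM and network items above can be checked mechanically rather than by clicking through the console. The following Python audit is an added example, not code from the original article: it evaluates items 10, 11, 13, 29 and 35-37 over an IAM credential report, and items 22, 23, 44 and 45 over security-group rules. The credential-report CSV and the security-group dictionaries below are constructed for demonstration, in the shapes that `aws iam get-credential-report` (after base64-decoding the `Content` field) and `aws ec2 describe-security-groups` return; the 90-day and 100-port thresholds are assumptions chosen to match items 13, 15 and 22, not AWS defaults.

```python
import csv
import io
from datetime import datetime, timezone

# Ports/protocols the checklist singles out (items 45 and 51); thresholds below are assumptions.
SENSITIVE_PORTS = {445: "CIFS/SMB", 21: "FTP", 25: "SMTP", 22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}
NO_DATE = {"", "N/A", "no_information", "not_supported"}  # placeholders AWS uses for "no date"

def age_days(value, now):
    """Days since a credential-report timestamp, or None when the field carries no date."""
    if value in NO_DATE:
        return None
    return (now - datetime.fromisoformat(value.replace("Z", "+00:00"))).days

def audit_credential_report(report_csv, now, max_key_age=90, inactive_after=90):
    """Items 10, 11, 13, 29, 35-37 over the CSV from `aws iam get-credential-report`."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "MFA not enabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"access key {slot} exists on root account"))
            rotated = age_days(row[f"access_key_{slot}_last_rotated"], now)
            if rotated is not None and rotated > max_key_age:
                findings.append((user, f"access key {slot} not rotated for {rotated} days"))
            used = age_days(row[f"access_key_{slot}_last_used_date"], now)
            if used is None:
                used = rotated  # never used: measure idleness from creation/rotation
            if used is not None and used > inactive_after:
                findings.append((user, f"access key {slot} unused (remove it)"))
        if not is_root and row["password_enabled"] == "true":
            last = age_days(row["password_last_used"], now)
            if last is None:
                last = age_days(row["user_creation_time"], now)  # never logged in
            if last is not None and last > inactive_after:
                findings.append((user, f"console login inactive for {last} days (disable user)"))
    return findings

def audit_security_group(group, max_port_span=100):
    """Items 22, 23, 44, 45 over one entry from `aws ec2 describe-security-groups`."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not WORLD.intersection(cidrs):
            continue  # source is restricted; nothing to flag for these items
        proto = rule["IpProtocol"]
        if proto == "-1":  # "All traffic": no FromPort/ToPort keys are present
            findings.append((group["GroupId"], "all protocols and ports open to the world"))
            continue
        if proto == "icmp":  # FromPort/ToPort are ICMP type/code here, not ports
            findings.append((group["GroupId"], "ICMP open to the world"))
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        if hi - lo + 1 > max_port_span:
            findings.append((group["GroupId"], f"{proto} ports {lo}-{hi} open to the world"))
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append((group["GroupId"], f"{name} ({proto}/{port}) open to the world"))
    return findings

# Constructed sample inputs (not real account data) in the shapes the AWS CLI/boto3 return.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,"
    "cert_1_last_rotated,cert_2_active,cert_2_last_rotated",
    "<root_account>,arn:aws:iam::123456789012:root,2018-01-10T09:00:00+00:00,not_supported,"
    "2020-05-30T11:00:00+00:00,not_supported,not_supported,false,true,2018-01-10T09:05:00+00:00,"
    "2020-05-29T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",  # root: no MFA, old key
    "alice,arn:aws:iam::123456789012:user/alice,2019-03-01T00:00:00+00:00,true,"
    "2020-05-31T10:00:00+00:00,2020-04-01T00:00:00+00:00,2020-06-30T00:00:00+00:00,true,true,"
    "2020-04-15T00:00:00+00:00,2020-05-31T09:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",  # clean
    "bob,arn:aws:iam::123456789012:user/bob,2019-03-01T00:00:00+00:00,true,2019-11-01T00:00:00+00:00,"
    "2019-03-01T00:00:00+00:00,2019-05-30T00:00:00+00:00,false,true,2019-03-01T00:00:00+00:00,"
    "N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",  # bob: no MFA, stale unused key, idle login
])
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # HTTPS to the world, SSH from the VPC only: fine
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # every port, RDP over IPv6 and ICMP open to the world
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    print(audit_credential_report(SAMPLE_REPORT, NOW))
    print([f for g in SAMPLE_GROUPS for f in audit_security_group(g)])
```

Against the constructed data the IAM audit flags the root account (no MFA, an active 872-day-old access key) and `bob` (no MFA, a 458-day-old key that has never been used, no console login for 213 days) while `alice` passes; the security-group audit leaves `sg-0aaa` alone and reports every world-open rule in `sg-0bbb`. To run it for real, swap `SAMPLE_REPORT` for the decoded report and iterate over the `SecurityGroups` list from the CLI or boto3; the scanning logic is deliberately separated from the API calls so it can be unit-tested offline and dropped into a scheduled job for new and existing accounts.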


Albert Anthony

Founder at Loves Cloud

4 years ago

This is a great list for securing AWS. Would you suggest to do all of these manually or to automate these for existing and new AWS accounts?

Karthik Guttapudi

Application Modernization | Hybrid Cloud

4 years ago

Nice one Kishore, a few more could be added to the list, like Secrets Manager, ACM, etc.


More articles by Kishore Reddipalli

  • AWS Snapshot Pattern (Data Backups)
  • Cloud Instance Scheduling
  • Cloud Waste Checklist
  • Cloud Native Cost Optimization Tools & Pricing Models
  • Azure - Hybrid AD Management