AWS Compliance Programs
ISO/IEC 27001
ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance.
HIPAA
Safeguarding medical information.
PCI DSS
Handling credit card information.
SOC
AWS System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives.
AWS Artifact
On-demand access to AWS security and compliance reports.
No cost
Amazon Inspector
Hardening
The act of eliminating as many security risks as possible.
Amazon Inspector runs a security benchmark against specific EC2 instances.
AWS WAF
Web application firewall
WAF can be attached to either CloudFront or an Application Load Balancer.
You can either:
- Write your own rules to ALLOW or DENY traffic based on the content of an HTTP request.
- Use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace.
AWS Shield
A managed DDoS protection service
When you route your traffic through Route 53 or CloudFront, you are using AWS Shield Standard.
Penetration Testing
All Security Testing must be in line with AWS Security Testing Terms and Conditions.
Permitted Services
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
Prohibited Activities
DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)
Amazon GuardDuty
Threat detection service. It uses machine learning to analyze the following AWS logs:
- CloudTrail logs
- VPC Flow logs
- DNS logs
KMS
Three things to know:
- KMS is a multi-tenant HSM (hardware security module)
- Many AWS services are integrated to use KMS to encrypt data with a simple checkbox
- KMS uses envelope encryption: encrypt your data key with a master key as an additional layer of security.
Amazon Macie
Monitors S3 data access activities to detect risks of unauthorized access or inadvertent data leaks.
Security Groups and NACLs
Firewalls at instance/subnet level.
With Security Groups, you create Allow rules.
With NACLs, you create Allow and Deny rules.
AWS VPN
Lets you establish a secure and private tunnel from your network/device to the AWS global network.
AWS Site-to-Site VPN
Securely connects an on-premises network or branch office site to a VPC.
AWS Client VPN
Securely connects users to AWS or on-premises networks.
IAM Best practices
Account Root User Access Key: Lock Away!
You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account root user access key.
Create individual IAM users
Don’t use your AWS account root user credentials to access AWS, and don’t give your credentials to anyone else. Instead, create individual users for anyone who needs access to your AWS account.
Grant Least Privilege
Use Customer Managed Policies Instead of Inline Policies
Configure a Strong Password Policy for Your Users
If you allow users to change their own passwords, require that they create strong passwords and that they rotate their passwords periodically.
Enable MFA
Do Not Share Access Keys
Rotate Credentials Regularly
Change your own passwords and access keys regularly, and make sure that all IAM users in your account do as well.
Use Policy Conditions for Extra Security
There is a condition property in the policy JSON.
For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range.
Monitor Activity in Your AWS Account
- CloudTrail