
AWS Account Security Onboarding

Organization invitation
  - Deploy account from predefined IaC template
    - Predefined IAM roles
    - Enabled security services
  - IDC integration, SSO configuration
  - Billing, emergency and security contacts
  - Root user: distribution email + MFA

AWS CloudTrail
  - Enable as part of the Organization trail
  - Confirm that logs are present in the S3 bucket and in the SIEM

SCPs
  - Apply existing SCPs based on OU placement:
    - S3 Block Public Access
    - Disable AMI public sharing
    - Block unused regions
    - Block tampering with security-related settings and services
    - Restrict instance types
    - Block root user
  - Add custom SCPs if required

AWS SecurityHub
  - Enable AWS SecurityHub
  - Apply SecurityHub Central Configuration for the Organization
  - Enable/disable additional standards and controls
  - Deploy a solution to alert on (at least) critical new findings
  - Confirm that findings are visible in the aggregated view
  - Ensure that there are no critical (and considered critical) findings present in the account

AWS Config
  - Enable AWS Config
  - Enable continuous recording for most of the resources
  - Consider periodic recording for some resources to optimize the bill
  - Confirm that records are present in the central aggregator

Logging
  - Send DNS Resolver queries to the SIEM
  - Send VPC Flow Logs (only DENYs) to an S3 bucket
  - Send S3 access logs for critical buckets to a separate S3 bucket
  - Establish ready-to-be-enabled pipelines to deliver ALB and CFD logs to the SIEM, to toggle in case of emergencies and investigations

Threat Detection: GuardDuty
  - Enable GuardDuty as part of the central configuration for the Organization
  - Must:
    - RDS protection
    - Lambda protection
    - S3 protection
    - Malware Scanning
  - Optional:
    - Runtime protection (very new, needs testing); as an alternative, another runtime protection, if available
    - EKS protection (if EKS is used)
  - Confirm that events are present in the SIEM
  - Apply suppression filters to "disable" useless findings
  - Include in the incident response process based on events

Alerting
  - CloudTrail
    - Critical alert on every root user activity
    - Critical alert on CloudTrail settings changes
    - Alert on a rise of ConsoleLoginFailures events
    - Alert on IAM user changes
    - Alert on snapshot manipulations
  - GuardDuty
    - Alert on each High finding
    - Alerts based on aggregated findings with severity Medium and below
  - Cost Anomaly
    - Alerts on raised cost anomaly events
  - SecurityHub
    - Alerts based on (at least) each new CRITICAL finding
    - Re-alert on inactivity in a set period
  - WAF
    - Alerts based on rate-based rules
    - Alerts based on a high amount of requests blocked by managed rules
  - Shield
    - Alert based on the DDoSDetected metric
    - Adopt the incident response guide and the prepared battle card
  - R53 DNS Resolver
    - Alert on blocked DNS queries
  - Vulnerability Scanning
    - Alert on critical vulnerabilities in AMIs/images
  - Budget Alarms
    - Prod: create Cost Anomaly Detection monitors to alert on spending anomalies
    - QA: create Cost Anomaly Detection monitors to alert on spending anomalies
    - Configure Budgets Actions to stop services in case of big unexpected spending

R53 DNS Resolver Firewall
  - Apply managed domain name lists for the Resolver in block mode
  - Use strictly the AWS VPC DNS resolver
  - Ban outbound DNS calls from all VPCs to port 53
  - Apply a custom threat list for GuardDuty to alert on access to DoH servers

Shield Advanced
  - Enable the Shield Advanced subscription for the public-facing account
  - Export metrics to the centralized collector
  - Create a DDoS battle card with the main info about protected services
  - CFD + ALB + secret rotation architecture

IAM Access Analyzer
  - Create analyzers in each active region
  - Verify that events are present in the SecurityHub aggregated view

Macie
  - Consider enabling for critical buckets only

Vulnerability Scanning
  - Enable and configure AWS Inspector
  - EC2 used as servers:
    - Export scan results as metrics to the centralized collector
  - ECR used as docker image hub:
    - Scan images for vulnerabilities on upload to ECR
    - Deploy a solution to periodically rescan currently used images and report found vulnerabilities
    - Export scan results as metrics to the centralized collector

WAFv2
  - Deploy a WAF setup for each public web service
    - Must: predefined set of managed rules; global allow- and block-lists; blanket rate-based rules; service-unique exclusion rules
    - Discuss: additional managed rules; scoped-down rate-based rules
  - Enable Shield Advanced automatic application layer DDoS mitigation
    - For the first 2 weeks in COUNT mode
    - After that, switch into BLOCK mode
  - Configure R53 health checks for all protected resources
  - Configure sensitive field redaction and send WAF logs to the SIEM
  - Export metrics to the centralized collector
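As an added example (not the checklist author's own policy), the SCP items above, block root user, block unused regions, block tampering with security services, keep S3 and AMI public-access blocks in place, and restrict instance types, can be expressed as one service control policy attached to the OU; the region list, the allowed instance-type families and the exempted SecurityAdmin role ARN are placeholder assumptions to adapt:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
    },
    {
      "Sid": "BlockUnusedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
                    "shield:*", "support:*", "budgets:*", "ce:*", "health:*"],
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "us-east-1"]}}
    },
    {
      "Sid": "BlockTamperingWithSecurityServices",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail",
        "config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder",
        "guardduty:DeleteDetector", "guardduty:UpdateDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "securityhub:DisableSecurityHub", "securityhub:DisassociateFromAdministratorAccount",
        "s3:PutAccountPublicAccessBlock",
        "ec2:DisableImageBlockPublicAccess"
      ],
      "Resource": "*",
      "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdmin"}}
    },
    {
      "Sid": "RestrictInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.*", "m6i.*"]}}
    }
  ]
}
```

The NotAction list in BlockUnusedRegions exempts global services so that IAM, STS and Organizations calls keep working from any region; SCPs never apply to the management account, so the root-user and tamper statements only protect member accounts, which is why the Alerting branch still needs the critical alert on every root user activity.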
