【Table of contents】
- 1. Introduction
- 2. Best practices for opening an account
- 3. Best practices during service design and construction
- 4. Best practices after the service is released
- 5. Conclusion
-
1. Introduction
We're going to describe AWS security best practices, which can be found in the following white paper.
AWS Security Best Practices
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
However, since this PDF is 100 pages long, this article will describe what you need to be aware of in terms of security in the following three phases.
・Opening an account
・Service design to construction
・After the release of the service
Let's take a look at AWS security best practices.
-
2. Best practices for opening an account
Here are some best practices for opening an account.
-
a) Things to understand before opening an account
Before you open an account, understand AWS's shared responsibility model. The shared responsibility model defines the division of responsibility between AWS and the user. For example, data centers and other physical facilities are managed by AWS, so users are not responsible for them. Conversely, for IaaS such as EC2, everything from the guest OS upward is the user's responsibility, and the user must take security measures such as periodic patching.
※The shared responsibility model is described in detail below.
https://aws.amazon.com/compliance/shared-responsibility-model/
-
b) Account design
Design your account structure before you open accounts. Account design is hard to change once the service is live, so do the design first. It is recommended to split into multiple accounts, for example an audit account that collects logs and a payer account that consolidates billing, and to distribute authority across them. You can implement this account design with a service called Organizations.
-
c) Configure the root account and CloudTrail
When you open an account, a root user is issued. Once you have it, carry out the following four things.
-
・Set the MFA (Multi-Factor Authentication)
Enabling MFA largely prevents external password-guessing (dictionary) attacks against the root user.
-
・Deleting or disabling access keys and secret keys
Operating AWS from the command line requires an access key and secret key, but if these keys leak they can cause a great deal of damage. AWS recommends deleting or deactivating the root user's keys, so delete them as soon as possible after creating the account.
-
・Create an IAM user for administrators
Using the root user for day-to-day operations is not recommended. Once you have configured MFA and removed the access key, create an IAM user for administration and log back in as that IAM user.
-
・Configuration of CloudTrail
Enable CloudTrail after logging back in as the administrative IAM user. CloudTrail records the operations performed in your AWS account. For example, if your account is hijacked through unauthorized external access and operations are performed, they will all be recorded in CloudTrail.
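As an added example (not from the white paper or this article), the first three of these steps can be verified against the IAM credential report that `aws iam get-credential-report` returns; the report rows below are constructed, with a placeholder account id, and only the columns the check reads are included.

```python
import csv
import io

# Constructed sample of an IAM credential report (the CSV returned by
# `aws iam get-credential-report`, after base64 decoding). Only the columns
# this check reads are included; a real report has more.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,false,true,false
admin,arn:aws:iam::123456789012:user/admin,2023-01-01T00:10:00+00:00,true,true,false,false
deploy,arn:aws:iam::123456789012:user/deploy,2023-01-02T00:00:00+00:00,false,false,true,false
"""


def audit_credential_report(report_csv):
    """Check the account-opening steps against the credential report:
    root has MFA, root has no active access key, and IAM users have neither
    an MFA-less console login nor an active access key they may not need."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = (row["access_key_1_active"] == "true"
                      or row["access_key_2_active"] == "true")
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append("root: MFA is not enabled")
            if key_active:
                findings.append("root: an access key is still active; delete it")
        else:
            if row["password_enabled"] == "true" and row["mfa_active"] != "true":
                findings.append(f"{user}: console password without MFA")
            if key_active:
                findings.append(f"{user}: active access key; disable it unless needed")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```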
-
-
3. Best practices during service design and construction
We will describe best practices during service design and construction. Here are two basics to watch out for:
・Minimize "permission".
・Encrypt the data.
-
a) Design of the network
This section describes network design. Consider the following three points.
・Basically, use one VPC per service.
・Minimize the communication allowed in the security group.
・Scrutinize which servers you place on public and private subnets. For example, servers running critical applications should be placed in a private subnet.
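An added example, not code from the article or from AWS: a check over the output shape of `aws ec2 describe-security-groups` that flags inbound rules open to the whole Internet on anything but the public web ports, which is the same condition the "minimize the security group" point here, the "no SSH from the Internet" point under Systems Manager, and the Trusted Advisor port check all care about. The security groups below are constructed.

```python
import json

# Ports that may be open to the whole Internet; anything else reachable from
# 0.0.0.0/0 or ::/0 (SSH, RDP, database ports, or "all traffic") is flagged.
PUBLIC_OK_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SGS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
    "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}""")


def world_open_rules(sgs):
    """(group id, protocol, port range) for each inbound rule that admits the
    whole Internet on something other than the public web ports."""
    findings = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue  # only specific CIDRs or other security groups: fine
            if perm["IpProtocol"] == "-1":  # all protocols, all ports
                findings.append((sg["GroupId"], "all", "all"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if lo == hi and lo in PUBLIC_OK_PORTS:
                continue
            findings.append((sg["GroupId"], perm["IpProtocol"], f"{lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for group, proto, ports in world_open_rules(SAMPLE_SGS):
        print(f"{group}: {proto} {ports} open to the Internet")
```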
-
b) IAM
This section describes IAM. Consider the following four points.
・Disable the access key and secret key of IAM users after creating them.
・Minimize the permissions given to IAM roles and IAM users.
・When you want to give permissions to a service such as EC2, attach an IAM role.
・When linking with an external account, grant access through an IAM role that the external account assumes with AssumeRole; do not link accounts with an IAM user or access key unless there is a compelling reason.
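To make the two IAM points concrete, an added example that is not the article's or AWS's own code: a small check for Allow statements that grant every action or resource (the opposite of minimized permissions), and for cross-account AssumeRole trust policies that lack an `sts:ExternalId` condition. The policies and the account ids 111111111111 and 222222222222 are constructed placeholders.

```python
# Constructed policies; account ids 111111111111 (ours) and 222222222222
# (the external partner) are placeholders, not real accounts.
OWN_ACCOUNT = "111111111111"

TRUST_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}}]}

TRUST_WITHOUT_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}

TOO_BROAD = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-exports/*"}]}


def _as_list(value):
    # IAM accepts a single string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Indexes of Allow statements that grant every action or every resource."""
    hits = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) or "*" in _as_list(st.get("Resource", [])):
            hits.append(i)
    return hits


def external_principals_without_external_id(trust_policy, own_account=OWN_ACCOUNT):
    """AWS principals from other accounts allowed to AssumeRole without an
    sts:ExternalId condition (the protection against the confused-deputy problem)."""
    missing = []
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        for principal in _as_list(st.get("Principal", {}).get("AWS", [])):
            if own_account not in principal and "sts:ExternalId" not in cond:
                missing.append(principal)
    return missing
```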
-
c) Encryption of the data
The data you store should be encrypted. For example, if you keep critical data in EBS, RDS, or S3, enable encryption; AWS automatically rotates the encryption keys, which gives you a secure implementation. You may also want to consider using KMS.
-
d) Protection of services
Prepare for application attacks and DDoS with AWS WAF and AWS Shield; they are inexpensive and easy to put in place. Note that AWS does not currently provide an anti-malware service. If you need malware scanning, we recommend using a third-party product that provides it.
-
e) Use of Systems Manager
With Systems Manager, you can achieve the following security measures. It's a good idea to consider using it from the construction phase.
・You can access instances without using SSH, so you can configure the security group to not allow SSH from the Internet.
・You can use its function to automatically apply patches to servers.
・The user IDs and passwords for accessing RDS can be stored securely in Systems Manager, so there is no need to write them in plain text in the application.
-
f) Use of Trusted Advisor
Trusted Advisor lets you check your security groups for unwanted open ports. It's a good idea to use it as a final check before releasing the service.
-
-
4. Best practices after the service is released
We will explain security best practices after the service is released. It is important to continuously improve your security measures.
-
a) Reporting
Review the usage history of IAM users and remove unnecessary privileges, for example by deleting users who are no longer using the account. You should also consider periodically analyzing the VPC Flow Logs and blocking any suspicious IP addresses with the network ACL.
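As an added example (not from the article or AWS), the flow-log analysis suggested above, carried through: parse VPC Flow Log records in the default format, pick out sources whose connections were rejected on several different ports, and build the inbound network ACL deny entries that would block them. The log lines are constructed, with a placeholder account id.

```python
from collections import defaultdict

# Constructed VPC Flow Log records in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc 203.0.113.5 10.0.1.20 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.5 10.0.1.20 44322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.5 10.0.1.20 44323 3306 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.5 10.0.1.20 44324 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 51000 443 6 20 4100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 51001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA rows carry no addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            rec = dict(zip(FIELDS, parts))
            if rec["log_status"] == "OK":
                yield rec


def suspicious_sources(text, min_rejected_ports=3):
    """Sources whose inbound traffic was REJECTed on at least
    min_rejected_ports distinct destination ports, i.e. port-scan behaviour."""
    rejected = defaultdict(set)
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports, key=int) for src, ports in rejected.items()
            if len(ports) >= min_rejected_ports}


def nacl_deny_entries(sources, first_rule_number=100):
    """Inbound deny entries (shape of the ec2 CreateNetworkAclEntry parameters),
    one /32 per source, numbered low so they are evaluated before allow rules."""
    return [{"RuleNumber": first_rule_number + i, "Protocol": "-1",
             "RuleAction": "deny", "Egress": False, "CidrBlock": f"{src}/32"}
            for i, src in enumerate(sorted(sources))]
```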
-
-
5. Conclusion
Understanding AWS security best practices and what you need to do in each phase, from account design to after the service is released, keeps your AWS environment secure. Depending on your requirements, you should also use third-party products to implement stronger security measures.