Standard AWS Security by area for DevOps and beyond
Columns: DevOps | AWS Platform | Tools from AWS Security White Paper | Comments

- SSL, CLI, RDP, API
- Use Best Practices Templates from other projects (DevOps & Post DevOps); AMI process (2nd page); AMI build & patch; Logs & Audit; 3rd party plug-ins
- Integrated with Splunk, perhaps PAM; AMIs (2nd page)
- Elastic Beanstalk rolling patching; Instance scanning with TM; Principle of Least Privilege
- Cryptographic functions: encryption, hashing, compression; Oracle Transparent Data Encryption
- MSDN link for SQL crypto; AWS RDS for Oracle BYOB encryption
- Add to patterns
- IAM & Policies
- S3 bucket policies; Lifecycle Object Management; Signed URLs (web content) (part of setup); Route 53 failover
AWS Security White Paper related to DevOps: LINK
The key processes below need to be written out and identified with AMS. The assumption is that AMS security is similar to AWS general-platform security.
The following are quotes taken directly from the AWS Security Best Practices 2016 White Paper.
1. p. 40 Pre-built AMIs
You can build and test a pre-configured AMI to meet your security requirements.
- Disable root API access keys and secret key
- Restrict access to instances from limited IP ranges using Security Groups
- Password protect the .pem file on user machines
- Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
- Rotate credentials (DB, Access Keys)
- Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
- Use bastion hosts to enforce control and visibility
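Two of the checklist items above (restrict access to instances to limited IP ranges with security groups, and delete keys from authorized_keys when someone leaves) can be turned into routine checks. The following shell script is an added example, not code from the white paper or from AWS: it flags security-group ingress rules that open SSH or RDP to the whole internet, and removes a departed user's public key from an authorized_keys file. The TSV rule format, the security-group ids and the key lines are constructed sample data, and the step that flattens describe-security-groups output into that TSV is assumed rather than shown.

```shell
#!/bin/sh
# Added example (not from the AWS white paper): two routine checks behind the
# pre-built AMI checklist. All input is constructed so the script runs offline;
# the comments note where real data would come from.

# Constructed sample of security-group ingress rules, one per line:
#   <group-id> TAB <from-port> TAB <to-port> TAB <cidr>
# In practice you would flatten the output of
#   aws ec2 describe-security-groups --output json
# into this shape (that flattening step is assumed, not shown).
sample_ingress_rules() {
    printf 'sg-0a1b2c3d\t22\t22\t203.0.113.0/24\n'
    printf 'sg-0a1b2c3d\t22\t22\t0.0.0.0/0\n'
    printf 'sg-0a1b2c3d\t443\t443\t0.0.0.0/0\n'
    printf 'sg-0e5f6a7b\t3389\t3389\t::/0\n'
    printf 'sg-0e5f6a7b\t-1\t-1\t10.0.0.0/8\n'
}

# Print every rule (read from stdin) that exposes SSH (22) or RDP (3389), or
# all traffic (from-port -1), to the whole internet. Web ports on 0.0.0.0/0
# and admin ports limited to a known range are left alone.
flag_open_admin_ports() {
    awk -F'\t' '
        ($4 == "0.0.0.0/0" || $4 == "::/0") &&
        ($2 == -1 || ($2 <= 22 && 22 <= $3) || ($2 <= 3389 && 3389 <= $3))
    '
}

# Remove a departed user's key from an authorized_keys file.
#   $1 = path to authorized_keys   $2 = exact key comment (e.g. bob@workstation)
# Matching on the exact comment (3rd field of "type base64 comment") avoids
# removing bob@workstation-old by accident. Lines that carry a leading options
# string (from="...", command="...") shift the fields; handle those separately.
prune_authorized_keys() {
    tmp=$(mktemp) || return 1
    awk -v c="$2" '$3 != c' "$1" > "$tmp" &&
        chmod 600 "$tmp" && mv "$tmp" "$1"
}

# Constructed sample authorized_keys contents (truncated key material).
sample_authorized_keys() {
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice alice@laptop\n'
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBob bob@workstation\n'
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleCarol carol@desk\n'
}

main() {
    echo "== ingress rules exposing admin ports to the internet =="
    sample_ingress_rules | flag_open_admin_ports
    keys=$(mktemp)
    sample_authorized_keys > "$keys"
    prune_authorized_keys "$keys" bob@workstation
    echo "== authorized_keys after bob left =="
    cat "$keys"
    rm -f "$keys"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

On a real account the rule listing would be regenerated from describe-security-groups and reviewed on a schedule; the authorized_keys step is the manual part of an offboarding runbook and should go together with rotating any shared key pair the departed person had.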
2. p. 43 Bootstrapping
- After the hardened AMI is instantiated, you can edit and update security controls by using bootstrapping applications.
- Common bootstrapping applications include Puppet, Chef, Capistrano, Cloud-Init and Cfn-Init.
- You can also run custom bootstrapping Bash or Microsoft Windows PowerShell scripts without using third-party tools.
Here are a few bootstrap actions to consider:
- Security software updates install the latest patches, service packs, and critical updates beyond the patch level of the AMI.
- Initial application patches install application level updates, beyond the current application level build as captured in the AMI.
- Contextual data and configuration enables instances to apply configurations specific to the environment in which they are being launched: production, test, or DMZ/internal, for example.
- Register instances with remote security monitoring and management systems.
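As an added example (not from the white paper or from AWS), here is a minimal custom bootstrap script of the kind the list above describes, meant to be passed as EC2 user data: it applies security updates, reads the instance's Environment tag through IMDSv2 and the AWS CLI, refuses unknown environment values before they reach any configuration, writes per-environment sshd settings, and registers with a monitoring system. The tag name Environment, the sshd_config.d drop-in path, the exact hardening settings and the register-agent command are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the white paper: a minimal custom bootstrap script
# in the style of the user-data scripts mentioned above. It covers three of
# the listed actions: security patches, contextual configuration from the
# instance's Environment tag, and registration with a monitoring system.
# The Environment tag name and the register-agent command are assumptions.
set -eu

# Pick the security-update command for the package manager in use.
# $1 = "yum" or "apt". "yum --security" needs the security plugin (present on
# Amazon Linux); apt has no equivalent switch, so a full upgrade is run.
patch_command() {
    case "$1" in
        yum) echo "yum -y update --security" ;;
        apt) echo "apt-get -y update && apt-get -y upgrade" ;;
        *)   echo "unsupported package manager: $1" >&2; return 1 ;;
    esac
}

# Accept only the environment names we deploy. The tag value comes from
# outside the instance and ends up in config files, so it is never used unchecked.
validate_environment() {
    case "$1" in
        production|test|dmz|internal) return 0 ;;
        *) return 1 ;;
    esac
}

# Per-environment sshd settings (example hardening deltas; production and DMZ
# are the strictest, test keeps password auth for throwaway instances).
sshd_settings_for() {
    case "$1" in
        production|dmz) printf 'PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n' ;;
        internal)       printf 'PermitRootLogin no\nPasswordAuthentication no\n' ;;
        test)           printf 'PermitRootLogin no\nPasswordAuthentication yes\n' ;;
        *) return 1 ;;
    esac
}

# Read this instance's Environment tag via IMDSv2 and the CLI (only works on EC2,
# and needs an instance role allowed to call ec2:DescribeTags).
instance_environment() {
    token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    id=$(curl -sS -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/instance-id")
    region=$(curl -sS -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/placement/region")
    aws ec2 describe-tags --region "$region" \
        --filters "Name=resource-id,Values=$id" "Name=key,Values=Environment" \
        --query 'Tags[0].Value' --output text
}

main() {
    pm=yum; command -v apt-get >/dev/null 2>&1 && pm=apt
    sh -c "$(patch_command "$pm")"
    environment=$(instance_environment)
    validate_environment "$environment" || {
        echo "refusing unknown environment '$environment'" >&2; exit 1; }
    # drop-in needs an sshd_config with "Include /etc/ssh/sshd_config.d/*.conf"
    sshd_settings_for "$environment" > /etc/ssh/sshd_config.d/50-bootstrap.conf
    systemctl restart sshd
    # register with the monitoring system (placeholder command, not a real tool)
    /opt/monitoring/register-agent --environment "$environment" --instance "$(hostname)"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoking the script with --run performs the bootstrap; without it only the functions are defined, which is what makes them testable outside EC2. The validate_environment step is the one to keep even if everything else changes: a tag is data anyone with ec2:CreateTags can set, and here it is written into a configuration file.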
3. p. 43 Managing Patches
We recommend that you institutionalize patch management and maintain a written procedure.
While you can use third-party patch management systems for operating systems and major applications, it is a good practice to keep an inventory of all software and system components, and to compare the list of security patches installed
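The inventory-and-compare step above is easy to script once the inventory is a plain list. The following shell script is an added example, not code from the white paper or from AWS: it diffs a written-down list of required package builds against what is actually installed and returns non-zero when anything is missing, so it can gate a deployment or feed a report. The list format is an assumption and the package versions are constructed sample values; rpm -qa is the real query on RPM-based systems.

```shell
#!/bin/sh
# Added example, not from the white paper: diff a written-down inventory of
# required security patches against what is actually installed. The package
# list format is an assumption; "rpm -qa" is the real query on RPM systems.
# Package versions below are constructed sample values.

# Installed packages as name-version-release.arch, one per line (RPM systems).
installed_packages() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
}

# Constructed inventory of packages that must be present after patching.
sample_required() {
    printf 'kernel-4.14.181-142.279.amzn2.x86_64\n'
    printf 'openssl-1.0.2k-19.amzn2.x86_64\n'
    printf 'sudo-1.8.23-9.amzn2.x86_64\n'
}

# Constructed snapshot of an instance: sudo is still on an older build.
sample_installed() {
    printf 'bash-4.2.46-33.amzn2.x86_64\n'
    printf 'kernel-4.14.181-142.279.amzn2.x86_64\n'
    printf 'openssl-1.0.2k-19.amzn2.x86_64\n'
    printf 'sudo-1.8.23-4.amzn2.x86_64\n'
}

# $1 = required list file, $2 = installed list file.
# Prints required entries that are not installed; exit 0 when nothing is
# missing, 1 otherwise. Matching is exact, so a package newer than the
# inventory entry is reported too; treat that as "update the inventory".
missing_patches() {
    tmpd=$(mktemp -d) || return 1
    sort -u "$1" > "$tmpd/required"
    sort -u "$2" > "$tmpd/installed"
    # comm -23: lines present only in the first (required) file
    missing=$(comm -23 "$tmpd/required" "$tmpd/installed")
    rm -rf "$tmpd"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

main() {
    work=$(mktemp -d)
    sample_required > "$work/required"
    # on a real host: installed_packages > "$work/installed"
    sample_installed > "$work/installed"
    if missing_patches "$work/required" "$work/installed"; then
        echo "all required patches present"
    else
        echo "missing patches listed above" >&2
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Keeping the required list in version control alongside the AMI build gives the written procedure the white paper asks for a concrete artefact: each AMI revision is paired with the package set it was tested at, and the check runs against every instance, not only the golden image.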
Tutorial on how to securely share and use public AMIs: http://aws.amazon.com/articles/0155828273219400
AWS Security Centre Resources: https://aws.amazon.com/security/security-resources/