AWS Security Links and Resources

Security

AWS Cloud Adoption Framework Security Perspective https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf

AWS Security Documentation https://docs.aws.amazon.com/security/

Amazon Web Services: Overview of Security Processes

https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf-

• AWS Well-Architected Security Labs https://wellarchitectedlabs.com/Security/README.html

• Security Centre https://aws.amazon.com/security/
• Security Best Practices White Papers https://aws.amazon.com/whitepapers/aws-security-best-practices/
• AWS and the CLOUD Act https://aws.amazon.com/blogs/security/aws-and-the-cloud-act/
• Compliance Programs https://aws.amazon.com/compliance/programs/

Security Standards and Benchmarking

• Atlas – Compliance Centre https://atlas.aws
• Centre for Internet Security https://www.cisecurity.org/cis-benchmarks/ CIS Benchmarks: 100+ configuration guidelines for various technology groups to safeguard systems against cyber threats.
• SCAP Security Guide https://www.open-scap.org/security-policies/scap-security-guide/
• A SOC 1 Report (System and Organization Controls Report) https://www.ssae-16.com/soc-1/ is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting.

Secure Account Management

• AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
• AWS Services That Work with IAM https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS services grouped by their AWS product categories and include information about what IAM features they support.
• How IAM evaluates policies https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
• Policy Summaries https://aws.amazon.com/blogs/security/move-over-json-policy-summaries-make-understanding-iam-policies-easier/ Make Understanding IAM Policies Easier.
• Configuring MFA-Protected API Access https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html   provides the additional security of requiring users to be authenticated with AWS multi-factor authentication (MFA) before you allow them to perform particularly sensitive actions.
• AWS Process Credential Providers https://github.com/awslabs/awsprocesscreds process-based credential providers to be used with the AWS CLI and related tools. Includes examples for okta and adfs.
• AWS Security Hub https://aws.amazon.com/security-hub/ gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts.
• AWS Control Tower https://aws.amazon.com/controltower/ automates the set-up of a baseline environment, or landing zone, that is a secure, well-architected multi-account AWS environment.
• AWS Data-safe Cloud https://pages.awscloud.com/AWS-Data-safe-Cloud-S.html
• AWS License Manager – Manage Software Licenses and Enforce Licensing Rules https://aws.amazon.com/blogs/aws/new-aws-license-manager-manage-software-licenses-and-enforce-licensing-rules/ You can define your licensing rules, taking in to account any enterprise agreements and other terms that govern your use of the licensed software.

Encryption and Security Keys

• AWS Key Management Service Cryptographic Details https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf white paper.
• Signing AWS Requests with Signature Version 4 https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html how to create a signature and add it to an HTTP request to AWS.
• TLS 1.3: better for individuals – harder for enterprises https://www.ncsc.gov.uk/blog-post/tls-13-better-individuals-harder-enterprises – blog post from the National Cyber Security Centre.
• How to quickly launch encrypted EBS-backed EC2 instances from unencrypted AMIs https://aws.amazon.com/blogs/security/how-to-quickly-launch-encrypted-ebs-backed-ec2-instances-from-unencrypted-amis/
• Sharing an AMI with Specific AWS Accounts https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html

Firewalls and packet inspection

• Gateway Load Balancer https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer one gateway for distributing traffic across multiple virtual appliances
• Deployment models for AWS Network Firewall https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

Security Monitoring, Logging and Auditing

• Trusted Advisor https://aws.amazon.com/premiumsupport/technology/trusted-advisor/ Reduce Costs, Increase Performance, and Improve Security
• Viewing Events with CloudTrail Event History https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html
• CloudTrail Supported Services and Integrations https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html
• Validating CloudTrail Log File Integrity https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
• AWS Service Limits https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html
• Cloud Custodian https://github.com/cloud-custodian/cloud-custodian is a rules engine for managing public cloud accounts and resources
• AWS Security Incident Response Guide https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
• VPC Traffic Mirroring https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/ Capture & Inspect Network Traffic
• AWS Config Conformance Pack Sample Templates https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html

Cross-Region Replication and Failover

• S3 Cross-Region Replication https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-what-is-isnot-replicated.html – what Amazon S3 does/does not replicate after you add a replication configuration on a bucket.
• Replicating Objects Created with Server-Side Encryption (SSE) Using AWS KMS-Managed Encryption Keys https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-replication-config-for-kms-objects.html

Web Application Security

• AWS Acceptable Use Policy https://aws.amazon.com/aup/
• Guidelines for Shared Linux AMIs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html to reduce the attack surface and improve the reliability of the AMIs you create.
• Amazon Inspector FAQs https://aws.amazon.com/inspector/faqs/
• Amazon Inspector Agents https://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html
• Amazon Inspector Rules Packages for Supported Operating Systems https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages_across_os.html
• AWS Systems Manager Features https://aws.amazon.com/systems-manager/features/ and Use Cases and Best Practices https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices.html
• Recommended NACL rules for VPCs https://docs.aws.amazon.com/vpc/latest/userguide/vpc-recommended-nacl-rules.html
• Security Group Rules Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html

Data Security

• Security features of Amazon DocumentDB https://docs.aws.amazon.com/documentdb/latest/developerguide/security.html
• AWS Resource Access Manager https://docs.aws.amazon.com/ram/latest/userguide/what-is.html (AWS RAM) enables you to share your resources with any AWS account or through AWS Organizations.

Hybrid Environment Security

• The OWASP Foundation https://www.owasp.org/index.php/Main_Page
• Trend Micro Managed Rules for AWS WAF – Content Management System (CMS) https://aws.amazon.com/marketplace/pp/B0779N3B6Q
• How To Protect SSH With Fail2Ban on CentOS 7 https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-7
• AWS Marketplace: CloudLink Data Encryption https://aws.amazon.com/marketplace/pp/CloudLink-CloudLink-Data-Encryption/B00BJB0RW0
• How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
• Amazon Route 53 Resolver for Hybrid Clouds https://aws.amazon.com/blogs/aws/new-amazon-route-53-resolver-for-hybrid-clouds/

Serverless Security

• Security Overview of AWS Lambda https://d1.awsstatic.com/whitepapers/Overview-AWS-Lambda-Security.pdf