Post

How to improve your account security


TLDR

You already have one or multiple AWS accounts and you want to improve your security approach, the Well-Architected Framework (security pillar) contains a lot of information, I did a full summary here, and you may want to learn about a plan to improve your account.

I will share with you two resources to do it:

  • AWS Security Maturity Model will allow you to know the recommended actions to strengthen your security posture at every stage of your journey to the cloud
    • Contains 4 phases. The first one, quick wins, allows you fast security improvements
  • Article in the AWS security blog: The top 10 most important cloud security tips that Stephen Schmidt, Chief Information Security Officer for AWS, laid out at AWS re:Invent 2019

AWS Security Maturity Model

It is a valuable resource for reviewing the current status and improving the security of your solutions.

The classification of the different recommendations into categories depends on the cost and difficulty of implementing the security control, and the positive impact that it will achieve.

This model is updated monthly by AWS. In fact, a month after writing this article I had to update it because the model had changed and all areas of the organization had changed, although the content is the same.

The official documentation is located here

Introduction

Security Frameworks

Multiple frameworks help you design the construction of a plan to provide security to your loads in the cloud.

How to prioritize

“With so many services, security controls, and recommendations… How do I prioritize? Where do I start?”

All Quick Win recommendations can be implemented in less than a week.

quick-wins

Evolutive path

evolution-path

Phase 1. Quick Wins

Quick Wins are the first thing to focus on, controls that you could implement in an organization within a maximum of one or two weeks, and will significantly improve your security standpoint.

LevelRecommendation
Security governance- Assign Security Contacts
- Select the region(s)
Security assurance- Automate alignment with best practices using AWS Security Hub
Identity and Access management- Multi-Factor Authentication
- Avoid using Root and audit it
- Access and role analysis with IAM Access Analyzer
Thread detection- Thread Detection with Amazon GuardDuty and review your findings
- Audit API calls with AWS CloudTrail
- Remediate security findings found by AWS Trusted Advisor
- Billing alarms for anomaly detection
Vulnerability management 
Infrastructure protection- Limit Security Groups
Data prevention- Amazon S3 Block Public Access
- Analyze data security posture with Amazon Macie
Application security- AWS WAF with managed rules
Incident response- Act on Amazon GuardDuty findings

Link to the updated content and more information on each recommendation

Phase 2. Foundational

The controls and recommendations may take some more effort to implement but are very important.

LevelRecommendation
Security governance- Identify security and regulatory requirements
- Identify the most sensitive data (crown jewels)
- Cloud Security Training Plan
Security assurance- Configuration monitoring with AWS Config
Identity and Access management- Centralized user repository
– Organization Policies (SCPs)
Threat detection- Investigate most Amazon GuardDuty findings
Vulnerability management- Manage vulnerabilities in your infrastructure and perform pentesting
- Manage vulnerabilities in your application
Infrastructure protection- Manage your instances with Fleet Manager
- Network segmentation (Public/Private Networks - VPCs)
- Multi-account management with AWS Control Tower
Data protection- Data Encryption (AWS KMS)
- Backups
- Discover sensitive data with Amazon Macie
Application security- Involve security teams in development
- No secrets in your code AWS Secrets Manager
Incident response- Define Incident response playbooks
- Redundancy using multiple Availability Zones

Link to the updated content and more information on each recommendation

Phase 3. Efficient

There are some controls and recommendations that allow us to manage security efficiently.

LevelRecommendation
Security governance- Perform thread modelling
Security assurance- Create your reports for compliance (such as PCI-DSS)
Identity and Access- Privilege review (Least Privilege)
- Tagging strategy
- Customer IAM: security of your customers
Threat detection- Integration with SIEM/SOAR
- Network Flows analysis (VPC Flow Logs)
Vulnerability management- Security champion in development
Infrastructure protection- Image Generation Pipeline
- Anti-Malware/EDR
- Outbound Traffic Control
- Use abstract services (Serverless)
Data protection- Encryption in transit
Application security- WAF with custom rules
- Shield Advanced Advanced DDoS Mitigation
Incident response- Automate critical and most frequently run Playbooks
- Automate deviation correction in configurations
-Using infrastructure as Code (CloudFormation, CDK)

Link to the updated content and more information on each recommendation

Phase 4. Optimized

And finally, there are those controls and recommendations that allow you to optimize in a continuous improvement cycle, the security posture every day. It will be characterized by security controls that are often seen in more mature organizations, in terms of security or large organizations with very demanding requirements.

LevelRecommendation
Security governance- Forming a Chaos Engineering team (Resilience)
- Sharing Security work and responsibility
Security assurance 
Identity and Access management- Context-based access control
- IAM Policy Generation Pipeline
Threat detection- Amazon Fraud Detector
- Integration with additional Intelligence Feeds
Vulnerability management 
Infrastructure protection- Process standardization with Service Catalog
Data protection 
Application security- DevSecOps
- Forming a Red Team (Attacker’s Point of View)
Incident response- Automate most playbooks
- Amazon Detective: Root cause analysis
- Forming a Blue Team (Incident Response)
- Multi-region disaster recovery automation

Link to the updated content and more information on each recommendation

Complete Maturity Level

This is the complete maturity model with all the phases through all the epics.

I recommend you access to the original page to view the linkable table in the original site.

complete-maturity-level

Top 10 recommendations

These are the top 10 most important cloud security tips that Stephen Schmidt, Chief Information Security Officer for AWS, laid out at AWS re:Invent 2019.

The original article was written in the AWS blog here

  1. Configure account contacts
  2. Use multi-factor authentication (MFA)
    • is the best way to protect accounts from inappropriate access
  3. No hard-coding secrets
  4. Limit security groups
    • use AWS Config and AWS Firewall Manager to programmatically ensure that the virtual private cloud (VPC) security group configuration is what you intended
  5. Intentional data policies
    • design your approach to data classification
  6. Centralize CloudTrail logs
  7. Validate IAM roles
    • Use AWS IAM Access Analyzer
  8. Take action on findings
  9. Rotate keys
  10. Be involved in the dev cycle
    • “raise the security culture of your organization.”
This post is licensed under CC BY 4.0 by the author.