Amazon AWS network security checklist

This post presents with a few bunches of AWS network security checklist. It is basically a curated list of items that needs to checked in AWS control panel/console for improved security. Please be noted that, this checklist is tailored specifically for AWS and can be implemented only by configuring the AWS console. Other code level and server level security measures should be done seperately.

AWS network security checklist

1Enable CloudTrail logging across all AWS.
2Turn on CloudTrail log file validation.
3Enable CloudTrail multi-region logging.
4Integrate CloudTrail with CloudWatch.
5Enable access logging for CloudTrail S3 buckets.
6Enable access logging for Elastic Load Balancer (ELB).
7Enable Redshift audit logging.
8Enable Virtual Private Cloud (VPC) flow logging.
9Require multifactor authentication (MFA) to delete CloudTrail buckets.
10Turn on multifactor authentication for the “root” account.
11Turn on multi-factor authentication for IAM users.
12Enable IAM users for multi-mode access.
13Attach IAM policies to groups or roles.
14Rotate IAM access keys regularly, and standardize on the selected number of days.
15Set up a strict password policy.
16Set the password expiration period to 90 days and prevent reuseCustomer Visualforce pages with standard headers.
17Don’t use expired SSL/TLS certificates.
18User HTTPS for CloudFront distributions.
19Restrict access to CloudTrail bucket.
20Encrypt CloudTrail log files at rest.
21Encrypt Elastic Block Store (EBS) database.
22Provision access to resources using IAM roles.
23Ensure EC2 security groups don’t have large ranges of ports open.
24Configure EC2 security groups to restrict inbound access to EC2.
25Avoid using root user accounts.
26Use secure SSL ciphers when connecting between the client and ELB.
27Use secure SSL versions when connecting between client and ELB.
28Use a standard naming (tagging) convention for EC2.
29Encrypt Amazon’s Relational Database Service (RDS).
30Ensure access keys are not being used with root accounts.
31Use secure CloudFront SSL versions.
32Enable the require_ssl parameter in all Redshift clusters.
33Rotate SSH keys periodically.
34Minimize the number of discrete security groups.
35Reduce number of IAM groups.
36Terminate unused access keys.
37Disable access for inactive or unused IAM users.
38Remove unused IAM access keys.
39Delete unused SSH Public Keys.
40Restrict access to Amazon Machine Images (AMIs).
41Restrict access to EC2 security groups.
42Restrict access to RDS instances.
43Restrict access to Redshift clusters.
44Restrict access to outbound access.
45Disallow unrestricted ingress access on uncommon ports.
46Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, Remote desktop.
47Inventory and categorize all existing custom applications by the types of data stored, compliance requirements and possible threats they face
48Involve IT security throughout the development process.
49Grant the fewest privileges as possible for application users.
50Enforce a single set of data loss prevention policies across custom applications and all other cloud services.
51Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII).
Leave a Comment

View Comments

  • thank you for this awesome content. I was preparing for my exam and this helped me a lot.

Recent Posts

How to migrate from LastPass to Bitwarden

As a LastPass user, you might have noticed the changes introduced last day. The message… Read More

2 years ago

The long curated web security checklist based on OWASP

What is this web security checklist? Here is a curated web security checklist for developers… Read More

3 years ago

Penetration Testing for dummies – Part 3: Networking basics

In the last part of the blog series we have seen the history of internet… Read More

4 years ago

Penetration Testing for dummies – Part 2: Understanding web applications

Welcome back budding pen-testers. :) In the first part of the blog series we have… Read More

4 years ago

How to enable SSH on Google Cloud Compute Engine

Last day I was riddling with Evilginx, a phishing attack tool. It needs to be… Read More

4 years ago

Kali/Ubuntu stuck at blank screen; No icons, unity or gnome : Fixed

I have been using an older version of Kali Linux. I used to update occasionally.… Read More

4 years ago