AWS presigned URL vigilance
Summary
Presigned URLs are not an S3-only feature: any SigV4 request can be presigned, and whoever holds the URL can make that call, without credentials of their own, until it expires. Decide deliberately where presigned requests are acceptable and prevent or tightly constrain them for all of your resources, not just S3 (for S3 specifically, the s3:authType and s3:signatureAge bucket policy condition keys can deny query-string authentication or cap its lifetime).
Applicable to
Any account where no active measures in AWS SCPs, resource policies, or IAM policies constrain how presigned requests can be generated and used.
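The following inspector is an added example (not part of the original page) that shows why the item above says "not just S3": the query-string parameters it parses are the generic SigV4 presigned-request format, so the same parser classifies an S3 object URL and a presigned STS call. The one-hour policy threshold and both sample URLs are constructed (signatures are dummy zeros; the key ids are AWS's documented placeholders).

```python
"""Inspect SigV4 presigned URLs and flag long-lived ones.

Added example, not from the original page. The query parameters used here are the
generic SigV4 query-string authentication format, so the same parser handles S3,
STS or any other presigned AWS request. The threshold and the sample URLs below are
constructed for illustration (signatures are dummy zeros).
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed internal policy: S3 itself accepts up to 7 days (604800 s) for URLs
# signed with long-lived IAM user keys, far longer than most uses need.
MAX_ALLOWED_EXPIRES_SECONDS = 3600

# Fixed "now" so the sample results are reproducible.
AS_OF = datetime(2024, 3, 2, tzinfo=timezone.utc)


def inspect_presigned_url(url, now=None):
    """Return the signature's scope and lifetime, or None if `url` is not a
    SigV4 query-string-authenticated request."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if query.get("X-Amz-Algorithm", [None])[0] != "AWS4-HMAC-SHA256":
        return None
    # X-Amz-Credential is <key id>/<YYYYMMDD>/<region>/<service>/aws4_request;
    # parse_qs has already decoded the %2F separators.
    key_id, _date, region, service, _term = query["X-Amz-Credential"][0].split("/")
    signed_at = datetime.strptime(
        query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_in = int(query["X-Amz-Expires"][0])
    expires_at = signed_at + timedelta(seconds=expires_in)
    now = now or datetime.now(timezone.utc)
    return {
        "host": parts.hostname,
        "service": service,
        "region": region,
        "access_key_id": key_id,
        # A session token means temporary credentials: the URL dies with the session.
        "temporary_credentials": "X-Amz-Security-Token" in query,
        "signed_at": signed_at,
        "expires_at": expires_at,
        "expired": now >= expires_at,
        "exceeds_policy": expires_in > MAX_ALLOWED_EXPIRES_SECONDS,
    }


def find_violations(urls, now=None):
    """Return (host, service, reason) for each unexpired URL that outlives policy."""
    violations = []
    for url in urls:
        info = inspect_presigned_url(url, now)
        if info and not info["expired"] and info["exceeds_policy"]:
            violations.append((info["host"], info["service"],
                               f"valid for {info['expires_at'] - info['signed_at']}"))
    return violations


# Constructed samples; AKIAIOSFODNN7EXAMPLE / ASIAIOSFODNN7EXAMPLE are AWS's
# documented placeholder key ids.
DUMMY_SIG = "0" * 64
S3_URL = ("https://example-bucket.s3.us-east-1.amazonaws.com/reports/q1.pdf"
          "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
          "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240301%2Fus-east-1%2Fs3%2Faws4_request"
          "&X-Amz-Date=20240301T120000Z&X-Amz-Expires=604800"
          f"&X-Amz-SignedHeaders=host&X-Amz-Signature={DUMMY_SIG}")
# The same mechanism presigning an STS call (this is how EKS client authentication works).
STS_URL = ("https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
           "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Credential=ASIAIOSFODNN7EXAMPLE%2F20240301%2Fus-west-2%2Fsts%2Faws4_request"
           "&X-Amz-Date=20240301T120000Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host"
           f"&X-Amz-Security-Token=FwoGZXIvYXdzEXAMPLE&X-Amz-Signature={DUMMY_SIG}")

if __name__ == "__main__":
    for url in (S3_URL, STS_URL):
        print(inspect_presigned_url(url, AS_OF))
    print(find_violations([S3_URL, STS_URL], AS_OF))
```

Run over URLs pulled from proxy or application logs, this gives you the signing principal's key id, the service and region in the credential scope, and whether the lifetime exceeds your policy; the STS sample shows that a presigned request is just as possible outside S3.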
Base image used is no more than N days old
Summary
Base images can provide a wealth of security benefits, but they are point-in-time snapshots that go stale as their packages accumulate unpatched vulnerabilities. Ensure that the base image used for any new image build is sufficiently fresh (at most N days old, with N set by policy), and pin it by digest so that the image you checked is the one that gets built.
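A CI gate for the freshness rule above, as an added example that is not part of the original page: it reads the JSON that `docker image inspect` prints for the pulled base image and fails the build if the `Created` timestamp is older than the limit. The 30-day limit, the reference date and the sample inspect output are constructed; the handling of Go's zero time (`0001-01-01T00:00:00Z`, which some builders emit when no creation time is recorded) fails closed rather than treating an undated image as fresh.

```python
"""CI gate: refuse to build on a base image older than the policy allows.

Added example, not from the original page. It reads the JSON that
`docker image inspect <base image>` prints (after `docker pull`); the 30-day
limit and the sample output are constructed for illustration.
"""
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 30  # assumed policy value

# Fixed reference time so the sample results below are reproducible.
AS_OF = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_docker_timestamp(value):
    """Parse the RFC 3339 `Created` field. Docker prints up to nanosecond
    precision, which datetime.fromisoformat rejects, so trim to microseconds.
    Returns None for Go's zero time, which appears when a builder recorded no
    creation time; callers should treat that as unknown, not as fresh."""
    if value.startswith("0001-01-01"):
        return None
    value = value.rstrip("Z")
    if "." in value:
        whole, frac = value.split(".", 1)
        value = f"{whole}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def check_base_image(inspect_output, now=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Return (ok, message) for the first image in `docker image inspect` output."""
    image = json.loads(inspect_output)[0]
    # Prefer the digest: that is what the Dockerfile should pin once the check passes.
    name = (image.get("RepoDigests") or image.get("RepoTags") or [image["Id"]])[0]
    created = parse_docker_timestamp(image["Created"])
    if created is None:
        return False, f"{name}: no creation time recorded; failing closed"
    age_days = (now - created).days
    if age_days > max_age_days:
        return False, f"{name}: {age_days} days old, limit is {max_age_days}"
    return True, f"{name}: {age_days} days old"


# Constructed inspect output, trimmed to the fields the check uses.
FRESH_IMAGE = json.dumps([{
    "Id": "sha256:" + "ab" * 32,
    "RepoTags": ["debian:bookworm-slim"],
    "RepoDigests": ["debian@sha256:" + "cd" * 32],
    "Created": "2024-02-20T08:30:00.123456789Z",
}])
STALE_IMAGE = FRESH_IMAGE.replace("2024-02-20", "2023-11-01")
UNDATED_IMAGE = FRESH_IMAGE.replace("2024-02-20T08:30:00.123456789Z", "0001-01-01T00:00:00Z")

if __name__ == "__main__":
    for sample in (FRESH_IMAGE, STALE_IMAGE, UNDATED_IMAGE):
        print(check_base_image(sample))
```

In a pipeline, feed it `docker image inspect "$BASE_IMAGE"` after pulling the tag named in the Dockerfile's FROM line, and pass `now=datetime.now(timezone.utc)` instead of the fixed date.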
Deploy all resources in multiple AZs (including the load balancers)
Summary
Deploy all resources, load balancers included, across multiple availability zones so that the loss of one zone results in seamless failover rather than an outage.
Use CloudFront origin access for S3 origins
Summary
When CloudFront fronts an S3 origin, keep the bucket private and let only CloudFront read from it: in the bucket policy, allow ONLY the s3:GetObject action, and only to the specific origin access identity (OAI) used by the distribution. CloudFront now recommends origin access control (OAC) over the legacy OAI; the principle is the same, with the grant going to the cloudfront.amazonaws.com service principal and pinned to one distribution through an AWS:SourceArn condition.
Applicable to
Anyone using CloudFront with S3 as an origin.
Guardrails to prevent removal of security services/tooling
Summary
Turn on baseline security services by default (CloudTrail, AWS Config, GuardDuty, centralized logging and monitoring, IAM baselines) and prevent member accounts from disabling or deleting them, typically with a service control policy that denies the relevant actions to everyone except a break-glass role.
Applicable to
Particularly relevant when AWS Organizations is used to centrally manage multiple AWS accounts as a single entity, since that is where SCPs can be attached.
Use single sign-on for user access
Summary
Use single sign-on for user access to simplify the login process and reduce the number of long-lived credentials that need to be managed.
Prefer CDN-fronted private buckets for serving static assets
Summary
To serve static assets over the internet, keep the S3 bucket private and put a Content Delivery Network (CDN) in front of it instead of making the bucket itself public. This keeps S3 Block Public Access enabled on the bucket, gives you a single TLS-terminating edge to attach WAF rules and access logging to, and leaves the origin reachable only through the CDN's identity.
Applicable to
Only applies when you want to serve static content from an S3 bucket.
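The bucket policies for the CloudFront origin access item and this one, as an added example that is not from the original page: the weak public-read policy sits beside the legacy OAI and the current OAC forms, and `audit_bucket_policy` flags a public grant, a CloudFront grant that is not pinned to a distribution, or one that allows more than s3:GetObject. Bucket name, account id, distribution id and OAI id are placeholders, and only the StringEquals form of the AWS:SourceArn condition is modeled.

```python
"""Audit an S3 bucket policy for the static-asset pattern: public read (weak)
versus read only by your CloudFront distribution (hardened).

Added example, not from the original page. Bucket name, account id,
distribution id and OAI id are placeholders. The check looks for the
StringEquals form of the AWS:SourceArn condition that the CloudFront console
generates; other condition operators are not modeled.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-static-assets"

# Weak: the bucket itself serves the internet. This only works with Block Public
# Access switched off, and every object is fetchable by anyone who knows its key.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Legacy but still valid: read access only for one origin access identity (OAI).
OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5EXAMPLE"},
        "Action": "s3:GetObject",
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Current recommendation: origin access control (OAC). The grant goes to the
# CloudFront service principal and is pinned to one distribution ARN.
OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy):
    """Return a list of findings; empty means the policy fits the CDN-fronted
    private-bucket pattern (no public grant, CloudFront limited to GetObject
    on one pinned distribution)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        actions = sorted(a.lower() for a in _as_list(stmt.get("Action", [])))
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: grants {actions} to every principal; "
                            "make the bucket private and serve it via CloudFront")
            continue
        if isinstance(principal, dict) and "cloudfront.amazonaws.com" in _as_list(principal.get("Service", [])):
            # Condition keys are case-insensitive in IAM, so compare lowercased.
            equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
            if "aws:sourcearn" not in equals:
                findings.append(f"{sid}: CloudFront grant is not pinned with AWS:SourceArn; "
                                "a distribution in another account could use this origin")
            if actions != ["s3:getobject"]:
                findings.append(f"{sid}: CloudFront needs only s3:GetObject, not {actions}")
    return findings


if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY), ("oai", OAI_POLICY), ("oac", OAC_POLICY)):
        print(label, audit_bucket_policy(policy) or "ok")
    print(json.dumps(OAC_POLICY, indent=2))
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field, parsed as JSON) to sweep existing buckets; the OAC policy printed at the end is the shape to apply to a new static-asset bucket, with Block Public Access left on.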
Explicitly choose which AWS services to allow
Summary
Limit, via an allowlist, which AWS services your teams may use in an account, and deny everything else with a service control policy so that unreviewed services cannot be adopted quietly.
Applicable to
Account setup
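The two SCP styles from the guardrail item and this one, as an added example that is not from the original page: a deny-list policy that protects CloudTrail, Config and GuardDuty from everyone but a break-glass role, and an allowlist policy written as Deny + NotAction. The small evaluator is a simplified model (flat list of policies, only the elements these policies use) so you can see the interplay: a Deny always wins, an allowlist needs FullAWSAccess or another Allow to leave anything usable, and the ArnNotLike exemption is what keeps the security team able to act. Account id and role names are placeholders.

```python
"""Simplified SCP evaluation, for reasoning about the two policy styles below:
a deny-list guardrail that protects security tooling, and an allowlist that
denies every service not explicitly approved.

Added example, not from the original page. It models only what these policies
use: Effect, Action / NotAction, Resource "*", and ArnLike / ArnNotLike
conditions on aws:PrincipalARN. Real evaluation also walks the organization
tree (the action must be allowed at every level from root to account) and then
applies the account's own IAM policies; account id and role names are placeholders.
"""
import fnmatch

FULL_AWS_ACCESS = {  # the default SCP AWS attaches; without an Allow, everything is denied
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

PROTECT_SECURITY_SERVICES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyTamperingWithSecurityTooling",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
            "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel",
            "guardduty:DeleteDetector", "guardduty:DisassociateFromAdministratorAccount",
        ],
        "Resource": "*",
        # Exempt one break-glass role so the security team can still reconfigure.
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/SecurityBreakGlass"}},
    }],
}

ALLOWED_SERVICES_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnapprovedServices",
        "Effect": "Deny",
        # Allowlists are written as Deny + NotAction. Include the services the
        # platform itself needs (sts, iam, kms, logs, ...) or you lock yourself out.
        "NotAction": ["ec2:*", "s3:*", "iam:*", "sts:*", "kms:*", "logs:*", "cloudwatch:*",
                      "cloudtrail:*", "config:*", "guardduty:*"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _arn_like(pattern, arn):
    # ArnLike matches each of the six colon-delimited ARN components separately.
    pat, val = pattern.split(":", 5), arn.split(":", 5)
    return len(pat) == len(val) == 6 and all(fnmatch.fnmatchcase(v, p) for p, v in zip(pat, val))


def _statement_applies(stmt, action, principal_arn):
    if "Action" in stmt:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, patterns in pairs.items():
            if key.lower() != "aws:principalarn" or operator not in ("ArnLike", "ArnNotLike"):
                raise ValueError(f"not modeled: {operator} on {key}")
            matched = any(_arn_like(p, principal_arn) for p in _as_list(patterns))
            if matched != (operator == "ArnLike"):
                return False
    return True


def scp_allows(policies, action, principal_arn):
    """An explicit Deny always wins; otherwise some Allow must cover the action."""
    statements = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _statement_applies(s, action, principal_arn) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _statement_applies(s, action, principal_arn) for s in statements)


if __name__ == "__main__":
    org = [FULL_AWS_ACCESS, PROTECT_SECURITY_SERVICES, ALLOWED_SERVICES_ONLY]
    for role in ("Developer", "SecurityBreakGlass"):
        arn = f"arn:aws:iam::111122223333:role/{role}"
        for action in ("cloudtrail:StopLogging", "lambda:CreateFunction", "s3:GetObject"):
            print(f"{role:18} {action:26} {'allow' if scp_allows(org, action, arn) else 'DENY'}")
```

The two policy documents can be attached as written with `aws organizations create-policy --type SERVICE_CONTROL_POLICY`; the evaluator is only there to check the intent before you do.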
Use Systems Manager Session Manager if you need SSH
Summary
Use AWS Systems Manager Session Manager instead of opening port 22: access is authorized through IAM (and can be scoped to instances by tag), no inbound security group rule or bastion host is needed, and interactive sessions can be logged to CloudWatch Logs or S3. If tooling still needs a real SSH connection, tunnel it through the agent with the AWS-StartSSHSession document; note that Session Manager cannot record the contents of SSH or port-forwarding sessions, only that they were started.
Limit public IP addresses, centralize network access through ingress proxies
Summary
The use of public IP addresses by services running in the cloud should be restricted; route inbound traffic through a small set of centrally managed ingress points (load balancers, API gateways, proxies) so that exposure can be inventoried, protected and monitored in one place.
Defend against subdomain takeover
Summary
Tightly couple any process that creates or destroys Route 53 records to the lifecycle of the resources they point at: delete or repoint the record before tearing down its target, never after. A CNAME, Alias or A record left pointing at a deprovisioned cloud resource (an S3 website endpoint, CloudFront distribution, load balancer or released Elastic IP) is a dangling record that an attacker may be able to claim by creating a resource with the same name or address.
Applicable to
When you point DNS records to cloud infrastructure
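A dangling-record sweep for the item above, as an added example that is not from the original page: it walks a Route 53 record set and flags A, AAAA and CNAME records whose targets are cloud resources missing from an inventory of what the account owns. The record set and inventory are constructed (in practice they come from `route53 list-resource-record-sets` and the S3, CloudFront, ELB and EC2 APIs). One detail worth seeing in code: for S3 website hosting the bucket an attacker would need to create is named after the record itself, because S3 picks the bucket from the Host header, so the check compares the record name rather than the label in the CNAME target.

```python
"""Find Route 53 records pointing at cloud resources this account no longer owns.

Added example, not from the original page. The record set and the resource
inventory are constructed; in practice they come from
route53 list-resource-record-sets and from the S3, CloudFront, ELB and EC2 APIs.
Target hostname shapes follow the documented AWS endpoint formats.
"""
import ipaddress
import re

# S3 website endpoints: bucket.s3-website-REGION... or bucket.s3-website.REGION...
S3_WEBSITE = re.compile(r"^(?P<bucket>.+)\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
CLOUDFRONT = re.compile(r"^[a-z0-9]+\.cloudfront\.net$")
# Classic/ALB: name-123.REGION.elb.amazonaws.com; NLB: name-abc.elb.REGION.amazonaws.com
ELB = re.compile(r"^(dualstack\.)?[a-z0-9-]+\.(?:[a-z0-9-]+\.elb|elb\.[a-z0-9-]+)\.amazonaws\.com$")

OWNED = {  # constructed inventory of what the account currently holds
    "s3_buckets": {"www.example.com", "www-assets-prod"},
    "cloudfront_domains": {"d111111abcdef8.cloudfront.net"},
    "elb_dns_names": {"api-prod-123456789.us-east-1.elb.amazonaws.com"},
    "elastic_ips": {"198.51.100.10"},
}

RECORDS = [  # constructed, in the shape Route 53 ListResourceRecordSets returns
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "www.example.com.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "old.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old.example.com.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "cdn.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "d222222abcdef8.cloudfront.net."}},
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "api-prod-123456789.us-east-1.elb.amazonaws.com."}},
    {"Name": "legacy.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "198.51.100.99"}]},
    {"Name": "example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 inbound-smtp.us-east-1.amazonaws.com"}]},
]


def _targets(record):
    if "AliasTarget" in record:
        yield record["AliasTarget"]["DNSName"].rstrip(".").lower()
    for rr in record.get("ResourceRecords", []):
        yield rr["Value"].rstrip(".").lower()


def find_dangling(records, owned):
    """Return (record name, target, reason) for every A/AAAA/CNAME record whose
    target is a cloud resource missing from `owned`."""
    findings = []
    for record in records:
        if record["Type"] not in ("A", "AAAA", "CNAME"):
            continue
        name = record["Name"].rstrip(".").lower()
        for target in _targets(record):
            if S3_WEBSITE.match(target):
                # S3 website hosting selects the bucket from the Host header, so the
                # bucket an attacker would need to create is named after the record
                # itself, whatever label appears in the CNAME target.
                if name not in owned["s3_buckets"]:
                    findings.append((name, target, "no bucket named after this record; "
                                     "the S3 website endpoint is claimable"))
            elif CLOUDFRONT.match(target):
                if target not in owned["cloudfront_domains"]:
                    findings.append((name, target, "CloudFront distribution not in inventory"))
            elif ELB.match(target):
                if target not in owned["elb_dns_names"]:
                    findings.append((name, target, "load balancer not in inventory"))
            else:
                try:
                    ip = ipaddress.ip_address(target)
                except ValueError:
                    continue  # a hostname this sweep does not classify
                if str(ip) not in owned["elastic_ips"]:
                    findings.append((name, target, "address is not one of this account's "
                                     "Elastic IPs; verify it is still yours"))
    return findings


if __name__ == "__main__":
    for finding in find_dangling(RECORDS, OWNED):
        print(*finding, sep="\t")
```

Literal A records that point outside AWS will also show up in the last bucket of findings, so treat that part of the output as a verification list rather than a definite takeover.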
Approval for reconfiguration of sensitive resources
Summary
Require review and approval of configuration changes to any resource with production impact, rather than letting them be applied directly.
EBS volume encryption at account level
Summary
Enforce EBS volume encryption by default at the account level (it is a per-region setting, so enable it in every region you use) rather than relying on each volume being created correctly.
Applicable to
Compliance-driven environments, and any account where an unencrypted volume or snapshot would be a finding
Use application-specific roles
Summary
Use application-specific roles wherever possible, so that each role carries least-privilege permissions for one workload instead of a shared role with the superset of everyone's permissions.
Applicable to
Setting this up requires some investment, so the practice is probably more relevant for larger companies that have the basics addressed.
Avoid relying on control plane AWS calls during an application/AWS issue
Summary
Control planes prioritize consistency over availability, so during an incident the API calls that change configuration (for example Route 53 ChangeResourceRecordSets) are the ones most likely to be slow or unavailable. Set up Route 53 failover ahead of time using health checks, so that failover happens in the data plane and no API call is needed at the moment of the outage.
Applicable to
Application Availability
Protect against data deletion
Summary
Block delete calls on persistent data resources (databases, object storage, backups) by default in IAM roles, so that a mistake or a compromised role cannot wipe all your data; pair the policy with the services' own safeguards, such as S3 Versioning and RDS deletion protection.
Use reserved concurrency limits on Lambdas by default
Summary
All Lambda functions in a region share one account-level concurrency pool, so a runaway or heavily invoked function can starve the others (the noisy neighbor problem). Setting reserved concurrency on a function both caps how much of the pool it can consume and guarantees it that share.
Applicable to
When using Lambda
External-facing services must implement protections against DoS - use a WAF
Summary
External-facing services should implement protections against DoS, using a WAF with rate-based rules for application-layer floods on top of the network-layer protections the platform already provides, to ensure availability of your service(s).
IAM service users can only assume into a role which holds the actual permissions
Summary
Give IAM users (including service users) only the permission to assume roles, and put the actual permissions on those roles. Centralizing permissions on roles makes them easier to review and audit, and lets you gate the role assumption with conditions such as MFA or source IP instead of leaving standing permissions on a long-lived access key.
Uniform bucket-level access
Summary
Per-object permissions (ACLs) can create surprising access issues and should be avoided in favor of explicit policies on the bucket. In S3 this means setting Object Ownership to "Bucket owner enforced", which disables ACLs entirely so that the bucket policy is the single source of truth.