Amazon Web Services (AWS) Account Hardening Checklist

Checklist

February 23, 2018

Basic AWS Hardening Checklist

Use this checklist as a guide if the account is for individual or small team use, you are primarily concerned with usability and minimizing spend, or you are not subject to security or compliance frameworks.

  • Hedge against missed alerts by adding alternate contacts for security, billing, and operations, so that notices do not depend on a single mailbox.
  • Configure the security challenge questions that identify you as the account owner when you need to open a case with AWS Support.
  • Create an Identity and Access Management (IAM) account alias so users sign in through a consistent, recognizable URL instead of the bare account ID.
  • Use a long, randomly generated root password and store it in a password manager.
  • Attach a hardware or virtual MFA device to the root user.
  • Set a strong IAM password policy: a minimum length, mixed case, numbers and symbols, expiration, and a prohibition on reusing previous passwords.
  • At minimum, create an IAM AllUsers group that every IAM user belongs to and that grants only the least privilege needed to work in the account.
  • Create IAM users for administrators so that nobody signs in with the root credentials for day-to-day work.
  • Delete (or never create) access keys and X.509 signing certificates for the root user; root should hold no programmatic credentials at all.
  • Enable AWS Organizations, or join an existing organization, so that growth beyond a single account is governed by policy rather than by per-account configuration.
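The root-MFA, root-credential and user-MFA items above can be verified from the IAM credential report rather than by clicking through the console. The following is an added example, not part of Levvel's checklist: it parses a constructed sample of the report (the column names are the real report's; every value, user name and the account ID 123456789012 are made up) and returns the findings a reviewer would act on.

```python
import csv
import io

# Constructed sample of an IAM credential report. The real one comes from
# `aws iam generate-credential-report` followed by
# `aws iam get-credential-report --query Content --output text | base64 -d`.
# Column names are the report's own; all values below are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2018-01-10T12:00:00+00:00,not_supported,2018-02-20T08:15:00+00:00,not_supported,not_supported,false,true,2018-01-10T12:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,true,2018-01-10T12:06:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-01-11T09:00:00+00:00,true,2018-02-22T10:00:00+00:00,2018-01-11T09:00:00+00:00,2018-04-11T09:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-01-12T09:00:00+00:00,true,2018-02-21T10:00:00+00:00,2018-01-12T09:00:00+00:00,2018-04-12T09:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2018-01-13T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-01-13T09:00:00+00:00,2018-02-22T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def audit_credential_report(report_csv):
    """Return checklist findings derived from a credential report.

    Checks: the root user has an MFA device and no active access keys or
    X.509 signing certificates; every IAM user with a console password has MFA.
    Users without a console password (service accounts) are not flagged for
    MFA, because MFA cannot be enforced on access-key-only principals this way.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        active_certs = [n for n in ("1", "2") if row[f"cert_{n}_active"] == "true"]

        if user == "<root_account>":          # the report's literal name for root
            if not mfa_active:
                findings.append("root: no MFA device attached")
            for n in active_keys:
                findings.append(f"root: access key {n} is active; delete it")
            for n in active_certs:
                findings.append(f"root: X.509 signing certificate {n} is active; delete it")
            continue

        if row["password_enabled"] == "true" and not mfa_active:
            findings.append(f"{user}: console password enabled but no MFA device")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

Run it against the decoded live report instead of SAMPLE_REPORT to check a real account; an empty list means the three credential items on the list are satisfied.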

Advanced AWS Hardening Checklist

Use this checklist to establish a security baseline if you process sensitive data, are part of a large team, are subject to compliance frameworks, or must comply with enterprise security guidelines.

  • Use AWS Organizations Service Control Policies (SCPs) to deny services that are outside the scope of your compliance programs or internal policies; an SCP bounds what any principal in a member account can do, including its administrators.
  • Using the root user, create a dedicated audit key in Key Management Service (KMS) whose key policy lets CloudTrail encrypt log files with it and grants decrypt only to the principals who review the logs.
  • Create an audit CloudTrail that applies to all regions, captures read and write management events, captures S3 object-level and Lambda invocation data events, enables log file validation, and encrypts log files with the KMS audit key.
  • Enable versioning with MFA Delete on the S3 bucket that stores the CloudTrail logs, so that no object version can be permanently deleted without the root user's MFA code (MFA Delete can only be enabled by the root user, via the API or CLI).
  • Add a bucket policy to the CloudTrail log bucket that denies every request made without TLS (aws:SecureTransport is false), so the logs can never be read or written in plaintext.
  • Send CloudTrail events to a CloudWatch Logs log group and build metric filters and alarms for suspicious or abnormal activity, e.g., root sign-ins, console sign-ins without MFA, unauthorized API calls, and changes to IAM, CloudTrail, KMS, or S3 bucket policies.
  • Attach an IAM policy to the AllUsers group that denies every action except MFA self-enrollment (and sts:GetSessionToken) while the request carries no MFA, so users cannot reach other AWS services until they have enabled MFA.
  • Attach an IAM policy to the AllUsers group that denies access to the audit CloudTrail, the KMS audit key, the S3 bucket holding the CloudTrail logs, and your Organizations roles, so ordinary users can neither read nor tamper with the audit trail.
  • Consider enabling AWS Single Sign-On (SSO) to allow federated login from your external identity provider (IdP), e.g., Active Directory, so users authenticate once, centrally, instead of holding separate IAM passwords.
  • Enable AWS Config rules that continually audit your footprint and flag drift from this baseline, e.g., CloudTrail disabled, root access keys present, users without MFA, or S3 buckets readable by the public.
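The force-MFA group policy and the TLS-only bucket policy above are the two items most often written subtly wrong, so the following added example (not part of Levvel's checklist) spells both documents out and runs them through a small policy evaluator for a handful of request contexts. The account ID 123456789012, the user names alice and bob, and the bucket name example-audit-logs are placeholders; the evaluator implements only the subset of IAM's logic needed here (Action/NotAction, Resource with ${aws:username}, Bool/StringEquals conditions with the IfExists variant, explicit Deny wins) and is not AWS's implementation.

```python
import fnmatch
import json

# Added example, not from the checklist. Both documents follow AWS's published
# patterns for these controls; names and IDs are placeholders. The evaluator is a
# toy: "ImplicitDeny" means this policy neither allowed nor denied the request,
# so whatever other policies are attached decide the outcome.

SELF_SERVICE_MFA_ACTIONS = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                            "iam:ListMFADevices", "iam:ResyncMFADevice", "iam:GetUser"]

FORCE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOwnMFASetup", "Effect": "Allow",
         "Action": SELF_SERVICE_MFA_ACTIONS,
         "Resource": ["arn:aws:iam::*:mfa/${aws:username}",
                      "arn:aws:iam::*:user/${aws:username}"]},
        {"Sid": "DenyEverythingElseWithoutMFA", "Effect": "Deny",
         # sts:GetSessionToken lets an access-key user obtain an MFA-backed session.
         "NotAction": SELF_SERVICE_MFA_ACTIONS + ["sts:GetSessionToken"],
         "Resource": "*",
         # Requests signed with long-term access keys carry no
         # aws:MultiFactorAuthPresent key at all; IfExists keeps the deny in force.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

TLS_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPlaintextRequests", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-audit-logs", "arn:aws:s3:::example-audit-logs/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcards: '*' and '?' match anything, including '/' and ':'.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_met(condition, ctx):
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base not in ("Bool", "StringEquals"):
            raise ValueError(f"operator {operator} not supported by this toy evaluator")
        for key, expected in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue       # absent key counts as a match for ...IfExists
                return False       # absent key never matches a plain operator
            if str(ctx[key]).lower() not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Evaluate one policy document: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        action_hit = (_matches(st["Action"], action) if "Action" in st
                      else not _matches(st["NotAction"], action))
        resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                     for r in _as_list(st["Resource"])]
        if action_hit and _matches(resources, resource) and _condition_met(st.get("Condition", {}), ctx):
            if st["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def weaken_to_plain_bool(policy):
    """The common mistake: Bool instead of BoolIfExists in the deny statement."""
    weak = json.loads(json.dumps(policy))
    weak["Statement"][1]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return weak


def mfa_scenarios():
    console_no_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
    console_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    access_key = {"aws:username": "alice"}      # long-term key: condition key absent
    own_mfa = "arn:aws:iam::123456789012:mfa/alice"
    other_mfa = "arn:aws:iam::123456789012:mfa/bob"
    weak = weaken_to_plain_bool(FORCE_MFA_POLICY)
    return {
        "enroll_own_device_without_mfa": evaluate(FORCE_MFA_POLICY, "iam:EnableMFADevice", own_mfa, console_no_mfa),
        "enroll_other_users_device_without_mfa": evaluate(FORCE_MFA_POLICY, "iam:EnableMFADevice", other_mfa, console_no_mfa),
        "list_buckets_without_mfa": evaluate(FORCE_MFA_POLICY, "s3:ListAllMyBuckets", "*", console_no_mfa),
        "list_buckets_with_mfa": evaluate(FORCE_MFA_POLICY, "s3:ListAllMyBuckets", "*", console_mfa),
        "list_buckets_with_access_key": evaluate(FORCE_MFA_POLICY, "s3:ListAllMyBuckets", "*", access_key),
        "list_buckets_with_access_key_plain_bool": evaluate(weak, "s3:ListAllMyBuckets", "*", access_key),
    }


def tls_scenarios():
    obj = "arn:aws:s3:::example-audit-logs/AWSLogs/123456789012/CloudTrail/us-east-1/log.json.gz"
    return {
        "get_over_http": evaluate(TLS_ONLY_BUCKET_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        "get_over_https": evaluate(TLS_ONLY_BUCKET_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "true"}),
    }


if __name__ == "__main__":
    print(json.dumps({"mfa": mfa_scenarios(), "tls": tls_scenarios()}, indent=2))
```

The point the scenarios make: with BoolIfExists, a request signed with plain access keys is denied just like an MFA-less console session, whereas the same statement written with Bool never fires for access keys because the condition key is simply absent, which is exactly the bypass the item is meant to close. A user who has not yet enrolled can still enable a device on their own user (Allow) but not on anyone else's (the deny does not fire, but nothing allows it either). The TLS statement explicitly denies the plaintext request and stays silent on the TLS one; in the real log bucket it sits alongside CloudTrail's own allow statements (s3:GetBucketAcl on the bucket and s3:PutObject with the bucket-owner-full-control ACL condition), which this toy does not model.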

About Levvel

Levvel’s Cloud Practice combines decades of traditional architecture, development, security, and infrastructure experience with a complete mastery of available and emerging cloud offerings. Our client-centric approach focuses first on understanding your business needs and goals, then selecting the right cloud technology to make you efficient, agile, and scalable. We tailor custom solutions to fit within your business processes, simultaneously reducing TCO and downtime while increasing productivity, security, ROI, and speed to market. For more information, contact hello@levvel.io.

Authored By

Justin Garrick


© Levvel & Endava 2023