Hal yang perlu dilakukan untuk memastikan keamanan minimum di lingkungan AWS anda

Pada kali ini, sesuai dengan topik diatas, banyak interaksi saya dengan pelanggan yang berkonsultasi mengenai bagaimana memastikan kemananan lingkungan AWS mereka secara minimum.

Sebenarnya mekanisme ini dibahas lebih detail dengan me-refer pada dokumen-dokumen sebagai berikut https://awssecworkshops.com/, https://wellarchitectedlabs.com/security/, https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf dan lain-lain.

Secara garis besar, topik-topik minimum yang perlu kita lakukan adalah:

  • Asset Management
  • Identity & Access Control
  • Detective Controls
  • Data Protection
  • Infrastructure Protection
  • Incident Response
  • Top 12 Controls for Start!

Mari kita bahas satu persatu, yaitu:

  • Asset Management
  1. All accounts must have accurate account contact information (billing, operations, security)
  2. All accounts must be enrolled in the AWS Organization structure for centralized management
  3. Use AWS Config for inventory management (AWS Resources)
  4. Use AWS Systems Manager Inventory to inventory software and apps
  • Identity & Access Control
  1. Enable SSO to access your AWS accounts (AWS SSO, Third-Party, or Onpremises IdP)
  2. All console access must have multi-factor authentication enforced
  3. Strong password policy must be enforced
  4. Long term access keys should be replaced with temporary credentials (IAM Assume Role)
  5. Long term access keys if required should be rotated regularly
  6. Users should have their own accounts. No shared user accounts
  7. Users should have permissions appropriate for their job role
  8. AWS IAM roles should be validated frequently (Review permissions)
  • Detective Controls
  1. Enable Multi-region CloudTrails
  2. Enable Amazon GuardDuty
  3. Enable IAM Access Analyzer
  4. Enable Amazon S3 access logs
  5. Enable AWS Security Hub (Enable applicable compliance standard: Security Foundations, PCI-DSS, CIS Benchmark)
  6. Leverage and integrate Trusted Advisor findings
  7. Optional: Enable VPC Flow Logs
  8. Centralize all logs (Cloudtrail, config, GuardDuty, SecurityHub, VPC Flow Logs) to SOC and review and action on alerts
  9. Act on alerts – what do you do when GuardDuty triggers a ‘high’?
  • Data Protection
  1. Data-at-rest is encrypted (KMS)
  2. Data-in-transit is encrypted (TLS + ACM)
  3. Backups are restored in secure non-deletable locations (WORM)
  4. Certificates are managed appropriately and renewed before expiry (Leverage ACM)
  5. Resources are private (S3, EBS Snapshots and Volumes, RDS Snapshots, etc)
  6. Public S3 buckets are denied by default at an account level
  7. Public S3 buckets that are required are whitelisted and reviewed for sensitive content, frequent attestation.
  8. Secrets/keys/tokens should not be hard-coded. Use AWS Secrets Manager to store application/database secrets.
  • Infrastructure Protection
  1. Patch your resources frequently (Optional: Use AWS Systems Manager to do this)
  2. Vulnerability scan compute resource frequently (Amazon Inspector if available, Nessus/Qualys)
  3. Security Groups should be limited to only required flows (inbound and outbound)
  4. Internet facing applications are protected by WAF and Shield
  5. Internet facing applications leverage Route53 for DNS
  6. Internet facing applications leverage CloudFront for CDN
  7. Management services (SSH, RDP, etc) are not exposed to Internet
  8. Private resources must be in a private subnet with Internet access only provided via Nat Gateway
  9. Optional: Resources connect out to the Internet via egress filtering/proxy to inspect traffic (Sophos UTM, Palo Alto, etc)
  10. Optional: Use AWS Systems Manager (Session Manager) to access production servers if ever needed. System Manager logs all commands executed on the production host to be reviewed by the security team.
  • Incident Response
  1. All AWS accounts have read-only infosec role created and granted to infosec team
  2. All AWS accounts have break-glass admin infosec role created for emergency incident response
  3. All AWS accounts/workloads have IR and BCP plans documented and regularly tested
  4. Incident alerting thresholds are established (CloudWatch Alarms, GuardDuty)
  • Top 12 Domain Controls untuk memulai mengamankan AWS anda
  1. Asset >> Management All accounts must have accurate account contact information (especially for security)
  2. Identity >> All console access must have multi-factor authentication enforced
  3. Identity >> Long term access keys should be replaced with temporary credentials (IAM Assume Role)
  4. Detective >> Enable Multi-region CloudTrails
  5. Detective >> Enable Amazon GuardDuty
  6. Detective >> Enable Security Hub (Security Foundations Benchmark)
  7. Detective >> Act on alerts – get the alerts from detective controls to the right people as fast as possible
  8. Data Protection >> Data-at-rest is encrypted (KMS)
  9. Data Protection >> Public S3 buckets are denied by default at an account level
  10. Infrastructure Sec >> Patch your systems frequently
  11. Infrastructure Sec >> Vulnerability scan your compute and application resources frequently
  12. Incident Response >> Develop an incident response runbook for your application

Kind Regards,
Doddi Priyambodo

Leave a Reply