11 AWS Cloud Security Best Practices

Upload: truongtram

Post on 26-May-2018



GET CLOUD FIT

DISABLE ROOT ACCOUNT API ACCESS KEY
Create IAM admin users. At least 2, no more than 3 per IAM group.
Grant access to billing information and tools.
Disable/Remove the default AWS root user API access keys.

ENABLE MFA TOKENS EVERYWHERE
Rotating passwords too often: BAD
Using overly complicated passwords no one remembers: BAD
Using Multi-factor Authentication: GOOD

REDUCE IAM USERS WITH ADMIN RIGHTS
How much access does any particular user or application need in order to perform needed tasks?
What is the risk if the key is lost or compromised?
Is there intellectual property or financial data somewhere in that equation?
Could the result impact my revenue or reputation?

USE ROLES FOR AWS EC2
Reduce the surface area of attack.
Temporary authentication credentials.
Auditable activity with CloudTrail.
Automatically generated authentication credentials.
Limited privilege.

DO NOT ALLOW 0.0.0.0/0 UNLESS YOU MEAN IT
Only allow access from the origin IP and port where you will admin your instance from.
Only turn this on when needed and remove it when not.
This can all be scripted, and if you are going through the steps to admin an instance, you should factor in turning remote access on and off, "only when needed."

STRENGTHEN S3 BUCKETS
Don't let your S3 Buckets atrophy. Ensure they are configured properly and don't allow global access to view, list, delete or put content.

CLOUDTRAIL & ENCRYPTION
Let's make this simple:
Logging, Logging, LOGGING.
Encrypt, Encrypt, ENCRYPT.

USE AUTOSCALING TO COUNTER DDOS

USE IAM ROLES WITH AWS STS

LEAST PRIVILEGE
Only give minimal rights to do things on AWS... just what is needed to accomplish tasks or actions. This applies to:
IAM Users
IAM Groups
IAM Roles / Instance Profiles
Applications or Scripts

ROTATE ALL KEYS REGULARLY
Rotate ALL credentials, passwords, and API access keys on a regular basis.
Become more secure AND simplify management.
Think of it as one of the cheapest and most effective insurance policies on the AWS cloud.

Evident.io is the pioneer and leader in security and compliance automation for public cloud. The Evident Security Platform (ESP) enables organizations of all sizes to proactively manage cloud security risk — minimizing attack surface and improving overall security posture, all from a single dashboard.

ESP continuously monitors an organization's entire cloud footprint for AWS and Azure, identifying and assessing security risks, providing security staff with expert remediation guidance, and enabling painless security auditing and compliance reporting. Built on Amazon Web Services APIs, ESP is agent-less and can be deployed to even the most complex environments in minutes.

7901 STONERIDGE DR., SUITE 150, PLEASANTON, CA 94588 • (855) 933-1337

COPYRIGHT © 2018 EVIDENT.IO, INC. ALL RIGHTS RESERVED.
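For the "DO NOT ALLOW 0.0.0.0/0 UNLESS YOU MEAN IT" practice above, here is an added audit example (not code from the Evident.io infographic or its product) that lists security-group ingress rules reachable from anywhere. The input mirrors the shape of `aws ec2 describe-security-groups` output; the sample groups are constructed, and which ports count as intentionally public is an assumption supplied by the caller.

```python
from typing import Iterable

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (the SecurityGroups list); not taken from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # -1 = every protocol and every port
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" sources for IPv4 and IPv6


def port_span(perm: dict) -> tuple:
    """(from, to) ports of one permission entry; protocol -1 means all."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_rules(groups: Iterable[dict], public_ports: Iterable[int] = ()) -> list:
    """Ingress rules open to the whole internet, except spans made up only
    of ports the caller declares intentionally public ("you mean it")."""
    allowed = set(public_ports)
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
            sources |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if not sources & WORLD:
                continue  # restricted to specific CIDRs: fine
            lo, hi = port_span(perm)
            if all(p in allowed for p in range(lo, hi + 1)):
                continue  # whole span is intentionally public
            findings.append({"GroupId": sg["GroupId"], "Protocol": perm["IpProtocol"],
                             "Ports": f"{lo}-{hi}" if lo != hi else str(lo),
                             "Sources": sorted(sources & WORLD)})
    return findings


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_GROUPS, public_ports={80, 443}):
        print(finding)
```

Pointing the function at a saved `describe-security-groups` JSON dump, with the ports you deliberately expose passed as `public_ports`, turns the rule of thumb into a repeatable check.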