This guide lists resources for setting up a new AWS account. It includes customizable configuration items and guides for setting up IAM, logging & monitoring, encryption, network security, cost & usage monitoring, EC2 security, backups, and more.
A root user is created by default with every AWS account. Do not use the root user for day-to-day operations; reserve it for the few tasks that require it (billing, support contract changes, account closure). For everything else, use IAM.
The first step should be to enable MFA on the root user and to make sure no root access keys exist (delete any that do). IAM users can then be configured with granular IAM policies to govern their access, or AWS SSO can be used instead (especially in multi-account environments).
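One way to verify the root-user hardening above without clicking through the console is to audit the IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded). The check below is an added example, not part of the original guide; it parses a constructed report embedded inline (column names match the real report, the rows are made up) and flags root MFA, root access keys, and console users without MFA.

```python
import csv
import io

# Constructed credential report: real column layout, fictitious rows.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-10T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-05T00:00:00+00:00,true,2024-01-09T12:00:00+00:00,2023-12-01T00:00:00+00:00,2024-03-01T00:00:00+00:00,true,true,2023-12-01T00:00:00+00:00,2024-01-09T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-02-02T00:00:00+00:00,true,no_information,2022-02-02T00:00:00+00:00,2022-05-02T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"  # the literal user name the report uses for the root user


def audit_credential_report(report_csv):
    """Return a sorted list of (user, issue) findings from a credential report CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        key_active = (row["access_key_1_active"] == "true"
                      or row["access_key_2_active"] == "true")
        if user == ROOT:
            # Root cannot be locked down by policy, so MFA and "no keys" are the only controls.
            if not has_mfa:
                findings.append((user, "root user has no MFA enabled"))
            if key_active:
                findings.append((user, "root user has an active access key"))
        elif row["password_enabled"] == "true" and not has_mfa:
            # Console password without MFA: phishable credential.
            findings.append((user, "console password enabled without MFA"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

Feed it the decoded `Content` field of the real report; the logic is the same. The example deliberately does not call AWS so it runs offline.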
AWS Budgets lets you set custom cost and usage budgets and alerts you by email or SNS notification when actual or forecasted cost or usage exceeds a threshold you define:
Another option is to use CloudWatch to set up billing alarms for notifications when an AWS bill reaches a specific threshold:
Ensure governance, compliance, operational auditing, and risk auditing of AWS accounts by configuring AWS CloudTrail and AWS Config:
CloudTrail and Config store their logs in S3 buckets. CloudTrail can additionally forward events to a CloudWatch Logs log group, which enables searching and alerting through CloudWatch metric filters and alarms.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing CloudTrail, VPC Flow Log and DNS Log activity in an AWS Account.
AWS WAF helps protect internet-facing applications and API endpoints. AWS WAF integrates with CloudFront, Application Load Balancers, and API Gateway to inspect (and optionally block) requests deemed malicious. Use the AWS Managed Rules package to get started, or one of the partner-managed rule packages (e.g. F5, Imperva, Fortinet).
AWS provides several services to help monitor configuration and ensure compliance with security standards and best-practices:
Configure AWS CloudWatch Events (now Amazon EventBridge) to send real-time notifications for security events and findings from the security and compliance services you enable (GuardDuty, Security Hub, Trusted Advisor, Config Rules, etc.).
Additional notifications can be configured with CloudWatch Alarms on metric filters that match specific CloudTrail events in the environment (for example root-user activity, console logins without MFA, or unauthorized API calls).
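The metric-filter patterns behind those alarms are plain field comparisons on CloudTrail records. The example below is added here and is not part of the original guide: it implements the three CIS AWS Foundations Benchmark filter patterns (root usage, console login without MFA, unauthorized API calls) as Python predicates and runs them over constructed CloudTrail records, so you can see which events each alarm would fire on before creating the metric filters in CloudWatch Logs.

```python
# Constructed CloudTrail records containing only the fields the rules inspect.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventType": "AwsApiCall", "eventName": "CreateUser",
     "userIdentity": {"type": "Root"}},
    # Root acting on behalf of an AWS service: excluded by the invokedBy check.
    {"eventID": "e2", "eventType": "AwsApiCall", "eventName": "PutEvaluations",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventID": "e3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e6", "eventType": "AwsApiCall", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole"},
     "errorCode": "AccessDenied"},
]


# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
def is_root_usage(event):
    ui = event.get("userIdentity", {})
    return (ui.get("type") == "Root"
            and "invokedBy" not in ui
            and event.get("eventType") != "AwsServiceEvent")


# { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
def is_console_login_without_mfa(event):
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


# { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
def is_unauthorized_api_call(event):
    code = event.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


RULES = {
    "RootUsage": is_root_usage,
    "ConsoleLoginWithoutMFA": is_console_login_without_mfa,
    "UnauthorizedAPICalls": is_unauthorized_api_call,
}


def evaluate(events):
    """Map each rule name to the eventIDs that would increment its metric."""
    return {name: [e["eventID"] for e in events if match(e)]
            for name, match in RULES.items()}


if __name__ == "__main__":
    for rule, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

The comment above each predicate is the CloudWatch Logs filter pattern it mirrors; if you change the logic here, change the pattern you deploy to match.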
AWS services such as S3 (Block Public Access) and EMR (block public access configuration) provide account-level settings that prevent public access from being granted. For other services, set up Config rules to detect resources that allow public access:
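To see what such a detection actually has to look for, the added example below (not from the original guide) classifies an S3 bucket policy the way a public-access Config rule would: an Allow statement whose principal is the wildcard (`"*"` or `{"AWS": "*"}`) is public unless a Condition narrows it. The policies are constructed for the example, and the classification is a simplification of the AWS evaluation (for instance, NotPrincipal is not handled and any Condition is just marked for review rather than analysed).

```python
import json

# Constructed policies with placeholder bucket and account identifiers.
PUBLIC_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
OAI_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
VPCE_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})


def _principals(principal):
    """Flatten the Principal element into a list of principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def classify_bucket_policy(policy_json):
    """Return 'public', 'review' (wildcard principal limited by a Condition) or 'private'."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be written without a list
        statements = [statements]
    worst = "private"
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            worst = "review"           # anyone can match, but only under the condition
        else:
            return "public"            # anyone, unconditionally
    return worst


if __name__ == "__main__":
    for name, doc in [("PUBLIC_READ", PUBLIC_READ), ("OAI_ONLY", OAI_ONLY), ("VPCE_ONLY", VPCE_ONLY)]:
        print(f"{name}: {classify_bucket_policy(doc)}")
```

Treat "review" as a finding too: a wildcard principal restricted by `aws:SourceVpce` is fine, but one restricted only by, say, `aws:Referer` is effectively public.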
AWS provides encryption-at-rest options and key management (AWS KMS) to support the encryption process. Use KMS to create customer-managed keys for encrypting AWS resources, so that key policies and usage logs stay under your control.
Some services also have account-level defaults: EC2 offers EBS encryption by default, a per-region setting that encrypts every newly created EBS volume and snapshot copy.
In new AWS accounts, it is recommended to delete the default VPC, and create new VPCs with separate subnet tiers for public and private resources, and utilize multiple availability zones (AZs) for high availability. Build a custom VPC that fits your environment using the following templates:
Define security groups to govern network access within the VPC. Security groups are stateful allow-lists keyed on protocol, port range, and source (a CIDR or another security group); there are no deny rules, and return traffic for an allowed connection is permitted automatically. For an additional layer, use Network Access Control Lists (NACLs) to allow or deny traffic at the subnet level. NACLs are stateless and evaluated in ascending rule-number order with the first match winning, so return traffic on ephemeral ports must be allowed explicitly and a broad deny with a low number will shadow a narrower allow with a higher one.
Choose from one of the following predefined templates to deploy security groups and NACLs (or build custom ones) into an existing VPC:
Add intrusion prevention (Suricata-compatible stateful rules), domain/URL filtering, and rate-limiting rule capabilities by deploying AWS Network Firewall in a VPC:
AWS provides capabilities to log network activity for resources deployed in VPCs using the following options:
Use AWS SSM Session Manager or EC2 Instance Connect to access EC2 instances without relying on long-lived SSH keys or open inbound ports, and to provide an audit trail of who accessed which instance. Session Manager can also log the full session transcript to CloudWatch Logs or S3:
Both services use IAM for authentication (which can be federated to Active Directory or other providers), and CloudTrail for audit logging.
Set up automated vulnerability scanning (Amazon Inspector) and patching (Systems Manager Patch Manager) for EC2 instances so they are assessed against the latest vulnerabilities and receive patches on a regular schedule: