AWS Account Setup Guide

This guide lists resources for setting up a new AWS account. The guide includes customizable configuration items and guides for setting up IAM, logging & monitoring, encryption, network security, cost & usage monitoring, EC2 security, backups, and more.


Identity & Access Management

A root user is created by default with an AWS account. It is recommended to not use the root user for operations other than billing or support contract modifications. For all other operations, IAM should be used.

The first step should be to enable MFA on the root user to ensure its security. IAM Users can be configured with granular IAM policies to govern their access in the environment, or AWS SSO can be utilized (especially in multi-account environments).

Enable MFA on Root Account
External: Solution/Guide
This documentation page shows how to enable MFA for the root user account (instructions support both hardware and virtual tokens).
How to Create your First IAM Admin User and Group
External: Solution/Guide
This documentation page shows how to create an IAM administrator user and group. The same documentation page also shows how to create delegated IAM users.
How to Enable MFA for IAM Users in AWS
External: Solution/Guide
This documentation page lists the steps for enabling different types of MFA devices for IAM users.
How to Create and Manage Users within AWS Single Sign-On
External: Solution/Guide
This blog post shows how to manage users and groups within AWS SSO and grant them permissions to multiple AWS accounts. It also covers how users sign into the user portal to access their assigned AWS accounts.
Custom IAM Policy Templates
Collection
A repository of customizable IAM policies for various AWS services

Cost and Usage

AWS Budgets allows you to set custom budgets to track your cost and usage from the simplest to the most complex use cases. With AWS Budgets, you can choose to be alerted by email or SNS notification when actual or forecasted cost and usage exceed your budget threshold:

AWS Cost Budget with Notification
Configuration Item
Add to Stack
AWS Budgets provides the ability to set custom budgets that can alert when costs exceed (or are forecasted to exceed) the budgeted amount. A notification has been configured when the actual costs exceed 80% of the budget (default is 1000 USD).

Another option is to use CloudWatch to set up billing alarms for notifications when an AWS bill reaches a specific threshold:

AWS Billing CloudWatch Alarm
Configuration Item
Add to Stack
A CloudWatch Alarm that triggers when the AWS bill reaches the specified threshold.

Logging

Ensure governance, compliance, operational auditing, and risk auditing of AWS accounts by configuring AWS CloudTrail and AWS Config:

  • AWS CloudTrail provides event-history of an AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.
  • AWS Config tracks changes in configurations and relationships between AWS resources and provides detailed resource configuration histories. Config can also be used for overall configuration compliance using Config Rules.

CloudTrail and Config store their logs in S3 buckets. CloudTrail also provides an option to forward logs to a CloudWatch Log Group, which allows for better search capability and for notifications built on CloudWatch metric filters and alarms.

Enable AWS CloudTrail with CloudWatch Logs Integration
Configuration Item
Add to Stack
Configuration to enable AWS CloudTrail including configuration to stream CloudTrail events to CloudWatch Logs.
Enable AWS Config
Configuration Item
Add to Stack
Configuration to enable AWS Config, including supporting configuration such as S3 buckets and IAM roles as required.
Using Amazon CloudWatch Features (Log Insights, Contributor Insights and Metric Filters) to Analyze CloudTrail logs
External: Solution/Guide
This post shows how to ingest AWS CloudTrail log data into Amazon CloudWatch Logs to monitor AWS account activity for security threats and to build a governance framework around security best practices. It also shows how to analyze trail event data in CloudWatch using features such as Logs Insights, Contributor Insights, metric filters and CloudWatch Alarms.
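The metric-filter approach above is easiest to understand when you see the same checks applied to raw CloudTrail records. The following is an added example written for this guide, not code from the guide or from AWS: it loads a CloudTrail delivery file, applies three detections that mirror the intent of the well-known CIS AWS Foundations Benchmark metric filters (root account usage, console sign-in without MFA, unauthorized API calls), and returns the per-check counts that the corresponding CloudWatch metrics would carry. The account ID, user names and IP addresses in the sample records are constructed.

```python
"""Flag security-relevant CloudTrail events in a batch of records.

Added example for this guide (not code from the guide or from AWS). The
three predicates mirror the CIS AWS Foundations Benchmark CloudWatch metric
filters; the sample records are constructed and trimmed to the fields used.
"""
import json

# Constructed sample CloudTrail records (account ID, names and IPs are made up).
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.9"},
    {"eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.9"},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "192.0.2.5"},
    {"eventName": "PutObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "config.amazonaws.com"},
     "sourceIPAddress": "config.amazonaws.com"},
]


def is_root_activity(rec):
    """Metric filter equivalent:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }"""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(rec):
    """Metric filter equivalent:
    { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_unauthorized_call(rec):
    """Metric filter equivalent:
    { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = rec.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


CHECKS = {
    "RootAccountUsage": is_root_activity,
    "ConsoleLoginWithoutMFA": is_console_login_without_mfa,
    "UnauthorizedAPICall": is_unauthorized_call,
}


def scan_records(records):
    """Return {check_name: [matching records]} from a single pass over the batch."""
    hits = {name: [] for name in CHECKS}
    for rec in records:
        for name, predicate in CHECKS.items():
            if predicate(rec):
                hits[name].append(rec)
    return hits


def metric_counts(records):
    """Per-check counts: the values a CloudWatch metric filter would publish."""
    return {name: len(recs) for name, recs in scan_records(records).items()}


def load_trail_file(text):
    """CloudTrail delivers files as {"Records": [...]} JSON; a bare list is also accepted."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


if __name__ == "__main__":
    for name, recs in scan_records(SAMPLE_RECORDS).items():
        for rec in recs:
            who = rec["userIdentity"].get("userName", rec["userIdentity"]["type"])
            print(f"{name}: {rec['eventName']} by {who} from {rec['sourceIPAddress']}")
```

Run it as a script to print one line per hit; in production you would wire the same predicates to a CloudWatch metric filter on the CloudTrail log group and alarm on a non-zero sum, which is exactly what the configuration items in this section set up.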

Threat Detection

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing CloudTrail, VPC Flow Log and DNS Log activity in an AWS Account.

Amazon GuardDuty
Configuration Item
Add to Stack
Configuration to enable Amazon GuardDuty.
Alert on Amazon GuardDuty Findings with CloudWatch Events
Configuration Item
Add to Stack
A CloudWatch Event Rule that triggers on Amazon GuardDuty findings.
Configuration Package: Amazon GuardDuty with Alerting and Compliance Checks
Configuration Package
A configuration package to enable Amazon GuardDuty in an AWS account as well as email notifications for GuardDuty findings (using a CloudWatch Event Rule), and an AWS Config Rule to verify that GuardDuty is continuously enabled.

AWS WAF helps protect internet-facing applications and API endpoints. AWS WAF integrates with CloudFront, Load Balancers, and API Gateway to inspect (and optionally drop) traffic deemed malicious. Use the AWS Managed Rules package to get started, or one of the partner-managed rule packages (e.g. F5, Imperva, Fortinet).

AWS WAF Configuration Templates
Collection
A collection of AWS Security controls for AWS WAF. Configuration items include templates to set up AWS Managed Rules for AWS WAF Rules in an AWS account to protect CloudFront, API Gateway and ALB resources.
How to use AWS Managed Rules for AWS WAF
External: Solution/Guide
This blog post introduces AWS Managed Rules for AWS WAF that helps you protect your applications without needing to create or manage the rules directly.

Compliance

AWS provides several services to help monitor configuration and ensure compliance with security standards and best practices:

  • AWS Security Hub runs automated, continuous security checks based on industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark, AWS Foundational Security Best Practices and Payment Card Industry Data Security Standard (PCI DSS)
  • AWS Config Rules define conditions that describe the target ideal configuration. When resource configuration changes, AWS Config continuously tracks these changes and checks whether they violate the defined rules.
  • Amazon Macie is used to discover, monitor, and help you protect sensitive data in Amazon S3. Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and intellectual property. Macie also identifies overly permissive or unencrypted buckets across AWS accounts.
  • IAM Access Analyzer helps identify resources in AWS accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity, and alerts when that happens.
  • Trusted Advisor provides real-time guidance to help provision resources following AWS best practices, including security checks.
Configuration Package: AWS Security Hub with Alerting and Compliance Checks
Configuration Package
A configuration package to enable Amazon GuardDuty in an AWS account as well as email notifications for GuardDuty findings (using a CloudWatch Event Rule), and an AWS Config Rule to verify that GuardDuty is continuously enabled.
A Collection of AWS Config Compliance Rules
Collection
Repository of AWS Config rules examples - both AWS managed and custom Config rules.
Amazon Macie (S3 Security and Data Classification)
Configuration Item
Add to Stack
Configuration to enable Amazon Macie in an AWS Account. Amazon Macie is used to discover, monitor, and help protect sensitive data in Amazon S3 Buckets
IAM Access Analyzer
Configuration Item
Add to Stack
Configure Access Analyzer to discover which resources in an AWS account are shared with external principals outside of the account. Access Analyzer generates findings for supported resources in the region where it was enabled, with the exception of IAM resources, for which findings are generated in each region (as IAM is a global service).

Monitoring and Alerting

Configure AWS CloudWatch Events to send real-time notifications for security events and findings based on the AWS security and compliance services enabled (GuardDuty, Security Hub, Trusted Advisor, Config Rules, etc.).

Additional notifications can be configured with CloudWatch Alarms based on specific CloudTrail events in the environment.

Alert on Amazon GuardDuty Findings with CloudWatch Events
Configuration Item
Add to Stack
A CloudWatch Event Rule that triggers on Amazon GuardDuty findings.
Alert on AWS Security Hub Findings with CloudWatch Events
Configuration Item
Add to Stack
A CloudWatch Event Rule that triggers on AWS Security Hub findings.
Alert on IAM Access Analyzer Findings with CloudWatch Events
Configuration Item
Add to Stack
A CloudWatch Event Rule that triggers on IAM Access Analyzer findings.
Alert on Config Rule Compliance Changes with CloudWatch Events
Configuration Item
Add to Stack
A CloudWatch Event Rule that triggers on Config Rule Compliance Changes.
Alert on Trusted Advisor Findings with CloudWatch Events
Configuration Item
Add to Stack
A CloudWatch Event Rule that triggers on Trusted Advisor findings.
Common CloudWatch Alarm Configuration Templates
Collection
A repository of common CloudWatch Alarm configurations
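Every "Alert on ... Findings with CloudWatch Events" item in this section (and the GuardDuty rule under Threat Detection) is a CloudWatch Events / EventBridge rule whose event pattern decides which findings reach the SNS target. Getting the pattern wrong usually means either paging on every low-severity finding or silently dropping the ones that matter. The following added example, written for this guide and not taken from it or from AWS, implements the subset of the event-pattern language these rules need (literal value lists, nested objects, `prefix` and `numeric` filters, any-element matching for arrays) and runs two patterns over constructed GuardDuty and Security Hub events so a pattern can be checked before the rule is deployed. The event IDs, finding IDs and severities are constructed; the event shapes follow the documented `source` / `detail-type` / `detail` envelope.

```python
"""Evaluate CloudWatch Events / EventBridge event patterns offline.

Added example for this guide, not AWS code: a small matcher covering the
pattern features the alerting rules in this section rely on, applied to
constructed GuardDuty and Security Hub events.
"""

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        "=": lambda a, b: a == b}


def _numeric(spec, value):
    """spec is operator/operand pairs, e.g. [">=", 7] or [">", 0, "<", 4]; all must hold."""
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _match_leaf(alternatives, value):
    """A pattern leaf is a list; the event value must satisfy at least one entry."""
    for entry in alternatives:
        if isinstance(entry, dict):
            if "prefix" in entry and isinstance(value, str) and value.startswith(entry["prefix"]):
                return True
            if "numeric" in entry and isinstance(value, (int, float)) \
                    and not isinstance(value, bool) and _numeric(entry["numeric"], value):
                return True
        elif entry == value:
            return True
    return False


def _match_node(sub_pattern, value):
    # An array in the event matches when any of its elements matches (EventBridge semantics).
    if isinstance(value, list):
        return any(_match_node(sub_pattern, v) for v in value)
    if isinstance(sub_pattern, dict):
        return isinstance(value, dict) and matches(sub_pattern, value)
    return _match_leaf(sub_pattern, value)


def matches(pattern, event):
    """True if every key in the pattern exists in the event and its value matches."""
    return all(key in event and _match_node(sub, event[key]) for key, sub in pattern.items())


# Rule 1: only GuardDuty findings of severity 7.0 and above (High) are forwarded.
GUARDDUTY_HIGH = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Rule 2: Security Hub imports whose compliance status is FAILED.
SECURITY_HUB_FAILED = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Compliance": {"Status": ["FAILED"]}}},
}

RULES = {"guardduty-high": GUARDDUTY_HIGH, "securityhub-failed": SECURITY_HUB_FAILED}

# Constructed sample events (IDs and finding contents are made up).
SAMPLE_EVENTS = [
    {"id": "evt-1", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f1", "severity": 8.0,
                "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller"}},
    {"id": "evt-2", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f2", "severity": 2.0,
                "type": "Recon:EC2/PortProbeUnprotectedPort"}},
    {"id": "evt-3", "source": "aws.securityhub",
     "detail-type": "Security Hub Findings - Imported",
     "detail": {"findings": [{"Id": "sh1", "Compliance": {"Status": "FAILED"}}]}},
    {"id": "evt-4", "source": "aws.securityhub",
     "detail-type": "Security Hub Findings - Imported",
     "detail": {"findings": [{"Id": "sh2", "Compliance": {"Status": "PASSED"}}]}},
]


def route(events, rules=RULES):
    """Return {rule_name: [event ids]} that each rule would forward to its target."""
    routed = {name: [] for name in rules}
    for event in events:
        for name, pattern in rules.items():
            if matches(pattern, event):
                routed[name].append(event["id"])
    return routed


if __name__ == "__main__":
    for rule, ids in route(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

The `numeric` filter on `detail.severity` is the part worth copying: GuardDuty severities are floats (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9), so a literal list such as `"severity": [7, 8]` would miss 7.5 and 8.3, while `[{"numeric": [">=", 7]}]` catches all of them.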

Block Public Access

AWS services such as S3 and EMR provide features to ensure public access is not permitted in the account. For other services, set up Config rules to detect if public access is allowed:

S3 Block Public Access (Account-Level)
Configuration Item
Add to Stack
Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions).
EMR Block Public Access (Account-Level)
Configuration Item
Add to Stack
Configure EMR Block Public Access on the AWS account level, for all EMR clusters in that region. This feature prevents a cluster from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception.
Config Rule: EC2 Instances No Public IP Check
Configuration Item
Add to Stack
A Config rule that checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association.
Config Rule: RDS Instances Public Access Prohibited Check
Configuration Item
Add to Stack
A Config rule that checks whether Amazon Relational Database Service (Amazon RDS) instances are not publicly accessible.
Config Rule: Lambda Public Access Prohibited Check
Configuration Item
Add to Stack
A Config rule that checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.
Config Rule: EKS No Public Endpoint Access Check
Configuration Item
Add to Stack
A Config rule that checks whether the Amazon Elastic Kubernetes Service (Amazon EKS) cluster endpoint is not publicly accessible.
Config Rule: Amazon Elasticsearch In VPC (Not Public) Check
Configuration Item
Add to Stack
A Config rule that checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).
Config Rule: Redshift No Public Access Check
Configuration Item
Add to Stack
A Config rule that checks whether Amazon Redshift clusters are not publicly accessible.
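The account-level S3 Block Public Access setting above rejects public bucket policies outright, and the Config rules and Access Analyzer report resources that are still reachable by anyone. The following added example, written for this guide rather than taken from it or from any AWS Config rule, shows the core of that check applied to bucket policy documents: a statement is public when it allows a wildcard principal with no Condition, and "conditional" when the wildcard is gated by a condition (for example a VPC endpoint restriction), which still deserves review. The three sample policies, bucket names and IDs are constructed.

```python
"""Classify S3 bucket policies by how widely they grant access.

Added example for this guide, not AWS code. Sample policies are constructed.
"""
import json


def _principal_is_anyone(principal):
    """True for "*" or {"AWS": "*"} (possibly inside a list), the anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def classify_policy(policy):
    """Return 'public', 'conditional' (wildcard principal gated by a Condition) or 'private'."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    verdict = "private"
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            verdict = "conditional"  # review: depends on whether the condition is airtight
        else:
            return "public"           # one unconditional wildcard grant is enough
    return verdict


def public_statement_ids(policy):
    """Sids of the statements that make a policy public, for the finding text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]


# Constructed sample policies (bucket names, account ID and endpoint ID are made up).
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}],
}
VPCE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FromEndpoint", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
ACCOUNT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "SameAccount", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*"},
                  {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
}

if __name__ == "__main__":
    for name, pol in [("example-site", PUBLIC_READ), ("example-data/vpce", VPCE_ONLY),
                      ("example-data/account", ACCOUNT_ONLY)]:
        print(f"{name}: {classify_policy(pol)} {public_statement_ids(pol)}")
```

Note that a `Deny` with `Principal: "*"` (the TLS-only statement in the third policy) is not a public grant; the check keys on `Effect: Allow`, which is why that policy is reported as private.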

Encryption

AWS provides data-at-rest encryption options and key management (AWS KMS) to support the encryption process. Use KMS to create customer-managed keys for encrypting AWS resources.

AWS services such as EC2 include settings to enable default encryption for all instances.

KMS Encryption Customer Master Key (CMK) with Automatic Key Rotation
Configuration Item
Add to Stack
Configuration to create an AWS KMS Customer Master Key (CMK) with automatic key rotation enabled.
Enable EC2 Default Encryption
Configuration Item
Add to Stack
This configuration template enables EBS default encryption for all EC2 instances in that region.
S3 Bucket with Server-Side Encryption (AWS KMS)
Configuration Item
Add to Stack
Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning
Automatic Remediation Rule: Enable S3 Bucket Encryption If Not Configured
Configuration Item
Add to Stack
Auto-remediation configuration to enable S3 bucket encryption if an S3 bucket is created without server-side encryption. Detection uses a managed AWS Config Rule and remediation is performed with SSM Automation.

VPC

In new AWS accounts, it is recommended to delete the default VPC, and create new VPCs with separate subnet tiers for public and private resources, and utilize multiple availability zones (AZs) for high availability. Build a custom VPC that fits your environment using the following templates:

Custom Amazon VPC Configuration Template
Configuration Package
A configuration package to deploy an Amazon VPC with predefined presets to select: Subnet Tiers (Public and Private), Availability Zones, and Internet Connectivity. Configuration includes Subnets, Routing Tables, Internet Gateway, NAT Gateways, VPC Endpoints, Flow Logs, and Security Groups.
Private-Only Amazon VPC Template
Configuration Package
A configuration package to deploy an Amazon VPC with no Internet Connectivity. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items include the number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.

Define Security Groups to govern network access within the VPC. Security groups allow only the traffic you list, by protocol, port, and source IP address (or source security group). For an additional layer of security, use Network Access Control Lists (NACLs) to allow or deny traffic at the subnet level.

Choose from one of the following predefined templates to deploy security groups and NACLs (or build custom ones) into an existing VPC:

Common Security Groups and NACL Configuration Templates
Collection
A repository of common AWS Security Group and network ACL configurations

Add IPS, URL filtering, and rate-limiting rule capabilities by using AWS Network Firewall in a VPC:

AWS Network Firewall Custom Configuration Template
Collection
Configuration templates to create AWS Network Firewall related settings including Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.

AWS provides capabilities to log network activity for resources deployed in VPCs using the following options:

  • VPC Flow Logs capture network flow information for IP traffic going to and from network interfaces in a VPC (including source/destination IP address and ports, bytes transferred, firewall action, and more). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
  • VPC Traffic Mirroring creates a copy of the network traffic to/from a specific interface in a VPC and streams it to a specified destination for analysis.
  • VPC DNS Logging monitors DNS queries in a VPC by configuring Route53 Resolver Query Logging.
VPC Flow Logs
Configuration Item
Add to Stack
Enable VPC Flow Logs for an existing VPC, subnet or network interface. Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
VPC Traffic Mirroring
Configuration Item
Add to Stack
Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, which can then be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is monitored.
VPC DNS Query Logging (Route53 Resolver Query Logging)
Configuration Item
Add to Stack
Configuration to enable logging of the DNS queries that originate in an Amazon VPC using the Route53 Resolver Query Logging feature. Query logs can be sent to CloudWatch Logs, S3 buckets, or Kinesis Data Firehose.
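Flow logs are only useful once something reads them, and the first questions a new account owner asks are "what is being accepted on admin ports from outside?" and "who is getting rejected repeatedly?". The following added example, written for this guide and not code from the guide or from AWS, parses flow log records in the default format (the 14 space-separated fields `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), skips NODATA/SKIPDATA records, and answers both questions. The account ID, interface ID, addresses and timestamps in the sample lines are constructed; "internal" is defined here as the RFC 1918 ranges, which is an assumption you should widen if your VPCs peer with other address space.

```python
"""Triage VPC Flow Log records in the default format.

Added example for this guide, not AWS code. The sample records are
constructed; "internal" means RFC 1918 space (an assumption).
"""
import ipaddress
from collections import Counter

# Default flow log format, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records (account ID, ENI ID, addresses and times are made up).
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 51234 22 6 12 2040 1609459200 1609459260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 51235 3389 6 3 180 1609459200 1609459260 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.25 40000 445 6 1 60 1609459200 1609459260 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.25 40001 445 6 1 60 1609459200 1609459260 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.2.40 10.0.1.25 38822 5432 6 30 8120 1609459200 1609459260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1609459200 1609459260 - NODATA
"""

ADMIN_PORTS = {22, 3389}
# Assumption: anything outside RFC 1918 is "external". Python's ip.is_private would
# also treat documentation ranges such as 203.0.113.0/24 as private, so be explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_logs(text):
    """Parse default-format records; drop malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":   # no flow fields to interpret
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def exposed_admin_accepts(records):
    """ACCEPTed flows to SSH/RDP from outside internal space: the first thing to fix."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS
            and not is_internal(r["srcaddr"])]


def rejects_by_source(records):
    """REJECT count per external source; sustained high counts usually mean scanning."""
    return Counter(r["srcaddr"] for r in records
                   if r["action"] == "REJECT" and not is_internal(r["srcaddr"]))


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    for r in exposed_admin_accepts(recs):
        print(f"ACCEPT to admin port {r['dstport']} from {r['srcaddr']} on {r['interface_id']}")
    for src, n in rejects_by_source(recs).most_common():
        print(f"{src}: {n} rejected flows")
```

The same two functions apply unchanged to records pulled from the CloudWatch Logs group or S3 prefix that the "VPC Flow Logs" configuration item above writes to; if you select a custom flow log format when enabling it, adjust `FIELDS` to match.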

EC2 Instance Security

Use AWS SSM Session Manager or EC2 Instance Connect to access EC2 instances without relying on long-term keys, and to provide an audit trail of user access to instances. Session Manager also allows logging users' sessions to CloudWatch Logs or S3:

  • AWS Session Manager: Uses the AWS Systems Manager (SSM) agent to provide a bash or PowerShell session for the IAM user, without having to open any inbound ports on the instance.
  • EC2 Connect: Supported on CentOS and Amazon Linux, and allows pushing a temporary SSH key for one-time sessions over SSH.

Both services use IAM for authentication (which can be federated to Active Directory or other providers), and CloudTrail for audit logging.

Start an Interactive Browser-Based Bash or PowerShell Session to Instances using Systems Manager
External: Solution/Guide
With the Session Manager feature of AWS Systems Manager, you can start a new browser-based interactive shell and a command-line interface (CLI) to manage Windows and Linux instances.
Use EC2 Instance Connect to Manage SSH to Instances with Short Lived Keys
External: Solution/Guide
This blog post presents EC2 Instance Connect as an alternative to complicated SSH key management strategies and includes the benefits of using built-in auditability with CloudTrail. By integrating with IAM and the EC2 instance metadata available on all EC2 instances, EC2 Connect provides a secure way to distribute short-lived keys and control access by IAM policy.
Configure the required EC2 IAM Role for AWS Systems Manager
Configuration Item
Add to Stack
Configuration to create an IAM role for EC2 instances to access AWS Systems Manager (SSM) services, with the least permissions required.

Set up automated vulnerability assessment and patching for EC2 instances to ensure they are not affected by the latest vulnerabilities and have the latest patches applied regularly:

  • Amazon Inspector is an agent-based solution that can be used to run recurring vulnerability assessments (as well as other packaged assessments such as CIS standards and security best practices).
  • AWS Systems Manager (SSM) Patch Manager scans and installs missing patches on EC2 instances. Create SSM Maintenance Windows to regularly run these operations and control how patching is applied.
Recurring Inspector Assessments with Custom Template
Configuration Item
Add to Stack
Set up scheduled assessments using Amazon Inspector to assess the security state of EC2 instances, including testing applications for exposure, vulnerabilities, and deviations from best practices. Templates can be restricted to select EC2 instances by Tag or apply to all EC2 instances. Configuration includes options to enable automatically recurring assessments based on a schedule.
Amazon Inspector Configuration Templates
Collection
AWS security controls to set up Amazon Inspector as well as solutions that use Amazon Inspector.
Set Up Scheduled EC2 Instance Patching
Configuration Guide
This guide provides a walkthrough for setting up the necessary configuration for AWS Systems Manager Patch Manager to automatically scan and/or apply patches to EC2 instances in an AWS environment. The following is included:
EC2 IAM Role for AWS Systems Manager
Configuration Item
Add to Stack
Configuration to create an IAM role for EC2 instances to access AWS Systems Manager (SSM) services, with the least permissions required.

Backup

AWS Backup provides a centralized service for creating and managing backups for different AWS services such as DynamoDB, EFS, RDS, Storage Gateway and EC2. For other AWS services, native backup or snapshot features might be available.

Configure AWS Backup
Configuration Item
Add to Stack
Configuration to create AWS Backup plans and vaults. AWS Backup automates backing up data across AWS services including EFS, DynamoDB, EC2, EBS, Aurora, RDS, and Storage Gateway, and lets you set custom retention policies, access policies, and encryption.