AWS Security Checklist
This checklist provides customer recommendations that align with the Well-Architected Framework Security Pillar.
Identity & Access Management

1. Secure your AWS account.
Use AWS Organizations to manage your accounts, use the root user only by exception and with multi-factor authentication (MFA) enabled, and configure account contacts so that AWS notifications reach someone who can act on them.

2. Rely on a centralized identity provider.
Centralize identities using either AWS Single Sign-On or a third-party identity provider, so that you are not routinely creating IAM users or issuing long-term access keys. Federated identities receive short-lived credentials, and this approach makes it easier to manage access across multiple AWS accounts and federated applications.

3. Use multiple AWS accounts to separate workloads and workload stages such as production and non-production.
Multiple AWS accounts give you a hard boundary between data and resources, and enable the use of Service Control Policies (SCPs) to implement guardrails that apply to every principal in a member account, including its administrators. AWS Control Tower can help you set up and govern a multi-account AWS environment.

4. Store and use secrets securely.
Prefer temporary credentials, such as tokens from AWS Security Token Service (STS). Where you cannot use them, store secrets such as database passwords in AWS Secrets Manager, which handles encryption, rotation, and access control, rather than in source code or configuration files.

Detection

1. Enable foundational services: AWS CloudTrail, Amazon GuardDuty, and AWS Security Hub.
In all of your AWS accounts, configure CloudTrail to log API activity, use GuardDuty for continuous threat monitoring, and use AWS Security Hub for a comprehensive view of your security posture.

2. Configure service and application level logging.
In addition to your application logs, enable logging at the service level, such as Amazon VPC Flow Logs, and Amazon S3, CloudTrail, and Elastic Load Balancing access logs, to gain visibility into events. Deliver logs to a central, dedicated log archive account and protect them from manipulation or deletion, for example with restrictive bucket policies and CloudTrail log file integrity validation.

3. Configure monitoring and alerts, and investigate events.
Enable AWS Config to track the configuration history of your resources, and use Config Managed Rules to automatically alert on or remediate undesired changes. For all of your sources of logs and events, from AWS CloudTrail to Amazon GuardDuty and your application logs, configure alerts for high-priority events and investigate them.

Infrastructure Protection

1. Patch your operating system, applications, and code.
Use AWS Systems Manager Patch Manager to automate patching of all systems and code for which you are responsible, including your operating systems, applications, and code dependencies.
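As an added example (not from the AWS checklist), the detection logic below applies the Identity & Access Management and Detection items above to CloudTrail records: root use, with and without MFA, calls that stop or reconfigure CloudTrail, GuardDuty or Config, and creation of long-term IAM access keys. The field names are CloudTrail's own; the sample records, account ID, ARNs and user names are constructed for illustration.

```python
"""Triage CloudTrail records for the high-priority events the checklist calls out.

Added example, not part of the AWS checklist. Field names (userIdentity.type,
eventSource, eventName, additionalEventData.MFAUsed, errorCode) are the ones
CloudTrail emits; the account ID, ARNs, user names and times in SAMPLE_RECORDS
are constructed for illustration.
"""

# Successful calls to any of these weaken the audit trail or detection coverage.
TAMPERING_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder", "DeleteDeliveryChannel"},
}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def classify(event):
    """Return a list of (severity, reason) findings for one CloudTrail record."""
    findings = []
    identity = event.get("userIdentity") or {}
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    error = event.get("errorCode")
    params = event.get("requestParameters") or {}   # CloudTrail writes null, not {}, when empty

    # IAM #1: the root user is for exceptions only, and always with MFA.
    if identity.get("type") == "Root":
        if name == "ConsoleLogin":
            mfa = (event.get("additionalEventData") or {}).get("MFAUsed", "unknown")
            severity = "MEDIUM" if mfa == "Yes" else "HIGH"
            findings.append((severity, f"root console login, MFAUsed={mfa}"))
        elif not name.startswith(READ_ONLY_PREFIXES):
            findings.append(("HIGH", f"root user API call {source} {name}"))

    # Detection #1-#3: stopping, deleting or reconfiguring logging is critical when it
    # succeeds, and still worth a look when IAM denied it.
    if name in TAMPERING_EVENTS.get(source, ()):
        if error:
            findings.append(("MEDIUM", f"denied attempt to {name} ({error})"))
        else:
            findings.append(("CRITICAL", f"detection tampering: {name}"))

    # IAM #2: with federated identities, new long-term access keys should be rare.
    if source == "iam.amazonaws.com" and name == "CreateAccessKey" and not error:
        target = params.get("userName") or identity.get("userName")
        findings.append(("MEDIUM", f"long-term access key created for IAM user {target}"))

    return findings


def triage(records):
    """Map eventID -> findings for every record that produced at least one finding."""
    results = {}
    for record in records:
        findings = classify(record)
        if findings:
            results[record["eventID"]] = findings
    return results


# Constructed sample records (not real CloudTrail output).
ACCOUNT = "111122223333"
SAMPLE_RECORDS = [
    {   # root signs in to the console without MFA
        "eventID": "e1", "eventTime": "2020-06-01T08:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT},
        "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # an administrator role stops the organization trail
        "eventID": "e2", "eventTime": "2020-06-01T08:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Admin/alice"},
        "requestParameters": {"name": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail"},
    },
    {   # a developer role tries to delete the trail and is denied by an SCP
        "eventID": "e3", "eventTime": "2020-06-01T08:06:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Developer/carol"},
        "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied",
    },
    {   # an IAM user mints a long-term key for a service user
        "eventID": "e4", "eventTime": "2020-06-01T09:00:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"userName": "svc-deploy"},
    },
    {   # routine read-only activity from a federated role: no finding
        "eventID": "e5", "eventTime": "2020-06-01T09:10:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ReadOnly/dave"},
        "requestParameters": None,
    },
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_RECORDS).items():
        for severity, reason in findings:
            print(f"{event_id}\t{severity}\t{reason}")
```

Run it over the records delivered to the central log archive account (trail objects in S3, or the same events via EventBridge). A denied tampering attempt is deliberately kept as a finding: a principal probing for ways to blind detection is itself worth investigating, even when the guardrail held.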
2. Implement distributed denial-of-service (DDoS) protection for your internet-facing resources.
Use Amazon CloudFront, AWS WAF, and AWS Shield to provide layer 7 (application) and layer 3/layer 4 (network and transport) DDoS protection.

3. Control access using VPC security groups and subnet layers.
Use security groups to control inbound and outbound traffic, and automatically apply rules for both security groups and AWS WAF web ACLs across accounts using AWS Firewall Manager. Group different resources into different subnets to create routing layers; for example, database subnets do not need a route to the internet.

Data Protection

1. Protect data at rest.
Use AWS Key Management Service (KMS) to protect data at rest across a wide range of AWS services and in your own applications. Enable default encryption for Amazon EBS volumes and Amazon S3 buckets.

2. Encrypt data in transit.
Enable encryption for all network traffic, including Transport Layer Security (TLS) for web-based network infrastructure you control, and use AWS Certificate Manager to provision and manage certificates.

3. Use mechanisms to keep people away from data.
Keep all users away from directly accessing sensitive data and systems. For example, provide an Amazon QuickSight dashboard to business users instead of direct access to a database, and perform operational actions at a distance using AWS Systems Manager automation documents and Run Command rather than interactive logins.

Incident Response

1. Ensure you have an incident response (IR) plan.
Begin your IR plan by building runbooks to respond to unexpected events in your workload. For details, see the AWS Security Incident Response Guide.

2. Make sure that someone is notified to take action on critical findings.
Begin with GuardDuty findings. Turn on GuardDuty and ensure that someone with the ability to take action receives the notifications. Automatically creating trouble tickets from findings is the most reliable way to ensure that GuardDuty findings are integrated with your operational processes.

3. Practice responding to events.
Simulate and practice incident response by running regular game days, incorporating the lessons learned into your incident management plans, and continuously improving them.
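As an added example (not from the AWS checklist), the audit below applies Infrastructure Protection item 3 to constructed `describe-security-groups` and `describe-route-tables` output: it flags ingress from 0.0.0.0/0 or ::/0 on anything other than 80/443, treats "all traffic" and management ports as the worst cases, and lists the subnets whose route table has a default route to an internet gateway, which database subnets should not have. The group IDs, subnet IDs, names and CIDRs are invented.

```python
"""Audit security groups and route tables for the subnet layering in Infrastructure Protection #3.

Added example, not part of the AWS checklist. SAMPLE_GROUPS and SAMPLE_ROUTE_TABLES
are hand-constructed in the shape of `aws ec2 describe-security-groups` and
`aws ec2 describe-route-tables` output; every ID, name and CIDR is made up.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}   # what an internet-facing web tier legitimately exposes
MGMT_PORTS = {22, 3389}       # reach these via Systems Manager, never from the internet


def open_ranges(perm):
    """CIDRs in one IpPermission that cover the whole internet (IPv4 or IPv6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
    return v4 + v6


def port_span(perm):
    """(from, to) for a rule; IpProtocol -1 means all traffic and carries no port fields."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_group(group):
    """Findings for one security group: ingress from anywhere that is not plain web traffic."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ranges = open_ranges(perm)
        if not ranges:
            continue                      # scoped to a CIDR or to another security group
        proto = perm.get("IpProtocol")
        lo, hi = port_span(perm)
        if proto == "-1":
            severity, reason = "CRITICAL", "all traffic from anywhere"
        elif any(lo <= p <= hi for p in MGMT_PORTS):
            severity, reason = "HIGH", "management port reachable from anywhere"
        elif proto in ("icmp", "icmpv6"):
            severity, reason = "LOW", "icmp from anywhere"
        elif lo == hi and lo in PUBLIC_OK_PORTS:
            continue                      # 80/443 on a public tier is expected
        else:
            severity, reason = "MEDIUM", "non-web port reachable from anywhere"
        findings.append({"group": group["GroupId"], "severity": severity, "protocol": proto,
                         "ports": (lo, hi), "from": ranges, "reason": reason})
    return findings


def audit_groups(groups):
    return [f for g in groups for f in audit_group(g)]


def subnets_routed_to_internet(route_tables):
    """Subnet IDs whose route table sends 0.0.0.0/0 or ::/0 to an internet gateway."""
    public = set()
    for table in route_tables:
        to_igw = any(
            (r.get("DestinationCidrBlock") in ANYWHERE or r.get("DestinationIpv6CidrBlock") in ANYWHERE)
            and str(r.get("GatewayId", "")).startswith("igw-")
            for r in table.get("Routes", [])
        )
        if to_igw:
            public.update(a["SubnetId"] for a in table.get("Associations", []) if "SubnetId" in a)
    return public


# Constructed samples (not real API output).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0bbb222", "GroupName": "db-private", "IpPermissions": [   # only from the web tier
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},
    ]},
    {"GroupId": "sg-0ccc333", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0ddd444", "GroupName": "legacy-app", "IpPermissions": [   # the range includes 3389
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['group']}\t{f['severity']}\t{f['protocol']} {f['ports']} from {f['from']}: {f['reason']}")
    print("public subnets:", sorted(subnets_routed_to_internet(SAMPLE_ROUTE_TABLES)))
```

The database group in the sample produces no finding because its only rule references the web tier's security group rather than a CIDR, which is the pattern the checklist recommends; the wide port range on the legacy group is rated HIGH even though nobody "opened 3389", because a range check is the only way to catch that. Route tables with a default route to a NAT gateway are deliberately not reported: they give private subnets outbound access without making them reachable from the internet.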
For more best practices, see the Security Pillar of the Well-Architected Framework and Security Documentation.
Notices
Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b)
represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and
its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied.
The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between
AWS and its customers.
© 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved.