AWS Security Quickstart

One of the most important aspects of any work performed is documentation. Cloud Security Labs will document all work completed so that your engineers and management will have a transparent understanding of the new infrastructure. We will also do live training sessions to bring Engineers and Managers up to speed.

Cloud Security Labs will:

• Document all configurations in your company’s wiki (Confluence, Notion, Google Docs, etc.)
• Provide training to your administrators on the implemented configuration (4 x 1 hr sessions

We will configure and enable AWS native security services as necessary as a prerequisite to alerting and investigating issues in AWS. All services are enabled at the Organization level where supported to assure consistent configuration across all existing and new AWS accounts. SIEM setup, configuration, and operation are not included.

Cloud Security Labs will recommend and/or enable the following where applicable:

• Enable Organization Trail (CloudTrail)
• Send logs to S3 bucket in Logging account
• Enable AWS Guardduty
• Enable Security Hub
• AWS Inspector (Agentless)

Identity is the new perimeter. This service will identify excessive IAM permissions in your account and work with you to create and transition to a role-based access (RBAC) model of authentication for your users.

Cloud Security Labs will recommend and/or enable the following where applicable:

• Secure AWS Root Accounts
• Enable MFA for IAM Users
• Configure password policy
• Audit AWS IAM Access and create roles based on recent usage and least privilege
• Audit, review, and deactivate Unused IAM keys in AWS Accounts

*Note: Any IAM changes and modifications require close engagement, coordination, and planning with Senior Cardless Engineers.

We will review your AWS data assets and provide recommendations on data protection measures to improve resiliency and data protection from accidental or malicious deletion/modification or unauthorized data access. Cloud Security Labs will implement controls where little to no impact to production systems is expected, such as enabling S3 Versioning, MFA Delete, or block public access. Services that can only be created upon creation and not after an instance is created would require Client intervention to enable and are not in scope. Disaster Recovery and Business Continuity are also not included.

Cloud Security Labs will recommend and/or enable the following where applicable:

• Versioning on critical assets
• Block Public Access on non-public S3 buckets
• MFA Delete on critical assets
• S3 object Lifecycle controls
• S3 encryption at rest
• S3 Replication into backup account where applicable
• Point-in-time recovery (PITR) for DynamoDB

One of the most important aspects of any work performed is documentation. Cloud Security Labs will document all work completed so that your engineers and management will have a transparent understanding of the new infrastructure. We will also do live training sessions to bring Engineers and Managers up to speed.

Cloud Security Labs will:

• Document all configurations in your company’s wiki (Confluence, Notion, Google Docs, etc.)
• Provide training to your administrators on the implemented configuration (4 x 1 hr sessions)

Included with all Cloud Security Labs engagements is a security assessment of up to 5 AWS Accounts. Our assessment uses manual and automated tooling to review and inventory your AWS accounts.

The following is a sample of items reviewed during an assessment:

• Excessive (0.0.0.0/0) security groups or ports accessible
• MFA on Root Account
• Active Root Account Access Keys
• Weak password policy
• Public RDS snapshots
• Unencrypted RDS network access
• EC2 encrypted snapshots
• CloudTrail enabled
• Unused security groups
• Cloudfront TLS configuration
• Encryption at rest of databases
• Web Application Firewall (WAF)
• Redundancy and disaster recovery