Illustration by Freepik Storyset

AWS Security Quickstart

$9,995
  • AWS Multi-Account and Organizations Setup
  • AWS Security Operations
  • AWS IAM Remediation
  • AWS Data At Rest Protection
  • Documentation and Training
  • AWS Security Assessment included

AWS Security Quickstart

AWS Security Quickstart is a service designed to remediate high and critical flaws in AWS accounts, reducing the attack surface and risk exposure. Remediation is sometimes a prerequisite before the integration of DevSecOps work is performed. 

 

All changes are made according to the AWS Well Architected Framework and Current AWS Security Best Practices.

 

Note: Any intrusive security that requires the re-creation of an instance or direct modification of production systems is not in scope by default. Cloud Security Labs will make every effort to communicate detailed instructions for work that requires Cardless engineering support.

Jumpstart Your Security Within 90-Days

We will help you set up your AWS account based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices. 

AWS Multi-Account and Organizations Set-Up

One of the most important aspects of any work performed is documentation. Cloud Security Labs will document all work completed so that your engineers and management will have a transparent understanding of the new infrastructure. We will also do live training sessions to bring Engineers and Managers up to speed.

Cloud Security Labs will:

  • Document all configurations in your company’s wiki (Confluence, Notion, Google Docs, etc.)
  • Provide training to your administrators on the implemented configuration (4 x 1 hr sessions
AWS Security Operations

We will configure and enable AWS native security services as necessary as a prerequisite to alerting and investigating issues in AWS. All services are enabled at the Organization level where supported to assure consistent configuration across all existing and new AWS accounts. SIEM setup, configuration, and operation are not included.

Cloud Security Labs will recommend and/or enable the following where applicable:

  • Enable Organization Trail (CloudTrail)
  • Send logs to S3 bucket in Logging account
  • Enable AWS Guardduty
  • Enable Security Hub
  • AWS Inspector (Agentless)
AWS IAM Remediation

Identity is the new perimeter. This service will identify excessive IAM permissions in your account and work with you to create and transition to a role-based access (RBAC) model of authentication for your users.

Cloud Security Labs will recommend and/or enable the following where applicable:

  • Secure AWS Root Accounts
  • Enable MFA for IAM Users
  • Configure password policy
  • Audit AWS IAM Access and create roles based on recent usage and least privilege
  • Audit, review, and deactivate Unused IAM keys in AWS Accounts

*Note: Any IAM changes and modifications require close engagement, coordination, and planning with Senior Cardless Engineers.

AWS Data At Rest Protection

We will review your AWS data assets and provide recommendations on data protection measures to improve resiliency and data protection from accidental or malicious deletion/modification or unauthorized data access. Cloud Security Labs will implement controls where little to no impact to production systems is expected, such as enabling S3 Versioning, MFA Delete, or block public access. Services that can only be created upon creation and not after an instance is created would require Client intervention to enable and are not in scope. Disaster Recovery and Business Continuity are also not included.

Cloud Security Labs will recommend and/or enable the following where applicable:

  • Versioning on critical assets
  • Block Public Access on non-public S3 buckets
  • MFA Delete on critical assets
  • S3 object Lifecycle controls
  • S3 encryption at rest
  • S3 Replication into backup account where applicable
  • Point-in-time recovery (PITR) for DynamoDB
Documentation and Training

One of the most important aspects of any work performed is documentation. Cloud Security Labs will document all work completed so that your engineers and management will have a transparent understanding of the new infrastructure. We will also do live training sessions to bring Engineers and Managers up to speed.

Cloud Security Labs will:

  • Document all configurations in your company’s wiki (Confluence, Notion, Google Docs, etc.)
  • Provide training to your administrators on the implemented configuration (4 x 1 hr sessions)
AWS Security Assessment

Included with all Cloud Security Labs engagements is a security assessment of up to 5 AWS Accounts. Our assessment uses manual and automated tooling to review and inventory your AWS accounts.

The following is a sample of items reviewed during an assessment:

  • Excessive (0.0.0.0/0) security groups or ports accessible
  • MFA on Root Account
  • Active Root Account Access Keys
  • Weak password policy
  • Public RDS snapshots
  • Unencrypted RDS network access
  • EC2 encrypted snapshots
  • CloudTrail enabled
  • Unused security groups
  • Cloudfront TLS configuration
  • Encryption at rest of databases
  • Web Application Firewall (WAF)
  • Redundancy and disaster recovery

Customer Requirements

Delivery of projects is dependent on resources dedicated to the delivery of projects. Cloud Security Labs will coordinate with your company on scheduling and prioritization and integrate into the existing Sprint Workflow.

FAQ

What are some sample roles you will make?

Sample roles include administrator, DevOps, power user, and read-only or security roles.

How will you make my AWS Root Accounts more secure?

We will enable MFA (password vault setup required), disable root keys, rotate passwords, and change emails (as needed).

How long will it take to implement AWS security?

AWS security is an expedited implementation and is expected to be completed in 2-3 weeks, but may extend longer.

How many accounts will this service be available for?

We will be able to provide this service for one of your AWS accounts.