Security Guidelines

Access Management

| S.No. | Checklist | Reason | Priority | Comments |
|---|---|---|---|---|
| 1 | Root should not be used at all. | Obviously, using the root account always increases the risk of a security breach. | Must have | |
| 2 | Enable MFA for all accounts that have web console access. | Two-factor authentication should be enabled for access to the web UI. | Must have | |
| 3 | Access keys should not be used. | Use IAM roles. If an access key is required, make sure it is usable only from a specified source IP. | Must have with exception | 1. A legacy application might not work with an IAM role; if an IAM user is created, it should be created for a specific source IP. 2. IAM users should use the IAM role by assuming it. |
| 4 | IAM roles should be very granular. | | Good to have | |
| 5 | Integrate SSO with AWS for access management. | | Must have with exception | Could be deprioritized, but needs to be done if the client uses OIDC. |
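As an added example (not part of the original checklist), the following IAM policy implements item 3 for a legacy IAM user that still needs an access key: every action is denied unless the call comes from a whitelisted source range, and the user's only direct permission is to assume the application role. The CIDR 203.0.113.0/24, the account ID 111111111111 and the role name legacy-app-role are placeholders to be replaced with real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUseOutsideWhitelistedSourceIp",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Sid": "AllowAssumingTheApplicationRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111111111111:role/legacy-app-role"
    }
  ]
}
```

The explicit Deny overrides any Allow attached to the user elsewhere, so a leaked key is unusable from outside the whitelisted range; the `aws:ViaAWSService` condition keeps the Deny from blocking calls that AWS services make on the user's behalf, which would otherwise fail the source IP check.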

Networking

| S.No. | Checklist | Reason | Priority | Comments |
|---|---|---|---|---|
| 1 | Beyond 80 and 443, no port should be open to the world (0.0.0.0/0). | | Must have | |
| | Beyond 80 and 443, access to any port should be given only to whitelisted IPs. | | Must have | |
| 2 | Within AWS, all SG access should be granted via a SG and not by IP. | | Must have with exception | |
| 3 | Use a CDN in front of the ALB and allow traffic from the CDN only. | Even if caching is not required, it is good practice to have the CDN receive all traffic, as its surface area is much larger than the ALB's. | Must have | |
| 4 | Segregate networking subnets according to the components. | Web server, application server and database server should have their own subnets so that proper isolation is in place. Avoid having all components in one type of subnet. | Must have | |
| 5 | Proper NACL rules allowing only what is required. | Each subnet should have its own NACL, allowing only the traffic that is required. | Must have | |
| 6 | Use WAF wherever possible. | Use WAF so that only legitimate traffic is allowed into our infrastructure. | Good to have | Cost could be a factor here. |

Object Storage

| S.No. | Checklist | Reason | Priority | Comments |
|---|---|---|---|---|
| 1 | Buckets should never be publicly accessible for reading. | If a bucket needs to be made public, do it via the CDN. | Must have | If anything needs to be exposed publicly, it should be done via the CDN. |
| | Buckets should never be publicly writable. | Whitelisting should be done. | Must have | |
| 2 | Versioning should be enabled for buckets holding data the customer cannot afford to lose, as per the compliance process. | In case of deletion, the data can be recovered. | Must have | |
| 3 | Buckets should be encrypted at rest. | It is good practice to encrypt objects; in this case even the cloud provider has no access to them. It is also recommended to use a CMK instead of the default KMS key. | Must have with exception | Must have for fintech; could be "good to have" for other fields. |

Generic

| S.No. | Checklist | Reason | Priority | Comments |
|---|---|---|---|---|
| 1 | CloudTrail should be enabled. | | Must have | |
| 2 | Cost budgets should be defined. | | Must have | |
| 3 | OpsTree-recommended SCP policies should be implemented. | | Good to have | |
| 4 | OpsTree-recommended IAM design should be implemented. | | Good to have | |
| 5 | Logging should be enabled for every resource. | | Good to have | |
| 6 | AWS security tooling should be implemented. | | Good to have | |
| 7 | Infra should be managed via IaC. | | Good to have | |
| 8 | Backup of every data storage resource should be enabled. | Frequency should be discussed with OpsTree architects. | Must have | Not a security concern but rather an HA concern. |
| 9 | Wherever PrivateLink can be used, we should use it. | Cost implication. | Good to have | Cost could be a factor here. |