Cloud security

AWS Security Monitoring Checklist [Updated 2019]

Since every organization is moving towards cloud, the roles and responsibilities of in-house security teams have increased a lot. Due to lack of complete ownership, security teams do not have visibility and control of the underlying/leased infrastructure. In this article, we will examine the security checklist for AWS which every security team should keep an eye on. Companies which are onboarding to cloud need to understand that it is their job to maintain the security of the leased infrastructure(logically).We will discuss various AWS objects, their purpose, their associated risks, and checklist to monitor for their attributes.

Learn Cloud Security

Get hands-on experience with cloud service provider security, cloud penetration testing, cloud security architecture and management, and more.

Start Learning

AWS S3

The S3 is a cloud-based offering from AWS. It allows one to store and retrieve an unlimited amount of data from any location at any given point in time. The architecture of S3 is kept simple to provide robustness and efficiency to its end users. The S3 is made of up of 2 main elements: Buckets and Objects.

S3 ACLs

The S3 provides Access Control Lists (aka ACLs) at both the bucket level and the object level. By default, the owner of a bucket or object has the "FULL_CONTROL" permission. The AWS S3 also has predefined groups which are as follows:

All Users group: When this group is assigned to a bucket, permissions are assigned to anyone in the world to access that bucket.
Authenticated group: This group authenticates users to access an AWS account. However, they do not have to be specific users that fall under the bucket owner account

Security Monitoring Checklist

Below is the security monitoring checklist for AWS S3:

Monitoring of S3 Buckets which have FULL CONTROL for Authenticated Group.
Monitoring of S3 buckets which have FULL CONTROL for ALL Users group.
Monitoring of S3 buckets which have default encryption disabled
Monitoring of S3 buckets which have provided READ access to the Authenticated Group
Monitoring of S3 buckets which have provided READ access to the All Users Group
Monitoring of S3 buckets which have provided Write Access to the Authenticated Group
Monitoring of S3 buckets which have provided Write Access to the All Users Group
Monitoring of S3 buckets which have provided READ_ACP access to the Authenticated Group
Monitoring of S3 buckets which have provided READ_ACP access to the All Users Group
Monitoring of S3 buckets which have provided Write_ACP Access to the Authenticated Group
Monitoring of S3 buckets which have provided Write_ACP Access to the All Users Group
Monitoring of S3 buckets to ensure if SSL/TLS is enabled for securing data in transit
Monitoring of S3 buckets to ensure if logging is enabled or not
Monitoring of S3 buckets to ensure if bucket versioning is enabled or not.
Monitoring of S3 buckets to ensure that MFA is enabled for bucket delete operation.

AWS IAM

AWS Identity and Access Management(IAM) is centralized access to manage credentials, access keys, permission levels for users. This is one of the primary and most important AWS services that must be configured properly as all other services access is based on the access provided here.

Security Monitoring Checklist

Below is the security monitoring checklist for AWS IAM:

Monitoring to check if the Root Account has MFA enabled or not.
Monitoring to check if Users Account has MFA enabled or not.
Monitoring to check if Password is set to 'Not Expire.'
Monitoring to check if password reuse is enabled or not.
Monitoring to check if the password policy is weak or not.
Monitoring to check if root account has active keys associated with the account.
Monitoring to check if root account if recently used.
Monitoring to check if there is no key(both active & inactive) rotation.
Monitoring to check if Users has inline policies setup instead of Managed Group and Role policies
Monitoring to check for inactive IAM users, unused IAM users.
Monitoring to check for policies with NotAction attribute setup.
Monitoring to check if access keys are rotated or not.
Monitoring to check if IAM SSH keys are rotated or not.

AWS CloudTrail

AWS CloudTrail is a service which logs all the API calls (which includes calls from AWS SDK, AWS Management Console, command like tools, etc.). This service is very useful for security analysts to monitor/identify account logging through different ways. Hence this service should be enabled and below checks should be performed to ensure the service configuration is correct.

Security Monitoring Checklist

Below is the security monitoring checklist for AWS CloudTrail:

Monitoring of AWS Accounts where CloudTrail is disabled.
Monitoring to ensure if Cloud Trail is enabled for global services like STS, IAM, and CloudFront.
Monitoring to ensure if Cloud Trail log file integration validity is enabled or not.
Monitoring to check if CloudTrail is enabled but logging for a trail is disabled
Monitoring to ensure if bucket to which CloudAware is logging is not publicly accessible.
Monitoring to check if CloudTrail log files are encrypted or not.
Monitoring to check if Trail is enabled for all regions or not.

AWS Virtual Private Cloud (VPC)

AWS VPC provides an isolated network within AWS cloud. It is like an elongated organization network connected over a VPN network. VPC provided an additional layer of security for the organizations moving towards AWS cloud. VPC helps control configuration of gateways, routers, etc. Following is the checklist that should be on the list of every security team performing monitoring of VPC:

Security Monitoring Checklist

Monitoring of AWS VPC to ensure that no network ACL exist which allow ingress traffic from all ports.
Monitoring of AWS VPC to ensure that no network ACL exist which allow egress traffic to all ports.
Monitoring of AWS VPC to find out unused virtual private gateways.
Monitoring of AWS VPC to find out if any VPC endpoint is exposed by checking for the principal value in the policy.
Monitoring of AWS VPC to find out if Flow Logs have been enabled or not for VPC.

AWS Elastic Cloud Compute (EC2)

AWS EC2 is a unit which can be provisioned on demand and can be scaled up or down as per requirement. Following is the checklist around EC2 for security monitoring:

Security Monitoring Checklist

Monitoring of AWS EC2 to ensure they are not using any blacklisted AMIs
Monitoring of AWS EC2 to ensure they do not have any default security group.
Monitoring of AWS EC2 to ensure that there is no Security Group with unrestricted outbound access.
Monitoring of AWS EC2 to ensure that there is no unrestricted inbound access to following services
- FTP
- MSSql
- MySql
- MongoDB
- SMTP
- Telnet
- SSH
- NetBIOS access etc.
Monitoring of AWS EC2 to ensure that unused EC2 keypairs are decommissioned.

AWS Elastic Load Balancer (ELB)

AWS ELB is a service that balances the incoming load among backend EC2 instances. It is like a normal load balancer in traditional IT organization. Following is the checklist around ELB for security monitoring:

Security Monitoring Checklist

Monitoring of AWS ELB to ensure that no insecure protocols or ciphers deployed. This is generally decided by organization per their current compatibility and security standards which should be followed by best practices such as 'Server Order Preference.'
Monitoring of AWS ELB to ensure that they have a valid Security Group associated with it.
Monitoring of AWS ELB to ensure that they have latest security policies deployed.

AWS Elastic Block Storage (EBS)

AWS EBS is a service that provides block-level storage that is attached to EC2. These EBS volumes work independently. Following is the checklist around EBS for security monitoring:

Security Monitoring Checklist

Monitoring of AWS EBS to ensure that it is encrypted.
Monitoring of AWS ELB to ensure that they are encrypted with KMS CMKs to have full control over keys.
Monitoring of AWS ELB to ensure that the EBS snapshots are not publicly available.
Monitoring of AWS ELB to ensure that the EBS snapshot is also encrypted.

AWS Relational Database Service (RDS)

AWS RDS is a service that allows for provisioning operationalized and scale relational databases quickly. Following is the checklist around RDS for security monitoring:

Security Monitoring Checklist

Monitoring of AWS RDS to ensure that the DB security groups do not allow unrestricted inbound access. It should be noted that DB security groups were possible for EC2 classic instances before 04/12/2013. After that date, only EC2-VPC instances are supported which in turn use VPC Security Groups.
Monitoring of AWS RDS to ensure that auto minor version feature is enabled.
Monitoring of AWS RDS to ensure that the RDS instances are encrypted.
Monitoring of AWS RDS to ensure that RDS instances are encrypted using KMS CMK's to have full control
Monitoring of AWS RDS to ensure that the RDS instances are not publicly accessible.
Monitoring of AWS RDS to ensure that RDS snapshots are not publicly accessible
Monitoring of AWS RDS to ensure that RDS snapshots are encrypted.

AWS Redshift

AWS Redshift is a data warehouse service which provides a cost-efficient and simple way to analyze data tends using existing business tools. Following is the checklist around Redshift for security monitoring:

Security Monitoring Checklist

Monitoring of AWS RDS to ensure that Redshift clusters are encrypted.
Monitoring of AWS RDS to ensure that Encrypted Redshift clusters are using KMS CMK's for full control
Monitoring of AWS RDS to ensure that Redshift clusters are not publicly available.
Monitoring of AWS RDS to ensure that activity logging is enabled.
Monitoring of AWS RDS to ensure that Redshift clusters are launched within VPC.

This completed this part of the article with other important AWS objects and their respective checklist for security monitoring.