AWS Virtual Private Cloud (VPC)

AWS VPC provides a logically isolated network within the AWS cloud. It behaves like an extension of the organization's own network, typically connected to it over a VPN. VPC puts the configuration of subnets, route tables, gateways and network ACLs under the customer's control, and provides an additional layer of security for organizations moving to AWS. Following is a security monitoring checklist for security teams monitoring VPC:

Security Monitoring Checklist

Monitoring of AWS VPC to ensure that no network ACL exists that allows ingress traffic on all ports from any source (0.0.0.0/0 or ::/0)

Monitoring of AWS VPC to ensure that no network ACL exists that allows egress traffic on all ports to any destination

Monitoring of AWS VPC to find unused virtual private gateways (gateways not attached to any VPC)

Monitoring of AWS VPC to find any VPC endpoint whose policy grants access to every principal ("Principal": "*")

Monitoring of AWS VPC to find out whether flow logs are enabled for each VPC
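The following is an added example, not code from the original article: it implements the five VPC checks above as pure functions over dicts shaped like the responses boto3 returns for describe_network_acls(), describe_vpc_endpoints(), describe_vpcs() and describe_flow_logs(), so the logic can be tested offline before it is pointed at a real account. All IDs, CIDRs and policy documents in the sample data are constructed.

```python
"""Added example, not from the original article: evaluate VPC network ACLs,
endpoint policies and flow-log coverage offline, over dicts shaped like the
responses of boto3's describe_network_acls(), describe_vpc_endpoints(),
describe_vpcs() and describe_flow_logs(). All sample data below is constructed."""
import json

ANYWHERE = ("0.0.0.0/0", "::/0")


def nacl_allow_all_entries(nacl):
    """Return (direction, rule_number) for each ALLOW entry that opens every
    port to/from the whole internet. Protocol '-1' means all protocols and
    carries no PortRange; a TCP/UDP rule spanning 0-65535 is equally wide."""
    findings = []
    for e in nacl["Entries"]:
        if e["RuleAction"] != "allow":
            continue
        if (e.get("CidrBlock") or e.get("Ipv6CidrBlock")) not in ANYWHERE:
            continue
        pr = e.get("PortRange")
        all_ports = e["Protocol"] == "-1" or (
            pr is not None and pr["From"] == 0 and pr["To"] == 65535)
        if all_ports:
            findings.append(("egress" if e["Egress"] else "ingress", e["RuleNumber"]))
    return findings


def endpoint_policy_is_open(endpoint):
    """True when an Allow statement without a Condition grants access to all
    principals ("Principal": "*" or {"AWS": "*"}). Gateway endpoints are
    created with exactly such a full-access policy unless one is supplied."""
    doc = json.loads(endpoint["PolicyDocument"])
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for s in statements:
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        principal = s.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS")
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


def vpcs_without_flow_logs(vpcs, flow_logs):
    """VPC IDs with no ACTIVE flow log at VPC scope. Flow logs can also be
    attached per subnet or ENI; those are not counted as VPC coverage here."""
    covered = {f["ResourceId"] for f in flow_logs if f["FlowLogStatus"] == "ACTIVE"}
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


# Constructed sample data (shapes follow the boto3 responses, values are made up).
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-0aaa", "VpcId": "vpc-0111", "IsDefault": True, "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    ]},
    {"NetworkAclId": "acl-0bbb", "VpcId": "vpc-0222", "IsDefault": False, "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    ]},
]
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0open", "ServiceName": "com.amazonaws.us-east-1.s3",
     "PolicyDocument": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                                  "Action": "*", "Resource": "*"}]})},
    {"VpcEndpointId": "vpce-0tight", "ServiceName": "com.amazonaws.us-east-1.s3",
     "PolicyDocument": json.dumps({"Statement": [{"Effect": "Allow",
                                                  "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                                                  "Action": "s3:GetObject",
                                                  "Resource": "arn:aws:s3:::example-bucket/*"}]})},
]
SAMPLE_VPCS = [{"VpcId": "vpc-0111"}, {"VpcId": "vpc-0222"}]
SAMPLE_FLOW_LOGS = [{"FlowLogId": "fl-01", "ResourceId": "vpc-0111", "FlowLogStatus": "ACTIVE"}]


def run_vpc_checks():
    """Aggregate the checks into one findings dict (only failing resources appear)."""
    return {
        "open_nacl_rules": {n["NetworkAclId"]: nacl_allow_all_entries(n)
                            for n in SAMPLE_NACLS if nacl_allow_all_entries(n)},
        "open_endpoints": [e["VpcEndpointId"] for e in SAMPLE_ENDPOINTS if endpoint_policy_is_open(e)],
        "vpcs_without_flow_logs": vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS),
    }


if __name__ == "__main__":
    print(json.dumps(run_vpc_checks(), indent=2))
```

The default network ACL that every VPC ships with (acl-0aaa here) is flagged on both directions, which is the expected result: the checklist item is really about making sure workloads sit behind custom ACLs rather than the default one. Swap the SAMPLE_* constants for the real API responses to run the same checks against an account.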

AWS Elastic Cloud Compute (EC2)

AWS EC2 provides compute capacity in the form of instances that can be provisioned on demand and scaled up or down as required. Following is the EC2 checklist for security monitoring:

Security Monitoring Checklist

Monitoring of AWS EC2 to ensure that instances are not launched from blacklisted (unapproved) AMIs

Monitoring of AWS EC2 to ensure that instances are not using the default security group

Monitoring of AWS EC2 to ensure that there is no security group with unrestricted outbound access (all ports to 0.0.0.0/0 or ::/0)

Monitoring of AWS EC2 to ensure that there is no unrestricted inbound access (from 0.0.0.0/0 or ::/0) to the following services:

FTP (TCP 21)

MSSQL (TCP 1433)

MySQL (TCP 3306)

MongoDB (TCP 27017)

SMTP (TCP 25)

Telnet (TCP 23)

SSH (TCP 22)

NetBIOS (TCP/UDP 137-139)

(and so on)

Monitoring of AWS EC2 to ensure that unused EC2 key pairs are decommissioned
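The following is an added example, not code from the original article: it evaluates security groups, instances and key pairs against the EC2 checklist above, working over dicts shaped like boto3's describe_security_groups(), describe_instances() (flattened to a list of instances) and describe_key_pairs() responses. The port-to-service map is an assumption to be tuned to the organization's own list, and all group, instance and key names are constructed.

```python
"""Added example, not from the original article: evaluate EC2 security
groups, instances and key pairs offline against the checklist above, over
dicts shaped like boto3's describe_security_groups(), describe_instances()
(flattened to a list of instances) and describe_key_pairs(). Sample data is
constructed; the port-to-service map is an assumption to be tuned locally."""

# TCP ports for the services in the checklist. NetBIOS name/datagram services
# (137/138) are UDP and are not covered by this TCP-only check.
SENSITIVE_TCP_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 139: "NetBIOS",
                       445: "SMB", 1433: "MSSQL", 3306: "MySQL", 27017: "MongoDB"}
ANYWHERE = ("0.0.0.0/0", "::/0")


def _open_to_world(perm):
    """True if an IpPermission lists an IPv4 or IPv6 range covering the internet."""
    return (any(r["CidrIp"] in ANYWHERE for r in perm.get("IpRanges", []))
            or any(r["CidrIpv6"] in ANYWHERE for r in perm.get("Ipv6Ranges", [])))


def _all_ports(perm):
    """Protocol '-1' (all traffic, no FromPort/ToPort) or a TCP/UDP rule spanning 0-65535."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] in ("tcp", "udp") and perm["FromPort"] == 0 and perm["ToPort"] == 65535


def _covers_tcp(perm, port):
    """Does this permission admit TCP traffic to `port`?"""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def unrestricted_inbound(sg):
    """Sensitive TCP services reachable from anywhere, as sorted (port, name) pairs."""
    hits = set()
    for perm in sg["IpPermissions"]:
        if _open_to_world(perm):
            hits.update((p, n) for p, n in SENSITIVE_TCP_PORTS.items() if _covers_tcp(perm, p))
    return sorted(hits)


def unrestricted_outbound(sg):
    """True when egress allows all ports to the whole internet (the rule every
    new security group is created with, and rarely what a server needs)."""
    return any(_all_ports(p) and _open_to_world(p) for p in sg["IpPermissionsEgress"])


def default_groups_in_use(groups, instances):
    """Instance IDs attached to a VPC's 'default' security group."""
    default_ids = {g["GroupId"] for g in groups if g["GroupName"] == "default"}
    return sorted(i["InstanceId"] for i in instances
                  if any(g["GroupId"] in default_ids for g in i["SecurityGroups"]))


def unused_key_pairs(key_pairs, instances):
    """Key pair names not referenced by any instance's KeyName."""
    in_use = {i.get("KeyName") for i in instances}
    return sorted(k["KeyName"] for k in key_pairs if k["KeyName"] not in in_use)


# Constructed sample data.
GROUPS = [
    {"GroupId": "sg-0def", "GroupName": "default", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db-legacy",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 23, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-0web1", "KeyName": "web-prod", "SecurityGroups": [{"GroupId": "sg-0web"}]},
    {"InstanceId": "i-0legacy", "KeyName": "ops-2019",
     "SecurityGroups": [{"GroupId": "sg-0def"}, {"GroupId": "sg-0db"}]},
]
KEY_PAIRS = [{"KeyName": "web-prod"}, {"KeyName": "ops-2019"}, {"KeyName": "old-laptop"}]
BY_ID = {g["GroupId"]: g for g in GROUPS}


def run_ec2_checks():
    """Aggregate the checks; only failing groups, instances and keys appear."""
    return {
        "unrestricted_inbound": {g["GroupId"]: unrestricted_inbound(g) for g in GROUPS if unrestricted_inbound(g)},
        "unrestricted_outbound": sorted(g["GroupId"] for g in GROUPS if unrestricted_outbound(g)),
        "default_group_in_use": default_groups_in_use(GROUPS, INSTANCES),
        "unused_key_pairs": unused_key_pairs(KEY_PAIRS, INSTANCES),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_ec2_checks(), indent=2))
```

Two details matter when porting this to real data: a rule with IpProtocol "-1" has no FromPort/ToPort keys at all, so port comparisons must short-circuit before reading them, and an IPv6 "::/0" range is just as unrestricted as "0.0.0.0/0" but lives in Ipv6Ranges rather than IpRanges, which single-stack checks routinely miss.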

AWS Elastic Load Balancer (ELB)

AWS ELB is a service that distributes incoming traffic across backend EC2 instances, much like a load balancer in a traditional data center. Following is the checklist for ELB security monitoring:

Security Monitoring Checklist

Monitoring of AWS ELB to ensure that no insecure protocols or ciphers are enabled on HTTPS/SSL listeners. Which protocols and ciphers are acceptable is decided by the organization according to its compatibility requirements and security standards, and the listener policy should follow best practices such as server order preference (the load balancer, not the client, chooses the cipher)

Monitoring of AWS ELB to ensure that it has a valid security group associated with it

Monitoring of AWS ELB to ensure that it has the latest predefined SSL/TLS security policy deployed
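The following is an added example, not code from the original article: it walks the HTTPS/SSL listeners of Classic Load Balancers and grades their SSL negotiation policies against the three ELB items above, over dicts shaped like boto3's describe_load_balancers() and describe_load_balancer_policies() responses. The baseline policy name and the weak-cipher markers are assumptions standing in for the organization's own standard; the load balancer names, policy names and security group ID are constructed.

```python
"""Added example, not from the original article: evaluate Classic Load
Balancer HTTPS/SSL listeners offline, over dicts shaped like boto3's
describe_load_balancers() and describe_load_balancer_policies() responses.
BASELINE_POLICY and WEAK_CIPHER_MARKERS are assumptions an organization would
set from its own standard; all sample data is constructed."""

WEAK_PROTOCOLS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1")
# Substrings marking ciphers most standards reject: RC4, (3)DES, export grade,
# NULL encryption, MD5 MACs, anonymous DH. Assumption: adjust to local policy.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5", "ADH")
NON_CIPHER_ATTRIBUTES = ("Server-Defined-Order-Preference", "Reference-Security-Policy")
BASELINE_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"  # assumption: org baseline


def _attr(attrs, name):
    """Value of a PolicyAttributeDescription by name, or None when absent."""
    for a in attrs:
        if a["AttributeName"] == name:
            return a["AttributeValue"]
    return None


def _enabled(attrs, name):
    return _attr(attrs, name) == "true"


def ssl_policy_findings(port, attrs):
    """Findings for one SSLNegotiationPolicyType policy applied on `port`.
    Every attribute that is not a Protocol-* switch or one of the two control
    attributes is a cipher suite name whose value 'true' means enabled."""
    findings = [f"{port}: weak protocol {p} enabled" for p in WEAK_PROTOCOLS if _enabled(attrs, p)]
    for a in attrs:
        name = a["AttributeName"]
        if name.startswith("Protocol-") or name in NON_CIPHER_ATTRIBUTES:
            continue
        if a["AttributeValue"] == "true" and any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append(f"{port}: weak cipher {name} enabled")
    if not _enabled(attrs, "Server-Defined-Order-Preference"):
        findings.append(f"{port}: Server-Defined-Order-Preference not enabled")
    ref = _attr(attrs, "Reference-Security-Policy")
    if ref != BASELINE_POLICY:
        findings.append(f"{port}: Reference-Security-Policy is {ref}, baseline is {BASELINE_POLICY}")
    return findings


def listener_findings(elb, policies_by_name):
    """Evaluate the SSL negotiation policy behind every HTTPS/SSL listener."""
    findings = []
    for ld in elb["ListenerDescriptions"]:
        listener = ld["Listener"]
        if listener["Protocol"] not in ("HTTPS", "SSL"):
            continue
        port = listener["LoadBalancerPort"]
        ssl_policies = [policies_by_name[n] for n in ld["PolicyNames"]
                        if policies_by_name[n]["PolicyTypeName"] == "SSLNegotiationPolicyType"]
        if not ssl_policies:
            findings.append(f"{port}: no SSL negotiation policy attached")
        for p in ssl_policies:
            findings.extend(ssl_policy_findings(port, p["PolicyAttributeDescriptions"]))
    return findings


def missing_security_group(elb):
    """A load balancer in a VPC must carry at least one security group."""
    return not elb.get("SecurityGroups")


def _attrs(pairs):
    """Build PolicyAttributeDescriptions from (name, value) pairs (sample data only)."""
    return [{"AttributeName": n, "AttributeValue": v} for n, v in pairs]


# Constructed sample data, keyed by policy name as describe_load_balancer_policies() lists them.
POLICIES = {
    "legacy-ssl": {"PolicyName": "legacy-ssl", "PolicyTypeName": "SSLNegotiationPolicyType",
                   "PolicyAttributeDescriptions": _attrs([
                       ("Protocol-TLSv1", "true"), ("Protocol-TLSv1.2", "true"),
                       ("RC4-SHA", "true"), ("AES128-SHA", "true"),
                       ("Server-Defined-Order-Preference", "false"),
                       ("Reference-Security-Policy", "ELBSecurityPolicy-2011-08")])},
    "tls12-only": {"PolicyName": "tls12-only", "PolicyTypeName": "SSLNegotiationPolicyType",
                   "PolicyAttributeDescriptions": _attrs([
                       ("Protocol-TLSv1", "false"), ("Protocol-TLSv1.2", "true"),
                       ("ECDHE-RSA-AES128-GCM-SHA256", "true"),
                       ("Server-Defined-Order-Preference", "true"),
                       ("Reference-Security-Policy", BASELINE_POLICY)])},
}
ELBS = [
    {"LoadBalancerName": "legacy-web", "SecurityGroups": [],
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
          "PolicyNames": ["legacy-ssl"]}]},
    {"LoadBalancerName": "modern-web", "SecurityGroups": ["sg-0abc"],
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
          "PolicyNames": ["tls12-only"]},
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80},
          "PolicyNames": []}]},
]

if __name__ == "__main__":
    for elb in ELBS:
        for line in listener_findings(elb, POLICIES):
            print(elb["LoadBalancerName"], line)
        if missing_security_group(elb):
            print(elb["LoadBalancerName"], "no security group attached")
```

The Reference-Security-Policy attribute is what ties a custom policy back to the predefined AWS policy it was derived from, so comparing it to the organization's baseline is the cheapest way to implement the "latest security policy" item; the protocol and cipher walk catches policies that were edited by hand after being created from a reference.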

AWS Elastic Block Storage (EBS)

AWS EBS is a service that provides block-level storage volumes for use with EC2. EBS volumes persist independently of the lifetime of the instance they are attached to. Following is the checklist for EBS security monitoring:

Security Monitoring Checklist

Monitoring of AWS EBS to ensure that it is encrypted

Monitoring of AWS EBS to ensure that volumes are encrypted with KMS customer managed keys (CMKs), so that the organization has full control over the keys

Monitoring of AWS EBS to ensure that EBS snapshots are not publicly available

Monitoring of AWS EBS to ensure that EBS snapshots are also encrypted

AWS Relational Database Service (RDS)

AWS RDS is a service that allows organizations to quickly provision, operate and scale relational databases. Following is the checklist for RDS security monitoring:

Security Monitoring Checklist

Monitoring of AWS RDS to ensure that DB security groups do not allow unrestricted inbound access. Note that DB security groups apply only to RDS instances on the EC2-Classic platform, which is available only to accounts created before 4 December 2013; accounts created after that date support only EC2-VPC, where RDS instances use VPC security groups instead

Monitoring of AWS RDS to ensure that the Auto Minor Version Upgrade feature is enabled

Monitoring of AWS RDS to ensure that the RDS instances are encrypted

Monitoring of AWS RDS to ensure that RDS instances are encrypted using KMS CMKs, so that the organization has full control over the keys

Monitoring of AWS RDS to ensure that the RDS instances are not publicly accessible

Monitoring of AWS RDS to ensure that RDS snapshots are not publicly accessible

Monitoring of AWS RDS to ensure that RDS snapshots are encrypted

AWS Redshift

AWS Redshift is a data warehouse service which provides a cost-efficient and simple way to analyze data trends using existing business tools. Following is the checklist for Redshift security monitoring:

Security Monitoring Checklist

Monitoring of AWS Redshift to ensure that Redshift clusters are encrypted

Monitoring of AWS Redshift to ensure that encrypted Redshift clusters are using KMS CMKs, so that the organization has full control over the keys

Monitoring of AWS Redshift to ensure that Redshift clusters are not publicly accessible

Monitoring of AWS Redshift to ensure that audit logging (connection, user and user activity logs) is enabled

Monitoring of AWS Redshift to ensure that Redshift clusters are launched within a VPC
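The EBS, RDS and Redshift checklists above share the same three questions: is the data encrypted, is the key a customer managed CMK rather than an AWS-managed key, and is the resource or its snapshot exposed publicly. The following is an added example, not code from the original article, that answers them in one pass over dicts shaped like boto3's describe_volumes(), describe_snapshot_attribute(), describe_db_instances(), describe_db_snapshot_attributes(), describe_clusters(), describe_logging_status() and KMS describe_key() responses. Key ARNs, resource identifiers and account IDs in the sample data are constructed.

```python
"""Added example, not from the original article: one offline pass over the
encryption and exposure checks that the EBS, RDS and Redshift checklists
share, using dicts shaped like boto3's describe_volumes(),
describe_snapshot_attribute(), describe_db_instances(),
describe_db_snapshot_attributes(), describe_clusters(),
describe_logging_status() and KMS describe_key(). Sample data is constructed."""


def key_is_customer_managed(kms_key_id, keys):
    """True only when KMS reports KeyManager == 'CUSTOMER'. AWS-managed keys
    (aliases aws/ebs, aws/rds, aws/redshift) still encrypt the data but leave
    key policy, rotation and deletion outside the organization's control."""
    meta = keys.get(kms_key_id)
    return meta is not None and meta["KeyManager"] == "CUSTOMER"


def encryption_findings(resource_id, encrypted, kms_key_id, keys):
    """Shared check: unencrypted is worst, encrypted with an AWS key is second."""
    if not encrypted:
        return [f"{resource_id}: not encrypted"]
    if not key_is_customer_managed(kms_key_id, keys):
        return [f"{resource_id}: encrypted with an AWS-managed key, not a customer managed CMK"]
    return []


def public_ebs_snapshots(create_volume_permissions):
    """Snapshot IDs whose createVolumePermission attribute includes Group 'all'."""
    return sorted(sid for sid, perms in create_volume_permissions.items()
                  if any(p.get("Group") == "all" for p in perms))


def public_rds_snapshots(attribute_results):
    """RDS snapshots whose 'restore' attribute contains 'all'."""
    return sorted(r["DBSnapshotIdentifier"] for r in attribute_results
                  if any(a["AttributeName"] == "restore" and "all" in a["AttributeValues"]
                         for a in r["DBSnapshotAttributes"]))


def rds_instance_findings(db, keys):
    rid = db["DBInstanceIdentifier"]
    findings = encryption_findings(rid, db["StorageEncrypted"], db.get("KmsKeyId"), keys)
    if db["PubliclyAccessible"]:
        findings.append(f"{rid}: publicly accessible")
    if not db["AutoMinorVersionUpgrade"]:
        findings.append(f"{rid}: auto minor version upgrade disabled")
    return findings


def redshift_cluster_findings(cluster, logging_status, keys):
    cid = cluster["ClusterIdentifier"]
    findings = encryption_findings(cid, cluster["Encrypted"], cluster.get("KmsKeyId"), keys)
    if cluster["PubliclyAccessible"]:
        findings.append(f"{cid}: publicly accessible")
    if not logging_status["LoggingEnabled"]:
        findings.append(f"{cid}: audit logging disabled")
    if not cluster.get("VpcId"):  # EC2-Classic clusters carry no VpcId
        findings.append(f"{cid}: not launched in a VPC")
    return findings


# Constructed sample data.
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-4000-8000-000000000001"
CMK = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-4000-8000-000000000002"
KEYS = {AWS_KEY: {"KeyId": AWS_KEY, "KeyManager": "AWS"},
        CMK: {"KeyId": CMK, "KeyManager": "CUSTOMER"}}
VOLUMES = [
    {"VolumeId": "vol-0plain", "Encrypted": False},
    {"VolumeId": "vol-0awskey", "Encrypted": True, "KmsKeyId": AWS_KEY},
    {"VolumeId": "vol-0cmk", "Encrypted": True, "KmsKeyId": CMK},
]
SNAPSHOT_PERMS = {"snap-0shared": [{"Group": "all"}], "snap-0private": [{"UserId": "444455556666"}]}
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "KmsKeyId": CMK,
     "PubliclyAccessible": False, "AutoMinorVersionUpgrade": True},
    {"DBInstanceIdentifier": "reports-legacy", "StorageEncrypted": False,
     "PubliclyAccessible": True, "AutoMinorVersionUpgrade": False},
]
DB_SNAPSHOT_ATTRS = [
    {"DBSnapshotIdentifier": "orders-2024-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
    {"DBSnapshotIdentifier": "reports-export",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
]
CLUSTER = {"ClusterIdentifier": "analytics", "Encrypted": True, "KmsKeyId": AWS_KEY,
           "PubliclyAccessible": False, "VpcId": "vpc-0111"}
LOGGING_STATUS = {"LoggingEnabled": False}


def run_storage_checks():
    """All findings across the three services, in checklist order."""
    findings = []
    for v in VOLUMES:
        findings += encryption_findings(v["VolumeId"], v["Encrypted"], v.get("KmsKeyId"), KEYS)
    findings += [f"{s}: snapshot is public" for s in public_ebs_snapshots(SNAPSHOT_PERMS)]
    for db in DB_INSTANCES:
        findings += rds_instance_findings(db, KEYS)
    findings += [f"{s}: snapshot is public" for s in public_rds_snapshots(DB_SNAPSHOT_ATTRS)]
    findings += redshift_cluster_findings(CLUSTER, LOGGING_STATUS, KEYS)
    return findings


if __name__ == "__main__":
    print("\n".join(run_storage_checks()))
```

The one lookup that cannot be answered from the storage service's own API is the CMK question: describe_volumes, describe_db_instances and describe_clusters all return a KmsKeyId, but only KMS describe_key reveals whether that key's KeyManager is AWS or CUSTOMER, which is why the example resolves every key ID through a KEYS map before deciding.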

This completes our coverage of other important AWS objects and their respective checklists for security monitoring.
