How to Increase your Security Score in AWS.

Bhanu Reddy
3 min read · Sep 2, 2022
Security score in Security Hub

OBJECTIVE: This article provides a checklist of the AWS services whose configuration affects the security score in AWS Security Hub. Security Hub derives the score from the share of enabled controls that pass, so each failed control below lowers it. The following is the list of AWS services and the components of each that have to be taken care of to remediate the corresponding Security Hub findings in your AWS account.

IAM:

  • IAM users’ access keys should be rotated every 90 days or less.
  • IAM customer-managed policies that you create should not allow wildcard actions for services.
  • IAM root user access key should not exist.
  • IAM policies should not allow full “*” administrative privileges.
  • MFA should be enabled for all IAM users that have a console password.
  • Password policies for IAM users should have strong configurations.
  • Unused IAM user credentials should be removed.
  • IAM users should not have IAM policies attached.
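The following Python script is an added example, not code from the article, that evaluates IAM data against the controls in the list above. The sample account with its user names, key IDs and policy documents is constructed for the demo; the control numbers in the comments are the Security Hub identifiers these bullets map to; and collect_with_boto3() is an optional helper that assumes boto3 and AWS credentials are available if you want to run the same checks on a real account:

```python
"""IAM checks for the controls in the list above (IAM.1-5, IAM.21).

Added example, not from the original article. Inputs mimic boto3's IAM
response shapes; SAMPLE_ACCOUNT is constructed data for a stand-alone run
and collect_with_boto3() builds the same dict from a real account.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # IAM.3 rotation threshold


def _as_list(value):
    """IAM policy JSON allows a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_name, document):
    """IAM.1: no Allow of Action "*" on Resource "*".
    IAM.21: customer-managed policies must not use service wildcards ("s3:*")."""
    findings = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(("IAM.1", policy_name, "full '*' administrative privileges"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(("IAM.21", policy_name, f"service wildcard action {action}"))
    return findings


def stale_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """IAM.3: active keys older than max_age_days (list_access_keys shape)."""
    limit = timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and now - k["CreateDate"] > limit]


def account_findings(account, now):
    """Run every check over a dict shaped like SAMPLE_ACCOUNT; return (control, subject, detail)."""
    findings = []
    if account["SummaryMap"].get("AccountAccessKeysPresent", 0):  # IAM.4
        findings.append(("IAM.4", "root", "root user access key exists"))
    for user in account["Users"]:
        name = user["UserName"]
        if user["HasLoginProfile"] and not user["MFADevices"]:  # IAM.5
            findings.append(("IAM.5", name, "console password without MFA"))
        if user["AttachedPolicies"]:  # IAM.2: attach policies to groups or roles instead
            findings.append(("IAM.2", name, "policies attached directly to the user"))
        for key_id in stale_access_keys(user["AccessKeyMetadata"], now):
            findings.append(("IAM.3", name, f"access key {key_id} older than {MAX_KEY_AGE_DAYS} days"))
    for policy_name, document in account["CustomerManagedPolicies"].items():
        findings.extend(policy_findings(policy_name, document))
    return findings


def collect_with_boto3():
    """Optional: build the SAMPLE_ACCOUNT shape from a real account (needs boto3 + credentials)."""
    import boto3  # imported lazily so the offline demo needs no SDK
    iam = boto3.client("iam")
    account = {"SummaryMap": iam.get_account_summary()["SummaryMap"],
               "Users": [], "CustomerManagedPolicies": {}}
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        try:
            iam.get_login_profile(UserName=name)
            has_login = True
        except iam.exceptions.NoSuchEntityException:
            has_login = False
        account["Users"].append({
            "UserName": name, "HasLoginProfile": has_login,
            "MFADevices": iam.list_mfa_devices(UserName=name)["MFADevices"],
            "AttachedPolicies": iam.list_attached_user_policies(UserName=name)["AttachedPolicies"],
            "AccessKeyMetadata": iam.list_access_keys(UserName=name)["AccessKeyMetadata"]})
    for pol in iam.list_policies(Scope="Local")["Policies"]:  # customer-managed only
        version = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
        account["CustomerManagedPolicies"][pol["PolicyName"]] = version["PolicyVersion"]["Document"]
    return account


# Constructed sample: two users and two customer-managed policies (not real data).
NOW = datetime(2022, 9, 2, tzinfo=timezone.utc)
SAMPLE_ACCOUNT = {
    "SummaryMap": {"AccountAccessKeysPresent": 1},
    "Users": [
        {"UserName": "alice", "HasLoginProfile": True, "MFADevices": [],
         "AttachedPolicies": [{"PolicyName": "AdministratorAccess"}],
         "AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
                                "CreateDate": NOW - timedelta(days=120)}]},
        {"UserName": "ci-deploy", "HasLoginProfile": False, "MFADevices": [], "AttachedPolicies": [],
         "AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
                                "CreateDate": NOW - timedelta(days=30)}]},
    ],
    "CustomerManagedPolicies": {
        "too-broad": {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "bucket-reader": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"],
             "Resource": "arn:aws:s3:::app-bucket/*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]},
    },
}

if __name__ == "__main__":
    for control, subject, detail in account_findings(SAMPLE_ACCOUNT, NOW):
        print(f"{control:7} {subject:10} {detail}")
```

Note that the Deny statement in the bucket-reader policy is skipped on purpose: a wildcard in a Deny narrows access rather than widening it, so only Allow statements count against IAM.1 and IAM.21. Swap SAMPLE_ACCOUNT for collect_with_boto3() to produce the same finding list for a real account.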

EC2 :

  • EC2 instances should not have a public IPv4 address.
  • EC2 instances should use Instance Metadata Service Version 2 (IMDSv2).
  • Security groups should only allow unrestricted incoming traffic for authorized ports.
  • The attached EBS volumes should be encrypted at rest.
  • Stopped EC2 instances should be removed after a specified time period.
  • Both VPN tunnels for an AWS Site-to-Site VPN connection should be up.
  • Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389.
  • EBS snapshots should not be publicly restorable.
  • Security groups should not allow unrestricted access to ports with high risk.
  • The VPC default security group should not allow any inbound or outbound traffic.
  • Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service.
  • EC2 subnets should not automatically assign public IP addresses.
  • Unused EC2 security groups should be removed.
  • VPC flow logging should be enabled in all VPCs.
  • EBS default encryption should be enabled.
  • Unused Network Access Control Lists should be removed.
  • EC2 instances should not use multiple ENIs.
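As an added example that is not code from the article, the script below runs several of the EC2 checks above over data shaped like the boto3 describe_security_groups and describe_instances responses. The sample groups and instances are constructed; HIGH_RISK_PORTS is this example's reading of the EC2.19 port list and AUTHORIZED_PORTS stands in for whatever list you configure on EC2.18; live_findings() is an optional helper that assumes boto3 and credentials are available:

```python
"""EC2 checks for several controls in the list above: EC2.2 (default SG),
EC2.18/EC2.19 (world-open ingress), EC2.8 (IMDSv2), EC2.9 (public IPv4),
EC2.17 (multiple ENIs).

Added example, not from the original article. Inputs follow boto3's
describe_security_groups / describe_instances shapes; the sample groups and
instances are constructed. HIGH_RISK_PORTS is this example's reading of the
EC2.19 list and AUTHORIZED_PORTS stands in for the list you set on EC2.18.
"""
WORLD = {"0.0.0.0/0", "::/0"}
HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306,
                   3389, 4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300}
AUTHORIZED_PORTS = {80, 443}


def _world_open(perm):
    """True if an IpPermission entry has an any-address IPv4 or IPv6 range."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD)


def _ports(perm):
    """Ports a rule covers; None means every port (IpProtocol -1 / all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def security_group_findings(group, authorized=AUTHORIZED_PORTS):
    """Evaluate one SecurityGroup dict; return (control, group id, detail) tuples."""
    findings, gid = [], group["GroupId"]
    if group["GroupName"] == "default" and (group["IpPermissions"] or group["IpPermissionsEgress"]):
        findings.append(("EC2.2", gid, "default security group still has rules"))
    for perm in group["IpPermissions"]:
        if not _world_open(perm):
            continue
        ports = _ports(perm)
        risky = HIGH_RISK_PORTS if ports is None else ports & HIGH_RISK_PORTS
        if risky:
            findings.append(("EC2.19", gid, f"high-risk ports open to the world: {sorted(risky)[:5]}"))
        if ports is None or ports - authorized:
            findings.append(("EC2.18", gid, "unrestricted ingress on an unauthorized port"))
    return findings


def instance_findings(instance):
    """Evaluate one Instance dict from describe_instances."""
    findings, iid = [], instance["InstanceId"]
    if instance.get("MetadataOptions", {}).get("HttpTokens") != "required":
        findings.append(("EC2.8", iid, "IMDSv2 not enforced (HttpTokens is not 'required')"))
    if instance.get("PublicIpAddress"):
        findings.append(("EC2.9", iid, f"public IPv4 address {instance['PublicIpAddress']}"))
    if len(instance.get("NetworkInterfaces", [])) > 1:
        findings.append(("EC2.17", iid, "instance has multiple ENIs"))
    return findings


def live_findings(region_name):
    """Optional: same checks against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline demo needs no SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    findings = []
    for group in ec2.describe_security_groups()["SecurityGroups"]:
        findings.extend(security_group_findings(group))
    for reservation in ec2.describe_instances()["Reservations"]:
        for instance in reservation["Instances"]:
            findings.extend(instance_findings(instance))
    return findings


# Constructed samples (not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-legacy", "PublicIpAddress": "203.0.113.10",
     "MetadataOptions": {"HttpTokens": "optional"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-1"}, {"NetworkInterfaceId": "eni-2"}]},
    {"InstanceId": "i-hardened", "MetadataOptions": {"HttpTokens": "required"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-3"}]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        for finding in security_group_findings(group):
            print(*finding)
    for instance in SAMPLE_INSTANCES:
        for finding in instance_findings(instance):
            print(*finding)
```

The IPv6 rule on port 22 is there deliberately: a check that only inspects IpRanges (the IPv4 list) misses ::/0 and reports the group clean, so both range lists are merged before comparing against WORLD. The 5432 rule scoped to 10.0.0.0/8 is not reported, because EC2.18 and EC2.19 are only about unrestricted sources.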

S3 :

  • S3 Block Public Access setting should be enabled at the bucket level.
  • S3 buckets should have event notifications enabled.
  • S3 buckets should require requests to use Secure Socket Layer (TLS in practice: the bucket policy must deny requests where aws:SecureTransport is false).
  • S3 access control lists (ACLs) should not be used to manage user access to buckets.
  • S3 buckets should prohibit public read access.
  • S3 buckets should prohibit public write access.
  • S3 buckets with versioning enabled should have lifecycle policies configured.
  • S3 buckets should have server-side encryption enabled.
  • S3 bucket server access logging should be enabled.
  • S3 buckets should have lifecycle policies configured.
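The following is an added example, not code from the article, for two of the S3 items above: it checks a bucket's Block Public Access configuration and tests whether a bucket policy already carries the TLS-only deny, then builds the statement that fixes a policy which does not. Input shapes follow boto3's get_public_access_block and get_bucket_policy responses; the sample policy, bucket name and account ID are constructed, and the check deliberately requires the full deny-all form rather than any partial HTTP deny:

```python
"""S3 checks for S3.5 (TLS-only requests) and S3.8 (bucket-level Block Public
Access) from the list above, plus the policy statement that remediates S3.5.

Added example, not from the original article. Input shapes follow boto3's
s3.get_bucket_policy / get_public_access_block; the sample policy is constructed.
"""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy JSON allows a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def public_access_blocked(pab_response):
    """S3.8: all four Block Public Access flags must be set on the bucket."""
    cfg = pab_response.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def enforces_tls(bucket, policy_json):
    """S3.5: look for the canonical Deny for every principal on s3:* when
    aws:SecureTransport is false, covering both the bucket and its objects.
    (This example requires that full form rather than any partial HTTP deny.)"""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and actions & {"*", "s3:*"}
                and str(cond).lower() == "false"
                and {bucket_arn, bucket_arn + "/*"} <= set(_as_list(stmt.get("Resource", [])))):
            return True
    return False


def tls_only_statement(bucket):
    """The Deny statement to add to a bucket policy so that S3.5 passes."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [arn, arn + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


def remediated_policy(bucket, policy_json=None):
    """Append the TLS-only statement to an existing policy JSON (or start a new one)."""
    policy = json.loads(policy_json) if policy_json else {"Version": "2012-10-17", "Statement": []}
    policy["Statement"] = _as_list(policy.get("Statement", [])) + [tls_only_statement(bucket)]
    return json.dumps(policy, indent=2)


# Constructed samples: a bucket policy with no transport condition and a
# Block Public Access configuration missing one flag.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}]})
PARTIAL_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("S3.8 pass:", public_access_blocked(PARTIAL_PAB))
    print("S3.5 pass before:", enforces_tls("app-bucket", WEAK_POLICY))
    fixed = remediated_policy("app-bucket", WEAK_POLICY)
    print("S3.5 pass after:", enforces_tls("app-bucket", fixed))
    print(fixed)
```

Apply the output of remediated_policy() with s3.put_bucket_policy(Bucket=..., Policy=...) after reviewing it, and note that a deny on the bucket ARN alone (without the /* object ARN) leaves object GETs over plain HTTP allowed, which is why the check insists on both resources.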

ECR :

  • ECR private repositories should have image scanning configured.
  • ECR private repositories should have tag immutability configured.
  • ECR repositories should have at least one lifecycle policy configured.

RDS :

  • RDS DB instances should have deletion protection enabled.
  • Enhanced monitoring should be configured for RDS DB instances.
  • RDS DB instances should be configured to copy tags to snapshots.
  • RDS DB clusters should be configured to copy tags to snapshots.
  • Database logging should be enabled.
  • RDS DB instances should have encryption at rest enabled.
  • RDS Database Clusters should use a custom administrator username.
  • RDS instances should have automatic backups enabled.
  • RDS cluster snapshots and database snapshots should be encrypted at rest.
  • RDS instances should not use a database engine default port.
  • RDS database instances should use a custom administrator username.
  • IAM authentication should be configured for RDS instances.

ELASTICSEARCH :

  • Elasticsearch domains should have audit logging enabled.
  • Connections to Elasticsearch domains should be encrypted using TLS 1.2.
  • Elasticsearch domains should have encryption at rest enabled.
  • Elasticsearch domains should encrypt data sent between nodes.
  • Elasticsearch domains should be in a VPC.
  • Elasticsearch domain error logging to CloudWatch Logs should be enabled.

CONCLUSION :

While creating any of the above AWS services, ensure all the security issues are taken care of, so that the security score is not impacted. Maintain a daily or weekly checklist and run Boto3 scripts for services like S3, ECR, and IAM, as they are the most used services in any organization. Give users least-privilege access as per need, and automate the infrastructure creation using an IaC tool so that the security configuration is defined and reviewed in code rather than set by hand.
