Best Practices
High Level Documentation
Link | Notes |
---|---|
Security Pillar of the Well-Architected Framework | Best practices and guidance |
AWS Security Reference Architecture (AWS SRA) | Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations |
OG-AWS | Amazon Web Services — a practical guide |
Map the Cloud | |
Catalog of AWS Customer Security Incidents | This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause |
Datadog Cloud Security Atlas | |
Operational Guides
Link | Notes |
---|---|
Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts |
Summit Route AWS Security Tools Comparison | Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper |
AWS Control Tower By Example | Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices |
CloudConformity | List of manual checks/audits |
Top 10 security best practices for securing data in Amazon S3 | The latest S3 features and AWS services that you can use to help secure your data in S3 |
You should have lots of AWS accounts | Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure |
Approaches for authenticating external applications in a machine-to-machine scenario | Which approach is best to securely connect your applications to your AWS environment when no human interaction comes into play? |
Reducing Attack Surface with AWS Allowlisting | A detailed look at implementing Region & Service allowlisting in AWS |
The illustrated guide to S3 pre-signed URLs | What pre-signed URLs are, how to use them, and some best practices to keep in mind |
A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management | A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account |
Marco Lancini Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel | How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet |
Bastion Hosts | |
Code Samples
Link | Notes |
---|---|
aws-root-account | |
Cost Optimization
Link | Notes |
---|---|
Cloud Cost Handbook | Set of guides meant to help explain often-times complex pricing of public cloud infrastructure and service providers in easy-to-understand terms |
My Comprehensive Guide to AWS Cost Control | |
AWS Cost Allocation Guide: Tagging Best Practices | |
Cost Monitoring and Governance With Kubecost | Dedicated cluster vs. dedicated node vs. dedicated namespace |
Overview of Data Transfer Costs for Common Architectures | Potential data transfer charges you may encounter while operating your workload on AWS |
IMDS
Link | Notes |
---|---|
AWS EC2 IMDS - What You Need to Know | A technical review of IMDSv2 |
Remediating AWS IMDSv1 | How to remediate IMDSv1 in AWS |
How to use policies to restrict where EC2 instance credentials can be used from | Two new global condition context keys (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued |
Mitigating SSRF in 2023 | Different ways of triggering SSRF and which mitigation techniques are most effective |
imdsv2_wall_of_shame | List of vendors that do not allow IMDSv2 enforcement |
Backups
Link | Notes |
---|---|
Marco Lancini Automated Github Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier |
Marco Lancini Automated GDrive Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a GDrive account, relying on ECS Fargate and S3 Glacier |
Ransomware Prevention
Link | Notes |
---|---|
S3 Ransomware | |
Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks | Options for ensuring the durability of data stored on S3, through protections in place and backup strategies |
Protecting Amazon S3 Data from Ransomware | Ransomware targeting S3 is more likely to simply delete your data and claim it is being held for ransom than to actually encrypt it |
Ransomware mitigation: Top 5 protections and recovery preparation actions | |
Ransomware Risk Management on AWS using the NIST CSF | Implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST cybersecurity framework |
Ransomware-resistant backups with duplicity and AWS S3 | How to use duplicity with S3 to create ransomware-resistant backups |
Cloud-Native Ransomware – How attacks on availability leverage cloud services | |
Protect Your Data From Ransomware With S3 Object Lock | S3 Object Lock vs Glacier Vault Lock |
Other Writeups
Link | Notes |
---|---|
Summit Route Denial of Wallet Attacks on AWS | |