Best Pratices
High Level Documentation¶
| Link | Notes |
|---|---|
| Security Pillar of the Well-Architected Framework | Best practices and guidance |
| AWS Security Reference Architecture (AWS SRA) | Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations |
| OG-AWS | Amazon Web Services — a practical guide |
| Map the Cloud |
|
| Catalog of AWS Customer Security Incidents | This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause |
| Datadog Cloud Security Atlas |
|
Operational Guides¶
| Link | Notes |
|---|---|
| Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts |
| Summit Route AWS Security Tools Comparison | Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper |
| AWS Control Tower By Example | Hands-on walk-through of the the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices |
| CloudConformity | List of manual checks/audit |
| Top 10 security best practices for securing data in Amazon S3 | The latest S3 features and AWS services that you can use to help secure your data in S3 |
| You should have lots of AWS accounts | Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure |
| Approaches for authenticating external applications in a machine-to-machine scenario | Which approach is best to securely connect your applications to your AWS environment when no human interaction comes into play? |
| Reducing Attack Surface with AWS Allowlisting | A detailed look at implementing Region & Service allowlisting in AWS |
| The illustrated guide to S3 pre-signed URLs | What pre-signed URLs are, how to use them, and some best practices to keep in mind |
| A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management | A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account |
| Marco Lancini Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel | How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet |
| Bastion Hosts |
Code Samples¶
| Link | Notes |
|---|---|
| aws-root-account |
|
Cost Optimization¶
| Link | Notes |
|---|---|
| Cloud Cost Handbook | Set of guides meant to help explain often-times complex pricing of public cloud infrastructure and service providers in easy-to-understand terms |
| My Comprehensive Guide to AWS Cost Control |
|
| AWS Cost Allocation Guide: Tagging Best Practices |
|
| Cost Monitoring and Governance With Kubecost | Dedicated Cluster VS dedicated Node VS dedicated Namespace |
| Overview of Data Transfer Costs for Common Architectures | Potential data transfer charges you may encounter while operating your workload on AWS |
IMDS¶
| Link | Notes |
|---|---|
| AWS EC2 IMDS - What You Need to Know | A technical review of IMDSv2 |
| Remediating AWS IMDSv1 | How to remediate IMDSv1 in AWS |
| How to use policies to restrict where EC2 instance credentials can be used from | Two new global condition context keys (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued |
| Mitigating SSRF in 2023 | Different ways of triggering SSRF and which mitigation techniques are most effective |
| imdsv2_wall_of_shame | List of vendors that do not allow IMDSv2 enforcement |
Backups¶
| Link | Notes |
|---|---|
| Marco Lancini Automated Github Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier |
| Marco Lancini Automated GDrive Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a GDrive account, relying on ECS Fargate and S3 Glacier |
Ransomware Prevention¶
| Link | Notes |
|---|---|
| S3 Ransomware |
|
| Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks | Options for ensuring the durability of data stored on S3, through protections in place and backup strategies |
| Protecting Amazon S3 Data from Ransomware | Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it |
| Ransomware mitigation: Top 5 protections and recovery preparation actions |
|
| Ransomware Risk Management on AWS using the NIST CSF | Implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST cybersecurity framework |
| Ransomware-resistant backups with duplicity and AWS S3 | How to use duplicity with S3 to create ransomware-resistant backups |
| Cloud-Native Ransomware – How attacks on availability leverage cloud services |
|
| Protect Your Data From Ransomware With S3 Object Lock | S3 Object Lock vs Glacier Vault Lock |
Other Writeups¶
| Link | Notes |
|---|---|
| Summit Route Denial of Wallet Attacks on AWS |
|