Best Practices
High Level Documentation
Link | Notes |
---|---|
Security Pillar - AWS Well-Architected Framework | Guidance on applying best practices and current recommendations to the design, delivery, and maintenance of secure AWS workloads |
AWS Security Reference Architecture (AWS SRA) | Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations |
OG-AWS | Amazon Web Services — a practical guide |
Map the Cloud | |
Catalog of AWS Customer Security Incidents | This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause |
Datadog Cloud Security Atlas | |
Operational Guides
Link | Notes |
---|---|
Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts |
Summit Route AWS Security Tools Comparison | Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper |
Data Perimeter Workshop | Best practices for creating a boundary around resources in AWS |
Building a scalable vulnerability management program on AWS | A guide which covers how to build a successful and scalable vulnerability management program on AWS through preparation, enabling and configuring tools, triaging findings, and reporting |
AWS Control Tower By Example | Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices |
CloudConformity | List of manual checks/audit |
Top 10 security best practices for securing data in Amazon S3 | The latest S3 features and AWS services that you can use to help secure your data in S3 |
You should have lots of AWS accounts | Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure |
Approaches for authenticating external applications in a machine-to-machine scenario | Which approach is best to securely connect your applications to your AWS environment when no human interaction comes into play? |
Reducing Attack Surface with AWS Allowlisting | A detailed look at implementing Region & Service allowlisting in AWS |
The illustrated guide to S3 pre-signed URLs | What pre-signed URLs are, how to use them, and some best practices to keep in mind |
A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management | A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account |
Marco Lancini Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel | How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet |
Marco Lancini Migrating Terraform state from Terraform Cloud to S3 | A detailed step-by-step process on how to safely migrate away from Terraform Cloud to S3 for state management |
Understanding DDoS simulation testing in AWS | Post explaining when it's appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test |
Bastion Hosts | |
Code Samples
Link | Notes |
---|---|
aws-root-account | Terraform for the UK Ministry of Justice AWS root account |
org-kickstart | Kickstart and manage your AWS Organization via Terraform |
Cost Optimization
Link | Notes |
---|---|
Cloud Cost Handbook | Set of guides meant to help explain often-times complex pricing of public cloud infrastructure and service providers in easy-to-understand terms |
My Comprehensive Guide to AWS Cost Control | |
AWS Cost Allocation Guide: Tagging Best Practices | |
Cost Monitoring and Governance With Kubecost | Dedicated cluster vs dedicated node vs dedicated namespace |
Overview of Data Transfer Costs for Common Architectures | Potential data transfer charges you may encounter while operating your workload on AWS |
IMDS
Link | Notes |
---|---|
AWS EC2 IMDS - What You Need to Know | A technical review of IMDSv2 |
Remediating AWS IMDSv1 | How to remediate IMDSv1 in AWS |
How to use policies to restrict where EC2 instance credentials can be used from | Two global condition context keys (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) that make it simpler to write policies under which EC2 instance credentials only work when used from the instance they were issued to |
Mitigating SSRF in 2023 | Different ways of triggering SSRF and which mitigation techniques are most effective |
imdsv2_wall_of_shame | List of vendors that do not allow IMDSv2 enforcement |
Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure | How to identify IMDSv1-enabled EC2 instances and how to determine if and when your software is making IMDSv1 calls |
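As an added example, not code from any of the posts linked above: a script that lists instances still answering IMDSv1 (or allowing a hop limit above 1), builds the `modify_instance_metadata_options` arguments that fix them, and generates the two-statement deny policy built on the condition keys the fourth link describes. It runs offline against constructed `describe_instances` output; the instance IDs and the `--live`/`--fix` flags are illustrative.

```python
"""Audit EC2 instances for IMDSv1 exposure and generate the policy that ties
instance credentials to the instance they were issued to.

Added example; instance IDs and the describe_instances data are constructed.
"""
from __future__ import annotations

import json

# Constructed sample in the shape of ec2:DescribeInstances["Reservations"],
# trimmed to the fields this audit needs. These are not real instances.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccccccccccccccc3",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddddddddddddddd4",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 3}},
    ]},
]


def imds_findings(reservations: list[dict]) -> dict[str, list[str]]:
    """Map instance ID -> IMDS weaknesses, for instances whose IMDS is enabled.

    HttpTokens=optional keeps IMDSv1 (plain GET, no session token) alive, so an
    SSRF or open proxy on the box can read the role credentials. A hop limit
    above 1 lets the IMDSv2 PUT response be forwarded off the host's own network
    stack; containers need that, a plain VM does not.
    """
    findings: dict[str, list[str]] = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service at all: nothing for SSRF to reach
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens=optional)")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                issues.append(f"HttpPutResponseHopLimit={hops}; set to 1 unless "
                              "containers on this host need IMDS")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_kwargs(instance_id: str) -> dict:
    """Arguments for ec2.modify_instance_metadata_options() enforcing IMDSv2 only."""
    return {"InstanceId": instance_id, "HttpEndpoint": "enabled",
            "HttpTokens": "required", "HttpPutResponseHopLimit": 1}


def credential_scoping_policy() -> dict:
    """Deny statements (usable as an SCP) rejecting instance-role credentials used
    from anywhere other than the issuing instance's VPC and private IP.

    Null/ec2:SourceInstanceARN limits the deny to EC2 instance credentials, and
    BoolIfExists/aws:ViaAWSService exempts calls AWS services make on the
    instance's behalf. aws:SourceVpc and aws:VpcSourceIp are only populated for
    requests arriving through a VPC endpoint, so covered instances need endpoints
    for the services they call.
    """
    def deny(key: str, variable: str) -> dict:
        return {"Effect": "Deny", "Action": "*", "Resource": "*",
                "Condition": {"StringNotEquals": {key: variable},
                              "Null": {"ec2:SourceInstanceARN": "false"},
                              "BoolIfExists": {"aws:ViaAWSService": "false"}}}
    return {"Version": "2012-10-17",
            "Statement": [deny("aws:ec2InstanceSourceVPC", "${aws:SourceVpc}"),
                          deny("aws:ec2InstanceSourcePrivateIPv4", "${aws:VpcSourceIp}")]}


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # needs credentials; paginates the current region
        ec2 = boto3.client("ec2")
        reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                        for r in page["Reservations"]]
    else:
        reservations = SAMPLE_RESERVATIONS

    for instance_id, issues in imds_findings(reservations).items():
        print(instance_id, "->", "; ".join(issues))
        if "--live" in sys.argv and "--fix" in sys.argv:
            ec2.modify_instance_metadata_options(**remediation_kwargs(instance_id))
    print(json.dumps(credential_scoping_policy(), indent=2))
```

Run it without flags to see the findings on the sample data; with `--live` it reads the region you have credentials for, and `--live --fix` applies the IMDSv2-only settings to each flagged instance (check the linked posts first for how to confirm nothing on the host still makes IMDSv1 calls).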
Backups
Link | Notes |
---|---|
Marco Lancini Automated Github Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier |
Marco Lancini Automated GDrive Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a GDrive account, relying on ECS Fargate and S3 Glacier |
Ransomware Prevention
Link | Notes |
---|---|
S3 Ransomware | |
Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks | Options for ensuring the durability of data stored on S3, through protections in place and backup strategies |
Protecting Amazon S3 Data from Ransomware | Ransomware targeting S3 is more likely to simply delete your data and claim it is being held for ransom than to actually encrypt it |
Ransomware mitigation: Top 5 protections and recovery preparation actions | |
Ransomware Risk Management on AWS using the NIST CSF | Implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST cybersecurity framework |
Ransomware-resistant backups with duplicity and AWS S3 | How to use duplicity with S3 to create ransomware-resistant backups |
Cloud-Native Ransomware – How attacks on availability leverage cloud services | |
Protect Your Data From Ransomware With S3 Object Lock | S3 Object Lock vs Glacier Vault Lock |
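As an added example, not code from any of the posts linked above: a check that scores buckets against the delete-and-extort pattern the table describes (versioning, Object Lock, and the retention mode), run over constructed `GetBucketVersioning` and `GetObjectLockConfiguration` responses so it works offline, plus an SCP-style deny of the operations such an attacker needs. The bucket names and the break-glass role ARN are placeholders.

```python
"""Score S3 buckets against the delete-and-extort ransomware pattern and emit
a deny policy for the actions an attacker needs to make the deletion stick.

Added example; bucket names and API responses below are constructed.
"""
from __future__ import annotations

import json

# Constructed sample data in the shape of the GetBucketVersioning response and
# the GetObjectLockConfiguration["ObjectLockConfiguration"] element.
SAMPLE_BUCKETS = {
    "logs-archive": {
        "versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}},
    },
    "app-uploads": {
        "versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}},
    },
    "scratch": {
        "versioning": {},     # never enabled: the response carries no Status key
        "object_lock": None,  # GetObjectLockConfiguration raised ObjectLockConfigurationNotFoundError
    },
}


def assess_bucket(versioning: dict, object_lock: dict | None) -> list[str]:
    """Return the ways a principal with ordinary write credentials could destroy
    this bucket's data. An empty list means deletes and overwrites only add
    versions that cannot be purged before the retention period ends."""
    issues = []
    if versioning.get("Status") != "Enabled":
        issues.append("versioning not enabled: DeleteObject/PutObject destroys the only copy")
    if not object_lock or object_lock.get("ObjectLockEnabled") != "Enabled":
        issues.append("Object Lock not enabled: DeleteObjectVersion removes versions permanently")
        return issues
    mode = object_lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode == "GOVERNANCE":
        issues.append("Object Lock default mode is GOVERNANCE: principals with "
                      "s3:BypassGovernanceRetention can still delete versions")
    elif mode != "COMPLIANCE":
        issues.append("Object Lock enabled without a default retention rule: "
                      "new objects are unprotected unless locked individually")
    return issues


def assess_all(buckets: dict = SAMPLE_BUCKETS) -> dict[str, list[str]]:
    """Map bucket name -> issues, omitting buckets that have none."""
    return {name: issues for name, cfg in buckets.items()
            if (issues := assess_bucket(**cfg))}


def deny_destructive_s3_actions(break_glass_role_arn: str) -> dict:
    """SCP-style deny of the operations needed to defeat versioning and Object
    Lock, for every principal except a break-glass role (placeholder ARN)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3DestructiveActionsExceptBreakGlass",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObjectVersion",               # purge old versions
                "s3:PutBucketVersioning",               # suspend versioning
                "s3:PutLifecycleConfiguration",         # expire versions via lifecycle
                "s3:PutBucketObjectLockConfiguration",  # weaken default retention
                "s3:BypassGovernanceRetention",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn}},
        }],
    }


if __name__ == "__main__":
    for name, issues in assess_all().items():
        print(f"{name}:")
        for issue in issues:
            print(f"  - {issue}")
    print(json.dumps(deny_destructive_s3_actions("arn:aws:iam::*:role/BreakGlassS3Admin"), indent=2))
```

Only `logs-archive` passes: Compliance mode is the configuration under which even the account root cannot shorten retention or delete a locked version, which is the property that turns "we deleted your data" into an empty threat. Governance mode is flagged rather than failed because it is a legitimate choice when paired with a deny on `s3:BypassGovernanceRetention` like the one above.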
Serverless
Link | Notes |
---|---|
OWASP Serverless Top 10 | |
OWASP DVSA | A Damn Vulnerable Serverless Application |
Security Overview of AWS Lambda | This whitepaper presents a deep dive of the AWS Lambda service through a security lens |
AWS Serverless Security Workshop | Techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora |
Security reference architecture for a serverless application | A walkthrough of security controls for a serverless architecture via a demo application |
Other Writeups
Link | Notes |
---|---|
Summit Route Denial of Wallet Attacks on AWS | |