Skip to content

Best Practices

High Level Documentation

Link Notes
Security Pillar - AWS Well-Architected Framework It provides guidance to help you apply best practices, current recommendations in the design, delivery, and maintenance of secure AWS workloads
AWS Security Reference Architecture (AWS SRA) Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations
OG-AWS Amazon Web Services β€” a practical guide
Map the Cloud
  • Find information about public cloud provider regional services availability fast, from AWS, Azure, Google Cloud, CloudFlare and Fastly
  • Get stats of services, regions and edge locations
AWS Region Comparison Tool This tool fetches the CloudFormation resource spec from each Region and compares them, allowing you to see differences in service parity
Catalog of AWS Customer Security Incidents This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause
Datadog Cloud Security Atlas
  • A risk register for Threats and Vulnerabilities
  • This database gives you the ability to search and filter on your cloud provider platform, risk type, and sort by impact, exploitability, and recency

Operational Guides

Link Notes
AWS Security Services Best Practices Best practices for configuring AWS security services
  • Detective
  • GuardDuty
  • Inspector
  • Macie
  • Security Hub
  • WAF
  • Network Firewall
Summit Route AWS Exposable Resources Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts
Summit Route AWS Security Tools Comparison Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper
Building a scalable vulnerability management program on AWS A guide which covers how to build a successful and scalable vulnerability management program on AWS through preparation, enabling and configuring tools, triaging findings, and reporting
AWS Control Tower By Example Hands-on walk-through of the the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices
CloudConformity List of manual checks/audit
Top 10 security best practices for securing data in Amazon S3 The latest S3 features and AWS services that you can use to help secure your data in S3
You should have lots of AWS accounts Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure
Approaches for authenticating external applications in a machine-to-machine scenario Which approach is best to securely connect your applications to your AWS environment when no human interaction comes into play?
Reducing Attack Surface with AWS Allowlisting A detailed look at implementing Region & Service allowlisting in AWS
The illustrated guide to S3 pre-signed URLs What pre-signed URLs are, how to use them, and some best practices to keep in mind
A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account
Marco Lancini Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet
Marco Lancini Building an AppRunner on EC2 with Cloudflare Zero Trust Access How to automate the deployment of a private AppRunner instance on AWS that hosts multiple internal apps securely behind Cloudflare's zero-trust access controls
Marco Lancini Migrating Terraform state from Terraform Cloud to S3 A detailed step-by-step process on how to safely migrate away from Terraform Cloud to S3 for state management
Understanding DDoS simulation testing in AWS Post explaining when it's appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test
SaaS Tenant Isolation Strategies Isolating Resources in a Multi-Tenant Environment
Organizing Your AWS Environment Using Multiple Accounts In-depth guide on how to set up an AWS multi-account environment
The Risk You Can't Afford to Ignore: AWS SES and Email Spoofing This article discusses AWS SES email spoofing vulnerabilities, potentially enabling phishing attacks
File Sharing
Bastion Hosts

Code Samples

Link Notes
aws-root-account Terraform for the UK Ministry of Justice AWS root account
org-kickstart Kickstart and manage your AWS Organization via Terraform
AWS Well-Architected Labs - Security Hands on labs and real world design scenarios for Well-Architected workloads

Cost Optimization

Link Notes
Cloud Cost Handbook Set of guides meant to help explain often-times complex pricing of public cloud infrastructure and service providers in easy-to-understand terms
My Comprehensive Guide to AWS Cost Control
  • Stage 1: Track Cost
  • Stage 2: Reduce Cost
  • Stage 3: Include Cost In Your Process
AWS Cost Allocation Guide: Tagging Best Practices
  • Hierarchical Account Separation
  • Brand Accounts
  • Third-Party Tools
  • How can you audit compliance?
Cost Monitoring and Governance With Kubecost Dedicated Cluster VS dedicated Node VS dedicated Namespace
Overview of Data Transfer Costs for Common Architectures Potential data transfer charges you may encounter while operating your workload on AWS

IMDS

Link Notes
AWS EC2 IMDS - What You Need to Know A technical review of IMDSv2
Remediating AWS IMDSv1 How to remediate IMDSv1 in AWS
How to use policies to restrict where EC2 instance credentials can be used from Two new global condition context keys (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued
Mitigating SSRF in 2023 Different ways of triggering SSRF and which mitigation techniques are most effective
SSRF: A complete guide to exploiting advanced SSRF vulnerabilities This article provides a comprehensive guide on Server-Side Request Forgery (SSRF) vulnerabilities, covering detection, exploitation techniques, and mitigation strategies
imdsv2_wall_of_shame List of vendors that do not allow IMDSv2 enforcement
Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure How to identify IMDSv1-enabled EC2 instances and how to determine if and when your software is making IMDSv1 calls
IMDSpoof Spoofs the AWS IMDS service to return HoneyTokens that can be alerted on
Our Journey Migrating to AWS IMDSv2 - Slack Engineering Slack moved their entire fleet and tools to IMDSv2. In this article, they discuss the pitfalls of using IMDSv1 and their journey towards fully migrating to IMDSv2
From Detection to Enforcement: Migrating from IMDSv1 to IMDSv2 Concrete advice on approaching a migration to IMDSv2

Backups & Disaster Recovery

Link Notes
Marco Lancini Automated Github Backups with ECS and S3 Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier
Marco Lancini Automated GDrive Backups with ECS and S3 Architecture and implications of an automated process aiming to backup a GDrive account, relying on ECS Fargate and S3 Glacier
Disaster Tolerance Patterns Using AWS Serverless Services A collection of discrete patterns used to add DT capabilities
Disaster Recovery (DR) Architecture on AWS, Part I: Strategies for Recovery in the Cloud How to architect for disaster recovery (DR), which is the process of preparing for and recovering from a disaster

Ransomware Prevention

Link Notes
AWS Recommendations
Rhino Security S3 Ransomware
pht-awsbackup-management
Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks Options for ensuring the durability of data stored on S3, through protections in place and backup strategies
Ransomware-resistant backups with duplicity and AWS S3 How to use duplicity with S3 to create ransomware-resistant backups
What You Need to Know About Ransomware in AWS
  • How do the attackers get in?
  • What’s the attack sequence?
  • How can I detect the attack?
  • How can I prevent the attack?

Serverless

Link Notes
OWASP Serverless Top 10
  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring
OWASP DVSA A Damn Vulnerable Serverless Application
Security Overview of AWS Lambda This whitepaper presents a deep dive of the AWS Lambda service through a security lens
AWS Serverless Security Workshop Techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora
Security reference architecture for a serverless application A walkthrough of security controls for a serverless architecture via a demo application
Under the Hood of Amazon ECS on EC2: Agents, IAM Roles, and Task Isolation This deep-dive explores Amazon ECS on EC2's internals, focusing on the ECS agent's role, IAM credential delivery mechanisms, and task isolation boundaries between containers sharing the same host

Data Perimeter

Link Notes
Announcing the Data Solutions Framework on AWS The Data Solutions Framework on AWS is an open source framework to simplify and accelerate the implementation of data solutions
Data Perimeter Workshop Best practices for creating a boundary around resources in AWS
Building a Data Perimeter on AWS Paper outlining the best practices and available services for creating a perimeter around your identities, resources, and networks in AWS
Establishing a data perimeter on AWS How the new condition keys can be part of a wider security strategy to create a perimeter around your data
Establishing a data perimeter on AWS: Allow only trusted resources from my organization Post explaining the resource perimeter, the control objectives achieved by the perimeter, and how to write SCPs and VPC endpoint policies that help achieve these objectives for your organization

Other Writeups

Link Notes
Summit Route Denial of Wallet Attacks on AWS
Holding Cloud Vendors to a Higher Security Bar An opinionated, critical look at the state of security of vendor cloud integrations, along with recommendations for documenting and adhering to cloud security best practices for both vendors and customers.
A SaaS provider's guide to securely integrating with customers' AWS accounts An opinionated guide on best practices that these vendors should follow to ensure an appropriate level of security when integrating with customers' AWS environments

AWS Whitepapers