Best Practices
High Level Documentation¶
| Link | Notes |
|---|---|
| Security Pillar - AWS Well-Architected Framework | It provides guidance to help you apply best practices, current recommendations in the design, delivery, and maintenance of secure AWS workloads |
| AWS Security Reference Architecture (AWS SRA) | Comprehensive set of examples, guides, and design considerations to deploy the full complement of AWS security services in a multi-account environment managed through AWS Organizations |
| OG-AWS | Amazon Web Services β a practical guide |
| Map the Cloud |
|
| AWS Region Comparison Tool | This tool fetches the CloudFormation resource spec from each Region and compares them, allowing you to see differences in service parity |
| Catalog of AWS Customer Security Incidents | This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause |
| Datadog Cloud Security Atlas |
|
Operational Guides¶
| Link | Notes |
|---|---|
| AWS Security Services Best Practices | Best practices for configuring AWS security services
|
| Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts |
| Summit Route AWS Security Tools Comparison | Comparison of: PacBot, Prowler, Security Monkey, Trusted Advisor, Config, CloudMapper |
| Building a scalable vulnerability management program on AWS | A guide which covers how to build a successful and scalable vulnerability management program on AWS through preparation, enabling and configuring tools, triaging findings, and reporting |
| AWS Control Tower By Example | Hands-on walk-through of the the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices |
| CloudConformity | List of manual checks/audit |
| Top 10 security best practices for securing data in Amazon S3 | The latest S3 features and AWS services that you can use to help secure your data in S3 |
| You should have lots of AWS accounts | Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure |
| Approaches for authenticating external applications in a machine-to-machine scenario | Which approach is best to securely connect your applications to your AWS environment when no human interaction comes into play? |
| Reducing Attack Surface with AWS Allowlisting | A detailed look at implementing Region & Service allowlisting in AWS |
| The illustrated guide to S3 pre-signed URLs | What pre-signed URLs are, how to use them, and some best practices to keep in mind |
| A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management | A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account |
| Marco Lancini Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel | How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet |
| Marco Lancini Building an AppRunner on EC2 with Cloudflare Zero Trust Access | How to automate the deployment of a private AppRunner instance on AWS that hosts multiple internal apps securely behind Cloudflare's zero-trust access controls |
| Marco Lancini Migrating Terraform state from Terraform Cloud to S3 | A detailed step-by-step process on how to safely migrate away from Terraform Cloud to S3 for state management |
| Understanding DDoS simulation testing in AWS | Post explaining when it's appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test |
| SaaS Tenant Isolation Strategies | Isolating Resources in a Multi-Tenant Environment |
| Organizing Your AWS Environment Using Multiple Accounts | In-depth guide on how to set up an AWS multi-account environment |
| The Risk You Can't Afford to Ignore: AWS SES and Email Spoofing | This article discusses AWS SES email spoofing vulnerabilities, potentially enabling phishing attacks |
| File Sharing | |
| Bastion Hosts |
Code Samples¶
| Link | Notes |
|---|---|
| aws-root-account | Terraform for the UK Ministry of Justice AWS root account |
| org-kickstart | Kickstart and manage your AWS Organization via Terraform |
| AWS Well-Architected Labs - Security | Hands on labs and real world design scenarios for Well-Architected workloads |
Cost Optimization¶
| Link | Notes |
|---|---|
| Cloud Cost Handbook | Set of guides meant to help explain often-times complex pricing of public cloud infrastructure and service providers in easy-to-understand terms |
| My Comprehensive Guide to AWS Cost Control |
|
| AWS Cost Allocation Guide: Tagging Best Practices |
|
| Cost Monitoring and Governance With Kubecost | Dedicated Cluster VS dedicated Node VS dedicated Namespace |
| Overview of Data Transfer Costs for Common Architectures | Potential data transfer charges you may encounter while operating your workload on AWS |
IMDS¶
| Link | Notes |
|---|---|
| AWS EC2 IMDS - What You Need to Know | A technical review of IMDSv2 |
| Remediating AWS IMDSv1 | How to remediate IMDSv1 in AWS |
| How to use policies to restrict where EC2 instance credentials can be used from | Two new global condition context keys (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) that make it simpler to write policies in which EC2 instance credentials work only when used on the instance to which they are issued |
| Mitigating SSRF in 2023 | Different ways of triggering SSRF and which mitigation techniques are most effective |
| SSRF: A complete guide to exploiting advanced SSRF vulnerabilities | This article provides a comprehensive guide on Server-Side Request Forgery (SSRF) vulnerabilities, covering detection, exploitation techniques, and mitigation strategies |
| imdsv2_wall_of_shame | List of vendors that do not allow IMDSv2 enforcement |
| Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure | How to identify IMDSv1-enabled EC2 instances and how to determine if and when your software is making IMDSv1 calls |
| IMDSpoof | Spoofs the AWS IMDS service to return HoneyTokens that can be alerted on |
| Our Journey Migrating to AWS IMDSv2 - Slack Engineering | Slack moved their entire fleet and tools to IMDSv2. In this article, they discuss the pitfalls of using IMDSv1 and their journey towards fully migrating to IMDSv2 |
| From Detection to Enforcement: Migrating from IMDSv1 to IMDSv2 | Concrete advice on approaching a migration to IMDSv2 |
Backups & Disaster Recovery¶
| Link | Notes |
|---|---|
| Marco Lancini Automated Github Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier |
| Marco Lancini Automated GDrive Backups with ECS and S3 | Architecture and implications of an automated process aiming to backup a GDrive account, relying on ECS Fargate and S3 Glacier |
| Disaster Tolerance Patterns Using AWS Serverless Services | A collection of discrete patterns used to add DT capabilities |
| Disaster Recovery (DR) Architecture on AWS, Part I: Strategies for Recovery in the Cloud | How to architect for disaster recovery (DR), which is the process of preparing for and recovering from a disaster |
Ransomware Prevention¶
| Link | Notes |
|---|---|
| AWS Recommendations |
|
| Rhino Security S3 Ransomware |
|
| pht-awsbackup-management |
|
| Summit Route S3 backups and other strategies for ensuring data durability through ransomware attacks | Options for ensuring the durability of data stored on S3, through protections in place and backup strategies |
| Ransomware-resistant backups with duplicity and AWS S3 | How to use duplicity with S3 to create ransomware-resistant backups |
| What You Need to Know About Ransomware in AWS |
|
Serverless¶
| Link | Notes |
|---|---|
| OWASP Serverless Top 10 |
|
| OWASP DVSA | A Damn Vulnerable Serverless Application |
| Security Overview of AWS Lambda | This whitepaper presents a deep dive of the AWS Lambda service through a security lens |
| AWS Serverless Security Workshop | Techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora |
| Security reference architecture for a serverless application | A walkthrough of security controls for a serverless architecture via a demo application |
| Under the Hood of Amazon ECS on EC2: Agents, IAM Roles, and Task Isolation | This deep-dive explores Amazon ECS on EC2's internals, focusing on the ECS agent's role, IAM credential delivery mechanisms, and task isolation boundaries between containers sharing the same host |
Data Perimeter¶
| Link | Notes |
|---|---|
| Announcing the Data Solutions Framework on AWS | The Data Solutions Framework on AWS is an open source framework to simplify and accelerate the implementation of data solutions |
| Data Perimeter Workshop | Best practices for creating a boundary around resources in AWS |
| Building a Data Perimeter on AWS | Paper outlining the best practices and available services for creating a perimeter around your identities, resources, and networks in AWS |
| Establishing a data perimeter on AWS | How the new condition keys can be part of a wider security strategy to create a perimeter around your data |
| Establishing a data perimeter on AWS: Allow only trusted resources from my organization | Post explaining the resource perimeter, the control objectives achieved by the perimeter, and how to write SCPs and VPC endpoint policies that help achieve these objectives for your organization |
Other Writeups¶
| Link | Notes |
|---|---|
| Summit Route Denial of Wallet Attacks on AWS |
|
| Holding Cloud Vendors to a Higher Security Bar | An opinionated, critical look at the state of security of vendor cloud integrations, along with recommendations for documenting and adhering to cloud security best practices for both vendors and customers. |
| A SaaS provider's guide to securely integrating with customers' AWS accounts | An opinionated guide on best practices that these vendors should follow to ensure an appropriate level of security when integrating with customers' AWS environments |
AWS Whitepapers¶
- AWS Best Practices for DDoS Resiliency
- AWS Key Management Best Practices
- AWS KMS Best Practices
- AWS Overview
- AWS Ramp-Up Guide: Security
- AWS Security Best Practices
- AWS Security Fundamentals
- AWS Well Architected Framework
- AWS Well-Architected Security Labs
- AWS Well-Architected Security Pillar
- AWS: Overview of Security Processes
- Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
- Introduction to AWS Security Whitepaper
- Introduction to Security By Design
- Overview of AWS Lambda Security
- Security & Compliance Quick Reference Guide
- Security at Scale: Logging in AWS
- Security at the Edge: Core Principles
- Security of AWS CloudHSM backups
- Security Overview of AWS Fargate