
Best Practices

High Level Documentation

| Link | Notes |
|------|-------|
| Security Pillar of the Well-Architected Framework | Best practices and guidance |
| AWS Ramp-Up Guide: Security | Learning plan to teach cloud security, governance, and compliance developments |
| OG-AWS | Amazon Web Services — a practical guide |

Operational Guides

| Link | Notes |
|------|-------|
| Summit Route AWS Exposable Resources | Repo maintaining a list of all AWS resources that can be publicly exposed and, eventually, those that can be shared with untrusted accounts |
| Summit Route AWS Security Tools Comparison | Comparison of PacBot, Prowler, Security Monkey, Trusted Advisor, Config, and CloudMapper |
| AWS Control Tower By Example | Hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices |
| CloudConformity | List of manual checks/audits |

IAM

| Link | Notes |
|------|-------|
| Summit Route How to audit AWS IAM and resource policies | Some general rules (below) |

Some general rules:
    • Beware that any statement with Effect Allow and Principal "*" (or {"AWS": "*"}) is public unless a Condition narrows who can use it
    • Never use Allow with NotPrincipal
    • Never use Allow with NotAction
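As an added example (not code from the Summit Route post, which states these rules in prose), the checker below applies the three rules to policy documents as they come back from calls such as GetBucketPolicy, i.e. as JSON strings. The sample policies are constructed for this example and the account IDs and organization ID in them are placeholders. It goes slightly beyond the list above by distinguishing an unconditioned wildcard principal (public) from one that carries a Condition (needs review), and by handling the single-statement form of the Statement element.

```python
"""Flag risky IAM / resource-policy patterns.

Rules checked on every statement with Effect "Allow":
  1. Principal "*" or {"AWS": "*"}  -> public, unless a Condition narrows it
  2. NotPrincipal                   -> almost always broader than intended
  3. NotAction                      -> grants everything not listed
"""
import json


def _principal_is_wildcard(principal):
    """True if the Principal element is "*" or any service key maps to "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def audit_policy(policy_json):
    """Return a list of (statement id, finding) tuples for one policy document."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":     # Deny statements are never the problem here
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotPrincipal" in stmt:
            findings.append((sid, "Allow with NotPrincipal"))
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction"))
        if _principal_is_wildcard(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append((sid, "Allow with Principal * (conditioned; review the Condition)"))
            else:
                findings.append((sid, "Allow with Principal * (PUBLIC)"))
    return findings


def audit_all(policies):
    """Audit a {name: policy_json} mapping; returns {name: findings}."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


# Constructed sample policies (placeholder account / org IDs), one per pattern.
SAMPLE_POLICIES = {
    "public-bucket": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "not-principal": json.dumps({"Version": "2012-10-17", "Statement": {
        "Sid": "AllowAllButOne", "Effect": "Allow",
        "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
        "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}}),
    "not-action": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "EverythingExceptIam", "Effect": "Allow",
         "NotAction": ["iam:*"], "Resource": "*"}]}),
    "conditioned-wildcard": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]}),
    "scoped": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```

The Deny statement in the "scoped" sample carries Principal "*" and is correctly ignored: the wildcard rule is only about Allow. A conditioned wildcard still needs a human look, since conditions such as aws:PrincipalOrgID restrict the grant while others (for example a permissive IP range) do not.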

Other Writeups

| Link | Notes |
|------|-------|
| Summit Route Denial of Wallet Attacks on AWS | Attacks where the goal is to increase the financial burden on the victim |
| Summit Route Managing AWS root passwords and MFA | How not to use the root user account, and how to manage its credentials (password and MFA) effectively |