Note: IAM is used to provide permissions to all of the AWS Services, so it is not mentioned under each service.
- Enable Encryption at Rest
- Enable Encryption in Transit
- Block Public Access at AWS Account level
- Block Public Access at Bucket level
- Use VPC endpoint for S3
- Use GuardDuty for threat detection
- Use Macie to detect sensitive data
- Configure MFA Delete for applicable buckets.
- Use S3 Object Lock to meet regulatory requirements
- Set appropriate bucket policies
- Enable Encryption at Rest
- Allow only specific, limited IP addresses and ports in security group rules, for both inbound and outbound traffic
- Create EC2 instances in a private subnet where applicable.
- Install recommended security tools (antivirus, threat detection, etc.)
- Use secure AMI from known provider
- Use only required permissions for the IAM role attached to EC2 instance.
- Use end-to-end encryption in transit.
- Use Gateway endpoints for S3 and DynamoDB
- Use VPC endpoints for other AWS services where applicable
- Enable VPC Flow Logs
- Remove the default inbound and outbound entries in default security group of the VPC
- Set VPC Endpoint policy
- Restrict RDS access to specific IP addresses
- Place RDS in private subnet
- Disable public access to the instance and its snapshots
- Enable encryption at rest
- Enable SSL/TLS and force connections to use it
- Enable auto minor version upgrade
- Rotate passwords periodically
- Use KMS Key for encrypting CloudWatch Log Groups.
- Enable encryption at rest
- Enable encryption at rest
- Assign appropriate SQL policy
- Disable public S3 bucket access
- Enable MFA for root account
- Delete access key and secret for root account
- Encrypt environment variables
- Limit IAM role permissions
- IAM based security
- AWS Batch uses ECS, which in turn uses EC2 instances. Hence the security practices for ECS and EC2 instances apply.
- Enable encryption for the resource that is being backed up. AWS Backup uses the same KMS key that encrypts the resource.
- Enable encryption at rest
- Use Lambda@Edge to add additional security headers
- Use appropriate SSL certificates
- Enable WAF
- Use regional restriction if applicable
- If integrating with S3, use an origin access identity
- Use latest TLS version
- Use custom error pages that do not reveal too much information
- Use signed cookies or signed URLs if applicable
- Prevent unauthorized transfer to another registrar by enabling domain lock
- Use Service Control Policies/Organizational Units to control access in child AWS accounts.
- Enable drift detection
- Enable deletion protection if applicable
- Use IAM role for stack creation
- Use an External ID if integrating with many third-party AWS accounts
- Utilize password rotation
- Use mTLS for authentication
- Use API Key
- Set throttling in usage plans
- Use private API endpoint if invoking from within VPC
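The security group items above (allow only specific addresses and ports inbound and outbound; remove the default entries from the VPC's default security group) can be checked programmatically. The following is an added example, not part of the original checklist: it audits security group descriptions for rules open to the whole address space, for allow-all-protocol rules, and for a default group that still carries any rules. The sample groups are constructed to mirror the shape of `aws ec2 describe-security-groups` output; the `audit_group` and `audit_groups` names are this example's own.

```python
from ipaddress import ip_network

# Constructed sample mirroring the shape of `aws ec2 describe-security-groups`
# output (assumption: in practice this list would come from boto3's
# ec2.describe_security_groups()["SecurityGroups"]).
SAMPLE_GROUPS = [
    {   # the VPC default group, still carrying AWS's default allow-all rules
        "GroupId": "sg-0default", "GroupName": "default",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                           "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                 "Ipv6Ranges": [], "UserIdGroupPairs": []}],
    },
    {   # an application group: SSH open to the world, HTTPS limited to the VPC
        "GroupId": "sg-0app", "GroupName": "app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
]


def audit_group(group):
    """Return findings for one security group as (direction, ports, source) tuples.

    A rule is flagged when its CIDR is the whole address space (0.0.0.0/0 or
    ::/0) or when it allows every protocol and port (IpProtocol "-1"). The
    VPC default group is additionally flagged if it carries any rule at all,
    since the baseline is to strip its default inbound and outbound entries.
    """
    findings = []
    if group.get("GroupName") == "default" and (
            group.get("IpPermissions") or group.get("IpPermissionsEgress")):
        findings.append(("default-group", "any", "default group still has rules"))
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        for rule in group.get(key, []):
            all_traffic = rule["IpProtocol"] == "-1"
            ports = "all" if all_traffic else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if all_traffic or ip_network(cidr).prefixlen == 0:
                    findings.append((direction, ports, cidr))
    return findings


def audit_groups(groups):
    """Map GroupId -> findings, omitting groups with nothing to report."""
    return {g["GroupId"]: f for g in groups if (f := audit_group(g))}
```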