AWS Security Monitoring Checklist — Part 2

In Part One, we covered some important security configurations checklists relating to AWS objects such as S3, IAM and Cloudtrail. In this installment, we will continue exploring more configurations of other AWS objects.

AWS VPC provides an isolated network within the AWS cloud. It’s like an elongated organization network connected over a VPN network. VPC helps control the configuration of gateways, routers and so forth, and provides an additional layer of security for organizations moving towards use of the AWS cloud. Following is a security monitoring checklist for every security team performing monitoring of VPC:

Security Monitoring Checklist

  • Monitoring of AWS VPC to ensure that no network ACL exists which allow ingress traffic from all ports
  • Monitoring of AWS VPC to ensure that no network ACL exists which allow egress traffic to all ports
  • Monitoring of AWS VPC to find unused virtual private gateways
  • Monitoring of AWS VPC to find if any VPC endpoint is exposed by checking for principal value in policy
  • Monitoring of AWS VPC to find out if flow logs have been enabled or not

AWS EC2 is a unit which can be provisioned on demand and can be scaled up or down as per requirement. Following is the EC2 checklist for security monitoring:

Security Monitoring Checklist

  • Monitoring of AWS EC2 to ensure they are not using any blacklisted AMIs
  • Monitoring of AWS EC2 to ensure they are not using a default security group
  • Monitoring of AWS EC2 to ensure that there is no security group with unrestricted outbound access
  • Monitoring of AWS EC2 to ensure that there is no unrestricted inbound access to following services:
    • FTP
    • MSSql
    • MySql
    • MongoDB
    • SMTP
    • Telnet
    • SSH
    • Netbios access
    • (And so on)
  • Monitoring of AWS EC2 to ensure that unused EC2 keypairs are decommissioned

AWS ELB is a service that (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/28ldtL7a6XI/