The document provides an overview of lessons learned from the front lines of incident response. It discusses common causes of customer security events like insecure AWS resource configurations, unintended disclosure of credentials, and lack of vulnerability management. It outlines critical security patterns to prevent and detect these issues using AWS services like IAM, GuardDuty, and Security Hub. The presentation aims to help customers reduce security risks and recommends next steps like improving the top 10 security items in their AWS accounts.
In our Security Best Practices whitepaper, this is broken down into 3 categories:
Infrastructure Services – where everything from the operating system upwards is the customer's responsibility. Example: EC2.
Container Services – not to be confused with the likes of Kubernetes/Docker. AWS handles the OS and the platform running on it; the rest is the customer's responsibility. Examples: RDS, ECS.
Abstracted Services – where the customer just needs to decide where their data goes, who has access to it, and whether client-side encryption is used. Example: S3.
AWS account and resource best practices: https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/
AWS Account email reset: https://aws.amazon.com/premiumsupport/knowledge-center/admin-left-need-acct-access/
AWS Health events: https://docs.aws.amazon.com/health/latest/ug/cloudwatch-events-health.html
Billing Alarms: https://aws.amazon.com/blogs/aws-cost-management/preview-anomaly-detection-and-alerting-now-available-in-aws-cost-management/
AWS Secrets Manager – Creating and retrieving a secret: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html
Security best practices in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
GuardDuty IAM findings: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html
CloudTrail Insights: https://aws.amazon.com/about-aws/whats-new/2019/11/aws-cloudtrail-announces-cloudtrail-insights/
IAM Credential Report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
IAM Access Analyzer: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
IAM Policy Simulator: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
AWS git-secrets: https://github.com/awslabs/git-secrets
Gitrob (no longer being updated): https://github.com/michenriksen/gitrob
TruffleHog: https://github.com/trufflesecurity/truffleHog