{"id":22217,"date":"2023-02-13T20:56:46","date_gmt":"2023-02-13T13:56:46","guid":{"rendered":"https:\/\/renovacloud.com\/?p=22217"},"modified":"2024-12-05T13:22:54","modified_gmt":"2024-12-05T06:22:54","slug":"26-aws-security-best-practices-to-adopt-in-production-part-3","status":"publish","type":"post","link":"https:\/\/renovacloud.com\/en\/26-aws-security-best-practices-to-adopt-in-production-part-3\/","title":{"rendered":"26 AWS Security Best Practices to Adopt in Production &#8211; Part 3"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">One of the most important pillars of a well-architected framework is security. Thus, it is important to follow these AWS security best practices to prevent unnecessary security situations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are many things you must set up if you want your solution to be operative, secure, reliable, performant, and cost effective. And, first things first, the best time to do that is now \u2013 right from the beginning, before you start to design and engineer. Continuing Part 1 and Part 2, here are some AWS security best practices to adopt in Production.<\/span><\/p>\n<h2><b>AWS Database Migration Service (DMS)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">AWS Database Migration Service (AWS DMS) is a cloud service that makes it easy to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or between combinations of cloud and on-premises setups.<\/span><\/p>\n<h3><b>20_Verify AWS Database Migration Service replication instances are not public \ud83d\udfe5\ud83d\udfe5\ud83d\udfe5<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Ensure that your Amazon Database Migration Service (DMS) is not publicly accessible from the Internet in order to avoid exposing private data and minimize security risks. 
A DMS replication instance should have a private IP address and the Publicly Accessible feature disabled when both the source and the target databases are in the same network that is connected to the instance\u2019s VPC through a VPN, VPC peering connection, or using an AWS Direct Connect dedicated connection.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Sign in to AWS Management Console at <\/span><a href=\"https:\/\/console.aws.amazon.com\/dms\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/console.aws.amazon.com\/dms\/<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In the left navigation panel, choose Replication instances.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Select the DMS replication instance that you want to examine to open the panel with the resource configuration details.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Select the Overview tab from the dashboard bottom panel and check the Publicly accessible configuration attribute value. If the attribute value is set to Yes, the selected Amazon DMS replication instance is accessible outside the Virtual Private Cloud (VPC) and can be exposed to security risks. 
To fix it, do the following:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Click the Create replication instance button from the dashboard top menu to initiate the launch process.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">On the Create replication instance page, perform the following:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Uncheck the Publicly accessible checkbox to disable public access to the new replication instance. If this setting is disabled, Amazon DMS will not assign a public IP address to the instance at creation and you will not be able to connect to the source\/target databases from outside the VPC.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Provide a unique name for the new replication instance within the Name box, then configure the rest of the instance settings using the configuration information copied at step No. 
5.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Click Create replication instance to launch your new Amazon DMS instance.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Update your database migration plan by developing a new migration task to include the newly created AWS DMS replication instance.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">To stop adding charges for the old replication instance:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Select the old DMS instance, then click the Delete button from the dashboard top menu.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Within the Delete replication instance dialog box, review the instance details then click Delete to terminate the selected DMS resource.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Repeat step Nos. 3 and 4 for each AWS DMS replication instance provisioned in the selected region.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Change the region from the console navigation bar and repeat the process for all the other regions.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Learn more about <\/span><a href=\"https:\/\/docs.aws.amazon.com\/dms\/latest\/userguide\/CHAP_BestPractices.html\" rel=\"noopener\"><span style=\"font-weight: 400;\">AWS security best practices for AWS Database Migration Service<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><b>Amazon Elastic Block Store (EBS)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with EC2 instances. 
EBS volumes behave like raw, unformatted block devices. You can mount these volumes as devices on your instances. EBS volumes that are attached to an instance are exposed as storage volumes that persist independently from the life of the instance. You can create a file system on top of these volumes, or use them in any way you would use a block device (such as a hard drive).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can dynamically change the configuration of a volume attached to an instance.<\/span><\/p>\n<h3><b>21_Ensure Amazon EBS snapshots are not public or restorable by anyone \ud83d\udfe5\ud83d\udfe5\ud83d\udfe5<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically, the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. 
This check helps ensure that all such sharing was fully planned and intentional.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Get the list of all EBS volume snapshots:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws ec2 describe-snapshots<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--owner-ids ACCOUNT_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--filters Name=status,Values=completed<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--output table<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--query 'Snapshots[*].SnapshotId'<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">For each snapshot, check its <\/span><span style=\"font-weight: 400;\">createVolumePermission<\/span><span style=\"font-weight: 400;\"> attribute:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws ec2 describe-snapshot-attribute<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--snapshot-id SNAPSHOT_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--attribute createVolumePermission<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--query 'CreateVolumePermissions[]'<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">The output from the previous command returns information about the permissions for creating EBS volumes from the selected snapshot:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">{<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0&quot;Group&quot;: &quot;all&quot;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">}<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">If the command output contains <\/span><span style=\"font-weight: 400;\">&quot;Group&quot;: &quot;all&quot;<\/span><span style=\"font-weight: 400;\">, the snapshot 
is accessible to all AWS accounts and users. If this is the case, run this command to fix it:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws ec2 modify-snapshot-attribute<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--snapshot-id SNAPSHOT_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--attribute createVolumePermission<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--operation-type remove<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--group-names all<\/span><\/p><\/blockquote>\n<h2><b>Amazon OpenSearch Service<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Amazon OpenSearch Service is the successor to Amazon Elasticsearch Service and supports OpenSearch and legacy Elasticsearch OSS (up to 7.10, the final open source version of the software). When you create a cluster, you can choose which search engine to use.<\/span><\/p>\n<h3><b>22_Ensure Elasticsearch domains have encryption at rest enabled \ud83d\udfe5\ud83d\udfe5\ud83d\udfe5<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">For an added layer of security for your sensitive data in OpenSearch, you should configure your OpenSearch domain to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses AWS KMS to store and manage your encryption keys. 
To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">List all Amazon OpenSearch domains currently available:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws es list-domain-names --region REGION<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Now determine whether the <\/span><span style=\"font-weight: 400;\">data-at-rest encryption<\/span><span style=\"font-weight: 400;\"> feature is enabled with:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws es describe-elasticsearch-domain<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--domain-name DOMAIN_NAME<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--query 'DomainStatus.EncryptionAtRestOptions'<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">If the <\/span><span style=\"font-weight: 400;\">Enabled<\/span><span style=\"font-weight: 400;\"> flag is false, data-at-rest encryption is not enabled for the selected Amazon Elasticsearch domain. 
Fix it by creating a new domain with encryption at rest enabled and migrating the data to it:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws es create-elasticsearch-domain<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--domain-name DOMAIN_NAME<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--elasticsearch-version 5.5<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--elasticsearch-cluster-config InstanceType=m4.large.elasticsearch,InstanceCount=2<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=200<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--access-policies file:\/\/source-domain-access-policy.json<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--vpc-options SubnetIds=SUBNET_ID,SecurityGroupIds=SECURITY_GROUP_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--encryption-at-rest-options Enabled=true,KmsKeyId=KMS_KEY_ID<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Once the new cluster is provisioned, upload the existing data (exported from the original cluster) to the newly created cluster.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">After all the data is uploaded, it is safe to remove the unencrypted OpenSearch domain to stop incurring charges for the resource:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws es delete-elasticsearch-domain<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--domain-name DOMAIN_NAME<\/span><\/p><\/blockquote>\n<h2><b>Amazon SageMaker<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Amazon SageMaker is a fully-managed machine learning service. 
With Amazon SageMaker, data scientists and developers can quickly build and train machine learning models, and then deploy them into a production-ready hosted environment.<\/span><\/p>\n<h3><b>23_Verify SageMaker notebook instances do not have direct internet access \ud83d\udfe8\ud83d\udfe8<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">If you configure your SageMaker instance without a VPC, then, by default, direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable \u2014 Access the internet through a VPC.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To train or host models from a notebook, you need internet access. To enable internet access, make sure that your VPC has a NAT gateway and your security group allows outbound connections. To learn more about how to connect a notebook instance to resources in a VPC, see \u201c<\/span><a href=\"https:\/\/docs.amazonaws.cn\/en_us\/sagemaker\/latest\/dg\/notebook-interface-endpoint.html\" rel=\"noopener\"><span style=\"font-weight: 400;\">Connect a notebook instance to resources in a VPC<\/span><\/a><span style=\"font-weight: 400;\">\u201d in the Amazon SageMaker Developer Guide.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You should also ensure that access to your SageMaker configuration is limited to only authorized users. 
Restrict users\u2019 IAM permissions to modify SageMaker settings and resources.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Sign in to the AWS Management Console at <\/span><a href=\"https:\/\/console.aws.amazon.com\/sagemaker\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/console.aws.amazon.com\/sagemaker\/<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In the navigation panel, under Notebook, choose Notebook instances.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Select the SageMaker notebook instance that you want to examine and click on the instance name (link).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">On the selected instance configuration page, within the Network section, check for any VPC subnet IDs and security group IDs. If these network configuration details are not available and the status \u201cNo custom VPC settings applied.\u201d is displayed instead, the notebook instance is not running inside a VPC network; follow the steps described in this rule to redeploy the instance within a VPC. If the notebook instance is running inside a VPC, check the Direct internet access configuration attribute value. 
If the attribute value is set to Enabled, the selected Amazon SageMaker notebook instance is publicly accessible.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-size: 16px; font-weight: 400;\">If the notebook has direct internet access enabled, fix it by recreating it with this CLI command:<\/span><\/li>\n<\/ol>\n<blockquote><p><span style=\"font-weight: 400;\">aws sagemaker create-notebook-instance<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--notebook-instance-name NOTEBOOK_INSTANCE_NAME<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--instance-type INSTANCE_TYPE<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--role-arn ROLE_ARN<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--kms-key-id KMS_KEY_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--subnet-id SUBNET_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--security-group-ids SECURITY_GROUP_ID<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--direct-internet-access Disabled<\/span><\/p><\/blockquote>\n<h2><b>AWS Lambda<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">With AWS Lambda, you can run code without provisioning or managing servers. You pay only for the compute time that you consume \u2014 there\u2019s no charge when your code isn\u2019t running. You can run code for virtually any type of application or backend service \u2014 all with zero administration.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. 
You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is important to mention the problems that could occur if you do not secure or audit the code you execute in your Lambda functions, as they could become the <\/span><a href=\"https:\/\/sysdig.com\/blog\/exploit-mitigate-aws-lambdas-mitre\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">initial access for attackers<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>24_Use supported runtimes for Lambda functions \ud83d\udfe8\ud83d\udfe8<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">This AWS security best practice recommends checking that the Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. This control checks function settings for the following runtimes: nodejs16.x, nodejs14.x, nodejs12.x, python3.9, python3.8, python3.7, ruby2.7, java11, java8, java8.al2, go1.x, dotnetcore3.1, and dotnet6.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The AWS Config rule ignores functions that have a package type of image.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create new functions that use a deprecated runtime, existing functions are still available to process invocation events. 
Make sure that your Lambda functions are current and do not use out-of-date runtime environments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Get the names of all Amazon Lambda functions available in the selected AWS cloud region:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws lambda list-functions<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--output table<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--query 'Functions[*].FunctionName'<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Now examine the runtime information available for each function:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws lambda get-function-configuration<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--function-name FUNCTION_NAME<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--query 'Runtime'<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Compare the value returned with the updated list of Amazon Lambda runtimes supported by AWS, as well as the end-of-support plan listed in the AWS documentation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If the runtime is unsupported, fix it to use the latest runtime version. 
For example:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws lambda update-function-configuration<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--function-name FUNCTION_NAME<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0--runtime &quot;nodejs16.x&quot;<\/span><\/p><\/blockquote>\n<h2><b>AWS Key Management Service (AWS KMS)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud. AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.<\/span><\/p>\n<h3><b>25_Do not unintentionally delete AWS KMS keys \ud83d\udfe8\ud83d\udfe8<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as seven days when the KMS key is scheduled for deletion. 
During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">List all customer master keys (CMKs) available in the selected AWS region:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws kms list-keys --region REGION<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Run the describe-key command for each CMK to identify any keys scheduled for deletion:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws kms describe-key --region REGION --key-id KEY_ID<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">The output for this command shows the selected key metadata. If the <\/span><span style=\"font-weight: 400;\">KeyState<\/span><span style=\"font-weight: 400;\"> value is set to <\/span><span style=\"font-weight: 400;\">PendingDeletion<\/span><span style=\"font-weight: 400;\">, the key is scheduled for deletion. If the deletion was not intended (the most common case), cancel it with:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws kms cancel-key-deletion --region REGION --key-id KEY_ID<\/span><\/p><\/blockquote>\n<h2><b>Amazon GuardDuty<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to <\/span><a href=\"https:\/\/sysdig.com\/blog\/hunting-malware-with-amazon-guardduty-and-sysdig\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">identify unexpected and potentially unauthorized or malicious activity<\/span><\/a><span style=\"font-weight: 400;\"> in your AWS environment.<\/span><\/p>\n<h3><b>26_Enable GuardDuty \ud83d\udfe8\ud83d\udfe8<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">It is highly recommended that you enable GuardDuty in all supported AWS Regions. 
Doing so allows GuardDuty to generate findings about unauthorized or unusual activity, even in Regions that you do not actively use. This also allows GuardDuty to monitor CloudTrail events for global AWS services, such as IAM.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">List the IDs of all the existing Amazon GuardDuty detectors. A detector is an object that represents the AWS GuardDuty service in a Region. A detector must be created in order for GuardDuty to become operational:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws guardduty list-detectors<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--query 'DetectorIds'<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">If the list-detectors command returns an empty array, there are no GuardDuty detectors in that Region, which means the Amazon GuardDuty service is not enabled there for your AWS account. If this is the case, create a detector with the following command:<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">aws guardduty create-detector<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--region REGION<\/span><\/p>\n<p><span style=\"font-weight: 400;\">--enable<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Once the detector is enabled, it will start to pull and analyze independent streams of data from AWS CloudTrail, VPC flow logs, and <\/span><a href=\"https:\/\/sysdig.com\/blog\/dns-security-cloud-protection\/\" rel=\"noopener\"><span style=\"font-weight: 400;\">DNS logs in order to generate findings<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><b>AWS Compliance Standards &amp; Benchmarks<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Setting up and maintaining your AWS infrastructure to keep it secure is a never-ending effort that will require a lot of time.<\/span><\/p>\n<p><span style=\"font-weight: 
400;\">For this, you will be better off following the compliance standard(s) relevant to your industry, since they provide all the requirements needed to effectively secure your cloud environment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Because of the ongoing nature of securing your environment and complying with a security standard, you might also want to recurrently run policies, such as the CIS Amazon Web Services Foundations Benchmark, which will audit your system and report any non-conformity it finds.<\/span><\/p>\n<h2><b>Conclusion<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Going all cloud opens a new world of possibilities, but it also opens a wide door to attack vectors. Each new AWS service you leverage has its own set of potential dangers you need to be aware of and well prepared for.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Luckily, cloud native security tools like <\/span><span style=\"font-weight: 400;\">Renova Cloud, an AWS Consulting Partner with a focus on Security, can guide you through these best practices<\/span><span style=\"font-weight: 400;\">, and help you meet your compliance requirements.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Learn more about <\/span><a href=\"https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/best-practices-security.html\" rel=\"noopener\"><span style=\"font-weight: 400;\">security best practices in AWS<\/span><\/a><span style=\"font-weight: 400;\">, and read<a href=\"https:\/\/renovacloud.com\/en\/26-aws-security-best-practices-to-adopt-in-production-part-1\/\" target=\"_blank\" rel=\"noopener\"> part 1<\/a> and <a href=\"https:\/\/renovacloud.com\/en\/26-aws-security-best-practices-to-adopt-in-production-part-2\/\" target=\"_blank\" rel=\"noopener\">part 2<\/a> of this series.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the most important pillars of a well-architected framework is security. 
Thus, it is important to follow these AWS security best practices to prevent unnecessary security situations. There are many things you must set up if you want your solution to be operative, secure, reliable, performant, and cost effective. And, first things first, the [&#8230;]\n","protected":false},"author":19,"featured_media":22213,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[861],"tags":[],"class_list":["post-22217","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/22217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/comments?post=22217"}],"version-history":[{"count":4,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/22217\/revisions"}],"predecessor-version":[{"id":27385,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/22217\/revisions\/27385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/media\/22213"}],"wp:attachment":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/media?parent=22217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/categories?post=22217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/tags?post=22217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}