AWS Security Best Practices Part Two

If you have not seen Part One of this series it is available for review here.

Peppered in these blog posts are photos from the Astronomy Photographer of the Year awards at the Greenwich Maritime Museum. Why? Because they are cool and interesting.

Jupiter's storm, which is bigger than Earth.

Logging & Monitoring continued

  • TrustedAdvisor
    • Inspects your AWS account against AWS best practices and offers recommendations and improvement plans.
      • Performs checks in five categories.
        • Cost optimisation
          • Low utilization EC2 instances
          • Idle load balancers
          • Underutilised AWS EBS volumes
          • Unassociated Elastic IP Address
          • Idle RDS DB instances
        • Fault tolerance
          • Suggestions to improve availability and redundancy of application workloads by taking advantage of various AWS services, such as auto-scaling, multi AZ, and backup capabilities.
          • Amazon EBS Snapshots
          • VPN Tunnel Redundancy
          • AWS RDS Backups
          • AWS RDS Multi-AZ
          • S3 Bucket logging
          • Direct connect connection redundancy
        • Security
          • Suggestions and checks based on best practices.
          • Security groups – specific ports unrestricted (for example 0.0.0.0/0 allowed to ports such as 22, 3389 or 3306)
          • AWS S3 bucket permissions
          • MFA on Root Account
          • IAM password policy
          • AWS CloudTrail logging
          • IAM Key rotation
          • Exposed Access Keys
        • Performance
          • Checks for capacity and configuration choices that limit throughput.
          • High utilisation EC2 instances
          • Large number of rules in a security group applied to an instance (a long rule list on an interface degrades network performance).
          • Overutilized EBS Magnetic volumes
          • EC2 to EBS throughput optimisation
          • AWS CloudFront CDN optimisation
        • Service limits
          • Reports services whose usage has exceeded 80% of their service limit (quota).
        • Important points
          • Many checks are only available to Business and Enterprise support customers.
          • Customers on the Basic or Developer support plan only get the core checks:
            • Service limits
            • Security
              • S3 bucket permissions
              • Security groups – specific ports unrestricted
              • IAM use
              • MFA on root account
              • EBS public snapshots
              • RDS public snapshots
  • AWS Athena
    • Athena is typically used to analyse logs stored in S3, such as CloudTrail and VPC Flow Logs, with plain SQL and no servers to manage.
    • Queries data in S3 in place using standard SQL.
      • Run from the query editor.
      • Only pay for queries you run.
    • Use cases
      • Show the number of times user Mark performed a delete operation between two dates.
      • Show the number of rejected packets from VPC flow logs, grouped by IP address and sorted from highest to lowest.
  • VPC Flow logs
    • VPC Flow Logs capture metadata about the IP traffic to and from network interfaces in a VPC (source and destination, ports, protocol, packet and byte counts, and whether it was accepted or rejected; not the packet contents).
      • Important point
        • A flow log can be created for a VPC, a subnet or a single network interface, but records are always captured per network interface.
    • Options/Config
      • Filter
        • The type of traffic to log: ACCEPT, REJECT or ALL.
      • Role
        • The IAM role that lets the flow logs service publish to the CloudWatch Logs log group. If you don't have one, the Set Up Permissions link creates it. (Flow logs can also be delivered to S3, where the bucket policy grants access instead.)
      • Destination log group
        • The name of the log group where the VPC flow logs will be stored.
      • Within the log, IANA protocol numbers are used rather than names such as TCP or UDP:
        • TCP protocol  number 6
        • ICMP protocol number 1
        • UDP protocol number 17
  • AWS Macie
    • Security service that uses machine learning to discover, classify and protect sensitive data stored in S3 from breaches, data leaks and unauthorised access.
    • Automatically discovers and classifies data, assigns it a business value and then monitors access patterns to detect suspicious activity.
    • Do remember that Macie cannot inspect objects it cannot decrypt: anything encrypted with customer-provided keys (SSE-C), or with a KMS key Macie is not permitted to use, is skipped (SSE-S3 objects are fine).
    • Findings carry a lot of context, including a risk rating, the S3 bucket name and the timestamp associated with the object.
    • Offers various built-in regex and ML-based detectors that identify many types of sensitive data.
  • S3 Event notifications
    • A feature that publishes a notification (to SNS, SQS or Lambda) when certain events occur in an S3 bucket.
    • S3 can publish notifications for the following events.
      • A new object created, removed or restored event
      • A Reduced Redundancy Storage (RRS) object lost event.
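An added worked example for the first Athena use case above (how many delete operations user Mark performed between two dates). This is not code from the original post: it parses a constructed CloudTrail log file offline in Python and applies the same filter the Athena query would, so the logic can be checked without an AWS account. The sample records, the account id and the `cloudtrail_logs` table name in the docstring are assumptions.

```python
"""Offline equivalent of the Athena query 'how many delete operations did user
Mark perform between two dates', run over a CloudTrail log file."""
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail log file (fake account, not real events).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2019-03-02T10:15:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Mark"}},
    {"eventTime": "2019-03-05T08:00:00Z", "eventName": "DeleteUser",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Mark"}},
    {"eventTime": "2019-03-06T12:00:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Mark"}},
    {"eventTime": "2019-03-07T09:30:00Z", "eventName": "DeleteObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2019-04-01T00:00:00Z", "eventName": "DeleteTrail",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Mark"}},
    # An assumed-role session: no top-level userName, only the session ARN.
    {"eventTime": "2019-03-08T11:00:00Z", "eventName": "DeleteRole",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/Mark"}},
]})


def parse_event_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(record: dict) -> str:
    """userName for IAM users; the identity type otherwise (e.g. 'AssumedRole')."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def deletes_by_user(log_text: str, start: str, end: str) -> dict:
    """Delete* API calls per principal with start <= eventTime <= end.

    Athena equivalent over a CloudTrail table (table name assumed):
        SELECT useridentity.username, count(*) AS deletes
        FROM cloudtrail_logs
        WHERE eventname LIKE 'Delete%'
          AND eventtime BETWEEN '2019-03-01T00:00:00Z' AND '2019-03-31T23:59:59Z'
        GROUP BY useridentity.username;
    """
    lo, hi = parse_event_time(start), parse_event_time(end)
    counts: dict = {}
    for rec in json.loads(log_text)["Records"]:
        if not rec["eventName"].startswith("Delete"):
            continue
        if not lo <= parse_event_time(rec["eventTime"]) <= hi:
            continue
        who = principal(rec)
        counts[who] = counts.get(who, 0) + 1
    return counts


def count_deletes(log_text: str, user: str, start: str, end: str) -> int:
    """The 'user Mark' question. An assumed-role session used by Mark is
    reported under 'AssumedRole', not 'Mark': useridentity.username is null
    for such records in Athena too, so the query above undercounts them."""
    return deletes_by_user(log_text, start, end).get(user, 0)


if __name__ == "__main__":
    march = ("2019-03-01T00:00:00Z", "2019-03-31T23:59:59Z")
    print(deletes_by_user(SAMPLE_CLOUDTRAIL, *march))
    print("Mark:", count_deletes(SAMPLE_CLOUDTRAIL, "Mark", *march))
```

The assumed-role record is the caveat worth remembering: a `WHERE useridentity.username = 'Mark'` clause only matches IAM-user events, so if Mark works through a role you also need to look at `useridentity.arn` or the session issuer.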
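An added example, not from the original post, covering the second Athena use case together with the VPC Flow Logs section: it parses constructed flow log records in the default version 2 format, decodes the protocol numbers listed above, keeps NODATA/SKIPDATA records out of the arithmetic, and ranks rejected packets by source address. The sample addresses, account and ENI ids, and the `vpc_flow_logs` table name are made up.

```python
"""Parse VPC Flow Log records (default version 2 format), decode protocol
numbers and rank rejected traffic by source address: the offline equivalent of
the Athena query 'rejected packets per IP, highest first'."""
from collections import Counter
from typing import List, Optional, Tuple

# Field order of the default version 2 record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# IANA protocol numbers as they appear in the protocol field.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records: fake account and ENI ids, TEST-NET source addresses.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.5 51234 22 6 3 180 1554110000 1554110060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.5 40000 3389 6 5 300 1554110000 1554110060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.5 51235 23 6 4 240 1554110060 1554110120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.9 10.0.1.5 123 123 17 2 152 1554110000 1554110060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.5 0 0 1 1 64 1554110000 1554110060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1554110000 1554110060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1554110060 1554110120 - SKIPDATA
"""

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line: str) -> Optional[dict]:
    """One record -> dict, or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # custom log format or truncated line: not the default layout
    rec = dict(zip(FIELDS, parts))
    # NODATA (no traffic in the window) and SKIPDATA (records dropped under
    # load) carry '-' in every traffic field, so skip the integer conversion.
    if rec["log_status"] != "OK":
        return rec
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["protocol_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec


def rejected_packets_by_source(log_text: str) -> List[Tuple[str, int]]:
    """Rejected packets summed per srcaddr, highest first.

    Athena equivalent (table name assumed):
        SELECT srcaddr, sum(packets) AS rejected
        FROM vpc_flow_logs
        WHERE action = 'REJECT'
        GROUP BY srcaddr
        ORDER BY rejected DESC;
    """
    totals: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["log_status"] == "OK" and rec["action"] == "REJECT":
            totals[rec["srcaddr"]] += rec["packets"]
    return totals.most_common()


def coverage_gaps(log_text: str) -> dict:
    """Count NODATA/SKIPDATA records: SKIPDATA means traffic you did NOT see."""
    statuses: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["log_status"] != "OK":
            statuses[rec["log_status"]] += 1
    return dict(statuses)


if __name__ == "__main__":
    for addr, pkts in rejected_packets_by_source(SAMPLE_FLOW_LOG):
        print(f"{addr:>15}  rejected packets: {pkts}")
    print("coverage gaps:", coverage_gaps(SAMPLE_FLOW_LOG))
```

Two things the ranking alone does not show: a REJECT record for an ICMP flow carries 0 in both port fields, so port-based filters must check the protocol number first; and SKIPDATA records mean the collector dropped flows for that interval, so a quiet-looking window may simply be an unmonitored one.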
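An added example for the S3 event notifications section (not from the original post): a minimal Lambda-style consumer that decodes the notification JSON S3 delivers to SNS, SQS or Lambda. The sample event is constructed; the non-obvious point it demonstrates is that object keys arrive URL-encoded, so a space in the key shows up as `+` and a literal `+` as `%2B`.

```python
"""Consume an S3 event notification: the JSON S3 publishes to SNS, SQS or
Lambda when an object is created, removed, restored or (for RRS) lost."""
import json
from typing import List
from urllib.parse import unquote_plus

# Constructed sample event with two records. Keys are URL-encoded by S3:
# 'q1 summary.csv' arrives as 'q1+summary.csv', and a literal '+' as '%2B'.
# SQS/SNS deliver this as a JSON string; Lambda hands it over already parsed.
SAMPLE_EVENT_JSON = json.dumps({"Records": [
    {"eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "eu-west-1",
     "eventTime": "2019-04-01T12:00:00.000Z", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-audit-logs"},
            "object": {"key": "reports/q1+summary.csv", "size": 2048}}},
    {"eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "eu-west-1",
     "eventTime": "2019-04-01T12:05:00.000Z", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "example-audit-logs"},
            "object": {"key": "reports/old%2Bdata.csv"}}},  # no size on removal
]})
SAMPLE_EVENT = json.loads(SAMPLE_EVENT_JSON)


def parse_s3_events(event: dict) -> List[dict]:
    """Flatten the Records array into category, operation, bucket, key, size, time."""
    out = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue  # e.g. an unrelated test event on the same queue
        # eventName is 'Category:Operation', e.g. 'ObjectRemoved:Delete';
        # 'ReducedRedundancyLostObject' has no operation part.
        category, _, operation = rec["eventName"].partition(":")
        obj = rec["s3"]["object"]
        out.append({
            "category": category,
            "operation": operation or None,
            "bucket": rec["s3"]["bucket"]["name"],
            "key": unquote_plus(obj["key"]),   # undo S3's URL-encoding of the key
            "size": obj.get("size"),           # None for removals
            "time": rec["eventTime"],
        })
    return out


def deletions(event: dict) -> List[str]:
    """bucket/key pairs removed: what a 'who deleted my logs' alert cares about."""
    return [f"{e['bucket']}/{e['key']}" for e in parse_s3_events(event)
            if e["category"] == "ObjectRemoved"]


def lambda_handler(event, context):
    """Lambda entry point: the runtime passes the notification in as a dict."""
    parsed = parse_s3_events(event)
    for e in parsed:
        print(e["category"], e["operation"], e["bucket"], e["key"], e["size"])
    return {"processed": len(parsed), "deleted": deletions(event)}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

Using the decoded key matters as soon as the consumer turns round and calls `GetObject` on it: passing the raw `reports/q1+summary.csv` back to S3 asks for a key with a literal plus sign, which does not exist.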

That about wraps up the Incident Response and Logging & Monitoring advice; next up is Infrastructure Security, available here.

