Friday, September 3, 2021

Cloud security test cases - part 1


Overview of Security

This report presents suggested best practices and techniques that an organization should take into account when building a full-fledged cloud security strategy. This article covers the security checklists for the leading cloud providers: AWS, Azure and Google.

AWS Security Checklist

  • Enable CloudTrail logging across all AWS services and regions.
  • Turn on CloudTrail log file validation.
  • Enable CloudTrail multi-region logging.
  • Integrate CloudTrail with CloudWatch Logs.
  • Enable access logging for the CloudTrail S3 bucket.
  • Enable access logging for Elastic Load Balancer (ELB).
  • Enable Redshift audit logging.
  • Enable Virtual Private Cloud (VPC) flow logging.
  • Require multifactor authentication (MFA) to delete CloudTrail buckets (S3 MFA Delete).
  • Turn on multifactor authentication for the “root” account.
  • Turn on multifactor authentication for IAM users.
  • Enable IAM users for multi-mode access.
  • Attach IAM policies to groups or roles, not to individual users.
  • Rotate IAM access keys regularly, and standardize on a maximum key age in days.
  • Set up a strict password policy.
  • Set the password expiration period to 90 days.
  • Do not use expired SSL/TLS certificates.
  • Use HTTPS for CloudFront distributions.
  • Restrict access to the CloudTrail bucket.
  • Encrypt CloudTrail log files at rest.
  • Encrypt Elastic Block Store (EBS) volumes.
  • Provision access to resources using IAM roles.
  • Avoid using the root user account for day-to-day work.
  • Use secure SSL/TLS ciphers for connections between the client and the ELB.
  • Use secure SSL/TLS protocol versions for connections between the client and the ELB.
  • Use a standard naming (tagging) convention for EC2.
  • Encrypt Amazon Relational Database Service (RDS) instances.
  • Ensure that access keys are not used with the root account.
  • Use secure CloudFront SSL/TLS protocol versions.
  • Enable the require_ssl parameter in all Redshift clusters.
  • Rotate SSH keys periodically.
  • Minimize the number of discrete security groups.
  • Reduce the number of IAM groups.
  • Terminate unused access keys.
  • Disable access for unused or inactive IAM users.
  • Remove unused IAM access keys.
  • Delete stale SSH public keys.
  • Restrict access to Amazon Machine Images (AMIs).
  • Restrict access to EC2 security groups.
  • Restrict access to RDS instances.
  • Restrict access to Redshift clusters.
  • Restrict outbound access.
  • Disallow unrestricted ingress access on uncommon ports.
  • Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH and Remote Desktop.
  • Involve IT security throughout the development process.
  • Grant application users the fewest privileges possible.
  • Encrypt highly sensitive data such as personally identifiable information (PII) or protected health information (PHI).
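A checklist is only useful if it is checked, so here is an added example (not part of the original post, and not AWS tooling) that audits a handful of the items above offline: CloudTrail validation, encryption and CloudWatch integration; security groups that open the well-known ports to the whole internet; and root MFA, root access keys and key age from the IAM credential report. It operates on the JSON and CSV shapes that `aws cloudtrail describe-trails`, `aws ec2 describe-security-groups` and `aws iam get-credential-report` return, but all sample data below is constructed for the example and the 90-day key age and port list are assumptions taken from the checklist.

```python
"""Offline audit of several AWS checklist items against the data shapes the
AWS CLI returns: `aws cloudtrail describe-trails`, `aws ec2
describe-security-groups` and the CSV from `aws iam get-credential-report`.
All sample data below is constructed for this example; nothing is fetched."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Ports the checklist singles out as never to be exposed to the whole internet.
WELL_KNOWN_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 445: "CIFS", 3389: "RDP"}
KEY_MAX_AGE_DAYS = 90  # assumed rotation limit, matching the checklist


def audit_trails(describe_trails):
    """Multi-region, log file validation, KMS encryption, CloudWatch hook-up."""
    trails = describe_trails.get("trailList", [])
    if not trails:
        return ["no CloudTrail trail configured"]
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("no multi-region trail")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{t['Name']}: log file validation disabled")
        if not t.get("KmsKeyId"):  # key is absent from the output when not set
            findings.append(f"{t['Name']}: log files not encrypted with KMS")
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append(f"{t['Name']}: not integrated with CloudWatch Logs")
    return findings


def audit_security_groups(describe_sgs):
    """Any rule that opens a well-known port, or every port, to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_sgs.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            public = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            public |= any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
            if not public:
                continue
            if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
                findings.append(f"{sg['GroupId']}: all traffic open to the internet")
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, svc in WELL_KNOWN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{sg['GroupId']}: {svc} ({port}) open to the internet")
    return findings


def audit_credential_report(report_csv, now):
    """Root with access keys or without MFA, console users without MFA,
    and active keys older than KEY_MAX_AGE_DAYS."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append(f"{user}: MFA not enabled")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append(f"{user}: active access key {n} on root")
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"].replace("Z", "+00:00"))
            if now - rotated > timedelta(days=KEY_MAX_AGE_DAYS):
                findings.append(f"{user}: access key {n} older than {KEY_MAX_AGE_DAYS} days")
    return findings


# --- constructed sample input (not from a real account) ---------------------
TRAILS = {"trailList": [{
    "Name": "org-trail", "S3BucketName": "org-trail-logs", "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/logs:*",
}]}
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0c2d", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}
# Header trimmed to the columns this audit reads; the real report has more.
CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,true,2021-01-10T08:00:00+00:00,false,N/A
alice,true,true,true,2021-08-01T00:00:00+00:00,false,N/A
deploy-bot,false,false,true,2021-03-15T00:00:00+00:00,false,N/A
"""


def run_audit(now=datetime(2021, 9, 3, tzinfo=timezone.utc)):
    return {
        "cloudtrail": audit_trails(TRAILS),
        "security_groups": audit_security_groups(SECURITY_GROUPS),
        "credentials": audit_credential_report(CREDENTIAL_REPORT, now),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        for item in items:
            print(f"[{area}] {item}")
```

Against the constructed data the run reports the trail without validation or KMS encryption, SSH and the all-traffic rule open to the internet, and the root account with no MFA and a 236-day-old access key; `deploy-bot` has no console password, so only its stale key is flagged, not the missing MFA. To run it for real, feed the three commands' output in instead of the constants.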

Azure Security Checklist

  • Ensure that multi-factor authentication is enabled for all users.
  • Ensure that there are no guest users.
  • Use role-based access control (RBAC) to manage access to resources.
  • Ensure that ‘Remember multi-factor authentication on trusted devices’ is disabled.
  • Ensure that ‘Number of methods required to reset’ is set to 2.
  • Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ is not set to 0.
  • Ensure that ‘Notify users on password resets?’ is set to Yes.
  • Ensure that ‘Notify all admins when other admins reset their password?’ is set to Yes.
  • Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to No.
  • Ensure that ‘Users can add gallery apps to their Access Panel’ is set to No.
  • Ensure that ‘Users can register applications’ is set to No.
  • Ensure that ‘Guest users permissions are limited’ is set to Yes.
  • Ensure that ‘Members can invite’ is set to No.
  • Ensure that ‘Guests can invite’ is set to No.
  • Ensure that ‘Restrict access to Azure AD administration portal’ is set to Yes.
  • Ensure that ‘Users can create security groups’ is set to No.
  • Ensure that ‘Self-service group management enabled’ is set to No.
  • Ensure that ‘Users who can manage security groups’ is set to None.
  • Ensure that ‘Users can create Office 365 groups’ is set to No.
  • Ensure that ‘Users who can manage Office 365 groups’ is set to None.
  • Ensure that ‘Require Multi-Factor Auth to join devices’ is set to Yes.
  • On storage accounts, ensure that ‘Secure transfer required’ is set to Enabled.
  • On storage accounts, ensure that ‘Storage service encryption’ is set to Enabled.
  • On SQL servers, ensure that ‘Auditing’ is set to On.
  • On SQL servers, ensure that ‘Auditing type’ is set to Blob.
  • On SQL servers, ensure that ‘Threat detection’ is set to On.
  • On SQL servers, ensure that ‘Threat detection types’ is set to All.
  • On SQL servers, ensure that ‘Send alerts to’ is set.
  • On SQL servers, ensure that ‘Email service and co-administrators’ is enabled.
  • On SQL servers, ensure that firewall rules are set as appropriate.
  • Ensure that RDP access from the internet is blocked on network security groups.
  • Ensure that SSH access from the internet is blocked on network security groups.
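For the last three items, here is an added example (not part of the original post, and not Microsoft tooling) that audits network security groups and storage accounts offline. It works on the JSON shapes that `az network nsg list` and `az storage account list` return, and it applies the evaluation rule that matters for NSGs: inbound rules are tried in ascending priority and the first match wins, so a low-numbered Deny in front of a broad Allow is fine, while an Allow on `*` with nothing in front of it is not. The sample NSGs and storage accounts below are constructed; the port list and internet-source prefixes are assumptions.

```python
"""Offline audit of the NSG and storage-account checklist items against the
JSON shapes `az network nsg list` and `az storage account list` return.
All sample data below is constructed for this example; nothing is fetched."""

# Source prefixes that mean "anyone on the internet" (assumed set).
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _port_ranges(rule):
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) tuples."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges = []
    for r in raw:
        if r == "*":
            ranges.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(r), int(r)))
    return ranges


def _matches(rule, port):
    """True if an inbound TCP packet to `port` from the internet hits this rule."""
    if rule.get("protocol", "*") not in ("Tcp", "*"):
        return False
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    if not any(s in INTERNET_SOURCES for s in sources):
        return False
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def audit_nsgs(nsgs):
    """Flag NSGs whose effective inbound decision for SSH/RDP from the internet is Allow.
    Rules are evaluated in ascending priority and the first match wins."""
    findings = []
    for nsg in nsgs:
        inbound = sorted((r for r in nsg.get("securityRules", []) if r["direction"] == "Inbound"),
                         key=lambda r: r["priority"])
        for port, svc in ADMIN_PORTS.items():
            for rule in inbound:
                if not _matches(rule, port):
                    continue
                if rule["access"] == "Allow":
                    findings.append(f"{nsg['name']}: rule {rule['name']} allows {svc} ({port}) from the internet")
                break  # first matching rule decides, whether Allow or Deny
    return findings


def audit_storage_accounts(accounts):
    """'Secure transfer required' appears as enableHttpsTrafficOnly in the CLI output."""
    return [f"{a['name']}: secure transfer (HTTPS only) not required"
            for a in accounts if not a.get("enableHttpsTrafficOnly")]


# --- constructed sample input (not from a real subscription) ----------------
NSGS = [
    {"name": "web-nsg", "securityRules": [
        {"name": "deny-ssh-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
        {"name": "allow-any", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    ]},
    {"name": "bastion-nsg", "securityRules": [
        {"name": "allow-rdp-office", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
        {"name": "allow-ssh-internet", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": None,
         "destinationPortRanges": ["22", "2222"]},
    ]},
]
STORAGE_ACCOUNTS = [
    {"name": "auditlogs", "enableHttpsTrafficOnly": True},
    {"name": "legacyshare", "enableHttpsTrafficOnly": False},
]


def run_audit():
    return {"nsg": audit_nsgs(NSGS), "storage": audit_storage_accounts(STORAGE_ACCOUNTS)}


if __name__ == "__main__":
    for area, items in run_audit().items():
        for item in items:
            print(f"[{area}] {item}")
```

Note what the priority handling buys: `web-nsg` is clean for SSH because the priority-100 Deny shadows the `allow-any` rule, but RDP on the same NSG is flagged because nothing in front of `allow-any` covers 3389. A naive "any Allow from * on 22/3389" grep would get both of those wrong in opposite directions.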

Google Security Checklist

  • Require 2-Step Verification for admin accounts.
  • Enforce 2-Step Verification for users.
  • Don’t use a super admin account for daily activities.
  • Don’t remain signed in to an idle super admin account.
  • Set up admin email alerts.
  • Review the admin audit log.
  • Add recovery options to admin accounts.
  • Enroll a spare security key.
  • Save the backup codes.
  • Use unique passwords.
  • Prevent password reuse with Password Alert.
  • Regularly review activity reports and alerts.
  • Know and approve which third-party apps can access G Suite (now Google Workspace) core services.
  • Create a whitelist of trusted apps.
  • Limit external calendar sharing.
  • Set up basic Chrome OS and Chrome Browser policies.
  • Warn users when chatting outside their domain.
  • Don’t automatically share contact information.
  • Authenticate email with SPF, DKIM and DMARC.
  • Disable the “Do not require sender authentication” setting for spam policies.
  • Prevent automatic forwarding of incoming mail.
  • Enable comprehensive mail storage.
  • Enable additional attachment protection.
  • Enable enhanced pre-delivery message scanning.
  • Limit group creation to admins.
  • Set up private access to groups.
  • Enforce mobile password requirements (reduces risk if a device is lost).
  • Encrypt data on mobile devices.
  • Enable mobile inactivity reports.
  • Disable location history.
  • Disable access to offline Docs.
  • Don’t allow users to install Docs add-ons from the add-on store.
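Most of the Google items are Admin console toggles, but the SPF, DKIM and DMARC item is one where "enabled" is not the same as "effective": a DMARC record with `p=none` or an SPF record ending in `?all` is published and still protects nothing. Here is an added example (not part of the original post, and not Google tooling) that parses the three TXT records the way a receiving mail server does and flags the weak settings. The records below are constructed; for a real domain, paste in the output of `dig +short TXT example.com`, `dig +short TXT _dmarc.example.com` and `dig +short TXT <selector>._domainkey.example.com`.

```python
"""Checks for the 'authenticate email with SPF, DKIM and DMARC' item: parse the
three TXT records as a receiver would and flag settings that leave the domain
spoofable. Sample records are constructed; nothing is looked up in DNS."""
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term  # no qualifier means '+' (pass)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier  # anything after 'all' is unreachable
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every host to send as the domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral, receivers will not reject spoofed mail")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' soft fail, move to '-all' once DMARC reports show no legitimate failures")
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of {SPF_MAX_LOOKUPS}, record evaluates to permerror")
    return findings


def _tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p")
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    if policy not in strength:
        findings.append("DMARC: 'p' tag missing or invalid, record is ignored by receivers")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "pct" in tags and tags["pct"] != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the traffic")
    if "sp" in tags and strength.get(tags["sp"], 0) < strength.get(policy, 0):
        findings.append(f"DMARC: subdomain policy sp={tags['sp']} is weaker than p={policy}")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, aggregate reports are not collected")
    return findings


def check_dkim(record):
    tags = _tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # 'v' is optional and defaults to DKIM1
        return ["DKIM: unexpected version tag"]
    if "p" not in tags:
        return ["DKIM: no public key ('p' tag)"]
    if tags["p"] == "":
        return ["DKIM: empty 'p' tag means the key is revoked"]
    if tags.get("t", "").lower() == "y":
        return ["DKIM: t=y testing flag set, verifiers treat signatures as unsigned"]
    return []


# --- constructed sample records -------------------------------------------
SPF_WEAK = "v=spf1 include:_spf.google.com ~all"
SPF_GOOD = "v=spf1 include:_spf.google.com -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_GOOD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="
DKIM_GOOD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"  # truncated placeholder, not a real key


if __name__ == "__main__":
    for label, fn, rec in [("spf", check_spf, SPF_WEAK), ("dmarc", check_dmarc, DMARC_WEAK),
                           ("dkim", check_dkim, DKIM_REVOKED)]:
        for finding in fn(rec):
            print(f"[{label}] {finding}")
```

The usual rollout is the one the SPF finding hints at: publish DMARC with `p=none` and an `rua` address first, fix whatever legitimate senders show up failing in the aggregate reports, then move to `~all`/`p=quarantine` and finally `-all`/`p=reject`. A subdomain policy (`sp`) weaker than `p` is worth checking too, since spoofing `billing.example.com` is as good as spoofing the apex.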