Overview of Security
This article presents suggested best practices and techniques that an organization should consider when building a full-fledged cloud strategy. It is organized as a security checklist for each of the leading cloud providers: AWS, Azure, and Google.
AWS Security Checklist
- Enable CloudTrail logging across all AWS services.
- Turn on CloudTrail log file validation.
- Enable CloudTrail multi-region logging.
- Integrate CloudTrail with CloudWatch Logs.
- Enable access logging for CloudTrail S3 buckets.
- Enable access logging for Elastic Load Balancer (ELB).
- Enable Redshift audit logging.
- Enable Virtual Private Cloud (VPC) flow logging.
- Require multifactor authentication (MFA) to delete CloudTrail buckets.
- Turn on multifactor authentication for the “root” account.
- Turn on multifactor authentication for IAM users.
- Enable IAM users for multi-mode access.
- Link IAM policies to groups or roles.
- Regularly rotate IAM access keys, and standardize on the selected number of days.
- Set up a strict password policy.
- Set the password expiration period to 90 days.
- Do not use expired SSL/TLS certificates.
- Use HTTPS for CloudFront distributions.
- Restrict access to the CloudTrail bucket.
- Encrypt the CloudTrail log files at rest.
- Encrypt Elastic Block Store (EBS) database volumes.
- Provision access to resources using IAM roles.
- Avoid using the root user account.
- Apply secure SSL ciphers on connections between the client and the ELB.
- Use secure SSL/TLS versions on connections between the client and the ELB.
- Use a standard naming (tagging) convention for EC2.
- Encrypt Amazon Relational Database Service (RDS) instances.
- Do not use access keys with the root account.
- Use secure CloudFront SSL versions.
- Enable the require_ssl parameter on all Redshift clusters.
- Rotate SSH keys periodically.
- Minimize the number of discrete security groups.
- Reduce the number of IAM groups.
- Terminate available access keys.
- Disable access for unused or inactive IAM users.
- Remove unused IAM access keys.
- Delete unused SSH Public Keys.
- Limit access to Amazon Machine Images (AMIs).
- Limit access to EC2 security groups.
- Limit access to RDS instances.
- Limit access to Redshift clusters.
- Restrict outbound access.
- Disallow unrestricted ingress access on any port.
- Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH, and Remote Desktop.
- Involve IT security throughout the development process.
- Grant application users the least privilege possible.
- Encrypt highly sensitive data such as personally identifiable information (PII) or protected health information (PHI).
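Several of the IAM items above (MFA for root and IAM users, no root access keys, key rotation, disabling inactive users) can be checked from one artifact, the IAM credential report. The script below is an added example, not code from the article; it assumes the CSV column names of `aws iam get-credential-report` and runs over a constructed report rather than real account data.

```python
# Added example (not the article's code): audit an AWS IAM credential report.
# Assumes the CSV layout of `aws iam get-credential-report`; the report
# below is constructed for illustration, not real account data.
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # rotate IAM access keys on a fixed schedule
INACTIVE_DAYS = 90      # disable IAM users with no recent activity
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock, reproducible results

# Constructed sample report: a subset of the real columns, same value conventions.
SAMPLE_REPORT = """\
user,arn,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2024-05-01T10:00:00+00:00,false,true,2020-01-01T00:00:00+00:00,2024-05-01T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-05-20T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-11-01T08:00:00+00:00,false,true,2023-01-15T00:00:00+00:00,2023-11-01T08:00:00+00:00,true,2023-01-15T00:00:00+00:00,N/A
"""

def _ts(value):
    """Parse an ISO-8601 timestamp; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) tuples, one per checklist violation found."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        activity = [_ts(row["password_last_used"])]
        if row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key ({n})"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {n} not rotated in {MAX_KEY_AGE_DAYS} days"))
            activity.append(_ts(row[f"access_key_{n}_last_used_date"]))
        recent = [t for t in activity if t]
        if not is_root and (not recent or now - max(recent) > timedelta(days=INACTIVE_DAYS)):
            findings.append((user, f"no sign-in or key use in {INACTIVE_DAYS} days"))
    return findings
```

On the constructed report the root account is flagged three times (no MFA, an active access key, and a key never rotated), alice is clean, and bob is flagged for missing MFA, two stale keys, and inactivity.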
Azure Security Checklist
- Ensure that multi-factor authentication is enabled for all users.
- Ensure that there are no guest users.
- Use Role-Based Access Control to manage access to resources.
- Ensure that ‘allow users to remember multi-factor authentication on devices they trust’ is disabled.
- Ensure that ‘number of methods required to reset’ is set to 2.
- Ensure that ‘number of days before users are asked to re-confirm their authentication information’ is not set to 0.
- Ensure that ‘notify users on password resets?’ is set to yes.
- Ensure that ‘notify all admins when other admins reset their password?’ is set to yes.
- Ensure that ‘users can consent to apps accessing company data on their behalf’ is set to none.
- Ensure that ‘users can add gallery apps to their Access Panel’ is set to no.
- Ensure that ‘users can register applications’ is set to no.
- Ensure that ‘guest users permissions are limited’ is set to yes.
- Ensure that ‘members can invite’ is set to no.
- Ensure that ‘guests can invite’ is set to no.
- Ensure that access to the Azure AD administration portal is restricted.
- Ensure that ‘users can create security groups’ is set to none.
- Ensure that ‘self-service group management enabled’ is set to no.
- Ensure that ‘users who can manage security groups’ is set to none.
- Ensure that ‘users can create Office 365 groups’ is set to no.
- Ensure that ‘users who can manage Office 365 groups’ is set to none.
- Ensure that ‘require multi-factor auth to join devices’ is set to yes.
- Ensure that ‘secure transfer required’ is set to enabled.
- Ensure that ‘storage service encryption’ is set to enabled.
- On SQL servers, ensure that ‘auditing’ is set to on.
- On SQL servers, ensure that ‘auditing type’ is set to blob.
- On SQL servers, ensure that ‘threat detection’ is set to on.
- On SQL servers, ensure that ‘threat detection types’ is set to all.
- On SQL servers, ensure that ‘send alerts to’ is set.
- On SQL servers, ensure that ‘email service and co-administrators’ is enabled.
- On SQL servers, ensure that firewall rules are set as appropriate.
- Disable RDP access on network security groups from the internet.
- Disable SSH access on network security groups from the internet.
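The last two items are easy to verify mechanically from exported network security group rules. The script below is an added example, not code from the article; it assumes the JSON field names produced by `az network nsg rule list -o json` and runs over constructed rules.

```python
# Added example (not the article's code): flag Azure NSG rules that allow RDP
# or SSH inbound from the internet. Assumes the field names of
# `az network nsg rule list -o json`; the rules below are constructed.
import json

INTERNET_PREFIXES = {"*", "internet", "0.0.0.0/0", "0.0.0.0", "/0", "::/0", "any"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

SAMPLE_RULES = json.dumps([
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "allow-mgmt-range", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "", "sourceAddressPrefixes": ["Internet", "10.0.0.0/8"],
     "destinationPortRange": "", "destinationPortRanges": ["20-25", "8080"]},
    {"name": "deny-ssh-any", "priority": 130, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
])

def _ports_cover(port_specs, port):
    """True if any spec ('*', '22', '20-25') covers the given port number."""
    for spec in port_specs:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def exposed_admin_ports(rules_json):
    """Return (rule name, service) pairs for Allow-inbound rules reachable from the internet."""
    findings = []
    for rule in json.loads(rules_json):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        sources = [rule.get("sourceAddressPrefix") or ""] + list(rule.get("sourceAddressPrefixes") or [])
        if not any(s.lower() in INTERNET_PREFIXES for s in sources):
            continue
        ports = [rule.get("destinationPortRange") or ""] + list(rule.get("destinationPortRanges") or [])
        ports = [p for p in ports if p]
        for port, service in ADMIN_PORTS.items():
            if _ports_cover(ports, port):
                findings.append((rule["name"], service))
    return findings
```

Each Allow rule is judged on its own; the script does not model a Deny rule with a lower priority number shadowing it, so treat its output as a list of rules to review.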
Google Security Checklist
- Require 2-Step Verification for admin accounts
- Enforce 2-Step Verification for users
- Don’t use a super admin account for daily activities
- Don’t remain signed in to an idle super admin account
- Set up admin email alerts
- Review the admin audit log
- Add recovery options to admin accounts
- Enroll a spare security key
- Save the backup codes
- Use unique passwords
- Prevent password reuse with password alert
- Regularly review activity reports and alerts
- Know and approve which third-party apps can access G Suite core services
- Create a whitelist of trusted apps
- Limit external calendar sharing
- Set up basic Chrome OS and Chrome Browser policies
- Warn the users when chatting outside their domain
- Don’t automatically share the contact information
- Validate email with SPF, DKIM, and DMARC
- Disable the “Do not require sender authentication” setting for spam policies.
- Prevent automatic forwarding of incoming mail
- Enable comprehensive mail storage
- Enable additional attachment protection
- Enable enhanced pre-delivery message scanning
- Limit group creation to admins
- Set up private access for groups
- Enforce mobile password requirements (reduce risk if the device is lost)
- Encrypt data on mobile devices
- Enable mobile inactivity reports
- Disable location history
- Disable access to offline docs
- Do not permit users to install add-ons for Docs from the add-on store
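The “validate email with SPF, DKIM, and DMARC” item is only effective if the published records actually enforce a policy. The script below is an added example, not code from the article; it grades SPF and DMARC TXT records and runs over constructed record strings, performing no DNS lookups.

```python
# Added example (not the article's code): grade a domain's SPF and DMARC TXT
# records, as published in DNS, against the "validate email" checklist item.
# The record strings below are constructed; no DNS lookups are performed.
import re

# Constructed records for an imaginary domain.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

def check_spf(record):
    """Return findings for an SPF TXT record (empty list means it passes)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    all_term = next((t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises any sender")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral; use ~all or -all")
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|exists:|redirect=|ptr)", t, re.I))
    if lookups > 10:
        findings.append(f"SPF: {lookups} top-level DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Return findings for a _dmarc TXT record (empty list means it passes)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} does not enforce; spoofed mail is delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings
```

The SPF lookup count covers only the terms in the record itself; nested includes would need resolving to get the true total.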