Friday, September 3, 2021

Cloud security test cases - part 1


Overview of Security

This post collects suggested best practices and techniques that an organization should take into account when building a full-fledged cloud security strategy. It covers the security checklists for the leading cloud providers: AWS, Azure and Google.

AWS Security Checklist

  • Enable CloudTrail logging across all Amazon Web Services.
  • Turn on CloudTrail log file validation.
  • Enable CloudTrail multi-region logging.
  • Integrate CloudTrail with CloudWatch.
  • Enable access logging for the CloudTrail S3 bucket.
  • Enable access logging for Elastic Load Balancer (ELB).
  • Enable Redshift audit logging.
  • Enable Virtual Private Cloud (VPC) flow logging.
  • Require multifactor authentication (MFA) to delete CloudTrail buckets.
  • Turn on multifactor authentication for the “root” account.
  • Turn on multifactor authentication for IAM users.
  • Enable IAM users for multi-mode access.
  • Attach IAM policies to groups or roles.
  • Rotate IAM access keys regularly, and standardize on a fixed number of days.
  • Set up a strict password policy.
  • Set the password expiration period to 90 days.
  • Do not use expired SSL/TLS certificates.
  • Use HTTPS for CloudFront distributions.
  • Restrict access to the CloudTrail bucket.
  • Encrypt CloudTrail log files at rest.
  • Encrypt Elastic Block Store (EBS) volumes.
  • Provision access to resources using IAM roles.
  • Avoid using the root user account.
  • Use secure SSL/TLS ciphers for connections between clients and the ELB.
  • Use secure SSL/TLS protocol versions for connections between clients and the ELB.
  • Use a standard naming (tagging) convention for EC2.
  • Encrypt Amazon Relational Database Service (RDS) instances.
  • Do not use access keys with the root account.
  • Use secure CloudFront SSL/TLS versions.
  • Enable the require_ssl parameter on all Redshift clusters.
  • Rotate SSH keys periodically.
  • Minimize the number of discrete security groups.
  • Reduce the number of IAM groups.
  • Terminate unused access keys.
  • Disable access for unused or inactive IAM users.
  • Remove unused IAM access keys.
  • Delete unused SSH public keys.
  • Restrict access to Amazon Machine Images (AMIs).
  • Restrict access to EC2 security groups.
  • Restrict access to RDS instances.
  • Restrict access to Redshift clusters.
  • Restrict outbound access.
  • Disallow unrestricted ingress access on any port.
  • Restrict access to well-known ports such as CIFS, FTP, ICMP, SMTP, SSH and RDP.
  • Involve IT security throughout the development process.
  • Grant application users the least privilege possible.
  • Encrypt highly sensitive data such as personally identifiable information (PII) or protected health information (PHI).
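Several of the AWS items above (strict password policy with 90-day expiry, no unrestricted ingress on sensitive ports, regular access key rotation) can be verified from exported account data rather than by clicking through the console. The module below is an added example written for this post, not code from the post's author or from AWS. It takes the JSON shapes that boto3 returns for `iam.get_account_password_policy()`, `ec2.describe_security_groups()` and `iam.list_access_keys()` (or the matching `aws ... --output json` output); the policy, security groups and keys at the bottom are constructed sample input so it runs offline, and the 14-character and 24-password thresholds are assumptions, since the checklist only says "strict".

```python
"""Offline audit of exported AWS account data against the checklist above.

Added example (not part of the original post). The functions take the
JSON shapes boto3 returns for iam.get_account_password_policy(),
ec2.describe_security_groups() and iam.list_access_keys(); the data at
the bottom is constructed sample input so the module runs offline.
"""
from datetime import datetime, timedelta, timezone

# Ports the checklist names (ICMP is matched by protocol, not by port).
SENSITIVE_PORTS = {445: "CIFS", 21: "FTP", 25: "SMTP", 22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_password_policy(policy, max_age_days=90, min_length=14, reuse_history=24):
    """Findings for an IAM account password policy.

    90 days comes from the checklist; min_length and reuse_history are
    assumed thresholds (the post only says "strict").
    """
    findings = []
    if policy.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"minimum password length below {min_length}")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if not policy.get(flag, False):
            findings.append(f"{flag} is off")
    if not policy.get("ExpirePasswords", False) or policy.get("MaxPasswordAge", 10**9) > max_age_days:
        findings.append(f"passwords do not expire within {max_age_days} days")
    if policy.get("PasswordReusePrevention", 0) < reuse_history:
        findings.append(f"reuse prevention below {reuse_history} passwords")
    return findings


def open_sensitive_ingress(security_groups):
    """(group id, exposed service, cidr) for every rule that opens a sensitive
    port, ICMP or all traffic to the whole internet (IPv4 or IPv6)."""
    hits = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = sorted(set(cidrs) & ANYWHERE)
            if not world:
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":                 # all protocols; boto3 omits the port fields
                exposed = ["ALL"]
            elif proto in ("icmp", "icmpv6"):
                exposed = ["ICMP"]
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                exposed = [f"{name}/{port}" for port, name in SENSITIVE_PORTS.items()
                           if lo <= port <= hi]
            hits.extend((sg["GroupId"], label, cidr) for cidr in world for label in exposed)
    return hits


def stale_access_keys(access_key_metadata, now, max_age_days=90):
    """Active access keys older than max_age_days (checklist: rotate keys regularly)."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in access_key_metadata
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


# Constructed sample input (not taken from any real account).
NOW = datetime(2021, 9, 3, tzinfo=timezone.utc)
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
                 "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                 "ExpirePasswords": False, "PasswordReusePrevention": 5}
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "old", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400)},
]


def audit(policy=SAMPLE_POLICY, groups=SAMPLE_GROUPS, keys=SAMPLE_KEYS, now=NOW):
    """Run all three checks and return the findings keyed by checklist area."""
    return {"password_policy": check_password_policy(policy),
            "open_ingress": open_sensitive_ingress(groups),
            "stale_keys": stale_access_keys(keys, now)}


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("   ", item)
```

On the sample data the run reports four password-policy gaps, SSH open to 0.0.0.0/0 on the first group, all traffic open to ::/0 on the second, and one active key older than 90 days; the 443 rule and the RDP rule limited to 10.0.0.0/8 are correctly left out. Note that an `IpProtocol` of `-1` carries no port fields at all, which is why it is handled before the port comparison.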

Azure Security Checklist

  • Ensure that multi-factor authentication is enabled for all users.
  • Ensure that there are no guest users.
  • Use Role-Based Access Control (RBAC) to manage access to resources.
  • Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is disabled.
  • Ensure that ‘Number of methods required to reset’ is set to 2.
  • Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ is not set to 0.
  • Ensure that ‘Notify users on password resets?’ is set to yes.
  • Ensure that ‘Notify all admins when other admins reset their password?’ is set to yes.
  • Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to none.
  • Ensure that ‘Users can add gallery apps to their Access Panel’ is set to no.
  • Ensure that ‘Users can register applications’ is set to no.
  • Ensure that ‘Guest users permissions are limited’ is set to yes.
  • Ensure that ‘Members can invite’ is set to no.
  • Ensure that ‘Guests can invite’ is set to no.
  • Ensure that access to the Azure AD administration portal is restricted.
  • Ensure that ‘Users can create security groups’ is set to none.
  • Ensure that ‘Self-service group management enabled’ is set to no.
  • Ensure that ‘Users who can manage security groups’ is set to none.
  • Ensure that ‘Users can create Office 365 groups’ is set to no.
  • Ensure that ‘Users who can manage Office 365 groups’ is set to none.
  • Ensure that ‘Require Multi-Factor Auth to join devices’ is set to yes.
  • Ensure that ‘Secure transfer required’ is set to enabled.
  • Ensure that ‘Storage service encryption’ is set to enabled.
  • On SQL servers, ensure that ‘Auditing’ is set to on.
  • On SQL servers, ensure that ‘Auditing type’ is set to blob.
  • On SQL servers, ensure that ‘Threat detection’ is set to on.
  • On SQL servers, ensure that ‘Threat detection types’ is set to all.
  • On SQL servers, ensure that ‘Send alerts to’ is set.
  • On SQL servers, ensure that ‘Email service and co-administrators’ is enabled.
  • On SQL servers, ensure that firewall rules are set appropriately.
  • Disable RDP access from the internet in network security groups.
  • Disable SSH access from the internet in network security groups.
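The last two Azure items are easy to get wrong when checked rule by rule, because network security group rules are evaluated in ascending priority order and the first match wins: an Allow from the internet on 3389 at priority 300 is harmless if a Deny at priority 100 covers it, while a broad port range such as 22-3389 exposes SSH even though no rule mentions port 22 by name. The check below is an added example for this post, not code from the post's author or from Microsoft. It reads rule dicts in the camelCase shape emitted by `az network nsg rule list` (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`) and assumes the platform's default `DenyAllInBound` rule applies when no custom rule matches; the two NSGs at the bottom are constructed sample input.

```python
"""Priority-aware check for RDP/SSH reachable from the internet through Azure NSGs.

Added example (not part of the original post). Rule dicts use the keys
`az network nsg rule list` emits; the NSGs at the bottom are constructed
sample input so the module runs offline.
"""

# Source prefixes that mean "the whole internet" in NSG rules.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "/0", "any"}
CHECKED_PORTS = {3389: "RDP", 22: "SSH"}


def _covers_port(rule, port):
    """True if destinationPortRange / destinationPortRanges ('*', '22', '22-3389') include port."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    for spec in specs:
        spec = str(spec).strip()
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _from_internet(rule):
    """True if any source prefix on the rule admits traffic from anywhere."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(p.strip().lower() in INTERNET_SOURCES for p in prefixes)


def _protocol_matches(rule):
    # RDP and SSH are TCP; a rule for "*" matches every protocol.
    return rule.get("protocol", "*").lower() in ("*", "tcp")


def effective_inbound_access(rules, port):
    """(rule name, access) of the first inbound rule, in ascending priority order,
    that decides internet traffic to `port`. Falls through to the platform default
    DenyAllInBound (priority 65500) when no custom rule matches."""
    inbound = sorted((r for r in rules if r.get("direction", "").lower() == "inbound"),
                     key=lambda r: int(r["priority"]))
    for rule in inbound:
        if _from_internet(rule) and _protocol_matches(rule) and _covers_port(rule, port):
            return rule["name"], rule["access"]
    return "DenyAllInBound", "Deny"


def find_exposed(nsgs):
    """(nsg name, service, deciding rule) wherever the effective result is Allow."""
    exposed = []
    for nsg in nsgs:
        for port, service in CHECKED_PORTS.items():
            rule, access = effective_inbound_access(nsg["securityRules"], port)
            if access.lower() == "allow":
                exposed.append((nsg["name"], service, rule))
    return exposed


# Constructed sample input (not taken from any real subscription).
SAMPLE_NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
        {"name": "allow-mgmt", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
    ]},
    {"name": "nsg-bastion", "securityRules": [
        {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
        {"name": "allow-all-mgmt", "priority": 300, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22-3389"},
        {"name": "allow-ssh-corp", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    ]},
]


if __name__ == "__main__":
    for nsg, service, rule in find_exposed(SAMPLE_NSGS):
        print(f"{nsg}: {service} reachable from the internet via rule '{rule}'")
```

On the sample, `nsg-web` exposes both RDP and SSH through `allow-mgmt`; `nsg-bastion` is reported only for SSH, because the priority-100 Deny shadows the later RDP Allow while the 22-3389 range still lets SSH through. The corporate-range rule at priority 110 is correctly ignored, since its source is not the internet.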

Google Security Checklist

  • Require 2-Step Verification for admin accounts
  • Enforce 2-Step Verification for users
  • Don’t use a super admin account for daily activities
  • Don’t remain signed in to an idle super admin account
  • Set up admin email alerts
  • Review the admin audit log
  • Add recovery options to admin accounts
  • Enroll a spare security key
  • Save the backup codes
  • Use unique passwords
  • Prevent password reuse with password alert
  • Regularly review activity reports and alerts
  • Know and approve which third-party apps can access G Suite core services
  • Create a whitelist of trusted apps
  • Limit external calendar sharing
  • Set up basic Chrome OS and Chrome Browser policies
  • Warn users when chatting outside their domain
  • Don’t automatically share contact information
  • Validate email with SPF, DKIM, and DMARC
  • Disable the “Do not require sender authentication” setting for spam policies
  • Prevent automatic forwarding of incoming mail
  • Enable comprehensive mail storage
  • Enable additional attachment protection
  • Enable enhanced pre-delivery message scanning
  • Limit group creation to admins
  • Set up private access to groups
  • Enforce mobile password requirements (reduce risk if the device is lost)
  • Encrypt data on mobile devices
  • Enable mobile inactivity reports
  • Disable location history
  • Disable access to offline docs
  • Do not permit users to install Docs add-ons from the add-on store
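The item "Validate email with SPF, DKIM, and DMARC" is the one Google entry that can be verified from outside the admin console, by reading the domain's DNS TXT records. The module below is an added example written for this post, not code from the post's author or from Google. It checks the three records for the weaknesses that make the controls ineffective: an SPF record that ends in `+all` or has no `-all`/`~all`, more than the ten DNS lookups RFC 7208 allows, a DKIM selector record with an empty `p=` key, and a DMARC record with `p=none`, no `rua=` reporting address or a `pct` below 100. The records are constructed sample input passed in as a lookup function; a live check would pull the same strings from DNS (for example with dnspython, which is not used here so the module runs offline).

```python
"""SPF / DKIM / DMARC record checks for the email authentication checklist item.

Added example (not part of the original post). The `lookup` argument is
any callable that returns the TXT record string for a name, or None;
SAMPLE_DNS below is constructed data standing in for real DNS answers.
"""

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = record.split()[1:]
    if any(t.lower() in ("all", "+all") for t in terms):
        findings.append("SPF ends with +all (anyone may send)")
    elif not any(t.lower() in ("-all", "~all") for t in terms):
        findings.append("SPF does not end with -all or ~all")
    # Strip the qualifier, then the ':' / '=' / '/' argument, to get the mechanism name.
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (RFC 7208 limit is 10)")
    return findings


def check_dkim(record, selector):
    if record is None:
        return [f"no DKIM record for selector {selector}"]
    if not parse_tags(record).get("p"):
        return ["DKIM record has an empty p= (key revoked or malformed)"]
    return []


def check_dmarc(record):
    if record is None or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy")
    elif policy == "none":
        findings.append("DMARC policy is none (monitor only)")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address")
    if tags.get("pct", "100") != "100":
        findings.append(f"only pct={tags['pct']} of mail is subject to the policy")
    return findings


def audit_domain(domain, dkim_selector, lookup):
    """Findings per record type for one domain; `lookup(name)` returns a TXT string or None."""
    return {
        "spf": check_spf(lookup(domain)),
        "dkim": check_dkim(lookup(f"{dkim_selector}._domainkey.{domain}"), dkim_selector),
        "dmarc": check_dmarc(lookup(f"_dmarc.{domain}")),
    }


# Constructed sample records (the DKIM key is a placeholder, not a real key).
SAMPLE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com include:mail.example.net ~all",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTED-PUBLIC-KEY-BASE64",
    "_dmarc.example.com": "v=DMARC1; p=none; pct=100",
    "weak.example": ("v=spf1 a mx include:a.example include:b.example include:c.example "
                     "include:d.example include:e.example include:f.example include:g.example "
                     "include:h.example include:i.example +all"),
}


if __name__ == "__main__":
    for domain in ("example.com", "weak.example"):
        print(domain)
        for kind, findings in audit_domain(domain, "google", SAMPLE_DNS.get).items():
            print(f"  {kind}: {findings or 'ok'}")
```

For `example.com` the SPF and DKIM records pass but DMARC is flagged twice (monitor-only policy, no reporting address), which is the common half-finished deployment; `weak.example` shows the failure modes on the SPF side (eleven lookups and `+all`) together with the missing DKIM and DMARC records.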
