AWS Security Checklist

DynamoDB Security Checklist

Enable VPC endpoints: Enable VPC endpoints to ensure that all traffic to and from your DynamoDB tables is restricted within your VPC and does not traverse the public internet.
Use IAM roles: Use IAM roles to control access to your DynamoDB tables and limit access to only the necessary permissions.
Enable encryption: Enable server-side encryption for your DynamoDB tables to protect against unauthorized access to your data.
Monitor access patterns: Monitor access patterns to your DynamoDB tables to detect anomalous behavior and potential security threats.
Enable audit logging: Enable audit logging for your DynamoDB tables to track access and changes to your data.
Enable automatic backups: Enable automatic backups for your DynamoDB tables to ensure that you can restore your data in the event of a disaster or data loss.
Use fine-grained access control: Use fine-grained access control to limit access to specific items or attributes within your DynamoDB tables.
Monitor network traffic: Monitor network traffic to and from your DynamoDB tables to detect and prevent unauthorized access or data exfiltration.
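The "Use IAM roles" and "Use fine-grained access control" items above come down to what the policy attached to the role allows. The following is an added example (not part of the checklist) that checks a policy document for the usual least-privilege failures and shows a fine-grained DynamoDB policy next to a broad one. The two policies, the table ARN and the account id are constructed placeholders; dynamodb:LeadingKeys, dynamodb:Attributes and dynamodb:Select are real DynamoDB IAM condition keys, and the "no item-level condition" rule is this example's own heuristic, not an AWS check.

```python
"""Least-privilege checks for IAM policy documents (added example, constructed data)."""

# Constructed: the broad policy the checklist warns against.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed: a fine-grained policy. A caller may only read or write items whose
# partition key equals its own Cognito identity id, and only the listed attributes.
FINE_GRAINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
            # placeholder table ARN
            "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
                    "dynamodb:Attributes": ["UserId", "OrderId", "Total"],
                },
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_issues(policy):
    """Return (statement_index, issue) pairs for every Allow statement that is too broad."""
    issues = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append((i, "wildcard action"))
        if any(r == "*" for r in resources):
            issues.append((i, "wildcard resource"))
        # Heuristic of this example: DynamoDB access without dynamodb:LeadingKeys
        # in any condition block reaches every item in the table.
        conditions = st.get("Condition", {})
        has_leading_keys = any(
            "dynamodb:LeadingKeys" in block
            for block in conditions.values() if isinstance(block, dict)
        )
        if any(a.startswith("dynamodb:") for a in actions) and not has_leading_keys:
            issues.append((i, "no item-level (dynamodb:LeadingKeys) condition"))
    return issues


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("fine-grained", FINE_GRAINED_POLICY)):
        print(name, find_issues(pol) or "ok")
```

Run the check over policies pulled from your own account (for example the output of `aws iam get-policy-version`) in the same way; the fine-grained policy passes, the broad one reports all three problems.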
PrivateLink Security Checklist

Enable VPC endpoints for services: Use VPC endpoints to allow access to AWS services within your VPCs without traversing the internet.
Use security groups to control traffic: Use security groups to control the inbound and outbound traffic to your PrivateLink-enabled services.
Enable flow logs for VPC endpoints: Enable VPC flow logs to record information about the traffic to and from your VPC endpoints for security and monitoring purposes.
Use IAM policies to control access: Use IAM policies to control access to your PrivateLink-enabled services and resources.
Monitor VPC endpoint usage: Monitor the usage of your VPC endpoints to detect any abnormal activity or unauthorized access attempts.
Enable endpoint policies: Use endpoint policies to control access to your PrivateLink-enabled services and resources at a granular level.
ECS Security Checklist

Enable IAM roles for tasks: Use IAM roles for tasks to provide AWS credentials to containers running in Amazon ECS.
Use task placement strategies: Use task placement strategies to distribute tasks across instance availability zones and improve application availability.
Enable service auto scaling: Enable service auto scaling to adjust the number of tasks in a service based on the demand.
Use VPC endpoint for ECS: Use VPC endpoint for ECS to keep all traffic between your Amazon ECS tasks and your other AWS resources within your VPC.
Use ECR for container registry: Use Amazon Elastic Container Registry (ECR) for container registry to store and manage Docker images for your containers.
Use AWS Fargate: Use AWS Fargate to run containers without having to manage the underlying EC2 instances.
Use AWS CloudTrail: Use AWS CloudTrail to log all Amazon ECS API calls, monitor the activity, and troubleshoot potential security issues.
Secure secrets: Secure secrets used by your containers by using AWS Secrets Manager or AWS Systems Manager Parameter Store.
Enable container insights: Enable container insights to collect, aggregate, and summarize metrics and logs from your Amazon ECS tasks and containers.
Enable encryption in transit and at rest: Enable encryption in transit and at rest to protect data transmitted between containers and stored on disk.
SNS Security Checklist

Enable access logging: Enable access logs for SNS to monitor access and provide audit trails.
Enable server-side encryption: Enable server-side encryption for SNS to protect against unauthorized access to your data.
Use IAM policies to control access: Use IAM policies to control access to your SNS topics and prevent unauthorized access.
Enable VPC Endpoints: Use VPC Endpoints for SNS to allow your applications to send messages to SNS over a private network.
Enable SNS message filtering: Use SNS message filtering to ensure that subscribers receive only the messages they are interested in.
Rotate access keys regularly: Rotate SNS access keys regularly to reduce the risk of unauthorized access.
Enable CloudTrail logging: Enable CloudTrail logging for SNS to monitor and audit API calls and detect suspicious activity.
Fargate Security Checklist

Use task roles: Assign a task role to your Fargate tasks to ensure that they have only the necessary permissions to perform their specific functions.
Use VPC: Deploy Fargate tasks in a VPC to control network access and to restrict public access to your resources.
Use security groups: Define security groups to control inbound and outbound traffic for your Fargate tasks and to restrict access to only necessary ports.
Use IAM roles for service accounts (IRSA): Use IAM roles for service accounts (IRSA) to enable your pods to communicate securely with other AWS services using IAM credentials.
Encrypt data at rest: Use encryption to protect sensitive data stored in volumes attached to Fargate tasks.
Encrypt data in transit: Use encryption to protect data in transit between Fargate tasks and other AWS services or external endpoints.
Monitor container images: Regularly scan and monitor container images for vulnerabilities and keep them up to date to reduce the risk of exploits.
Enable logging: Enable logging for your Fargate tasks to monitor and audit activity within your containers.
Use AWS Secrets Manager: Use AWS Secrets Manager to securely store and manage sensitive data such as passwords, API keys, and other credentials used by your Fargate task.
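The ECS and Fargate items on task roles, secrets and logging are all visible in the task definition. The following is an added example (not part of the checklist) that lints a task definition for those points: a missing taskRoleArn, secret-looking values placed in plaintext environment variables instead of the secrets/valueFrom block, privileged containers, writable root filesystems and missing log configuration. The task definition, image and secret ARNs are constructed placeholders; the field names (taskRoleArn, containerDefinitions, environment, secrets, privileged, readonlyRootFilesystem, logConfiguration) are the real ECS task-definition fields, and the secret-name pattern is this example's own heuristic.

```python
"""Lint an ECS task definition for secrets, role and privilege problems (added example)."""
import re

# Heuristic: environment variable names that usually carry a credential.
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

# Constructed task definition: one container done the weak way, one corrected.
TASK_DEF = {
    "family": "orders",
    # no taskRoleArn: the containers fall back to whatever the host/execution role allows
    "containerDefinitions": [
        {
            "name": "api-weak",
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/orders:1.4",  # placeholder
            "privileged": True,
            "environment": [
                {"name": "DB_HOST", "value": "orders-db.internal"},
                {"name": "DB_PASSWORD", "value": "hunter2"},  # plaintext secret in the task definition
            ],
        },
        {
            "name": "api-fixed",
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/orders:1.4",  # placeholder
            "readonlyRootFilesystem": True,
            "environment": [{"name": "DB_HOST", "value": "orders-db.internal"}],
            "secrets": [
                {
                    "name": "DB_PASSWORD",
                    # placeholder Secrets Manager ARN; ECS injects the value at start-up
                    "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders/db-PLACEHOLDER",
                }
            ],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/orders", "awslogs-region": "us-east-1"},
            },
        },
    ],
}


def lint_task_definition(td):
    """Return (scope, finding) pairs; scope is 'task' or the container name."""
    findings = []
    if not td.get("taskRoleArn"):
        findings.append(("task", "no taskRoleArn: containers get no scoped IAM identity"))
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        for env in c.get("environment", []):
            if SECRET_NAME_RE.search(env.get("name", "")):
                findings.append((name, "secret-looking variable %s in plaintext environment; "
                                       "move it to secrets/valueFrom" % env["name"]))
        if c.get("privileged"):
            findings.append((name, "privileged container"))
        if not c.get("readonlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if "logConfiguration" not in c:
            findings.append((name, "no logConfiguration: container output is not collected"))
    return findings


if __name__ == "__main__":
    for scope, finding in lint_task_definition(TASK_DEF):
        print("%-10s %s" % (scope, finding))
```

Feed it the JSON from `aws ecs describe-task-definition` (the `taskDefinition` object) to run it against real definitions; the corrected container produces no findings, the weak one produces four plus the task-level missing role.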
EC2 Security Checklist

Use security groups: Create and configure security groups to control inbound and outbound traffic for your EC2 instances.
Enable monitoring: Enable CloudWatch monitoring to track the performance and status of your EC2 instances.
Create IAM roles: Create IAM roles to manage access to your EC2 instances and assign permissions for AWS resources and services.
Enable VPC Flow Logs: Enable VPC Flow Logs to monitor and capture information about IP traffic going to and from your EC2 instances in your VPC.
Implement Network ACLs: Use Network Access Control Lists (NACLs) to add an additional layer of security by controlling traffic at the subnet level.
Enable AWS Config: Enable AWS Config to continuously monitor and record your EC2 instances' configurations and evaluate them against best practices.
Encrypt EBS volumes: Enable encryption for your Elastic Block Store (EBS) volumes to protect your data at rest.
Enable instance metadata protection: Enable Instance Metadata Service Version 2 (IMDSv2) to protect against unauthorized access to the instance metadata.
Use dedicated tenancy: Use dedicated tenancy to launch EC2 instances on dedicated hardware for increased security and compliance.
Enable AWS Systems Manager: Use AWS Systems Manager to manage and automate tasks on your EC2 instances, such as patching and configuration management.
Regularly patch and update: Regularly apply security patches and updates to your EC2 instances and applications to reduce vulnerabilities.
Implement AWS Backup: Use AWS Backup to create, manage, and restore backups of your EC2 instances and ensure data durability and availability.
Implement Amazon Inspector: Use Amazon Inspector to assess the security and compliance of your EC2 instances by identifying potential security issues.
Use Amazon GuardDuty: Enable Amazon GuardDuty to continuously monitor and detect threats to your EC2 instances and AWS accounts.
Enable Amazon Macie: Use Amazon Macie to discover, classify, and protect sensitive data stored in your EC2 instances.
Implement AWS WAF: Use AWS Web Application Firewall (WAF) to protect your web applications hosted on EC2 instances from common web exploits.
Enable AWS Shield: Enable AWS Shield to protect your EC2 instances from Distributed Denial of Service (DDoS) attacks.
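Three of the EC2 items (security groups, EBS encryption and IMDSv2) can be verified from the describe-* API output without touching the instances. The following is an added example (not part of the checklist) that audits constructed describe-instances, describe-volumes and describe-security-groups data for IMDSv2 not being enforced, unencrypted attached volumes, and security groups that open administrative ports to 0.0.0.0/0 or ::/0. The instance, volume and group ids are placeholders; the field names (MetadataOptions.HttpTokens, Encrypted, Attachments, IpPermissions, IpRanges.CidrIp, Ipv6Ranges.CidrIpv6) are the real EC2 API fields, and the set of "admin ports" is this example's choice.

```python
"""Audit EC2 posture from describe-* output (added example, constructed data)."""

ADMIN_PORTS = {22, 3389}          # example choice: SSH and RDP
WORLD = ("0.0.0.0/0", "::/0")

# Constructed describe-instances / describe-volumes / describe-security-groups excerpts.
INSTANCES = [
    {"InstanceId": "i-0aaaa111",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},   # IMDSv1 still allowed
     "SecurityGroups": [{"GroupId": "sg-0open"}]},
    {"InstanceId": "i-0bbbb222",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},   # IMDSv2 enforced
     "SecurityGroups": [{"GroupId": "sg-0tight"}]},
]
VOLUMES = [
    {"VolumeId": "vol-01", "Encrypted": False, "Attachments": [{"InstanceId": "i-0aaaa111"}]},
    {"VolumeId": "vol-02", "Encrypted": True, "Attachments": [{"InstanceId": "i-0bbbb222"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0tight", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]


def world_open_admin_ports(sg):
    """Admin ports a security group opens to the whole internet, as a sorted list."""
    open_ports = set()
    for perm in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not any(c in WORLD for c in cidrs):
            continue
        if perm.get("IpProtocol") == "-1":      # "-1" means every protocol and port
            open_ports |= ADMIN_PORTS
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        open_ports |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return sorted(open_ports)


def audit(instances, volumes, security_groups):
    """Map each InstanceId to a list of findings (empty list = all three checks pass)."""
    groups = {sg["GroupId"]: sg for sg in security_groups}
    report = {}
    for inst in instances:
        iid = inst["InstanceId"]
        findings = []
        md = inst.get("MetadataOptions", {})
        if md.get("HttpEndpoint") == "enabled" and md.get("HttpTokens") != "required":
            findings.append("IMDSv2 not enforced (HttpTokens=%s)" % md.get("HttpTokens"))
        for vol in volumes:
            attached = any(a.get("InstanceId") == iid for a in vol.get("Attachments", []))
            if attached and not vol.get("Encrypted"):
                findings.append("unencrypted EBS volume " + vol["VolumeId"])
        for ref in inst.get("SecurityGroups", []):
            ports = world_open_admin_ports(groups.get(ref["GroupId"], {}))
            if ports:
                findings.append("%s opens admin ports %s to the world" % (ref["GroupId"], ports))
        report[iid] = findings
    return report


if __name__ == "__main__":
    for iid, findings in audit(INSTANCES, VOLUMES, SECURITY_GROUPS).items():
        print(iid, findings or "ok")
```

Port 443 open to the world is deliberately not reported: the check targets administrative ports, which is where the "restrict access to only necessary ports" guidance bites hardest. Swap the constructed lists for the `Reservations[].Instances[]`, `Volumes[]` and `SecurityGroups[]` arrays from the real CLI output to use it on an account.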
CloudTrail Security Checklist

Enable CloudTrail logging: Enable AWS CloudTrail logging to track changes made to your AWS account and resources.
Encrypt CloudTrail logs: Use server-side encryption (SSE) or client-side encryption to encrypt CloudTrail logs at rest.
Restrict access to CloudTrail logs: Limit access to CloudTrail logs to only authorized personnel, using IAM policies or bucket policies.
Monitor CloudTrail logs: Monitor CloudTrail logs for unusual activity, using services like Amazon CloudWatch or Amazon Athena.
Enable multi-factor authentication (MFA) for CloudTrail logging: Enable MFA for CloudTrail logging to prevent unauthorized changes to CloudTrail configuration.
Regularly review CloudTrail logs: Regularly review CloudTrail logs to identify and investigate any security or compliance issues.
Protect CloudTrail credentials: Protect CloudTrail credentials, including access keys and secret access keys, using best practices like rotation and secure storage.
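"Monitor CloudTrail logs for unusual activity" is only useful with concrete detections behind it. The following is an added example (not part of the checklist) that parses a CloudTrail log file excerpt and raises alerts for three of the patterns a reviewer looks for first: API calls that switch off logging or monitoring (CloudTrail, Config, GuardDuty), console logins that succeeded without MFA, and any use of the root account. The records, account id and IP addresses are constructed; the field names (eventSource, eventName, userIdentity.type, responseElements.ConsoleLogin, additionalEventData.MFAUsed) are the real CloudTrail record fields, and the list of tampering API names is this example's selection.

```python
"""Triage CloudTrail records for logging tampering, MFA-less logins and root use (added example)."""
import json

# Example selection of API calls that weaken the audit trail itself.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
}

# Constructed log file excerpt in the real {"Records": [...]} file shape.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-01-10T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T08:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-10T08:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.4",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})


def load_records(text):
    """Parse one CloudTrail log file (the JSON body after gunzip) into its record list."""
    return json.loads(text).get("Records", [])


def triage(records):
    """Return (severity, message) alerts in record order; benign records produce nothing."""
    alerts = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        identity = rec.get("userIdentity", {})
        who = identity.get("arn", "unknown")
        if name in TAMPER_EVENTS.get(source, ()):
            alerts.append(("HIGH", "%s by %s: logging/monitoring tampering" % (name, who)))
        elif (name == "ConsoleLogin"
              and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
              and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            alerts.append(("MEDIUM", "console login without MFA by %s from %s"
                           % (who, rec.get("sourceIPAddress"))))
        elif identity.get("type") == "Root":
            alerts.append(("HIGH", "root account used for %s" % name))
    return alerts


if __name__ == "__main__":
    for severity, message in triage(load_records(SAMPLE_LOG)):
        print(severity, message)
```

The same three rules translate directly into CloudWatch Logs metric filters or Athena queries over the trail bucket; running them as code first makes it easy to confirm each rule fires on the record shape you actually receive.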
Athena Security Checklist

Limit access to Athena: Ensure that access to Athena is limited to only the necessary users and roles.
Use IAM policies to control access: Use IAM policies to control access to Athena resources.
Use encryption: Use encryption to protect sensitive data at rest and in transit.
Enable CloudTrail logging: Enable CloudTrail logging for Athena to track usage and changes to the service.
Enable VPC access: Enable VPC access for Athena to limit access to resources within your VPC.
Enable query result encryption: Enable query result encryption to protect sensitive data in query results.
Use parameterized queries: Use parameterized queries to protect against SQL injection attacks.
Use AWS Glue to manage Athena data catalog: Use AWS Glue to manage the Athena data catalog and ensure that it is up-to-date and accurate.
Enable Amazon S3 server-side encryption: Enable Amazon S3 server-side encryption to protect data stored in S3 that is accessed by Athena.
CloudFront Security Checklist

Use HTTPS: Enforce HTTPS for connections between clients and CloudFront, as well as between CloudFront and your origin servers, to protect data in transit.
Enable Field-Level Encryption: Use field-level encryption to protect sensitive data within HTTP(S) POST requests by encrypting specific form fields at the edge.
Use Origin Access Identity (OAI): Restrict access to your S3 origin by creating an Origin Access Identity (OAI) and using it in your CloudFront distribution, allowing only CloudFront to access the S3 content.
Enable AWS WAF: Integrate your CloudFront distribution with AWS Web Application Firewall (WAF) to protect your content from common web exploits and attacks.
Enable AWS Shield: Enable AWS Shield to protect your CloudFront distribution from Distributed Denial of Service (DDoS) attacks.
Use CloudFront signed URLs or signed cookies: Secure your CloudFront content by using signed URLs or signed cookies to restrict access to your content.
Enable real-time logs: Enable real-time logs in CloudFront to monitor and analyze access patterns and identify potential security risks.
Enable access logs: Enable access logs for your CloudFront distribution to capture detailed information about viewer requests.
Use Geo Restriction: Configure geo restriction to control which countries can access your CloudFront content.
Implement Lambda@Edge: Use Lambda@Edge to customize and secure your CloudFront content by running Lambda functions at the edge locations.
Enable CloudTrail integration: Integrate your CloudFront distribution with AWS CloudTrail to capture and store data events for auditing and compliance purposes.
Enable AWS Config: Enable AWS Config to continuously monitor and record your CloudFront distribution configurations and evaluate them against best practices.
Use Amazon GuardDuty: Enable Amazon GuardDuty to continuously monitor and detect threats to your CloudFront distributions and AWS accounts.
Enable cache policies: Create and use cache policies to customize and control the cache behavior of your CloudFront distribution, improving performance and security.
Use custom error pages: Configure custom error pages for your CloudFront distribution to provide a better user experience and prevent information leakage.
Use security headers: Add security headers like Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options to your CloudFront response using Lambda@Edge for added security.
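The "Use security headers" item names Lambda@Edge as the mechanism. The following is an added example (not part of the checklist) of an origin-response Lambda@Edge handler in Python that adds the headers the item lists, plus Strict-Transport-Security and Referrer-Policy, and drops the Server and X-Powered-By headers that leak origin software versions. The event shape (Records[0].cf.response with lower-cased header names mapping to lists of {key, value}) is the real CloudFront origin-response event format; the header values are constructed defaults that each site should tune, in particular the Content-Security-Policy.

```python
"""Lambda@Edge origin-response handler that adds security headers (added example)."""

# Constructed defaults; the CSP in particular must match what the site actually loads.
SECURITY_HEADERS = {
    "strict-transport-security": ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    "content-security-policy": ("Content-Security-Policy",
                                "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    "x-content-type-options": ("X-Content-Type-Options", "nosniff"),
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "referrer-policy": ("Referrer-Policy", "strict-origin-when-cross-origin"),
}
# Headers that only tell a visitor which software the origin runs.
HEADERS_TO_STRIP = ("server", "x-powered-by")


def add_security_headers(response):
    """Add the security headers to a CloudFront response dict; origin-set values are kept."""
    headers = response.setdefault("headers", {})
    for lower_name, (key, value) in SECURITY_HEADERS.items():
        # setdefault keeps an origin-provided header (e.g. a page-specific CSP)
        headers.setdefault(lower_name, [{"key": key, "value": value}])
    for name in HEADERS_TO_STRIP:
        headers.pop(name, None)
    return response


def handler(event, context):
    """Lambda@Edge entry point for the origin-response trigger."""
    response = event["Records"][0]["cf"]["response"]
    return add_security_headers(response)


def sample_event():
    """Constructed origin-response event in the CloudFront event shape."""
    return {"Records": [{"cf": {"response": {
        "status": "200",
        "statusDescription": "OK",
        "headers": {
            "content-type": [{"key": "Content-Type", "value": "text/html"}],
            "x-powered-by": [{"key": "X-Powered-By", "value": "Express"}],
        },
    }}}]}


if __name__ == "__main__":
    for name, values in handler(sample_event(), None)["headers"].items():
        print(values[0]["key"], "=", values[0]["value"])
```

Because the handler runs on the origin response, the headers are cached together with the object and are served from the edge on every hit. The same header set can also be attached through a CloudFront response headers policy without any function code; the Lambda@Edge route is what the checklist asks for and is the one to use when headers must vary by request.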
ECR Security Checklist

Enable encryption: Enable encryption at rest for your ECR repositories to protect against unauthorized access to your data.
Use private repositories: Use private repositories to protect your container images from being accessed by unauthorized users.
Scan images for vulnerabilities: Use Amazon ECR image scanning to detect and remediate vulnerabilities in your container images.
Implement access control: Use IAM policies and resource-based permissions to control access to your ECR repositories and images.
Use VPC endpoints: Use VPC endpoints to securely access your ECR repositories without exposing them to the public internet.
Enable lifecycle policies: Use lifecycle policies to automatically clean up untagged or unused images, and to expire old images to reduce storage costs.
Audit trail: Enable AWS CloudTrail to log all API calls made to your ECR repositories for auditing and compliance purposes.
Lambda Security Checklist

Use AWS Secrets Manager or AWS Systems Manager Parameter Store to store sensitive information: To prevent accidental exposure of sensitive information, use AWS Secrets Manager or AWS Systems Manager Parameter Store to store sensitive information such as passwords, API keys, and database connection strings.
Implement function-level access control: Use AWS Identity and Access Management (IAM) policies to control access to your Lambda functions. Restrict access to only the actions and resources that are necessary for the function to perform its intended actions.
Enable VPC access for your Lambda functions: Use Amazon Virtual Private Cloud (VPC) to isolate your Lambda functions from the public internet and to access resources in your own VPC.
Enable AWS X-Ray tracing: Enable AWS X-Ray tracing to monitor and troubleshoot your serverless application. X-Ray provides end-to-end tracing of requests and helps you identify performance bottlenecks and errors.
Use AWS Key Management Service to encrypt data in transit and at rest: Use AWS Key Management Service (KMS) to create and manage encryption keys that protect your data. Encrypt data in transit and at rest using KMS-managed keys.
Monitor and log function invocations: Use Amazon CloudWatch to monitor and log function invocations. Use CloudWatch Logs to store and analyze logs generated by your Lambda functions.
Use AWS Config to monitor resource configurations and compliance: Use AWS Config to monitor the configurations of your Lambda functions and their associated resources. Use Config rules to define compliance rules for your resources and to get notifications when they change.
Implement least privilege permissions for your Lambda functions: Use the principle of least privilege to assign permissions to your Lambda functions. Assign only the necessary permissions to access the required resources and actions.
Use environment variables to configure your Lambda functions: Use environment variables to pass configuration information to your Lambda functions. Store sensitive configuration information in AWS Secrets Manager or AWS Systems Manager Parameter Store.
Implement automated deployments for your: Use AWS CodeDeploy to automate the
S3 Security Checklist

Enable versioning: Enable versioning for your S3 buckets to protect against accidental deletion or overwrite.
Enable encryption in S3: Enable encryption for your S3 buckets to protect against unauthorized access to your data at rest.
Create IAM policies: Use IAM policies to control access to your S3 buckets and objects.
Enable object lock: Enable object lock to prevent objects from being deleted or overwritten for a defined retention period.
Enable bucket logging: Enable access logging on your S3 buckets to monitor and analyze access patterns and identify potential security risks.
Enable CloudTrail integration: Integrate your S3 buckets with AWS CloudTrail to capture and store data events for auditing and compliance purposes.
Enable AWS Config: Enable AWS Config to continuously monitor and record your S3 bucket configurations and evaluate them against best practices.
Set up S3 event notifications: Configure S3 event notifications to send messages when specific events occur in your S3 buckets, such as object creation or deletion.
Implement bucket policies: Use S3 bucket policies to manage permissions at the bucket level, controlling access to all objects within a bucket.
Set up CORS configurations: Configure Cross-Origin Resource Sharing (CORS) to control which origins can access your S3 buckets and objects.
Enable MFA Delete: Enable Multi-Factor Authentication (MFA) Delete to require additional authentication when deleting objects or changing bucket versioning settings.
Enable transfer acceleration: Enable S3 Transfer Acceleration to improve data transfer speed and reduce latency for your S3 buckets.
Implement bucket tagging: Use bucket tagging to organize and manage your S3 buckets and enable cost allocation tracking.
Configure lifecycle policies: Set up lifecycle policies to automate the management of objects in your S3 buckets, such as transitioning objects to different storage classes or deleting objects.
Implement public access blocking: Use S3 Block Public Access settings to prevent public access to your S3 buckets and objects.
Use VPC endpoints: Create VPC endpoints for Amazon S3 to securely access your buckets over a private network connection.
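Several of the S3 items (public access blocking, default encryption, versioning, MFA Delete, bucket logging) are plain configuration flags that can be checked in one pass. The following is an added example (not part of the checklist) that evaluates constructed bucket settings in the shape returned by get-public-access-block, get-bucket-encryption, get-bucket-versioning and get-bucket-logging. The bucket names, KMS key ARN and log target are placeholders; the field names are the real S3 API fields, and a bucket that is missing any of the four Block Public Access flags is reported as incomplete because all four are needed for the setting to be effective.

```python
"""Evaluate S3 bucket settings against the checklist items (added example, constructed data)."""

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed settings for two buckets, keyed by (placeholder) bucket name.
BUCKETS = {
    "weak-bucket": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                           "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
        "ServerSideEncryptionConfiguration": None,       # get-bucket-encryption returned nothing
        "Versioning": {"Status": "Suspended"},
        "Logging": {},
    },
    "hardened-bucket": {
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
        "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"}}]},
        "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "Logging": {"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "s3/"}},
    },
}


def evaluate_bucket(cfg):
    """Return human-readable findings for one bucket; an empty list means every check passed."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("Block Public Access incomplete: " + ", ".join(missing))
    sse = cfg.get("ServerSideEncryptionConfiguration") or {}
    if not sse.get("Rules"):
        findings.append("no default encryption configuration")
    versioning = cfg.get("Versioning") or {}
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    if not (cfg.get("Logging") or {}).get("LoggingEnabled"):
        findings.append("access logging not enabled")
    return findings


def evaluate_all(buckets):
    """Evaluate every bucket; returns {bucket_name: [findings]}."""
    return {name: evaluate_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, findings in evaluate_all(BUCKETS).items():
        print(name, findings or "ok")
```

Note that MFA Delete can only be switched on by the root user with the CLI or API, which is why it is the flag most often found missing on otherwise hardened buckets.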
VPC Security Checklist

Create a VPC with multiple subnets: Design your VPC with multiple subnets spread across multiple Availability Zones to ensure high availability and fault tolerance.
Use Security Groups and Network ACLs: Use Security Groups and Network ACLs to define inbound and outbound traffic rules for your VPC resources, ensuring that only necessary traffic is allowed.
Implement Private and Public Subnets: Segregate resources within your VPC into private and public subnets based on their exposure to the internet. Keep critical resources in private subnets with no direct internet access.
Use NAT Gateways for outbound traffic: Use NAT Gateways to allow instances in private subnets to access the internet while still preventing inbound traffic from the internet.
Use VPC Flow Logs: Enable VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC for monitoring and auditing purposes.
Use VPC endpoints for AWS services: Use VPC endpoints to privately connect your VPC to supported AWS services, ensuring that traffic between your VPC and these services does not traverse the public internet.
Implement proper routing: Configure routing tables for each subnet in your VPC, ensuring that traffic is routed only to intended destinations.
Use VPN or Direct Connect for hybrid environments: If connecting your VPC to on-premises environments, use AWS VPN or Direct Connect for secure and reliable connectivity.
Periodically review Security Groups and Network ACLs: Regularly review and update your Security Groups and Network ACLs to ensure that they continue to meet your security requirements and follow the principle of least privilege.
Encrypt sensitive data: Encrypt sensitive data in transit and at rest when transmitted between your VPC and other networks, or stored within your VPC.
Implement proper IAM policies: Use IAM policies to control access to VPC resources and actions, ensuring that users and applications have only the necessary permissions.
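VPC Flow Logs appear in the VPC, EC2, PrivateLink and DynamoDB ("monitor network traffic ... detect ... exfiltration") items, but the page does not show what to look for in them. The following is an added example (not part of the checklist) that parses the default version-2 flow log record format and raises two kinds of alert: external addresses repeatedly rejected on administrative ports, and large accepted outbound transfers from an internal address to a non-RFC 1918 destination. The log lines, account id, ENI id and addresses are constructed; the field order is the real default flow log format, while the admin-port set, the RFC 1918 definition of "internal" and the byte threshold are this example's choices.

```python
"""Detections over VPC Flow Log records (added example, constructed log lines)."""
import ipaddress
from collections import Counter, defaultdict

# Default flow log record format (version 2), in field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

ADMIN_PORTS = {22, 3389}                      # example choice
EGRESS_BYTES_THRESHOLD = 500_000_000          # example choice: 500 MB per src/dst pair
# "Internal" means RFC 1918 here; ipaddress.is_private is deliberately not used because
# it also treats the documentation ranges (203.0.113.0/24 etc.) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines: two rejected admin-port probes, normal HTTPS, one large transfer, one NODATA.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.0.1.15 54321 22 6 6 360 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.0.1.15 54322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 52.94.1.10 44321 443 6 20 5000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 198.51.100.7 44322 443 6 9000 950000000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_record(line):
    """Parse one record; returns None for malformed lines and NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    try:
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def analyze(lines):
    """Return alert strings: rejected admin-port probes per source, then oversized egress per pair."""
    rejected_admin = Counter()
    egress_bytes = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if rec["action"] == "REJECT" and not is_internal(src) and rec["dstport"] in ADMIN_PORTS:
            rejected_admin[src] += 1
        if rec["action"] == "ACCEPT" and is_internal(src) and not is_internal(dst):
            egress_bytes[(src, dst)] += rec["bytes"]
    alerts = ["%s: %d rejected connections to admin ports" % (ip, n)
              for ip, n in rejected_admin.items()]
    alerts += ["%s -> %s: %d bytes outbound exceeds threshold" % (s, d, b)
               for (s, d), b in egress_bytes.items() if b >= EGRESS_BYTES_THRESHOLD]
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOW_LOG.splitlines()):
        print(alert)
```

Records with log-status NODATA or SKIPDATA carry dashes instead of addresses and are skipped rather than mis-parsed; that is the edge case that most often breaks a first flow log parser. Published flow logs use the same text format, so the function works unchanged over lines read from the S3 or CloudWatch Logs destination.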
EventBridge Security Checklist

Enable encryption: Enable server-side encryption for your EventBridge to protect against unauthorized access to your data.
Enable EventBridge access logging: Enable access logging for your EventBridge to monitor and audit all API calls made to the service.
Create IAM policies: Use IAM policies to control access to your EventBridge resources and actions.
Enable EventBridge Resource-level Permissions: Use EventBridge Resource-level Permissions to control access to specific EventBridge resources.
Limit permissions using AWS Organizations: Use AWS Organizations to limit permissions for your EventBridge resources across your entire organization.
Enable VPC Endpoints for EventBridge: Use VPC Endpoints to securely connect to EventBridge resources without going over the public internet.
Enable EventBridge API throttling: Enable API throttling to limit the number of requests to EventBridge and prevent abuse or denial of service attacks.
Redshift Security Checklist

Enable audit logging: Enable audit logging to capture database activity and investigate security incidents.
Enable encryption: Enable encryption for your Redshift clusters and snapshots to protect against unauthorized access to your data.
Restrict access: Restrict access to your Redshift clusters to only authorized users and applications.
Rotate credentials: Rotate your database credentials regularly to prevent unauthorized access.
Apply security patches: Apply security patches to your Redshift clusters regularly to address known vulnerabilities.
Use IAM policies: Use IAM policies to control access to your Redshift clusters and objects.
Use VPC: Use Amazon VPC to isolate your Redshift clusters from the public internet and restrict access to your resources.
Monitor for suspicious activity: Implement monitoring and alerting to detect and respond to suspicious activity in your Redshift clusters.
API Gateway Security Checklist

Use HTTPS: Use HTTPS instead of HTTP for all API requests to encrypt data in transit and prevent man-in-the-middle attacks.
Enable API Gateway Logging: Enable logging to Amazon CloudWatch Logs to help with security analysis, change tracking, and compliance auditing.
Restrict Access with API Gateway Resource Policies: Define resource policies to restrict access to your APIs, based on IP address, Amazon VPC endpoint, or other attributes.
Use AWS WAF with API Gateway: Use AWS Web Application Firewall (WAF) with API Gateway to protect against common web exploits such as SQL injection and cross-site scripting (XSS).
Implement Authorization with API Gateway: Implement authorization with API Gateway to control who can access your APIs and what actions they can perform.
Protect Against Denial-of-Service (DoS) Attacks: Configure rate limiting, throttling, and caching to protect against DoS attacks and to ensure high availability and performance.
Use API Gateway Access Logging: Use access logging to track and monitor requests to your APIs, and to help with troubleshooting and compliance auditing.
Secure API Gateway Credentials: Use AWS Secrets Manager or AWS Key Management Service (KMS) to securely manage API Gateway credentials.
Route 53 Security Checklist

Enable VPC associations: Ensure that your Route 53 hosted zones are associated with VPCs to restrict access to your DNS resources.
Enable DNSSEC: Enable DNSSEC to protect against DNS spoofing attacks and ensure the integrity of your DNS responses.
Limit access to Route 53 APIs: Use AWS Identity and Access Management (IAM) to control access to the Route 53 APIs and resources.
Use a separate AWS account for Route 53: Use a separate AWS account for your Route 53 resources to minimize the potential impact of a security breach.
Enable query logging: Enable query logging for your Route 53 hosted zones to monitor DNS queries and detect potential security issues.
Monitor Route 53 metrics: Monitor Route 53 metrics, such as latency and error rates, to detect potential security issues or performance problems.
Enable DNS query whitelisting: Enable DNS query whitelisting to limit access to your Route 53 hosted zones to authorized IP addresses only.