Cloud Security Cheat Sheet

Here is a quick reference to cloud security. Although it is based on Amazon Web Services (AWS), it applies to any cloud environment. This is by no means a comprehensive or complete list; however, it is enough to get you started in the right direction.

First of all, I want to list the top 10 Cloud Security Vulnerabilities that you need to be aware of:

1. Data breaches
2. Insufficient identity, credential, and access management
3. Insecure interfaces and application programming interfaces (APIs)
4. System vulnerabilities
5. Account hijacking
6. Malicious insiders
7. Advanced persistent threats (APTs)
8. Data loss
9. Insufficient due diligence
10. Abuse and nefarious use of cloud services

For more detailed information on the above items, go here

Below is a quick list of items to help address these issues:

Category                    Mitigation
App                         Adhere to OWASP
                            Do not display system errors to application users
                            Peer review code
                            Do not store passwords or other private data in source code
                            Use only system roles for system-to-system access
Data                        Data encryption
                            Frequent encrypted and securely stored backups with a retention policy, on/off site
                            Implement file versioning
                            Implement MFA file deletion policies
System                      Deep logging and monitoring
                            Monitor, measure, review; internal / external audits
                            Do not store sensitive data in logs
                            Enforced user Terms and Conditions
                            Do not use the root AWS account
                            Intrusion and penetration detection
                            Lock down all ports not used
                            Patching process where needed (when the cloud provider does not take care of this)
                            Use a bastion host for all system administration
                            Use proper firewall settings
                            Use SSH forwarding from the bastion server
                            Use virus and malware detection where possible
                            From the public Internet, connect to the bastion host over Direct Connect or a VPN connection (IPsec tunnel)
                            Properly planned public/private subnets
                            Use VPN endpoints to keep calls internal
                            Vulnerability assessments
System, App                 Proper key management
                            Segment and isolate layers of the system
                            Use anomaly detection and exponential back-off
                            Use HTTPS/TLS and certificates or short-lived keys
                            Use Security Groups (stateful, so a rule applies to both directions of a connection) and NACLs (stateless) to limit port and IP access
System, User Access         Deny all access and only allow what's necessary
                            Network monitoring
System, User Access, App    Penetration and intrusion detection
User Access                 Assign policies to groups
                            Assign users to groups
                            Delete or deactivate any unused accounts
                            Password strength and expiration policies
                            Proper internal account retirement procedures
                            Strong and expiring passwords
User Access, App            Limit access
User Access, Data           MFA
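As an added example (not part of the original cheat sheet), a small Python audit for the "lock down all ports not used" and Security Group items above. It parses constructed input shaped like the output of `aws ec2 describe-security-groups` and flags ingress rules reachable from the whole Internet on anything other than HTTPS; the group IDs, addresses and the choice of 443 as the only public port are assumptions.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output (hypothetical IDs).
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0123bastion", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0456web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})

WORLD = {"0.0.0.0/0", "::/0"}
# Ports that may legitimately be reachable from anywhere (assumption: public HTTPS only).
PUBLIC_OK = {443}

def audit_security_groups(describe_json, public_ok=PUBLIC_OK):
    """Return (group_id, rule, sources) for ingress rules open to the whole Internet.

    Security groups are stateful: an allowed inbound connection gets its replies
    back automatically, so a world-open rule exposes the full service.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = sorted(c for c in cidrs if c in WORLD)
            if not world:
                continue  # only specific sources; not in scope for this check
            if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
                findings.append((sg["GroupId"], "all traffic", world))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [p for p in range(lo, hi + 1) if p not in public_ok]
            if exposed:
                findings.append((sg["GroupId"], f"{perm['IpProtocol']} {lo}-{hi}", world))
    return findings

if __name__ == "__main__":
    for group, rule, sources in audit_security_groups(SAMPLE):
        print(f"{group}: {rule} open to {', '.join(sources)}")
```

Run it against real output with `aws ec2 describe-security-groups > sgs.json` and pass the file contents in place of SAMPLE.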

Written for ServerlessArchitecture.com
Written by Jeff Mangan