Introduction
This document describes items that should be checked during a review of AWS accounts.
Scope
The scope of this review is Cloud Team AWS Accounts.
Review
Config
- Review Config Rule compliance and correct any non-compliant resource configurations. See AWS Config Rules.
- There are two ways to do this:
  - cu-org-root is the aggregator for Organization Config data. In cu-org-root, open Aggregators → Compliance Dashboard, select the team accounts, and review each account from that console.
  - Alternatively, review the local AWS Config Dashboard in each team account.
Generally, Cornell AWS Config Rules in us-east-1 also cover the other regions, so focusing on us-east-1 is sufficient for this review. E.g., rule 151-HIGH-config-all-regions resides only in us-east-1 but checks configuration in all regions.
GuardDuty
- Review findings in each region in cu-cloud-devops, which is our GuardDuty delegated administrator. GuardDuty findings are regional, so check every region the team uses.
- Findings in cu-cloud-devops include only team accounts.
IAM
Access Analyzer
External Access
- Review IAM Access Analyzer external access findings (if any) for unexpected paths to IAM roles or resources from outside the organization.
Unused Access
- Review unused access findings (unused roles, unused access keys, unused permissions) and remove or scope down whatever is no longer needed.
Github Actions Integration
- Ensure that roles assumed by GitHub Actions (through the token.actions.githubusercontent.com OIDC provider) trust only a limited set of our repositories: the trust policy's condition on the sub claim must name specific repos (and, where practical, branches or environments), never a wildcard such as repo:*.
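One way to check this across an account is to audit each role's trust policy for GitHub OIDC statements whose sub condition is missing, uses the wrong operator, or wildcards the org or repository. The script below is an added example for this checklist, not code from the original page; the sample policies, the account ID, and the org name "example-org" are constructed assumptions, and audit_account_roles assumes boto3 and AWS credentials are available.

```python
"""Audit IAM trust policies for GitHub Actions OIDC federation.

Added example for this checklist, not code from the original page. Flags roles
whose trust policy lets the GitHub OIDC provider assume them without pinning
the `sub` claim to specific repositories in our GitHub organization.
Sample policies and the org name "example-org" are constructed for illustration.
"""

OIDC_SUFFIX = "oidc-provider/token.actions.githubusercontent.com"
SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def github_statements(doc):
    """Yield Allow statements whose Federated principal is the GitHub OIDC provider."""
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if any(arn.endswith(OIDC_SUFFIX) for arn in _as_list(principal.get("Federated", []))):
            yield stmt


def _condition(stmt, key):
    """Return (operator, values) for the first condition on `key`, or (None, [])."""
    for op, pairs in stmt.get("Condition", {}).items():
        for k, v in pairs.items():
            if k.lower() == key.lower():
                return op, _as_list(v)
    return None, []


def audit_trust_policy(doc, allowed_orgs):
    """Return a list of finding strings; an empty list means the policy is acceptable.

    Acceptable: every GitHub statement pins `sub` (StringEquals or StringLike) to
    repo:<org>/<repo>:... with <org> in allowed_orgs and no wildcard in <repo>,
    and pins `aud` to sts.amazonaws.com.
    """
    findings = []
    for stmt in github_statements(doc):
        sid = stmt.get("Sid", "<no Sid>")
        op, subs = _condition(stmt, SUB_KEY)
        if op is None:
            findings.append(f"{sid}: no condition on sub; any GitHub repo can assume this role")
        elif op not in ("StringEquals", "StringLike"):
            findings.append(f"{sid}: sub uses operator {op}; expected StringEquals or StringLike")
        else:
            for sub in subs:
                if not sub.startswith("repo:"):
                    findings.append(f"{sid}: unexpected sub value {sub!r}")
                    continue
                # Claim shape is repo:<org>/<repo>:<ref | environment | ...>
                org, _, repo = sub[len("repo:"):].split(":", 1)[0].partition("/")
                if org not in allowed_orgs:
                    findings.append(f"{sid}: sub {sub!r} trusts org {org!r}, which is not ours")
                elif not repo or any(ch in repo for ch in "*?"):
                    findings.append(f"{sid}: sub {sub!r} does not name a specific repository")
        aud_op, auds = _condition(stmt, AUD_KEY)
        if aud_op != "StringEquals" or auds != ["sts.amazonaws.com"]:
            findings.append(f"{sid}: aud is not pinned to sts.amazonaws.com")
    return findings


def _sample_policy(sid, condition):
    """Constructed sample trust policy; only the Condition block varies between samples."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Weak: trusts every repository on GitHub.
WEAK_POLICY = _sample_policy("GitHubAnyRepo", {
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:*"},
})
# Hardened: one repository in our org, main branch only.
HARDENED_POLICY = _sample_policy("GitHubDeployMain", {
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/deploy-tools:ref:refs/heads/main"},
})


def audit_account_roles(allowed_orgs):
    """Audit every role in the calling account; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample run below needs no SDK
    iam = boto3.client("iam")
    results = {}
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            findings = audit_trust_policy(role["AssumeRolePolicyDocument"], allowed_orgs)
            if findings:
                results[role["RoleName"]] = findings
    return results


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_trust_policy(policy, {"example-org"}) or "OK")
```

Run it as-is to see the two constructed samples evaluated; call audit_account_roles({"your-org"}) from a session with iam:ListRoles to sweep a real account. Note that StringEquals treats * literally, so a StringEquals sub of repo:org/* never matches anything; the script still flags it because such a statement is misconfigured either way.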
Inspector
- Review Inspector findings and act on, at least, Critical and High findings.
Trusted Advisor
- Review TA findings.
Abandoned Resources
Review accounts for resources that are no longer used or needed. Examples:
- S3 buckets
- EC2 instances
- Cloud9 instances
- API Gateway APIs
- Lambda functions
- Step functions
Check with the team as to whether anybody still needs these. If the owner is referenced in the resource name (e.g., "pea1-delete-me"), check with that user directly.
Active Tests
Monthly
- Generate a sample GuardDuty finding (e.g., with the CreateSampleFindings API) to validate the notification pathway.
Annually
- Deliberately commit a test access key to a GitHub repository to exercise the exposed-key workflow and notifications, and deactivate the key once the test is complete.