In consultation with Cornell IT Security Office and Cornell financial administrators, two "standard" configurations of AWS accounts have been defined, one for general uses and one for research. Each configuration follows AWS, Cornell, and security best practices. Not all best practices can be implemented by policy and configuration. Individual AWS users also need to follow best practices see the Cloudification Services Tech Blog and AWS IAM best practices documentation.

For details of specific AWS resources created in Cornell AWS accounts, see Resources Created and Managed in Cornell AWS Accounts.

AreaConfigurationLink/DescriptionGeneral ConfigurationResearch Configuration

The Cornell Shared AWS VPC provides access to the private Cornell network without the need to manage VPC resources. For needs not met by the Shared VPC offerings, the Cornell Standard VPC is customizable VPC owned and managed by customers.

yas needed
Security/NetworkAWS VPC connected to on-campus network

Private on-campus subnets are connected to AWS VPC subnets using an AWS Direct Connect connection from campus to AWS.  See Cornell AWS Direct Connect.

yas needed
Security/NetworkAWS VPC subnets are assigned to managed, private IP spacesThis ensures that Cornell private subnets (on-campus and in AWS) do not overlap and that private subnets are transparently and securely routed to AWS VPC subnets.yas needed
Security/Networkprivate AWS VPC subnets are provisioned with a NAT Gateway

This provides a secure route to the public internet so that AWS EC2 instances can retrieve software updates and remain un-exposed to the public internet. See AWS NAT Gateway documentation.

yas needed
Security/NetworkAWS VPC are provisioned with AWS Internet GatewaysThis provides AWS EC2 instances running in public VPC subnets access to the internet and vice versa. (Not application to Shared AWS VPC options.)yas needed
Security/NetworkBaseline Network ACL configured for all subnetsThe baseline NACL allows full access between 10-space and Cornell public IPs, but limits access from the world to ports above 1024 and to 22, 80,443.yas needed

Security/BusinessAWS account integrated with CloudCheckr and

CloudCheckr reports provide suggestions for improving security, reducing costs. It also supports detailed reporting based on AWS labels to e.g., divide account charges to multiple Cornell financial accounts within a single Cornell unit. See CloudCheckr - Cost, Inventory, Security, Utilization reporting

(info) As of we are in the process of giving access to Cornell AWS accounts. CloudCheckr has been purchased by Spot.

BusinessAWS Cost Explorer access

Each Cornell AWS account has access to the AWS Cost Explorer service to view history and projected costs for that account. Cost Explorer is generally easier to use than CloudCheckr, but it has less flexibility that CloudCheckr and requires AWS account access (something that Cornell financial staff may not want).


SecurityAWS CloudTrail enabled for all activity in all regionsCloudTrail logs all AWS API calls in all regions for auditing purposes. See Cornell Standard AWS CloudTrail Configurationyy
SecurityAWS Config enabled with Organization-wide RulesAWS Config is a service that supports assessment, auditing, and evaluation of the configurations of AWS resources. The Cornell Config deployment utilizes Organization-wide Config Rules that check standard configurations and best practices.yy
SecurityAWS Flow Logs configuredAll VPCs are configured to capture flow logs.
Securityaccess to AWS account by ITSO in cases of security issues
SecurityAWS root account protected with multifactor authenticationroot account should not be used for regular administration and the MFA key should be locked in secure locationyy
Securityno access keys associated with root account
Securityuser access controlled by Cornell AD group membership and integrated with Cornell ShibbolethSee User Access Control for AWS Accountsyy
Securityaccess for users with administrative privileges utilize Cornell Duo for authentication

See User Access Control for AWS Accounts

IAM users can be used for service/programmatic access.

Securitybaseline IAM password policy configuredThe password policy will enforce complex passwords in the rare instances when an IAM user requires a password.yy
SecurityRead Only role for AWS resourcesThis role allows the Cloudification Team to view Cornell AWS accounts while troubleshooting and offering assistance, while ensuring that account owners maintain account integrity.yy
SecurityManagement Role for AWS ResourcesThis role allows scripted management of these standard account configurations by the AWS Organization master account.yy
SecurityIAM Access Analyzer enabled in all active regionsThe AWS Identity and Access Management Access Analyzer identifies AWS resources that can be accessed by external entities (e.g., other AWS accounts). See Cornell Standard Configuration for AWS IAM Access Analyzer for details.yy
SecurityKey Security Events Captured by EventBridge RulesEventBridge Event Rules are configured in all Cornell AWS accounts to capture activity that is or could be an indicator of an account breach or malicious activity. See Cornell Standard Configuration for AWS Security Events for details.yy
SecurityRegional Restriction featureCornell AWS accounts can optionally enable Regional Restriction to have account activity restricted to the four US-based AWS regions.yy
SecurityGithub Actions OIDC ProviderWith the Github OIDC provider, Cornell cloud practitioners can use IAM Roles instead of access keys linked to AWS IAM users when a Github Action workflow requires access to a Cornell AWS account. See Github OIDC Provider for Cornell AWS Accounts for details.yy
  • No labels