In consultation with Cornell IT Security Office and Cornell financial administrators, two "standard" configurations of AWS accounts have been defined, one for general uses and one for research. Each configuration follows AWS, Cornell, and security best practices. Not all best practices can be implemented by policy and configuration. Individual AWS users also need to follow best practices see the Cloudification Services Tech Blog and AWS IAM best practices documentation.
TO DO : nat gateway, ip space, shibboleth, duo, fire walls, security groups, etc.
...
| Link/Description | General Configuration | Research Configuration | |||
|---|---|---|---|---|---|
| ConfigurationSecurity | |||||
| Security/Network - standard Virtual Private Network configured and connected to on-campus network | on-campus subnets are connected to AWS VPC subnets through a transparent VPN connection. | y | ? | ||
| Security/Business - integrated with CloudCheckr | CloudCheckr reports provide suggestions for improving security and reducing costs. http://support.cloudcheckr.com/reports/best-practice-report/ | ||||
| Security - AWS Config enabled | Config rules monitors infrastructure and will alarms if, e.g., CloudTrail becomes disabled for an account. | y | y | ||
| Security - CloudTrail enabled for all activity in all regions | CloudTrail logs all AWS API calls in all regions for auditing purposes | y | y | ||
| Security - root account protected with multifactor authentication | root account should not be used for regular administration and the MFA key should be locked in secure location | y | y | ||
| Security - no access keys associated with root account | y | y | |||
| Security/Business - integrated with CloudCheckr | y | y | |||
| Security - user access controlled by Cornell AD group membership and integrated with Cornell Shibboleth | y | ? | |||
| Security - access for users with administrative privileges utilize Cornell Duo for authentication | IAM users can be used for service/programmatic access. | y | ? | ||