In consultation with Cornell IT Security Office and Cornell financial administrators, two "standard" configurations of AWS accounts have been defined, one for general uses and one for research. Each configuration follows AWS, Cornell, and security best practices. Not all best practices can be implemented by policy and configuration. Individual AWS users also need to follow best practices see the Cloudification Services Tech Blog and AWS IAM best practices documentation.
For details of specific AWS resources created in Cornell AWS accounts, see Resources Created and Managed in Cornell AWS Accounts.
Area | Configuration | Link/Description | General Configuration | Research Configuration |
---|
Security/Network | |
standard Virtual Private Network configuredSee specifics below?as needed |
Security/Network | AWS VPC connected to on-campus network | Private on-campus subnets are connected to AWS VPC subnets |
through a transparent secure connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). AWS Virtual Private Gateways and Customer (Cornell) Gateways are provisioned and configured appropriately.Ultimately this connectivity will be routed through using an AWS Direct Connect connection from campus to AWS. |
http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html Network traffic egress from AWS using the Direct Connect will be billed at a lower rate than egress over the public internet?as needed |
Security/Network | AWS VPC subnets are assigned to managed, private IP spaces | This ensures that Cornell private subnets (on-campus and in AWS) do not overlap and that private subnets are transparently and securely routed to AWS VPC subnets. |
https://confluence.cornell.edu/display/CLOUD/10+Space+Allocation?as needed |
Security/Network | private AWS VPC subnets are provisioned with a NAT Gateway | This provides a secure route to the public internet so that AWS EC2 instances can retrieve software updates and remain un-exposed to the public internet. |
(http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html)?as needed |
Security/Network | AWS VPC are provisioned with AWS Internet Gateways | This provides AWS EC2 instances running in public VPC subnets access to the internet and vice versa. |
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.htmly | ? | | | | |
|
Security/Network | Baseline Network ACL configured for all subnets | The baseline NACL allows full access between 10-space and Cornell public IPs, but limits access from the world to ports above 1024 and to 22, 80,443. | y |
? | Security/Business | AWS account integrated with CloudCheckr and Spot.io | CloudCheckr reports provide suggestions for improving security, reducing costs. It also supports detailed reporting based on AWS labels to e.g., divide account charges to multiple Cornell financial accounts within a single Cornell unit |
. http://support.cloudcheckr.com/reports/best-practice-report/ | | | | Business | AWS Cost Explorer access | Each Cornell AWS account has access to the AWS Cost Explorer service to view history and projected costs for that account. Cost Explorer is generally easier to use than CloudCheckr, but it has less flexibility that CloudCheckr and requires AWS account access (something that Cornell financial staff may not want). | y | y |
|
|
|
|
|
Security | AWS CloudTrail enabled for all activity in all regions | CloudTrail logs all AWS API calls in all regions for auditing purposes. |
(https://aws.amazon.com/documentation/cloudtrail/)Config rules monitor infrastructure and will alarm if, e.g., CloudTrail becomes disabled for an account. (AWS Config is a service that supports assessment, auditing, and evaluation of the configurations of AWS resources. The Cornell Config deployment utilizes Organization-wide Config Rules that check standard configurations and best practices. | y | y |
Security | AWS Flow Logs configured | All VPCs are configured to capture flow logs. http://docs. |
https://documentationconfig/) |
| y | y |
Security | AWS root account protected with multifactor authentication | root account should not be used for regular administration and the MFA key should be locked in secure location | y | y |
Security | no access keys associated with root account |
|
| y | y |
Security | user access controlled by Cornell AD group membership and integrated with Cornell Shibboleth |
http://www.it.cornell.edu/services/shibboleth/; Shibboleth at Cornell Page?y |
Security | access for users with administrative privileges utilize Cornell Duo for authentication | See User Access Control for AWS Accounts IAM users can be used for service/programmatic access. |
Cornell Duo (aka Two-Step Login): http://www.it.cornell.edu/cms/services/twostep/howto/twostep_login.cfm | y | y |
Security | baseline IAM password policy configured | The password policy will enforce complex passwords in the rare instances when an IAM user requires a password. |
to be implemented | to be implementedRO Read Only role for AWS resources | This role allows the Cloudification Team to view Cornell AWS accounts while troubleshooting and offering assistance, while ensuring that account owners maintain account integrity |
.under consideration | under consideration | | | | |