In consultation with Cornell IT Security Office and Cornell financial administrators, two "standard" configurations of AWS accounts have been defined, one for general uses and one for research. Each configuration follows AWS, Cornell, and security best practices.
TO DO : nat gateway, ip space, shibboleth, duo, fire walls, security groups, etc.
| Link/Description | General Configuration | Research Configuration | |
|---|---|---|---|
| Security - AWS Config enabled | y | y | |
| Security - CloudTrail enabled for all activity in all regions | y | y | |
| Security - root account protected with multifactor authentication | root account should not be used for regular administration and MFA key should be locked in secure location | y | y |
| Security - no access keys associated with root account | y | y | |
| Security/Business - integrated with CloudCheckr | y | y | |
| Security - user access controlled by Cornell AD group membership and integrated with Cornell Shibboleth | y | ? | |
| Security - access for users with administrative privileges utilize Cornell Duo for authentication | y | ? | |