2020年8月30日 星期日

資安 | Cloud Platform Security Checklist

 

隨著近幾年AWS 與Azure等Cloud platform 被大量的使用,Peggy 有機會接觸到比較多相關的IOS 認證與security practice。

這些Practice 還蠻重要且實際的,最近花點時間盤點整理如下,給有需要的朋友參考。

這些主要是從相關專案接觸過的部分收集與整理,可能還有其他不錯的Practice 沒有涵蓋在內,也歡迎討論。

以下為各個類別的practices...

Access control 

  • Suggest to integrate with AD
  • Suggest to enable MFA (Multi-Factor Authentication) 
  • 不同環境不同account.  Ex. production 環境不要Dev 的一樣
  • Production 環境裡admin 權限只給 manager 和leaders
  • Do not save credentials in code or instance data
  • Console access: only for necessary members.
  • Review account list for leaving or transfer to the other team regularly
  • In AWS, use VPC Network ACLs or EC2 security groups to control inbound access to instance.
  • least privilege principle
  • Can Not access instances’ OS layer as root user
  • Instead of delegate through credentials, leverage roles is better

Encryption 

  • Enable Cloud Service built-in encryption features. 
    • For example, server side encryption for storage in AWS
  • HTTPS is recommended for all data transmission which include internet and intranet
  • Use Key Management Service provided by Cloud Service (AWS KMS) 

Log Management

  • In AWS,  enable CloudTrail in all regions. 
    • Based on previous experience, S3 access log is not enough. Some logs may be missed.
  • Audit logs must be enabled and keep for at least 5 years
  • Audit logs : who (account), where( ex. IP) , when , access what


Safe Configuration

  • Should not include plain text secrets as part of the infrastructure as code.
  • Review and remove unnecessary/not used features
  • Do not put company's proprietary code to external public storage

Incident management

  • All incidents must keep evidence and report to InfoSec immediately

Other practices... 

  • 滲透測試 (penetration test)
  • Vulnerability Assessment
  • Code scan : ex. Fortify
  • Service architecture design Review
  • DeepSecurity agent in service server ( 敝公司產品)
  • Only turn on Bastion when necessary
  • Information security requirements and specifications should be considered for new features or product development.





若有您轉貼需求,請來信討論。 轉貼時禁止修改內容及標題且保持所有連結。禁止商業使用,請註明原文標題、連結以及作者。

2 則留言:

Peggy的實驗空間| 小書庫 Index card ( 讀書筆記總目錄/書單 )

  一直很喜歡閱讀,也常從閱讀好書中與讀書會得到許多的力量與啟發,不管是在人生的低潮抑或是順遂的時候。在閱讀之路上,這幾年也保持一個習慣。當閱讀到喜歡的書籍,且那陣子時間允許,就會提醒自己閱讀完後整理出心得筆記。一方面藉機鍛鍊寫作肌肉與思路,方便之後的複習和查閱。另一方面,也可以...