隨著近幾年AWS 與Azure等Cloud platform 被大量的使用,Peggy 有機會接觸到比較多相關的IOS 認證與security practice。
這些Practice 還蠻重要且實際的,最近花點時間盤點整理如下,給有需要的朋友參考。
這些主要是從相關專案接觸過的部分收集與整理,可能還有其他不錯的Practice 沒有涵蓋在內,也歡迎討論。
以下為各個類別的practices...
Access control
- Suggest to integrate with AD
- Suggest to enable MFA (Multi-Factor Authentication)
- 不同環境不同account. Ex. production 環境不要Dev 的一樣
- Production 環境裡admin 權限只給 manager 和leaders
- Do not save credentials in code or instance data
- Console access: only for necessary members.
- Review account list for leaving or transfer to the other team regularly
- In AWS, use VPC Network ACLs or EC2 security groups to control inbound access to instance.
- least privilege principle
- Can Not access instances’ OS layer as root user
- Instead of delegate through credentials, leverage roles is better
Encryption
- Enable Cloud Service built-in encryption features.
- For example, server side encryption for storage in AWS
- HTTPS is recommended for all data transmission which include internet and intranet
- Use Key Management Service provided by Cloud Service (AWS KMS)
Log Management
- In AWS, enable CloudTrail in all regions.
- Based on previous experience, S3 access log is not enough. Some logs may be missed.
- Audit logs must be enabled and keep for at least 5 years
- Audit logs : who (account), where( ex. IP) , when , access what
Safe Configuration
- Should not include plain text secrets as part of the infrastructure as code.
- Review and remove unnecessary/not used features
- Do not put company's proprietary code to external public storage
Incident management
- All incidents must keep evidence and report to InfoSec immediately
Other practices...
- 滲透測試 (penetration test)
- Vulnerability Assessment
- Code scan : ex. Fortify
- Service architecture design Review
- DeepSecurity agent in service server ( 敝公司產品)
- Only turn on Bastion when necessary
- Information security requirements and specifications should be considered for new features or product development.
若有您轉貼需求,請來信討論。 轉貼時禁止修改內容及標題且保持所有連結。禁止商業使用,請註明原文標題、連結以及作者。
非常實用, 感謝分享
回覆刪除謝謝你,很高興這篇文章有點幫助。
回覆刪除