Sunday, August 30, 2020

Information Security | Cloud Platform Security Checklist

 

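With cloud platforms such as AWS and Azure being used heavily in recent years, Peggy has had the chance to work with quite a few of the related ISO certifications and security practices.

These practices are important and practical, so I recently spent some time taking stock of them and organizing them below for anyone who needs them.

They were mainly collected from the projects I have worked on, so other good practices may not be covered here. Discussion is welcome.

The practices for each category are as follows...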

Access control 

  • Integrate with AD (suggested)
  • Enable MFA (Multi-Factor Authentication) (suggested)
  • Use different accounts for different environments. Ex. the production environment should not use the same account as Dev
  • In the production environment, grant admin privileges only to managers and leaders
  • Do not save credentials in code or instance data
  • Console access: only for necessary members.
  • Regularly review the account list for members who have left or transferred to another team
  • In AWS, use VPC Network ACLs or EC2 security groups to control inbound access to instances.
  • Follow the least privilege principle
  • Do not allow access to the instances' OS layer as the root user
  • Delegate access through roles rather than through credentials

Encryption 

  • Enable the cloud service's built-in encryption features.
    • For example, server-side encryption for storage in AWS
  • HTTPS is recommended for all data transmission, over both the internet and the intranet
  • Use the Key Management Service provided by the cloud service (AWS KMS)

Log Management

  • In AWS, enable CloudTrail in all regions.
    • Based on previous experience, the S3 access log alone is not enough. Some logs may be missed.
  • Audit logs must be enabled and kept for at least 5 years
  • Audit logs should record: who (account), where (ex. IP), when, and what was accessed
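
As an added example (not from the original post), the sketch below maps CloudTrail records onto the who / where / when / what fields listed above and flags records that lack one of them, plus console logins made without MFA (the Access control item). The sample records, account ID, ARNs and IP addresses are constructed, and the function names are hypothetical.

```python
import json

# Constructed CloudTrail-style records (sample data, not real logs).
SAMPLE_RECORDS = json.loads("""
[
  {"eventTime": "2020-08-30T02:14:07Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
   "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2020-08-30T02:20:41Z", "eventSource": "s3.amazonaws.com",
   "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
   "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
  {"eventTime": "2020-08-30T02:31:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "StopInstances", "userIdentity": {"type": "IAMUser"}}
]
""")

def audit_fields(record):
    """Map one record to the checklist's who / where / when / what."""
    identity = record.get("userIdentity", {})
    what = record.get("eventName")
    resources = [r.get("ARN") for r in record.get("resources", []) if r.get("ARN")]
    if what and resources:
        what = f"{what} {','.join(resources)}"
    return {
        "who": identity.get("arn"),
        "where": record.get("sourceIPAddress"),
        "when": record.get("eventTime"),
        "what": what,
    }

def review(records):
    """Return (index, finding) pairs for records that fail the checklist."""
    findings = []
    for i, rec in enumerate(records):
        missing = [k for k, v in audit_fields(rec).items() if not v]
        if missing:
            findings.append((i, "missing " + ",".join(missing)))
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec.get("eventName") == "ConsoleLogin" and mfa != "Yes":
            findings.append((i, "console login without MFA"))
    return findings

if __name__ == "__main__":
    for index, finding in review(SAMPLE_RECORDS):
        print(index, finding)
```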


Safe Configuration

  • Do not include plain text secrets in infrastructure as code.
  • Review and remove unnecessary or unused features
  • Do not put the company's proprietary code in external public storage

Incident management

  • For every incident, evidence must be kept and the incident reported to InfoSec immediately

Other practices... 

  • Penetration test
  • Vulnerability assessment
  • Code scan: ex. Fortify
  • Service architecture design review
  • DeepSecurity agent on service servers (our company's product)
  • Only turn on Bastion when necessary
  • Information security requirements and specifications should be considered for new features or product development.





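If you would like to repost this article, please get in touch by email to discuss. When reposting, do not modify the content or title, and keep all links intact. Commercial use is prohibited. Please credit the original title, link, and author.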
