AWS Security

Introduction
AWS Security Scanners
AWS Security Reference Architecture AWS SRA
Application Security
Policy as Code with AWS CDK and Open Policy Agent
Payment Card Industry Data Security Standard compliance
AWS IAM
1. Terraform IAM Policy Validator
2. AWS IAM Anywhere
AWS Organizations
AWS Control Tower
AWS Firewalls
AWS WAF Web Application Firewall
AWS Secrets Manager
AWS Vault
Tweets

Introduction

AWS Security Blog
AWS Security
AWS Security docs
Tutorial: Configure Apache Web Server on Amazon Linux to use SSL/TLS
The Most Popular AWS Security Blog Posts in 2015
dzone: Private Subnets Are Broken on AWS
Amazon’s customer service backdoor
Announcing Industry Best Practices for Securing AWS Resources
The Most Viewed AWS Security Blog Posts so Far in 2016
Oracle Database Encryption Options on Amazon RDS
Learn AWS Security Fundamentals with Free and Online Training
How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
Updated Whitepaper Available: AWS Best Practices for DDoS Resiliency
AWS Security Blog: In Case You Missed These: AWS Security Blog Posts from June, July, and August 2016
Amazon Inspector Announces General Availability for Windows
encrypt and decrypt data: Importing Key Material in AWS Key Management Service (AWS KMS) Use your own encryption keys with AWS Key Management Service.
Amazon s2n: AWS’s new Open Source implementation of the SSL/TLS network encryption protocols
dzone: 9 AWS Security Best Practices: Securing Your AWS Cloud Working with Amazon facilities, it is necessary to implement AWS security best practices to ensure the safety of the data and the cloud.
Encrypt global data client-side with AWS KMS multi-Region keys Today, AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another. Multi-Region keys are designed to simplify management of client-side encryption when your encrypted data has to be copied into other Regions for disaster recovery or is replicated in Amazon DynamoDB global tables.
dzone: Removing the Bastion Host and Improving the Security in AWS This article covers the security in AWS and overcoming the classic SSH/RDP jump with a better alternative for all OS.
acloudguru.com: How to audit and secure an AWS account
yobyot.com: AWS multi-region KMS keys and Data Lifecycle Manager: better together
try.jupiterone.com: The Absolute Minimum Every Developer Must Know about AWS Security
How to automate AWS account creation with SSO user assignment
Security practices in AWS multi-tenant SaaS environments Many good tips, from identity management to tenant isolation.
How to use AWS Security Hub and Amazon OpenSearch Service for SIEM
faun.pub: Handling Exposed AWS Access Key
github.com/aws-samples: How to set up continuous replication from your third-party secrets manager to AWS Secrets Manager
medium.com/@neonforge: Why You Shouldn’t Use AWS managed KMS Keys
linkedin.com: Complexities of AWS Security Groups in the Cloud World Do you feel AWS security groups are hard to implement? Are you tired of reconfiguring IP addresses in security groups whenever workloads get restarted or redeployed?
awslabs/cognito-at-edge Serverless authentication solution to protect your website or Amplify application
github.com/aws-samples: Service Control Policy examples Example AWS Service control policies to get started or mature your usage of AWS SCPs.
medium.parttimepolymath.net: No more AWS Access Keys?

AWS Security Scanners

github.com/awslabs/sustainability-scanner: Sustainability Scanner (SusScanner) Validate AWS CloudFormation templates against AWS Well-Architected Sustainability Pillar best practices.

AWS Security Reference Architecture AWS SRA

docs.aws.amazon.com: AWS Security Reference Architecture (AWS SRA) 🌟
aws.amazon.com: Update of AWS Security Reference Architecture is now available A set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

Application Security

docs.aws.amazon.com: Application security Application security (AppSec) describes the overall process of how you design, build, and test the security properties of the workloads you develop. You should have appropriately trained people in your organization, understand the security properties of your build and release infrastructure, and use automation to identify security issues.

Policy as Code with AWS CDK and Open Policy Agent

Realize Policy-as-Code with AWS Cloud Development Kit through Open Policy Agent 🌟

Payment Card Industry Data Security Standard compliance

PCI DSS Standardized Architecture on the AWS Cloud: Quick Start Reference Deployment

AWS IAM

AWS Identity and Access Management - Getting Started
AWS Identity and Access Management (IAM) best practices in 2016
How to Record and Govern Your IAM Resource Configurations Using AWS Config
How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page
New IAMCTL tool compares multiple IAM roles and policies
Bring your own CLI to Session Manager with configurable shell profiles
keepler.io: Gestionando el control de accesos en nuestro data lake en AWS
aws.amazon.com: IAM Access Analyzer now supports over 100 policy checks with actionable recommendations to help you author secure and functional policies
aws.amazon.com: IAM Access Analyzer Update – Policy Validation
netflixtechblog.com: ConsoleMe: A Central Control Plane for AWS Permissions and Access - github.com/Netflix/consoleme
cloudkatha.com: Difference between Root User and IAM User in AWS You Need to Know
ben11kehoe.medium.com: AWS Authentication: Principals (users and roles) in AWS IAM this article uses the boto3, the AWS Python SDK, as an example, but other SDKs have analogous features.
infoq.com: Incorrect IAM Policy Raised Questions About AWS Access to S3 Data
iann0036/iamlive Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy
awsiam.info: AWS IAM Search
daan.fyi: AWS IAM Demystified
willdady/cdk-iam-credentials-rotator: IAM Credentials Rotator AWS CDK construct for rotating IAM user credentials and sending to a third party.
Organizing Your AWS Environment Using Multiple Accounts (white paper for best practices) Reasons you should be using multiple accounts in AWS:
- You can constrain access to sensitive data
- You’ll promote innovation & agility
- You can more easily manage costs
aws.amazon.com: When and where to use IAM permissions boundaries A permissions boundary is an IAM feature that helps your centralized cloud IAM teams to safely empower your application developers to create new IAM roles and policies in Amazon Web Services (AWS).
Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere 🌟 A secure way for on-premises servers, containers, or apps to obtain temporary AWS credentials and remove the need for creating and managing long-term AWS credentials
binx.io: Working with AWS Permission Policies 🌟
Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles
ermetic.com: Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433
globaldatanet.com: .AWS IAM Identity Center Permission Management at Scale Part 2
awstip.com: AWS Permissions Set deep dive
How to monitor and query IAM resources at scale – Part 1 Useful details on how AWS IAM works so that you can use it more effectively.
github.com/aws-samples: Visualize AWS IAM Access Analyzer Policy Validation Findings
thenewstack.io: A Deep Dive into the Security of IAM in AWS How do you tighten up identity access management when you’re using Amazon’s cloud? Here are some best practices and useful tools for keeping everything safe.

Terraform IAM Policy Validator

awslabs/terraform-iam-policy-validator A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practices.

AWS IAM Anywhere

jimmydqv.com: AWS IAM Anywhere 🌟
- Most of us that have worked with cloud long enough has encountered hybrid cloud solutions in one way or another. I often see clients with some parts, or applications, running on-premises that need to call AWS services. I’m working with an client with an application running on-premises. The application gather data from different sources, and then upload the data files to an Amazon S3 Bucket. The data is imported and analyzed in the cloud. Up till now I needed to create an IAM User and generate long lived credentials that the on-premises part could use. That is until the recent release of IAM Anywhere.
- IAM Anywhere rely on Public key Infrastructure (PKI) and exchange x.509 certificates for temporary AWS IAM credentials. You establish a trust between you AWS account and a Certificate Authority (CA), a trust anchor. Certificates issued by that CA can then be used to get credentials. Fields, like the Common Name (CN), in the certificate can be used as conditions in policies to limit what IAM Roles that can be assumed.

AWS Organizations

AWS Control Tower

AWS Control Tower The easiest way to set up and govern a secure multi-account AWS environment
aws.amazon.com: New – AWS Control Tower Account Factory for Terraform
hashicorp.com: HashiCorp Teams with AWS on New Control Tower Account Factory for Terraform AWS Control Tower Account Factory for HashiCorp Terraform (AFT), the evolution of Terraform Landing Zones, offers an easy way to set up and govern a secure, multi-account AWS environment.
aws.amazon.com: Automate AWS Control Tower landing zone operations using APIs

AWS Firewalls

AWS WAF Web Application Firewall

AWS Secrets Manager

AWS Vault

AWS Vault is a tool to securely store and access AWS credentials in a development environment.
AWS: Sourcing AWS CLI Credentials using a Custom AWS CLI Credential Provider and AWS Vault

Tweets

Click to expand!

Do you secure your @awscloud access?

11 secrets hackers don't want you to know 📈.

Number 7 will blow your mind 🤯

A thread 🔽🔽🔽#AWSCommunity
— Andrea Cavagna (@a_cava94) September 6, 2022