Cloud
Guardrails

Prevent presigned URLs for all of your resources, not just S3

Unless there are active measures taken in AWS SCP, Resource policies, or IAM policies

Base images can provide a wealth of security benefits, but are also point-in-time snapshots that become stale. Ensure that the base image used for any new image creation is sufficiently fresh.

Always

Deploy all resources to multiple availability zones to facilitative seamless failover.

Always

Utilize Cloudfront OAI with origin type of s3/ Allow ONLY action s3:GetObject to the specific OAI in the bucket policy.

Anyone using Cloudfront with S3 as an origin.

Set up baseline security services by default (logging, monitoring, IAM, etc.) and prevent them from being removed.

This best practice applies particularly when using AWS Organizations to centrally manage multiple AWS accounts as a single entity.

Use single-sign on for user access to simplify the login process and reduce the number of credentials that need to be managed.

Always

To securely serve static assets over the internet, use a private bucket with a Content Delivery Network (CDN) front-end, instead of making the bucket itself public. This provides several advantages over using a public bucket to serve static assets.

This only applies when you want to use an S3 bucket to serve static content.

Limit via an allowlist what AWS services you want your teams to use in that account.

Account setup

Use SystemsManager for SSH, as it is integrated into IAM for access.

For support

The use of public IP address by services running in the cloud should be restricted.

Always

Tightly couple any processes that involve Route53 to their Alias resources to avoid subdomain takeover.

When you point DNS records to cloud infrastructure

Examine configuration changes for all resources with production impact.

Always

Enforce volume encryption at the account level by default.

Compliance driven

Use application-specific roles wherever possible, enabling least-privilege to your roles versus shared roles with a superset of permissions.

Setting this up requires some investment, the practice is probably more relevant for larger companies that have the basics addressed.

Control planes prioritize consistency over availability when issues occur. Setup Route53 so failover is already setup using heath checks.

Application Availability

Block delete calls on persistent data resources by default on IAM roles to avoid accidentally deleting all your data.

Always

Lambdas suffer from the noisy neighbor problem if you don't set a reserve concurrency value

When using lambda

External-facing services should implement protections against DoS through a WAF, to ensure availability of your service(s)

Always

Creating IAM roles that have the necessary permissions, and then assigning those roles to the IAM users who require access to the resources allows you to centralize the management of permissions.

Always

Individual object permissions can create surprising ACL issues and should be avoided in favor of explicit policies on buckets.

Always