Cloud
Guardrails

Adopting a well-defined and documented tagging strategy to assist with resource tracking, cost management, security, compliance, and incident management.

Always

Restrict the regions that you run in to only those you operate in, to avoid unnecessary attack surface/cost/complexity.

All copmanies using AWS organizations

Enable cloudtrail logs for more than 90 days to facilitate investigating changes to resources.

Always applies

Configure automatic daily snapshots of RDS databases for backup purposes.

Always

Enforce a bucket pattern with versioning to prevent malicious tampering and facilitate recovery

All important data

Require approval for adding new access to trusted/privileged resources.

As early as possible

Avoid using IAM users for popular services by creating a pattern to enable OIDC integrations.

Always

AWS allows for contact info for billing/operations/security to be separated from the root user. This should be used to limit the employees with access to the root user email.

Always

Ensure your backups work by testing them on an interval.

Always

Require replication to another account for disaster recovery

When effective DR is required

Any exposure of a resource to truly public (aka not restricted by Condition) users should require additional approval

Resources that are meant to be public, such as S3 buckets containing non-proprietary web assets or public datasets.

Protect AWS credentials from SSRD vectors by enforcing AWS IMDSv2

Always

Require lifecycle policy on S3 buckets for things like logs (1 yr deletion recommended)

Always

Require autoscaling groups for resilient deployments in case your EC2 instances fail.

For relaible EC2 in AWS

For incident response and archaeology, all instances should have some sort of breakglass mechanism for direct access. A protected role with SSM access and/or tagging requirements on the instance can facilitate this.

Requiring infrastructure code to pass security linting checks before merging pull requests (PRs) to convergence branches is a critical security measure that can help prevent security issues from being introduced into the production environment.

To all IaC

Enable multi-factor authentication on the root account with alerting.

All AWS accounts

Require S3 bucket replication to another account and region

When recovery is necessary

When handling sensitive data in the cloud, it is important to ensure that the cloud services being used meet certain security, compliance, and governance requirements.

Always

Create a Cold account for copying in data that can't be deleted.

Applies if you have data that has to persist for business operation, regulatory or legal reasons.