AWS cloud security best practices

2025-04-05 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

1. Account and access management

1.1 Multi-VPC or multi-account mode
A single team can use multi-VPC mode to create and manage its application environments. Multiple teams should use multi-account mode, which manages and isolates each team's application environments in separate accounts.

1.2 In multi-account mode, choose a dedicated management (master) account
Use a dedicated management account in which no AWS workload resources are created.
Enable MFA on this account, including its root user, and do not use the root user for day-to-day work.
AWS Control Tower can be used to set up and govern the multi-account environment.
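Section 1.2 says the root user should carry MFA and should not be used for day-to-day work, and section 4.1 below keeps CloudTrail on in every region; the control that ties the two together is watching CloudTrail for root-user activity. The following Python is an added example, not code from the original article: it parses the {"Records": [...]} envelope CloudTrail delivers to S3 and ranks every event made with root credentials. The sample records are constructed (documentation IP range, example account ID); the field names follow the CloudTrail record format, while the skipping of service-initiated events (those carrying invokedBy) and the severity ranking are this example's own choices.

```python
"""Flag root-user activity in CloudTrail records (added example, not from the article)."""
import json
from typing import Dict, Iterable, List

# Root calls whose name starts with these prefixes only read state; anything else changes it.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def load_records(raw_json: str) -> List[Dict]:
    """Parse the {"Records": [...]} envelope of one CloudTrail log file (gunzip it first)."""
    return json.loads(raw_json).get("Records", [])


def find_root_activity(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per event made with root credentials, highest risk first."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        if ident.get("type") != "Root":
            continue
        # Calls an AWS service makes on the account's behalf carry invokedBy;
        # they are not a person holding root credentials, so this example skips them.
        if ident.get("invokedBy"):
            continue
        name = rec.get("eventName", "")
        if name == "ConsoleLogin":
            success = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa_used = (rec.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
            if not success:
                severity, reason = "MEDIUM", "failed root console login attempt"
            elif not mfa_used:
                severity, reason = "HIGH", "root console login without MFA"
            else:
                severity, reason = "MEDIUM", "root console login (MFA used)"
        elif name.startswith(READ_ONLY_PREFIXES):
            severity, reason = "LOW", f"root read-only call {name}"
        else:
            severity, reason = "HIGH", f"root change call {name}"
        findings.append({
            "time": rec.get("eventTime"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": name,
            "severity": severity,
            "reason": reason,
        })
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample log file: account 123456789012 and 203.0.113.0/24 are documentation values.
ROOT = {"type": "Root", "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-04-05T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2025-04-05T09:15:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11", "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2025-04-05T09:20:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"}},
    {"eventTime": "2025-04-05T09:31:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10", "userIdentity": ROOT},
    {"eventTime": "2025-04-05T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeRegions", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": dict(ROOT, invokedBy="AWS Internal")},
]})

if __name__ == "__main__":
    for f in find_root_activity(load_records(SAMPLE_LOG)):
        print(f["severity"], f["time"], f["source_ip"], f["reason"])
```

In production the same functions run over every object under the trail's S3 prefix (or over events forwarded to CloudWatch Logs); the HIGH findings, a root console login without MFA and a root CreateAccessKey, are the ones that should page someone.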

2. System architecture security

2.1 Subnets
Start with at least 2 subnets in each Availability Zone; use subnets to restrict Internet access (private subnets); consider larger subnets (/24 or larger) so that address space does not run out later.

2.2 Subnet layering per Availability Zone
Start with at least 1 public subnet and 1 private subnet in each Availability Zone. If a three-tier application architecture is adopted, use a three-layer subnet structure to match it: a public subnet, a private subnet and a sensitive subnet.

2.3 Security groups
Security groups allow all outbound traffic by default, and the recommendation is to keep that default outbound rule: modifying it adds complexity, so do not do so unless a compliance requirement demands it. (Security groups are stateful, so only the initiating direction of a connection needs a rule; restricting egress mainly pays off in sensitive subnets where outbound connections must be controlled.) Most enterprises configure inbound rules in a security group for each type of application. Prefer another security group as the source of a rule rather than an IP range; for instances in the same security group to communicate with each other, add an inbound rule whose source is the security group itself.

2.4 Network ACLs
Use a NACL when traffic from a particular source or port must be explicitly denied (security groups only have allow rules), or when a subnet must not access the Internet at all. NACLs are stateless, so both directions, including the ephemeral return ports, must be allowed explicitly.

2.5 VPC interconnection
Most applications do not need a dedicated link, or need less than 4 Gbps of transfer bandwidth, so a site-to-site VPN is recommended. If an application needs a more stable link, larger bandwidth and lower access latency, consider Direct Connect.

2.6 IAM
Attach IAM policies to groups rather than to individual users; use IAM roles so that access keys are never hard-coded in application code; enable MFA for important users; configure the account password policy and rotate keys and passwords regularly.

3. Data classification and protection

3.1 KMS storage encryption
Classify data according to enterprise needs or compliance requirements.
Apply a different encryption strategy to each data level, for example separate KMS keys per classification.
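The IAM recommendations in 2.6 (MFA for important users, regular rotation of keys and passwords) and the dedicated root user of 1.2 can all be checked from one source: the IAM credential report, a CSV with one row per user plus a <root_account> row. The following Python is an added example, not code from the original article. It audits a report for root access keys, console users without MFA, and keys or passwords older than a rotation baseline. The 90-day baseline and the severity labels are this example's assumptions; the sample report is constructed and carries only a subset of the report's columns (extra columns are ignored by the parser), and fetch_credential_report() shows the live download but is not used by the offline sample.

```python
"""Audit an IAM credential report for MFA and credential-age issues (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_KEY_AGE_DAYS = 90       # assumed rotation baseline; align with your own policy
MAX_PASSWORD_AGE_DAYS = 90


def _parse_time(value: str) -> Optional[datetime]:
    """The report uses ISO-8601 timestamps, or N/A / no_information / not_supported."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> List[Dict]:
    """Return findings for root access keys, missing MFA, and stale keys or passwords."""
    findings: List[Dict] = []

    def add(user: str, severity: str, issue: str) -> None:
        findings.append({"user": user, "severity": severity, "issue": issue})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        # The root row reports password_enabled as not_supported, so root is checked by name.
        if (has_password or is_root) and row["mfa_active"] != "true":
            add(user, "HIGH", "console access without MFA")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:  # section 1.2: the root user runs no workloads, so it needs no keys
                add(user, "HIGH", f"root account has an active access key (slot {slot})")
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                add(user, "MEDIUM", f"access key {slot} not rotated for {(now - rotated).days} days")
        if has_password:
            changed = _parse_time(row["password_last_changed"])
            if changed and now - changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
                add(user, "MEDIUM", f"password not changed for {(now - changed).days} days")
    return findings


def fetch_credential_report() -> str:
    """Download the live report (needs AWS credentials and iam:GenerateCredentialReport)."""
    import time
    import boto3  # imported here so the offline sample runs without boto3 installed
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # generation is asynchronous; poll until the report is ready
    return iam.get_credential_report()["Content"].decode("utf-8")


# Constructed sample in the report's CSV layout (subset of columns, example account ID).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,not_supported,2025-04-01T10:00:00+00:00,2022-01-01T00:00:00+00:00,not_supported,false,true,2023-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-05-01T00:00:00+00:00,true,2025-04-04T09:00:00+00:00,2025-03-01T00:00:00+00:00,2025-05-30T00:00:00+00:00,true,true,2024-10-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-05-01T00:00:00+00:00,true,2025-04-03T09:00:00+00:00,2024-06-01T00:00:00+00:00,2024-08-30T00:00:00+00:00,false,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2024-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-03-20T00:00:00+00:00,false,N/A
"""
SAMPLE_NOW = datetime(2025, 4, 5, tzinfo=timezone.utc)


def audit_sample() -> List[Dict]:
    """Run the audit over the constructed report as of SAMPLE_NOW."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for f in audit_sample():
        print(f["severity"], f["user"], f["issue"])
```

Against the sample, the root row yields three findings (no MFA, an active access key, and that key being two years old), bob is flagged for a console password without MFA and a stale password, and ci-bot, a key-only identity with a fresh key, is clean; a key-only identity is still a candidate for replacement by an IAM role as 2.6 recommends.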

3.2 Data encryption in transit
Use a VPN to encrypt traffic between networks, and TLS (HTTPS certificates) to encrypt traffic to applications. The usual pattern is to terminate (offload) TLS on the ELB and forward plaintext to the backend EC2 instances inside the VPC. If end-to-end encryption is required, terminate TLS on the ELB first and then have the ELB open a second encrypted connection to the backend EC2 instances, so that traffic is never in plaintext on the network.

4. Security operations, monitoring and log management

4.1 CloudTrail
Keep the CloudTrail audit log enabled in all regions at all times. Deliver the logs to an S3 bucket in a separate audit account, and use S3 lifecycle management to retain them long-term.

4.2 VPC Flow Logs
Enable Flow Logs for troubleshooting, and during application testing, debugging, commissioning and early launch; feed them into Splunk or other commercial analysis software. Flow Logs record connection metadata (addresses, ports, protocol, accept/reject), not packet contents.

4.3 AWS Config

It is recommended that you enable AWS Config.

Start with the AWS managed rules; then, according to your own security baseline or compliance requirements, write custom rules to implement Compliance as Code.

5. Practice and automation
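The custom rules that 4.3 calls Compliance as Code are Lambda functions that AWS Config invokes with a configuration item and that answer with put_evaluations. The following Python is an added example, not code from the original article: a rule that marks a security group NON_COMPLIANT when any inbound rule opens a port outside an allow-list to 0.0.0.0/0 or ::/0, which enforces the security-group guidance in 2.3. The allowedPorts rule parameter, the tolerance of ICMP, and the acceptance of both the older ipRanges string form and the ipv4Ranges/ipv6Ranges object form of the configuration are this example's assumptions; the invocation event is constructed, and lambda_handler performs the live put_evaluations call while evaluate_event is the pure part that the offline sample exercises.

```python
"""AWS Config custom rule: no Internet-open inbound ports outside an allow-list (added example)."""
import json
from typing import Dict, List, Set, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def parse_allowed_ports(text: str) -> Set[int]:
    """Rule parameter allowedPorts is a comma-separated list such as "80,443"."""
    return {int(p) for p in text.split(",") if p.strip()}


def _world_open_cidrs(perm: Dict) -> List[str]:
    """CIDRs in one ipPermissions entry that mean 'anywhere'. Accepts ipRanges as plain
    strings and ipv4Ranges/ipv6Ranges as {cidrIp}/{cidrIpv6} objects (assumption: both forms)."""
    cidrs = set()
    for entry in list(perm.get("ipRanges") or []) + list(perm.get("ipv4Ranges") or []):
        cidrs.add(entry if isinstance(entry, str) else entry.get("cidrIp"))
    for entry in perm.get("ipv6Ranges") or []:
        cidrs.add(entry if isinstance(entry, str) else entry.get("cidrIpv6"))
    return sorted(c for c in cidrs if c in WORLD_CIDRS)


def evaluate_security_group(configuration: Dict, allowed_ports: Set[int]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one security group's configuration."""
    violations = []
    for perm in configuration.get("ipPermissions") or []:
        cidrs = _world_open_cidrs(perm)
        if not cidrs:
            continue  # source is an internal CIDR or another security group: fine
        proto = perm.get("ipProtocol")
        if proto == "-1":
            violations.append("all protocols open to " + ",".join(cidrs))
        elif proto in ("tcp", "udp", "6", "17"):
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            if lo is None or hi is None or not set(range(lo, hi + 1)) <= allowed_ports:
                violations.append(f"{proto} {lo}-{hi} open to {','.join(cidrs)}")
        # ICMP and other protocols from anywhere are tolerated by this rule
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)[:256]  # Annotation is limited to 256 chars
    return "COMPLIANT", "no Internet-exposed port outside the allow-list"


def evaluate_event(event: Dict) -> Dict:
    """Pure part of the handler: turn the Config invocation into one Evaluation entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem") or {}
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = parse_allowed_ports(params.get("allowedPorts", "80,443"))
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_security_group(item.get("configuration") or {}, allowed)
    return {
        "ComplianceResourceType": item.get("resourceType", "AWS::EC2::SecurityGroup"),
        "ComplianceResourceId": item.get("resourceId", ""),
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report back to Config with the invocation's resultToken."""
    import boto3  # imported here so the offline sample below runs without boto3
    evaluation = evaluate_event(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation: one group with 443 open to the world (allowed) and 22 open over IPv6.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2025-04-05T08:00:00.000Z",
            "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [], "userIdGroupPairs": []},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": [], "userIdGroupPairs": []},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}], "userIdGroupPairs": []},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"allowedPorts": "80,443"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(evaluate_event(SAMPLE_EVENT), indent=2))
```

The IPv6 rule is the one that trips the evaluation: a review that only looks for 0.0.0.0/0 misses ::/0, which is why the example checks both families. Deploy the function with a configuration-change trigger on AWS::EC2::SecurityGroup so every edit to a group is evaluated as it happens, and the Config console then shows the Annotation text as the reason for non-compliance.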


© 2024 shulou.com SLNews company. All rights reserved.
