AWS InfoSec Implementation : Best Practices Checklist

ComplyScore manages third party assessments to take away the hassle of vendor assessments from their clients. It is tailored to meet specific needs and quickly identify, track, and measure all integral vendors to ensure the services they provide to your organization are secure.

This checklist helps you assess the best practices implemented by the vendor and evaluate their internal AWS implementations.

Security of Root Account

Disable Root API access

Delete root Access key (access key ID and secret access key) if one is created

Do not use root access to manage the AWS environment

Setup an alert when root access is used

Setup MFA for root account

Access Management

Rotate access keys once every 90 days

Enable MFA for all accounts that have console access or have access to system administration functions

Assign unique IAM user names for each user

Attach IAM policies only to groups or roles

Assign permissions to IAM Users strictly using groups

Run applications on EC2 instances using IAM roles

https://complyscore.com/ | 609-256-4579 | [email protected]


Network

No security groups should allow ingress from 0.0.0.0/0 to port 22

No security groups should allow ingress from 0.0.0.0/0 to port 3389

Use security groups to control inbound and outbound traffic
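As an added check (example code, not part of the ComplyScore checklist): a Python audit that flags the two security-group conditions above over data shaped like the EC2 DescribeSecurityGroups response. The group IDs and rules are constructed samples.

```python
# Added check for the two items above: flag ingress from 0.0.0.0/0 or ::/0 to
# tcp/22 (SSH) or tcp/3389 (RDP). Input mirrors the shape of the EC2
# DescribeSecurityGroups response; the sample below is constructed, not real.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_is_world_open(rule):
    """True if the rule admits traffic from any IPv4 or IPv6 source."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & ANY_CIDRS)

def rule_covers_port(rule, port):
    """True if the rule's protocol/port range includes tcp/`port`; "-1" means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports; FromPort/ToPort are absent
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def find_violations(security_groups):
    """Return sorted (group_id, port, service) tuples for every world-open sensitive port."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_is_world_open(rule):
                continue
            for port, service in SENSITIVE_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.add((sg["GroupId"], port, service))
    return sorted(findings)

# Constructed sample: open SSH, RDP hidden in a wide IPv6 range, an all-traffic rule, and a clean group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example4", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
```

Against a live account the same functions can be fed the `SecurityGroups` list returned by `aws ec2 describe-security-groups`.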

Monitoring, Encryption & Other controls

Monitor Activity in Your AWS Account

Enable logging for all resources

Integrate CloudTrail with CloudWatch Logs

Enable AWS Config in all regions

Encrypt CloudTrail logs at rest using KMS CMKs

Rotate customer created CMKs

Enable S3 Bucket access logging

Enable VPC Flow Logging

Deny public access to S3 buckets [Many breaches have been reported in this category]

Enable Server-side encryption (SSE) to encrypt sensitive data

Encrypt Inbound and outbound S3 traffic

Conduct a risk assessment of AWS environment

Maintain a structured asset library for AWS using AWS Config. [We regularly find that vendors do not have a formal asset library for AWS]

Maintain a cross reference between policies and user counts. This will highlight areas where a sensitive policy has been overused.


AWS offers multiple tools to manage security. An assessment of which tools are used gives a good indication of the vendor's security posture.

Enabling alarms on sensitive events is critical to securing the environment. Alarms should be enabled for the following events:

Unauthorized API calls

Management Console sign-in without MFA

Usage of 'root' account

IAM policy changes

Configuration changes

Disabling or scheduled deletion of customer created keys

Storage policy changes

Security group changes

Changes to Network Access Control Lists

Changes to network gateways

Route table changes


AWS security tools by monitoring area (from the checklist graphic):

Resource Configuration: AWS Config, AWS Trusted Advisor

User Activities: CloudTrail, CloudWatch

Network Traffic: VPC Flow Logs

Host Vulnerabilities/Activities: Amazon Inspector, GuardDuty
