
Security Worksheet

Course: AWS Security Best Practices


By: Lee Atchison

Application Information
Name:
Scale/Sizing Details
# Users: ____________________
# Daily Sessions: ____________________
# Page Views: ____________________
Data Size: ____________________
Other:

Application Interfaces
Name | Usage | Private/Public Network Access | Used by Public? | Used by Staff? | Used by Management?

Application User Types


User Type | Description | Public Network | Private Network
Assets
Asset Name | Owner | Category | Dependencies | Liability/Notes
AWS Information
Accounts
Account Name | Alias | AWS Acct # | Production? | Owner

Programmatic IAM Users


Name | Component that Uses | Groups Assigned | Policies Assigned | Follows PoLP?

PoLP – Policy of Least Privilege

Human IAM Users


Only describe categories of users here…
User Category | Role that Uses | Groups Assigned | Policies Assigned | Follows PoLP?

PoLP – Policy of Least Privilege

IAM Groups
Group Name | Policies Assigned | Follows PoLP?

PoLP – Policy of Least Privilege

Custom IAM Policies


Policy Name | Policy Summary | Follows PoLP?

PoLP – Policy of Least Privilege


IAM Roles
Only describe category of users here…
Role Name | Assigned Entity/Resource | Groups Assigned | Policies Assigned | Follows PoLP?

PoLP – Policy of Least Privilege

VPCs
Name | Region | Description | Public Internet | IPSec Tunnel | Direct Connect | Use Bastion Hosts?

Security Zones
Name of Security Zone | Purpose | VPCs Used
Periphery Systems

DNS Security
Public DNS | Private DNS
Use Route 53? _______ | Use Route 53? _______
Description: | Description:

For each type of DNS, describe how you are building and securing your DNS system. Are you using Route 53? If not, what are you using? What policies are you employing to keep it safe and secure?

Time Synchronization Security


Master Production Time Servers | External Time Sources

Description:

List your centralized time servers that all other systems will take their time from. List the trusted external time sources you
will use to get actual system time. Describe your security plan and what policies you are employing to keep it safe and
secure.

Other Periphery Systems


Periphery System | Security Description
List all other periphery systems that must be secure. What process are you using to maintain security? What policies are you
employing?

DoS and DDoS Prevention


Description:

Describe the process and best practices used for DoS and DDoS prevention, and the process you perform if an attack is detected and in progress.
Security Testing
Type of Testing | Testing Process
External Vulnerability:

External Penetration:

Internal Gray/White Box:

AWS Process (how will we submit testing requests to AWS?):

Describe the process for testing each of the different types of security for your application.
EC2 and OS Hardening
Hardening Requirement | Process Used and Method of Validation
Disable root keys on EC2 instances

Key rotation for all access keys

Protect .pem files

Delete unused keys

For each type of hardening, describe what process you use to implement the hardening and any validation you use to make
sure the process is complete. Add additional OS hardening requirements based on your needs.
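As an added example of a validation method for the "Key rotation for all access keys" and "Delete unused keys" rows (not part of the worksheet or the course material), the check below audits IAM access key records for age and disuse. The records are constructed inline in the shape of the IAM ListAccessKeys and GetAccessKeyLastUsed responses so it runs offline; the 90-day rotation and 45-day unused thresholds are assumed policy values.

```python
# Added example (not from the worksheet or course): audit IAM access keys
# against the "Key rotation for all access keys" and "Delete unused keys"
# rows. Key records are constructed below in the shape of the IAM
# ListAccessKeys / GetAccessKeyLastUsed responses so the check runs offline;
# the 90-day rotation and 45-day unused thresholds are assumed policy values.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_UNUSED_DAYS = 45    # assumed threshold for "unused"

def audit_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS,
                      max_unused_days=MAX_UNUSED_DAYS):
    """Return (AccessKeyId, UserName, finding) tuples for keys needing action.
    Records carry UserName, AccessKeyId, Status, CreateDate (ListAccessKeys) and
    LastUsedDate, None if never used (GetAccessKeyLastUsed)."""
    findings = []
    for key in keys:
        ident = (key["AccessKeyId"], key["UserName"])
        if key["Status"] != "Active":
            # Inactive keys are still credentials on the account; the
            # hardening row expects unused keys deleted, not merely disabled.
            findings.append((*ident, "inactive-key-not-deleted"))
            continue
        if now - key["CreateDate"] > timedelta(days=max_age_days):
            findings.append((*ident, "needs-rotation"))
        # A never-used key counts as idle since its creation date.
        last_activity = key["LastUsedDate"] or key["CreateDate"]
        if now - last_activity > timedelta(days=max_unused_days):
            findings.append((*ident, "unused-delete-candidate"))
    return findings

# Constructed sample data; the key ids are placeholders, not real credentials.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "legacy-batch", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=60), "LastUsedDate": None},
    {"UserName": "old-admin", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=200)},
]

if __name__ == "__main__":
    for key_id, user, finding in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{user:14} {key_id} {finding}")
```

In a real validation run the records would be collected per user with the two IAM calls named above and the resulting findings recorded in the table's "Method of Validation" column.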
Security Groups
SG Name | VPC | Usage | Access Allowed | Access Denied | Follows PoLP?

PoLP – Policy of Least Privilege

Custom AMIs
AMI Name | EC2 Usage | Private/Public | Security Patches? | Bootstrap Process | Security Test

Custom Software Used


Software Name Version Patch Level Antivirus? Antispam? Notes
Data
Data at Rest
Data Type/Name | Where Stored | Read Access | Write/Delete Access | Replication | Server-side Encrypted | Client-side Encrypted

Data in Transit
Data Type/Name | SSL/TLS? | Accidental Disclosure Security | Data Integrity Security | Peer Identity Security

Logging
Log Name | Format | Source | Retention | Transport/Storage/Analysis Security
AWS Security Connection
Security Concern | Plan/Policy/Process
How do you interact with AWS for security purposes?

What are your established group security contact tools and processes?

What is the established process to respond to abuse warnings from AWS?
