Application Information
Name: ____________________________
Scale/Sizing Details
# Users: _________________________
# Daily Sessions: ________________
# Page Views: ____________________
Data Size: _______________________
Other: ___________________________
Application Interfaces
Name | Usage | Private/Public | Network Access | Used by Public? | Used by Staff? | Used by Management?
IAM Groups
Group Name | Policies Assigned | Follows PoLP (principle of least privilege)?
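One way to answer the "Follows PoLP?" column with something checkable rather than a yes/no from memory is to run each group's attached policy documents through a small least-privilege linter. The block below is an added example, not part of the original worksheet: it parses IAM policy JSON (Version / Statement / Effect / Action / Resource, the format IAM actually uses) and reports Allow statements that use `*` or service-wide `service:*` actions, `NotAction`/`NotResource`, or `Resource: "*"` on non-read-only actions without a Condition. The sample policies are constructed, and the rule that Describe/List/Get actions count as read-only is an assumption (many of those actions genuinely require `Resource: "*"`, so flagging them would only produce noise).

```python
"""Least-privilege linter for IAM policy documents (added example, constructed input)."""
import json


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _read_only(action):
    """Assumption: Describe*/List*/Get* actions are treated as read-only."""
    name = action.split(":", 1)[1].lower() if ":" in action else action.lower()
    return name.startswith(("describe", "list", "get"))


def _mutating(stmt):
    """NotAction grants everything not listed, so it always counts as mutating."""
    if "NotAction" in stmt:
        return True
    return any(not _read_only(a) for a in _as_list(stmt.get("Action", [])))


def statement_findings(stmt):
    """Return least-privilege findings for one statement (empty list = clean)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements only narrow access
    actions = _as_list(stmt.get("Action", []))
    if "NotAction" in stmt:
        findings.append("uses NotAction (grants every action not listed)")
    if "*" in actions:
        findings.append("Action is '*'")
    else:
        service_wide = [a for a in actions if a.endswith(":*")]
        if service_wide:
            findings.append("service-wide wildcard action(s): " + ", ".join(service_wide))
    if "NotResource" in stmt:
        findings.append("uses NotResource (applies to every resource not listed)")
    if ("*" in _as_list(stmt.get("Resource", []))
            and _mutating(stmt) and not stmt.get("Condition")):
        findings.append("Resource is '*' for non-read-only actions with no Condition")
    return findings


def audit_policy(policy):
    """Map each statement (by Sid, or Statement[i]) to its findings; {} means clean."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    report = {}
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        found = statement_findings(stmt)
        if found:
            report[stmt.get("Sid", f"Statement[{i}]")] = found
    return report


# Constructed sample policies; none of these are real account policies.
ADMIN_STYLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAppObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"]},
    {"Sid": "DenyUnencrypted", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
  ]
}"""

MIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DescribeOnly", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "Escape", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_STYLE_POLICY), ("scoped", SCOPED_POLICY), ("mixed", MIXED_POLICY)]:
        print(name, json.dumps(audit_policy(policy), indent=2))
```

Feed it the documents returned by `iam get-policy-version` (or the inline policies from `iam get-group-policy`) for every policy in the "Policies Assigned" column; a group only earns a "yes" when the report is empty or each remaining finding has a written justification.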
VPCs
Name | Region | Description | Public Internet | IPSec Tunnel | Direct Connect | Use Bastion Hosts?
Security Zones
Name of Security Zone | Purpose | VPCs Used
Periphery Systems
DNS Security
Public DNS:  Use Route 53? _______  Description: ____________________
Private DNS: Use Route 53? _______  Description: ____________________
For each type of DNS, describe how you are building and securing your DNS system. Are you using Route 53? If not, what are you using? What policies are you employing to keep it safe and secure?
Time Servers
Description:
List the centralized time servers that all other systems take their time from, and the trusted external time sources those servers use to obtain actual system time. Describe your security plan and the policies you employ to keep time synchronization safe and secure.
DoS and DDoS Protection
Describe the process and best practices used for DoS and DDoS prevention, and the process you follow when an attack is detected and in progress.
Security Testing
Type of Testing | Testing Process
External Vulnerability:
External Penetration:
AWS Process (how will we submit testing requests to AWS?):
Describe the process for testing each of the different types of security for your application.
EC2 and OS Hardening
Hardening Requirement | Process Used and Method of Validation
Disable root keys on EC2 instances |
For each hardening requirement, describe the process you use to implement it and the validation you use to confirm that the process is complete. Add further OS hardening requirements based on your needs.
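For the "Disable root keys on EC2 instances" row, the validation column should be a check that can be re-run, not a note that the key was deleted once. The block below is an added example, not from the original worksheet. It assumes the hardening process is the usual two-part one: set `PermitRootLogin no` in `/etc/ssh/sshd_config` and leave root with no entries in `/root/.ssh/authorized_keys`. The sample config and key files are constructed inline so the check runs offline; `audit_instance()` points the same logic at the live files. Two details the check deliberately handles: sshd keeps the first value it sees for a keyword (a later `PermitRootLogin no` under an earlier `yes` does nothing), and an unset `PermitRootLogin` defaults to `prohibit-password`, which still allows key-based root login.

```python
"""Validation for 'disable root keys on EC2 instances' (added example, constructed input)."""
import os


def effective_sshd_option(config_text, option):
    """Return the global value sshd would use for `option`, or None if unset.

    sshd honours the first occurrence of a keyword (later duplicates are ignored),
    keywords are case-insensitive, and everything after a `Match` line is
    conditional rather than global, so parsing stops there.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == option.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def root_keys_disabled(config_text, root_authorized_keys_text):
    """Return a list of findings; an empty list means the control is in place.

    Both halves are required: sshd must refuse root logins outright, and root
    must have no authorized keys, so the control still holds if someone later
    relaxes sshd_config.
    """
    findings = []
    value = effective_sshd_option(config_text, "PermitRootLogin")
    if value != "no":
        shown = value if value is not None else (
            "unset (default prohibit-password still allows key login)")
        findings.append(f"PermitRootLogin is {shown}; expected 'no'")
    keys = [l for l in root_authorized_keys_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    if keys:
        findings.append(f"{len(keys)} key(s) installed in root's authorized_keys")
    return findings


def audit_instance(sshd_config="/etc/ssh/sshd_config",
                   root_keys="/root/.ssh/authorized_keys"):
    """Run the check against the live files on an instance (needs root to read them)."""
    with open(sshd_config) as f:
        config_text = f.read()
    keys_text = ""
    if os.path.exists(root_keys):
        with open(root_keys) as f:
            keys_text = f.read()
    return root_keys_disabled(config_text, keys_text)


# Constructed sample files; not taken from a real instance.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
# sshd keeps the FIRST value of a keyword, so this later line does nothing:
PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User ec2-user
    PasswordAuthentication no
"""

# Constructed placeholder key line; the key material is not real.
WEAK_ROOT_KEYS = "ssh-ed25519 AAAAconstructedplaceholderkeydata root@build\n"

if __name__ == "__main__":
    print("weak:", root_keys_disabled(WEAK_SSHD_CONFIG, WEAK_ROOT_KEYS))
    print("hardened:", root_keys_disabled(HARDENED_SSHD_CONFIG, ""))
```

Run `audit_instance()` from the bootstrap process of each custom AMI and again from a periodic job; a non-empty list is the validation failure to record. Note that `sshd -T` prints the effective configuration the daemon itself computes, so on a live host that output is the authoritative thing to compare this parser against.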
Security Groups
SG Name | VPC | Usage | Access Allowed | Access Denied | Follows PoLP?
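The "Access Allowed" and "Follows PoLP?" columns are easiest to fill honestly from the rules themselves. The block below is an added example, not part of the original worksheet: it walks security groups in the shape that EC2 `DescribeSecurityGroups` returns (`GroupId`, `GroupName`, `IpPermissions` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`) and reports every inbound rule reachable from `0.0.0.0/0` or `::/0` whose ports are not on an explicit allow-list. The sample groups are constructed, and the allow-list of `tcp/80` and `tcp/443` as the only ports permitted to face the Internet is an assumption to adjust per application.

```python
"""World-reachable ingress audit for security groups (added example, constructed input)."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Assumption: only these (protocol, port) pairs may be open to the Internet.
PUBLIC_PORTS = frozenset({("tcp", 80), ("tcp", 443)})


def world_reachable(permission):
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def offending_ports(permission, public_ports):
    """Ports on this rule that are not allow-listed.

    Returns "all" for IpProtocol "-1" (every protocol and port; EC2 omits
    FromPort/ToPort on such rules), the protocol name for ICMP (where
    FromPort/ToPort are type/code, not ports), otherwise a sorted list.
    An empty list means the rule is within the allow-list.
    """
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return "all"
    if proto in ("icmp", "icmpv6"):
        return proto
    lo, hi = permission.get("FromPort", 0), permission.get("ToPort", 65535)
    return [p for p in range(lo, hi + 1) if (proto, p) not in public_ports]


def audit_security_group(group, public_ports=PUBLIC_PORTS):
    """One finding per inbound rule that exposes non-allow-listed ports to the Internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not world_reachable(perm):
            continue
        ports = offending_ports(perm, public_ports)
        if ports:
            findings.append({"group": group["GroupId"], "name": group.get("GroupName"),
                             "protocol": perm.get("IpProtocol"), "ports": ports})
    return findings


def audit_security_groups(groups, public_ports=PUBLIC_PORTS):
    return [f for g in groups for f in audit_security_group(g, public_ports)]


# Constructed sample in DescribeSecurityGroups shape; these are not real groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

Pass the `SecurityGroups` list from `ec2 describe-security-groups` straight in. The bastion case shows why the allow-list is a parameter: `tcp/22` from the Internet is a finding for an application group, but for a bastion group the worksheet's "Use Bastion Hosts?" decision is exactly where that exception gets written down, and the audit call for that group should pass the allow-list that reflects it.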
Custom AMIs
AMI Name | EC2 Usage | Private/Public | Security Patches? | Bootstrap Process | Security Test
Data in Transit
Data Type/Name | SSL/TLS? | Accidental Disclosure Security | Data Integrity Security | Peer Identity Security
Logging
Log Name | Format | Source | Retention | Transport/Storage/Analysis Security
AWS Security Connection
Security Concern | Plan/Policy/Process
How do you interact with AWS for security purposes? |