Cloud Conformity is on a mission to promote best practices in cloud development. Fortunately, we’ve made a few like-minded friends along the way.

The Center for Internet Security is an organisation that’s been around for almost as long as the internet itself. They maintain a series of security best practice recommendations. Their AWS CIS Foundations Benchmark can help your organisation set a clear security benchmark, monitor your compliance evolution with quantitative scoring, and introduce guidelines to help you better manage your cloud infrastructure.

Here are a few of the most important best practices to follow, according to CIS:

IAM — Lock your Root account and throw away the key

Using your root account on a regular basis is asking for trouble. If those credentials ever find themselves in the wrong hands without your knowledge, there’s really nothing you can do to prevent severe misuse of your account: covert cryptocurrency mining, data theft, wiping of your infrastructure, loss of IP, and many more bad things.

Not complying with this rule runs contrary to one of the primary tenets of security (cloud or otherwise), the principle of least privilege. You’d be using only one set of privileges, root access, which gives access to literally everything. Best practice recommends that your AWS users’ privileges be granted on a need-to-access basis; inexperienced users should not have full admin rights to your production resources.

(CIS Foundations Benchmark v1.2.0, section 1.1)

Logs are love, logs are life. Without logs, you can’t find out where things went wrong, nor how to prevent an incident from happening again.

AWS CloudTrail is a service that can record API activity in your AWS account from across your regions into a centralized S3 bucket, for your future (or real-time) auditing convenience. This is crucial for detecting suspicious or unauthorized activity in your account and for further securing it against potential breaches. You’ll also want the trail to include events from global AWS services.

(CIS Foundations Benchmark v1.2.0, section 2.1)

If you’ve already enabled CloudTrail, and have locked away your root credentials in a vault, congratulations, you’ll most likely be able to figure out when, where, and why a security breach happened. For most cloud security professionals, this isn’t good enough. The real-time monitoring of your AWS account is critical to prevent its misuse.

Monitoring on-premises computing infrastructure was critical to preventing failure and data loss and to ensuring reliability of service. With cloud computing, where new resources can be spun up and removed at the click of a button, the consequences of not monitoring in real time can be much more severe.

Fortunately, AWS has provided us with CloudWatch, a service that allows alarms to be set up to notify you whenever an unauthorized AWS API request is made. Check out our knowledge base page for instructions on how to set this up.

(CIS Foundations Benchmark v1.2.0, section 3.1)
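To make the section 3.1 recommendation concrete, here is an added example (not Cloud Conformity's or CIS's code) that applies the CIS 3.1 metric filter semantics to a batch of CloudTrail records locally, and also flags root-account activity (the behaviour section 1.1 wants to eliminate). The CloudTrail records are constructed sample data; the account id and user names are placeholders.

```python
"""Evaluate CloudTrail records against the CIS 3.1 'unauthorized API calls'
metric filter, plus a root-usage check. Records below are constructed."""
import fnmatch
import json

# Metric filter pattern given by CIS AWS Foundations Benchmark v1.2.0, 3.1.
# CIS pairs it with an alarm on Sum >= 1 over a 5-minute (300 s) period.
CIS_3_1_FILTER = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
ALARM_THRESHOLD = 1

# Constructed CloudTrail-style records (placeholder account 123456789012).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-06-01T10:00:03Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2019-06-01T10:00:45Z", "eventName": "StopInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2019-06-01T10:02:10Z", "eventName": "GetObject",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci/build"}},
    {"eventTime": "2019-06-01T10:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]})


def matches_unauthorized_call(record: dict) -> bool:
    """Same semantics as the CIS 3.1 filter: errorCode ends with
    'UnauthorizedOperation' or starts with 'AccessDenied'."""
    code = record.get("errorCode", "")
    return (fnmatch.fnmatchcase(code, "*UnauthorizedOperation")
            or fnmatch.fnmatchcase(code, "AccessDenied*"))


def is_root_activity(record: dict) -> bool:
    """Any API call made with the root identity (section 1.1: avoid this)."""
    return record.get("userIdentity", {}).get("type") == "Root"


def evaluate(log_text: str) -> dict:
    """Return the metric values the two filters would emit for this batch
    and whether the CIS alarm threshold (>= 1) would trigger."""
    records = json.loads(log_text)["Records"]
    unauthorized = [r["eventName"] for r in records if matches_unauthorized_call(r)]
    root = [r["eventName"] for r in records if is_root_activity(r)]
    return {
        "unauthorized_api_calls": len(unauthorized),
        "unauthorized_events": unauthorized,
        "root_account_usage": len(root),
        "alarm_unauthorized": len(unauthorized) >= ALARM_THRESHOLD,
        "alarm_root": len(root) >= ALARM_THRESHOLD,
    }
```

Running `evaluate(SAMPLE_LOG)` over the sample batch reports two unauthorized calls and one root-account event, so both alarms would fire within a single 5-minute period.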