Skip to content

Instantly share code, notes, and snippets.

@prasincs

prasincs/aws_checklist.md

Last active June 28, 2021 18:12
Show Gist options
  • Save prasincs/69b9e2b8e5aab4c3c43b990c7bfdd6a0 to your computer and use it in GitHub Desktop.
Save prasincs/69b9e2b8e5aab4c3c43b990c7bfdd6a0 to your computer and use it in GitHub Desktop.
Download ZIP
AWS Secure Account Initial Setup Checklist
Raw
aws_checklist.md

Creating Secure AWS Account Checklist

[ ] Add MFA for Root account

[ ] Create Password Policy Compliant with CIS Foundations

[ ] Create IAM Master and Manager Roles

[ ] Enable AWS Config

[ ] Enable CloudTrail in all regions

[ ] Ensure that CloudTrail -> CloudWatch is enabled

[ ] Enable Notifications when CloudTrail or Configs are disabled

https://aws.amazon.com/answers/security/aws-secure-account-setup/

IAM

Based on the roles/instructions here: https://www.cloudconformity.com/conformity-rules/IAM/master-and-manager-role.html

#!/usr/bin/env bash
echo "Make sure that you have an intial setup account that will be deleted after IAM roles have been created"
echo -n "Enter the AWS_PROFILE to use [ENTER]:"
read AWS_PROFILE
set -x
aws --profile $AWS_PROFILE iam create-role \
--role-name IAM-Master-Role \
--assume-role-policy-document file://iam-master-trust-policy.json

aws iam --profile $AWS_PROFILE put-role-policy \
--role-name IAM-Master-Role \
--policy-name IAM-Master-Role-Policy \
--policy-document file://iam-master-policy.json

aws iam --profile $AWS_PROFILE create-role \
--role-name IAM-Manager-Role \
--assume-role-policy-document file://iam-manager-trust-policy.json

aws iam --profile $AWS_PROFILE put-role-policy \
--role-name IAM-Manager-Role \
--policy-name IAM-Manager-Role-Policy \
--policy-document file://iam-manager-policy.json


echo "Creating Group for IAM Masters"

aws iam --profile $AWS_PROFILE create-group --group-name IAM-Masters


aws iam --profile $AWS_PROFILE put-group-policy \
 --group-name IAM-Masters \
 --policy-name IAM-Masters-Group-Trust-Policy \
 --policy-document file://iam-master-group-trust-policy.json

echo "Creating Group for IAM Managers"

aws iam --profile $AWS_PROFILE create-group --group-name IAM-Managers

aws iam --profile $AWS_PROFILE put-group-policy \
 --group-name IAM-Managers \
 --policy-name IAM-Managers-Group-Trust-Policy \
 --policy-document file://iam-managers-group-trust-policy.json

CIS

For running https://github.com/awslabs/aws-security-benchmark

For monitoring https://github.com/awslabs/aws-security-benchmark/tree/master/aws_cis_foundation_framework

Setting up initial users for terraform

https://gist.github.com/arsdehnel/70e292467ced2a39f472ddca44629c08

Logs

https://d1.awsstatic.com/whitepapers/aws-security-at-scale-logging-in-aws.pdf

Other Checklists

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Checklist.pdf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment