AWS cloud security best practices

1. Account and access management

1.1 Multi-VPC or multi-account mode

  • A single team can use a multi-VPC mode (several VPCs in one account) to create and manage its application environments;
  • Multiple teams can use a multi-account mode (one account per team) to isolate their application environments from each other.

1.2 Multi-account mode: choose a master account

Use a dedicated master (root) account in which no AWS resources are deployed,
and enable MFA on this master account.

The AWS Control Tower service can be used to set this up.

2. System security architecture

2.1 Subnet recommendations

  • Start with at least two Availability Zones;
  • Use subnets to restrict access to the Internet, for example private subnets;
  • Consider using larger subnets (/24 or larger).

2.2 Subnet layout per Availability Zone

  • Start with at least one public subnet and one private subnet in each Availability Zone;
  • For a three-tier application, use a three-layer subnet structure: public subnets, private subnets and sensitive subnets.

2.3 Security group recommendations

  • Keep the default security group rules that allow regular traffic;
  • Modifying the outbound rules of the default security group adds complexity and is not recommended unless there is a compliance requirement;
  • Most enterprises configure the inbound rules in one security group per application type;
  • Prefer referencing a security group as the source of a rule;
  • To allow instances within a security group to communicate with each other, set the rule's source to the security group itself.

2.4 When to enable NACLs

  • When traffic from a particular source or port must be explicitly allowed or denied;
  • When a subnet does not need access to the Internet.

2.5 VPC connectivity recommendations

  • Most applications do not need a dedicated link, or need less than 4Gbps of data transfer bandwidth; for these, ××× is recommended;
  • If the application needs a more stable link, higher bandwidth or lower latency, consider using Direct Connect.

2.6 IAM recommendations

  • Attach IAM policies to groups; avoid attaching them to individual users;
  • Use IAM roles; avoid hard-coding user access keys in application code;
  • Enable MFA for important users;
  • Be sure to configure a password policy and rotate keys and passwords regularly.

3. Data classification and protection

3.1 Storage encryption with KMS

Classify data according to business needs or compliance requirements,
and apply a different encryption strategy to each data classification level.

3.2 Encryption of data in transit (TLS)

  • Use ××× to encrypt data in transit.
  • For HTTPS, it is recommended to terminate (offload) the TLS certificate on the ELB, with cleartext traffic from the ELB to the EC2 back end;
  • If end-to-end encryption is required, terminate the selected TLS certificate on the ELB and then establish a separate encrypted channel from the ELB to the EC2 back end.

4. Security operations, monitoring and log management

4.1 CloudTrail audit logs

  • Enable CloudTrail permanently, in all regions;
  • Store the CloudTrail logs in an S3 bucket in a separate audit account, and use S3 lifecycle management for long-term retention.

4.2 VPC Flow Logs

  • Enable Flow Logs when troubleshooting;
  • Enable Flow Logs during application testing, commissioning and the early period after go-live;
  • Analyse them with Splunk or other commercial software.

4.3 AWS Config

It is recommended to enable AWS Config.

4.4 Recommended Config Rules

  • Start by enabling the AWS managed rules;
  • Then write your own rules according to your security baseline or compliance requirements, to achieve Compliance as Code.
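As an added example (not code from the original post), the following custom AWS Config rule turns two of the recommendations above into Compliance as Code: CloudTrail trails must be multi-region (4.1) and security-group inbound rules should reference a security group rather than a CIDR block as their source (2.3). The event shape follows the AWS Config custom-rule Lambda contract; the sample event, resource ids and timestamps are constructed for illustration.

```python
"""Custom AWS Config rule (Lambda handler): trails must be multi-region (4.1) and
security-group inbound rules should use a security group, not a CIDR block, as
their source (2.3). Event shape follows the Config custom-rule contract; samples constructed."""
import json

def evaluate_trail(config):
    """AWS::CloudTrail::Trail: must be enabled in all regions."""
    ok = bool(config.get("isMultiRegionTrail"))
    return ("COMPLIANT" if ok else "NON_COMPLIANT", "isMultiRegionTrail=%s" % ok)

def evaluate_security_group(config):
    """AWS::EC2::SecurityGroup: flag inbound rules sourced from a CIDR block."""
    bad = []
    for perm in config.get("ipPermissions", []):
        if perm.get("userIdGroupPairs"):
            continue  # source is a security group: the preferred form
        if perm.get("ipv4Ranges") or perm.get("ipv6Ranges") or perm.get("ipRanges"):
            bad.append("%s/%s-%s" % (perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    if bad:
        return "NON_COMPLIANT", "CIDR-sourced inbound rules: " + ", ".join(bad)
    return "COMPLIANT", "all inbound rules reference a security group as source"

EVALUATORS = {"AWS::CloudTrail::Trail": evaluate_trail,
              "AWS::EC2::SecurityGroup": evaluate_security_group}

def evaluate(event):
    """Pure part of the rule: build the Evaluation entry PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluator = EVALUATORS.get(item["resourceType"])
    if evaluator is None:
        compliance, note = "NOT_APPLICABLE", "resource type not covered by this rule"
    else:
        compliance, note = evaluator(item.get("configuration") or {})
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note[:256],  # 256 = API limit
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Lambda entry point: report the evaluation back to AWS Config."""
    import boto3  # imported here so the module also loads offline for testing
    boto3.client("config").put_evaluations(
        Evaluations=[evaluate(event)], ResultToken=event["resultToken"])
# Constructed sample event: a security group with one CIDR-sourced SSH rule.
SAMPLE_SG_EVENT = {"resultToken": "test-token", "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
        "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "userIdGroupPairs": []}]}}})}
```

Deploy it as a Lambda-backed Config rule triggered on configuration changes for the two resource types; `evaluate` can be unit-tested offline against recorded configuration items before the rule is enabled.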

5. Appropriate practice and automation


Source: blog.51cto.com/wzlinux/2416547