AWS Cloud Security Assessment
Improving the security of your workloads and protecting your data in the AWS cloud starts with assessing the current posture of your AWS environment. Once a comprehensive report is in front of you, you can start prioritizing, planning and addressing the individual risks and gaps.
What is it
The security assessment is a point-in-time snapshot of the posture of your AWS cloud infrastructure, which gives you insight into your environment's security. The assessment is conducted by querying your environment's infrastructure through AWS management read-only APIs; nothing in the environment is changed. In addition to assessing infrastructure configuration and some aspects of access, CCOE architects review the processes you use to manage your infrastructure and its security.
The main focus areas are:
- Misconfiguration of AWS resources/services that may increase your environment's attack surface. Resource configuration is checked against industry standards (CIS AWS Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, AWS Foundational Security Best Practices (FSBP)).
  (!) This is done on a single account chosen by the customer.
- Over-permissive entitlements that should be reviewed and reconsidered. For example:
  - External access for third parties to an S3 bucket, a cross-account role into a sensitive account, etc.
  - Service roles of EC2 instances, EKS clusters (roles assumed through the cluster's OIDC provider), and Lambda functions.
  (!) This is done on a single account chosen by the customer.
- Development and deployment procedures:
  - Security of the deployment pipeline itself, and the security checks the pipeline runs.
  - Architecture security review process.
- Tools and processes:
  - Cloud Security Posture Management (CSPM).
  - Cloud Infrastructure Entitlement Management (CIEM).
  - Incident management (detection and response).
  - Incident response readiness.
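As an added illustration of the entitlement review described above (example code written for this page, not a CCOE tool), the following Python script scans an S3 bucket policy and an IAM role trust policy for Allow statements whose principal is outside the assessed account, or is the wildcard, and reports whether each such grant carries a Condition block (for example sts:ExternalId) that the reviewer should verify. Both policy documents, the home account ID, the third-party account IDs, the bucket name and the external ID are constructed for the example; in a real assessment the documents would come from read-only calls such as s3:GetBucketPolicy and iam:GetRole.

```python
import json
import re

# Constructed sample inputs (made-up account IDs, bucket name and external ID).
HOME_ACCOUNT = "111111111111"

BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    ],
})

TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VendorNoExternalId", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole"},
        {"Sid": "VendorWithExternalId", "Effect": "Allow",
         "Principal": {"AWS": "333333333333"},  # bare account ID form
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Sid": "Ec2Service", "Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})

# Captures the account ID out of an IAM/STS principal ARN.
_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _principal_ids(principal):
    """Flatten the Principal element ("*", a string, or a map of strings/lists)."""
    if isinstance(principal, str):
        return [principal]
    ids = []
    for value in principal.values():  # keys such as AWS, Service, Federated
        ids.extend(value if isinstance(value, list) else [value])
    return ids


def _is_external(principal_id, home_account):
    """True if the principal is the wildcard or belongs to another AWS account."""
    if principal_id == "*":
        return True
    if principal_id.isdigit() and len(principal_id) == 12:
        return principal_id != home_account
    match = _ARN_ACCOUNT.match(principal_id)
    if match:
        return match.group(1) != home_account
    # Service principals (ec2.amazonaws.com) and federated providers are not
    # foreign accounts; they are out of scope for this particular check.
    return False


def external_grants(policy_json, home_account):
    """Return one finding per Allow statement that grants access to a principal
    outside home_account. 'conditioned' records whether the statement carries a
    Condition block (e.g. sts:ExternalId) that the reviewer should then verify."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for pid in _principal_ids(stmt["Principal"]):
            if _is_external(pid, home_account):
                findings.append({
                    "sid": stmt.get("Sid", f"statement{index}"),
                    "principal": pid,
                    "conditioned": "Condition" in stmt,
                })
    return findings


def review_samples():
    """Run the check over both constructed policies."""
    return {
        "bucket": external_grants(BUCKET_POLICY, HOME_ACCOUNT),
        "trust": external_grants(TRUST_POLICY, HOME_ACCOUNT),
    }


if __name__ == "__main__":
    for name, findings in review_samples().items():
        for f in findings:
            flag = "has Condition" if f["conditioned"] else "NO Condition"
            print(f"{name}: {f['sid']} grants access to {f['principal']} ({flag})")
```

The script flags the public read on the bucket and both vendor trusts; the trust without a Condition is the one to escalate first, since any principal in that account can assume the role. A finding with a Condition is not automatically safe: the reviewer still has to confirm the condition keys actually constrain the caller.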
Best for
Understanding your environment's security posture is a crucial step towards mitigating risks to it, so the assessment is recommended for any organization that consumes the AWS cloud, whether for production or for lower-level environments.
Key Activities
- Establish the engagement: introduce the teams and give an overview of the assessment process.
- Initial discovery: CCOE architects work with you to understand which areas the assessment should focus on and to validate the best approach for running the assessment tools.
- Set up the required access and/or deploy the assessment tools (according to the customer's environment and business requirements).
- Run the assessment:
  - Run the automation tools and scripts.
  - Interview the platform engineering, security operations, and enterprise architecture teams.
- Deliver and present the final report.
Cost
The assessment is delivered by CCOE free of charge; however, the automation procedures and services run within the AWS cloud might incur some AWS service charges, depending on the chosen delivery method.
Timeframe
Depending on the customer's availability, the size of the environment and any restrictions or limitations in the environment, running the assessment can take from one week to a few weeks. Once the data is collected, allow a week for delivery of the final report.
Outcomes
By the end of this engagement you will receive a thorough report on the security posture of your AWS cloud infrastructure, including tailored recommendations for improving it.