AWS Security Standard
This standard defines baseline security configurations for all AWS resources.
Scope
Applies to all AWS accounts in the organization, including production, staging, and development environments.
Requirements
Account Security
- Enable hardware MFA on the root user, remove any root access keys, and keep the root password and MFA recovery codes in the organization's credential vault
- Use AWS Organizations with Service Control Policies (SCPs) as guardrails that member-account administrators cannot override (for example, deny disabling CloudTrail or GuardDuty and deny leaving the organization)
- Enable CloudTrail in all regions as an organization trail, delivering logs with log file validation enabled to a centralized S3 bucket
- Enable AWS Config for compliance monitoring
- Use IAM Identity Center (AWS SSO) for human access, no long-lived IAM user credentials
Network Security
- Security groups permit inbound traffic only on required ports from named sources; no rule may allow 0.0.0.0/0 or ::/0 inbound except on public load-balancer listener ports (a security group already denies anything not explicitly allowed, so the control is on what gets allowed)
- No publicly accessible RDS instances (PubliclyAccessible disabled, database subnets without a route to an internet gateway)
- Use VPC endpoints for AWS services where possible
- Enable VPC Flow Logs for all VPCs
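A worked check for the security-group requirement above, added here as an example and not part of the standard or of any AWS tooling: it audits ingress rules in the shape EC2 DescribeSecurityGroups returns and flags anything reachable from 0.0.0.0/0 or ::/0. The admin-port list, the group IDs and the sample rules are constructed for illustration.

```python
"""Added example: audit security-group ingress against the network baseline.
Input mirrors the EC2 DescribeSecurityGroups response shape; the groups,
IDs and rules below are constructed sample data, not live account output."""
import ipaddress

# Ports that must never be reachable from the whole Internet (assumed list).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}


def _port_range(perm):
    """Port range a permission covers; IpProtocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _sources(perm):
    """Yield every IPv4/IPv6 CIDR source of a permission."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_group(sg):
    """Return [(severity, message)] for one group; empty list means compliant."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        for cidr in _sources(perm):
            # A /0 prefix (0.0.0.0/0 or ::/0) is the whole Internet.
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # scoped source: allowed by the standard
            if (lo, hi) == (0, 65535):
                findings.append(("HIGH", f"all ports open to {cidr}"))
                continue
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(("HIGH", f"admin port(s) {exposed} open to {cidr}"))
            else:
                findings.append(("MEDIUM", f"ports {lo}-{hi} open to {cidr}; "
                                 "only load-balancer listener ports may be world-reachable"))
    return findings


def audit_all(groups):
    """Map GroupId -> findings for every group that has any."""
    result = {}
    for sg in groups:
        findings = audit_security_group(sg)
        if findings:
            result[sg["GroupId"]] = findings
    return result


SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_GROUPS).items():
        for sev, msg in findings:
            print(f"{gid}: [{sev}] {msg}")
```

The web group is reported at MEDIUM rather than passed: the standard allows world-reachable listener ports only on load balancers, and a security group alone cannot tell the reviewer whether it is attached to one, so the finding is left for a human to close.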
Data Protection
- Enable default encryption at rest on all S3 buckets (SSE-S3 at minimum; SSE-KMS with a customer-managed key where key usage must be audited or access revoked independently of S3)
- Enable S3 Block Public Access at account level
- Encrypt all EBS volumes (turn on EBS encryption by default in every region in use so new volumes cannot be created unencrypted)
- Encrypt all RDS instances with KMS
- Require encryption in transit (TLS 1.2 or higher); at-rest encryption does not enforce this, so for S3 it must be a bucket policy that denies requests with aws:SecureTransport false
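The S3 part of the data-protection requirements above, as an added example that is not part of the standard: a bucket policy that rejects non-TLS requests, TLS below 1.2, and PutObject calls that do not request SSE-KMS with one specific key, followed by checks that read such a policy back. The bucket name and KMS key ARN are constructed placeholders.

```python
"""Added example: a bucket policy enforcing the in-transit and at-rest S3
requirements, plus read-back checks. Bucket name and key ARN are placeholders."""
import json


def _as_list(v):
    return v if isinstance(v, list) else [v]


def tls_and_kms_bucket_policy(bucket, kms_key_arn):
    """Deny non-TLS requests, TLS below 1.2, and PutObject without SSE-KMS under
    the given key. Default encryption only covers data at rest; transport
    security on S3 is enforced by a policy like this one."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    everything = [bucket_arn, f"{bucket_arn}/*"]
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": everything,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyTlsBelow12", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": everything,
             "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
            # Two separate statements: keys inside one condition block are ANDed,
            # so a single block would let a PUT through that sends the right
            # header but names the wrong key.
            {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        ],
    }


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _denies_all_s3(stmt):
    actions = _as_list(stmt.get("Action", []))
    return stmt.get("Effect") == "Deny" and any(a in ("s3:*", "*") for a in actions)


def enforces_tls(policy):
    """True if a Deny on all S3 actions fires when aws:SecureTransport is false."""
    for st in _statements(policy):
        cond = st.get("Condition", {}).get("Bool", {})
        if _denies_all_s3(st) and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def min_tls_version(policy):
    """Minimum TLS version enforced by a NumericLessThan Deny, else None."""
    for st in _statements(policy):
        cond = st.get("Condition", {}).get("NumericLessThan", {})
        if _denies_all_s3(st) and "s3:TlsVersion" in cond:
            return float(cond["s3:TlsVersion"])
    return None


def requires_kms_key(policy, kms_key_arn):
    """True if PutObject is denied both without SSE-KMS and with any other key."""
    want = {("s3:x-amz-server-side-encryption", "aws:kms"),
            ("s3:x-amz-server-side-encryption-aws-kms-key-id", kms_key_arn)}
    seen = set()
    for st in _statements(policy):
        if st.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(st.get("Action", [])):
            continue
        for k, v in st.get("Condition", {}).get("StringNotEquals", {}).items():
            seen.add((k, v))
    return want <= seen


# Constructed placeholders, not real resources.
EXAMPLE_BUCKET = "example-org-app-data"
EXAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"

if __name__ == "__main__":
    print(json.dumps(tls_and_kms_bucket_policy(EXAMPLE_BUCKET, EXAMPLE_KEY), indent=2))
```

The two PutObject statements mean clients must send the SSE-KMS headers explicitly; a bucket that relies on default encryption alone will see those writes rejected, which is the intended effect when a specific key is mandated.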
IAM and Access Control
- Use role-based access with least privilege
- No wildcard permissions in production identity policies: no Action "*", no service-wide "service:*", and no Resource "*" on actions that support resource-level permissions
- Require MFA for privileged actions
- IAM roles must have maximum session duration ≤ 12 hours (the AWS maximum); default to 1 hour and document any longer value
- Tag all resources with Owner, Environment, DataClassification
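A linter for the wildcard rule above, added here as an example and not part of the standard or any AWS tooling. It flags Allow statements with Action "*", service-wide "service:*", NotAction/NotResource, and Resource "*" on anything other than Describe/List calls, which need "*" because those APIs have no resource-level permissions. The read-only heuristic and both sample policies are constructed for illustration.

```python
"""Added example: lint IAM identity policies for the production wildcard rule.
The policies below are constructed samples, not from any real account."""
import re

# Actions that legitimately need Resource "*" because the API has no
# resource-level permissions (assumed heuristic: Describe*/List* calls).
_READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List)[A-Za-z0-9]*$")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy):
    """Return [(sid, severity, message)]; an empty list means the policy passes."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # broad Deny statements are fine
        sid = st.get("Sid", f"Statement[{i}]")
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "HIGH",
                             "NotAction/NotResource grants everything not listed"))
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions:
            findings.append((sid, "CRITICAL", "Action '*' grants every API"))
        for a in actions:
            if a != "*" and a.endswith(":*"):
                findings.append((sid, "HIGH", f"service-wide wildcard {a}"))
        if "*" in resources:
            broad = [a for a in actions if not _READ_ONLY.match(a)]
            if broad:
                findings.append((sid, "HIGH",
                                 f"Resource '*' with non-read actions {broad}"))
    return findings


# Constructed sample: passes the rule.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadInventory", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "AppBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
    ],
}

# Constructed sample: every way of smuggling a wildcard in.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "Escape", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for sid, sev, msg in lint_policy(pol):
            print(f"{name}/{sid}: [{sev}] {msg}")
```

Run this over policy documents exported from the production accounts (for example the output of iam get-policy-version) as part of the quarterly access review; the Deny statement in the bad sample is ignored on purpose, since a broad Deny narrows access rather than widening it.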
Logging and Monitoring
- Enable CloudTrail API logging for all regions
- Forward logs (CloudTrail, AWS Config, VPC Flow Logs, GuardDuty findings) to the centralized security account
- Enable GuardDuty for threat detection
- Alert on critical security events (root login, IAM policy changes, security group changes)
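Detection logic for the three critical events listed above, added here as an example and not part of the standard or of GuardDuty: it classifies records from a CloudTrail log file and also raises on any mutating root API call, which goes beyond the page's list. The event-name sets are the IAM and EC2 API names involved; the sample records, account ID and ARNs are constructed.

```python
"""Added example: classify CloudTrail records against the alert list.
The records are constructed samples in CloudTrail's log-file layout
({"Records": [...]}); the account ID and ARNs are placeholders."""
import json

# IAM API calls that change who can do what (assumed, not exhaustive).
IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy",
    "DeletePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
}
# EC2 API calls that change security-group membership or rules.
SG_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def classify(record):
    """Return the alert names a single CloudTrail record triggers."""
    alerts = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    if ident.get("type") == "Root":
        if name == "ConsoleLogin":
            outcome = record.get("responseElements") or {}
            alerts.append(f"RootConsoleLogin:{outcome.get('ConsoleLogin', 'Unknown')}")
        elif not record.get("readOnly", False):
            # Beyond the standard's list: the root user should never be used for
            # day-to-day work, so any mutating root API call is worth a page.
            alerts.append("RootApiActivity")
    if source == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        alerts.append("IamPolicyChange")
    if source == "ec2.amazonaws.com" and name in SG_EVENTS:
        alerts.append("SecurityGroupChange")
    return alerts


def scan_log_file(text):
    """Parse one CloudTrail log file; return (eventTime, actor, eventName, alert)."""
    hits = []
    for rec in json.loads(text).get("Records", []):
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("type", "?")
        for alert in classify(rec):
            hits.append((rec.get("eventTime"), actor, rec.get("eventName"), alert))
    return hits


ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}

SAMPLE_LOG = json.dumps({"Records": [  # constructed records
    {"eventTime": "2024-05-01T08:00:00Z", "userIdentity": ROOT, "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "userIdentity": USER, "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False},
    {"eventTime": "2024-05-01T08:06:00Z", "userIdentity": ROLE, "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False},
    {"eventTime": "2024-05-01T08:07:00Z", "userIdentity": ROLE, "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True},
    {"eventTime": "2024-05-01T08:10:00Z", "userIdentity": ROOT, "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "readOnly": False},
    {"eventTime": "2024-05-01T08:20:00Z", "userIdentity": ROOT, "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}},
]})

if __name__ == "__main__":
    for when, actor, name, alert in scan_log_file(SAMPLE_LOG):
        print(f"{when} {alert:<26} {name:<32} {actor}")
```

In production the same classify function would sit behind an EventBridge rule or the SIEM's CloudTrail parser rather than reading files; failed root logins are kept as a distinct outcome because a burst of them is the signal for a credential-stuffing attempt on the most privileged identity in the account.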
Compliance and Auditing
- Use AWS Config rules to enforce standards
- Quarterly access reviews of IAM roles and policies
- Automated compliance scanning with open-source tools (Prowler, ScoutSuite)
Control Mapping