Security in the cloud requires regular Linux/network security, but also configuring your cloud accounts securely and then maintaining that configuration.
Some good things to consider:
- You'll want to use Infrastructure as Code as soon as possible. Ensure that whatever you create, whether via IaC or via the web consoles, is secured as you create it. This usually requires more work upfront.
- An important thing to check is, for instance, the default VPC, subnets, etc. in AWS, which need to be secured.
- Be mindful of making everything managed if your budget can't handle it. But if your budget can handle it, use as many managed services as you can to reduce work and mistakes.
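As an added example of securing the default VPC through IaC (this is my illustration, not code from the notes or from any guide they cite), the Terraform below adopts the default VPC that AWS creates in every region and strips the permissive defaults from it. Terraform's `aws_default_*` resources do not create anything; they take over the existing default resources so they are tracked in state. Declaring the default security group and network ACL with no ingress/egress blocks makes the provider remove every rule from them, and each default subnet is adopted with public IP auto-assignment turned off. The region, provider version and tag names are assumptions; repeat the module per region you actually use.

```hcl
# Added example (not from the original notes): lock down the default VPC
# that AWS creates in every region. Terraform adopts these default
# resources rather than creating them. Region and tags are assumptions.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption: apply this once per region you use
}

# Adopt the default VPC so it is tracked (and tagged) in state.
resource "aws_default_vpc" "default" {
  tags = { Name = "default-do-not-use" }
}

# Weak setting (what AWS gives you): the default security group allows all
# egress and all traffic between its members. Declaring it with NO
# ingress/egress blocks makes Terraform remove every rule from it.
resource "aws_default_security_group" "default" {
  vpc_id = aws_default_vpc.default.id
  # intentionally no ingress {} / egress {} blocks -> all rules removed
  tags = { Name = "default-sg-locked" }
}

# Same for the default network ACL: with no rules declared it denies all.
resource "aws_default_network_acl" "default" {
  default_network_acl_id = aws_default_vpc.default.default_network_acl_id
  tags                   = { Name = "default-nacl-locked" }
}

# Adopt the default subnet in each availability zone and stop it handing
# out public IPs, so an instance dropped in by mistake is not reachable
# from the internet.
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_default_subnet" "default" {
  for_each                = toset(data.aws_availability_zones.available.names)
  availability_zone       = each.key
  map_public_ip_on_launch = false
  tags                    = { Name = "default-subnet-${each.key}" }
}
```

Run `terraform plan` first: for an account that already has workloads in the default VPC, the plan will show the rules being stripped, which is exactly the moment to notice something still depends on them. Deleting the default VPC outright is cleaner where nothing uses it, but adopting and locking it down is the safer first step and keeps the state visible.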
There is a great guide by Latacora on SOC2 for AWS. It outlines 7 major areas that should generally be covered by good security practice anyway. They note that SOC2 is primarily an accounting exercise, not a security one.
Primary takeaways for me:
- You need to set up SSO and pay for SSO support
- You should use Terraform (or similar) to set up your resources
- You need multiple AWS accounts (as Coinbase explains in their linked article), which you can use assume-role to gain access to.
  - Primarily to gain read-only access (only perform changes via Terraform after a PR, via CI, etc.).
- Set up centralized logging as soon as possible, because doing it later is very difficult.
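The following Terraform is an added example covering two of the takeaways above: the multi-account read-only role reached via assume-role, and centralized logging set up from day one. It is my illustration, not code from the notes, from Latacora or from Coinbase. It assumes an "identity" account whose SSO users assume roles into workload accounts, a separate log-archive account that owns the trail bucket, and placeholder account IDs and bucket names (`111111111111`, `222222222222`, `example-org-cloudtrail-logs`). The S3 bucket and its bucket policy allowing CloudTrail delivery are assumed to exist already.

```hcl
# Added example (not from the notes or the guides they cite).
# Assumptions: an identity account (111111111111) whose users assume roles
# into workload accounts (222222222222 is one placeholder), and a
# log-archive account that owns the trail bucket named below.
locals {
  identity_account_id = "111111111111"                 # placeholder
  log_bucket_name     = "example-org-cloudtrail-logs"  # placeholder
}

# --- In every workload account: a read-only role humans may assume ---
data "aws_iam_policy_document" "readonly_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.identity_account_id}:root"]
    }
    # Only callers that authenticated with MFA may assume the role.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "readonly" {
  name                 = "OrgReadOnly"
  assume_role_policy   = data.aws_iam_policy_document.readonly_trust.json
  max_session_duration = 3600 # one hour: re-authenticate, no long-lived sessions
}

# AWS-managed ReadOnlyAccess: humans look, the CI pipeline changes things.
resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# --- How a PR-triggered `terraform plan` (or a person) targets that account ---
# The provider assumes the role; nobody holds long-lived keys for the
# workload account itself. The apply pipeline would use a separate,
# write-capable role not shown here.
provider "aws" {
  alias  = "workload"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/OrgReadOnly" # placeholder
    session_name = "terraform-plan"
  }
}

# --- Centralized logging: one organization trail, created early ---
# Created in the management account. Every member account's API calls land
# in the log-archive bucket, including accounts created later, which is
# what makes "set it up first" cheap and "retrofit it" painful.
resource "aws_cloudtrail" "org" {
  name                          = "org-trail"
  s3_bucket_name                = local.log_bucket_name
  is_organization_trail         = true
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true # digest files detect tampering with delivered logs
}
```

The design point is that each account holds only the roles the identity account's users need, the trust policy requires MFA, and the session length is short. Humans get `ReadOnlyAccess` through this role; the only path to a change is a PR that the CI pipeline applies with its own, separately trusted role, so every change is reviewed and every API call from either path is already in the central trail.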