Illustration by Freepik Storyset

AWS Security Quickstart

$9,995
  • AWS Multi-Account and Organizations Setup
  • AWS Security Operations
  • AWS IAM Remediation
  • AWS Data At Rest Protection
  • Documentation and Training
  • AWS Security Assessment included

AWS Security Quickstart

AWS Security Quickstart is a service designed to remediate high and critical flaws in AWS accounts, reducing the attack surface and risk exposure. Remediation is sometimes a prerequisite before the integration of DevSecOps work is performed. 

 

All changes are made according to the AWS Well Architected Framework and Current AWS Security Best Practices.

 

Note: Any intrusive security that requires the re-creation of an instance or direct modification of production systems is not in scope by default. Cloud Security Labs will make every effort to communicate detailed instructions for work that requires Cardless engineering support.

Jumpstart Your Security Within 90-Days

We will help you set up your AWS account based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices. 

One of the most important aspects of any work performed is documentation. Cloud Security Labs will document all work completed so that your engineers and management will have a transparent understanding of the new infrastructure. We will also do live training sessions to bring Engineers and Managers up to speed.

Cloud Security Labs will:

  • Document all configurations in your company's wiki (Confluence, Notion, Google Docs, etc.)
  • Provide training to your administrators on the implemented configuration (4 x 1 hr sessions

We will configure and enable AWS native security services as necessary as a prerequisite to alerting and investigating issues in AWS. All services are enabled at the Organization level where supported to assure consistent configuration across all existing and new AWS accounts. SIEM setup, configuration, and operation are not included.

Cloud Security Labs will recommend and/or enable the following where applicable:

  • Enable Organization Trail (CloudTrail)
  • Send logs to S3 bucket in Logging account
  • Enable AWS Guardduty
  • Enable Security Hub
  • AWS Inspector (Agentless)

Identity is the new perimeter. This service will identify excessive IAM permissions in your account and work with you to create and transition to a role-based access (RBAC) model of authentication for your users.

Cloud Security Labs will recommend and/or enable the following where applicable:

  • Secure AWS Root Accounts
  • Enable MFA for IAM Users
  • Configure password policy
  • Audit AWS IAM Access and create roles based on recent usage and least privilege
  • Audit, review, and deactivate Unused IAM keys in AWS Accounts

*Note: Any IAM changes and modifications require close engagement, coordination, and planning with Senior Cardless Engineers.

We will review your AWS data assets and provide recommendations on data protection measures to improve resiliency and data protection from accidental or malicious deletion/modification or unauthorized data access. Cloud Security Labs will implement controls where little to no impact to production systems is expected, such as enabling S3 Versioning, MFA Delete, or block public access. Services that can only be created upon creation and not after an instance is created would require Client intervention to enable and are not in scope. Disaster Recovery and Business Continuity are also not included.

Cloud Security Labs will recommend and/or enable the following where applicable:

  • Versioning on critical assets
  • Block Public Access on non-public S3 buckets
  • MFA Delete on critical assets
  • S3 object Lifecycle controls
  • S3 encryption at rest
  • S3 Replication into backup account where applicable
  • Point-in-time recovery (PITR) for DynamoDB

One of the most important aspects of any work performed is documentation. Cloud Security Labs will document all work completed so that your engineers and management will have a transparent understanding of the new infrastructure. We will also do live training sessions to bring Engineers and Managers up to speed.

Cloud Security Labs will:

  • Document all configurations in your company's wiki (Confluence, Notion, Google Docs, etc.)
  • Provide training to your administrators on the implemented configuration (4 x 1 hr sessions)

Included with all Cloud Security Labs engagements is a security assessment of up to 5 AWS Accounts. Our assessment uses manual and automated tooling to review and inventory your AWS accounts.

The following is a sample of items reviewed during an assessment:

  • Excessive (0.0.0.0/0) security groups or ports accessible
  • MFA on Root Account
  • Active Root Account Access Keys
  • Weak password policy
  • Public RDS snapshots
  • Unencrypted RDS network access
  • EC2 encrypted snapshots
  • CloudTrail enabled
  • Unused security groups
  • Cloudfront TLS configuration
  • Encryption at rest of databases
  • Web Application Firewall (WAF)
  • Redundancy and disaster recovery

Customer Requirements

Delivery of projects is dependent on resources dedicated to the delivery of projects. Cloud Security Labs will coordinate with your company on scheduling and prioritization and integrate into the existing Sprint Workflow.

FAQ

Sample roles include administrator, DevOps, power user, and read-only or security roles.

We will enable MFA (password vault setup required), disable root keys, rotate passwords, and change emails (as needed).

AWS security is an expedited implementation and is expected to be completed in 2-3 weeks, but may extend longer.

We will be able to provide this service for one of your AWS accounts.

Copyright ©2020-2021 Cloud Security Labs. All rights reserved.