AWS Security Settings
AWS Security Settings are described below:
Server-side encryption is enabled for Kinesis using a custom (customer-managed) KMS key rather than the AWS-managed default key, so the key policy controls which principals can read the stream data.
Amazon RDS data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas and snapshots. RDS databases are encrypted using keys held in AWS Key Management Service (KMS); RDS encryption uses the industry-standard AES-256 algorithm to encrypt data on the server that hosts the RDS instance. Amazon RDS also supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition). With TDE, the database engine automatically encrypts data before it is written to storage and automatically decrypts it when it is read back. Note that storage encryption protects data at rest only: it does not encrypt client connections to the database, and it cannot be switched on for an existing unencrypted instance, which must instead be restored from a snapshot into a new encrypted instance.
Amazon S3 data protection: server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key and, as an additional safeguard, encrypts that key with a master key that it rotates regularly. Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256), one of the strongest block ciphers available. Alternatively, objects can be encrypted with a customer master key (CMK, now called a KMS key) stored in AWS Key Management Service (SSE-KMS). SSE-KMS additionally provides an audit trail in CloudTrail showing who used the key and when, and a caller must hold kms:Decrypt on that key as well as s3:GetObject to read an object, so the key policy and the bucket policy together control access.
Encryption in transit is enforced for Amazon S3 over HTTPS: a bucket policy denies any request for which the aws:SecureTransport condition key is false, so data moving to and from Amazon S3 is always encrypted on the wire (a TLS request carries "aws:SecureTransport": "true").
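The following is an added example, not code from the original page: a bucket policy that implements the aws:SecureTransport check described above, plus a small offline evaluator that mirrors S3's rule that an explicit Deny beats any Allow. The bucket name, account ID and role ARN are placeholders chosen for the example, and the evaluator only models the Bool condition operator this policy uses.

```python
import fnmatch
import json

BUCKET = "example-bucket"                              # placeholder bucket name (assumed)
APP_ROLE = "arn:aws:iam::123456789012:role/app-role"   # placeholder role ARN (assumed)

# Bucket policy: one Allow for the application role, plus a blanket Deny for any
# request that did not arrive over TLS. S3 honours an explicit Deny before any
# Allow, so the second statement wins regardless of other grants.
ENFORCE_TLS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRole",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return isinstance(principal, dict) and caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    # Only the Bool operator is modelled; it is all this policy uses.
    return all(context.get(k) == v for k, v in condition.get("Bool", {}).items())


def evaluate(policy, caller, action, resource, tls):
    """Decide one request under one bucket policy: 'Deny', 'Allow' or 'ImplicitDeny'.
    tls=False models a plain-HTTP request, i.e. aws:SecureTransport == "false"."""
    context = {"aws:SecureTransport": "true" if tls else "false"}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


def enforces_tls(policy):
    """Audit check: does the policy deny every S3 action, for every principal,
    when aws:SecureTransport is false? This is the statement shape to look for."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
            continue
        if "s3:*" not in _as_list(stmt["Action"]):
            continue
        if stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false":
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(ENFORCE_TLS_POLICY, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for caller, tls in [(APP_ROLE, True), (APP_ROLE, False),
                        ("arn:aws:iam::123456789012:user/other", True)]:
        print(caller, "https" if tls else "http", "->",
              evaluate(ENFORCE_TLS_POLICY, caller, "s3:GetObject", obj, tls))
```

The Deny lists both the bucket ARN and the object ARN pattern so that bucket-level calls such as ListBucket are covered as well as object reads and writes; in practice a plain-HTTP request against such a bucket fails with 403 AccessDenied even when the caller's IAM policy would otherwise allow it.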
The Lambda execution role policy grants only the actions the function actually needs, for example ec2:CreateNetworkInterface and the other network-interface actions a VPC-attached function requires, rather than a wildcard such as ec2:*.
HTTPS is configured between the ALB and the EC2 targets, so traffic is re-encrypted after TLS termination at the load balancer instead of being forwarded in plaintext. Note that an Application Load Balancer does not validate the target's certificate, so this protects the hop's confidentiality but does not authenticate the backend.
KMS key policies are explicit about who can access each key: access is restricted to named principals, and the default statement granting the account root principal kms:* has been removed. That root statement is what lets IAM policies in the account grant access to the key; once it is gone, only principals named in the key policy itself can use or administer the key, and at least one of them must retain kms:PutKeyPolicy, otherwise the key policy can no longer be changed.
ALB listeners use the predefined security policy ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01. The TLS-1-1 policy still negotiates TLS 1.1, which is deprecated (RFC 8996); where clients permit it, prefer the TLS 1.2-only policy or a newer TLS 1.2/1.3 policy such as ELBSecurityPolicy-TLS13-1-2-2021-06.
Inbound rules that allowed all traffic (0.0.0.0/0) have been removed; inbound access is permitted only from an explicit allow-list of IP addresses.
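As an added example covering the Lambda execution role, the KMS key policy and the IP allow-list items above (this is illustrative code, not the page's own configuration), the block below embeds a weak and a corrected version of each setting and runs an offline check over them. The account ID, role names, log group, key policy principals and the 203.0.113.0/24 and 198.51.100.7 source ranges are placeholders; the required Lambda action set assumes a VPC-attached function whose log group already exists.

```python
import fnmatch
import ipaddress

ACCOUNT = "123456789012"                               # placeholder account ID (assumed)
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/kms-admin"    # placeholder roles (assumed)
KEY_USER = f"arn:aws:iam::{ACCOUNT}:role/app-role"


def _as_list(v):
    return v if isinstance(v, list) else [v]


# 1. Lambda execution role: "ec2:*" versus only the ENI and logging actions a
#    VPC-attached function needs. Region and log group name are placeholders.
WEAK_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

LEAST_PRIVILEGE_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"]},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": f"arn:aws:logs:eu-west-1:{ACCOUNT}:log-group:/aws/lambda/example-fn:*"}]}


def wildcard_actions(policy):
    """Every allowed action that contains a wildcard, e.g. 'ec2:*' or '*'."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in _as_list(s["Action"]) if "*" in a]


# 2. KMS key policy. The console default gives the account root principal kms:*,
#    which delegates access to every IAM policy in the account. Removing it is the
#    setting described above; the check also catches the failure mode where nobody
#    keeps kms:PutKeyPolicy and the policy can never be changed again.
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}

RESTRICTED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow", "Principal": {"AWS": KEY_ADMIN},
     "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
                "kms:EnableKeyRotation", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "KeyUsage", "Effect": "Allow", "Principal": {"AWS": KEY_USER},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}

# Root removed but no administrator kept: the usage statement alone.
UNMANAGEABLE_KEY_POLICY = {"Version": "2012-10-17",
                           "Statement": [RESTRICTED_KEY_POLICY["Statement"][1]]}


def kms_policy_findings(policy):
    """Return a list of problems with a key policy (empty list means it passes)."""
    findings, can_put_policy = [], False
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        p = s.get("Principal", {})
        principals = _as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
        actions = _as_list(s["Action"])
        if "*" in principals and "Condition" not in s:
            findings.append("key policy grants access to every principal")
        if any(pr.endswith(":root") for pr in principals) and "kms:*" in actions:
            findings.append("root principal has kms:* (access delegated to IAM policies)")
        if any(fnmatch.fnmatchcase("kms:PutKeyPolicy", a) for a in actions):
            can_put_policy = True
    if not can_put_policy:
        findings.append("no principal can call kms:PutKeyPolicy: key policy is unmanageable")
    return findings


# 3. Security group ingress: the allow-all rule versus an explicit IP allow-list
#    (documentation address ranges used as placeholders).
WEAK_INGRESS = [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]
ALLOWLIST_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "203.0.113.0/24"},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "198.51.100.7/32"},
]


def open_ingress_rules(rules):
    """Rules reachable from anywhere: a /0 source in IPv4 (0.0.0.0/0) or IPv6 (::/0)."""
    return [r for r in rules
            if ipaddress.ip_network(r.get("CidrIp") or r.get("CidrIpv6"),
                                    strict=False).prefixlen == 0]


if __name__ == "__main__":
    print("lambda wildcards:", wildcard_actions(WEAK_LAMBDA_POLICY),
          wildcard_actions(LEAST_PRIVILEGE_LAMBDA_POLICY))
    for name, pol in [("default", DEFAULT_KEY_POLICY), ("restricted", RESTRICTED_KEY_POLICY),
                      ("unmanageable", UNMANAGEABLE_KEY_POLICY)]:
        print(f"kms {name}:", kms_policy_findings(pol))
    print("open ingress:", open_ingress_rules(WEAK_INGRESS), open_ingress_rules(ALLOWLIST_INGRESS))
```

The same three checks can be pointed at live configuration by feeding them the documents returned by get-role-policy, get-key-policy and describe-security-groups; the key-policy check in particular is worth running before removing the root statement, since a policy that fails the kms:PutKeyPolicy test cannot be repaired afterwards without AWS Support.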
Certifications
ISO 27001 Certified—completed.
System and Organization Controls (SOC)—completed.
PCI DSS—certification in progress.