The Northwestern Cloud Community of Practice recommends these practices for secure operation of AWS accounts and resources.
To discuss these recommendations or for advice and guidance on implementation please visit the Resources section of this site. Azure recommendations are also available.
Account Creation
All use of AWS for storing Northwestern data or hosting Northwestern services should occur in accounts provisioned under or migrated to the Northwestern contract with AWS.
The Northwestern AWS contract includes a discount on AWS services, direct billing to a chart string, and access to the CloudCheckr cost and security management tool.
Additionally, Northwestern has a Business Associate Agreement in place with Amazon, which is a requirement for running regulated workloads or storing regulated data with AWS (e.g. HIPAA). The Business Associate Agreement can only be utilized through an AWS account under the Northwestern contract.
To request a new AWS account under the Northwestern contract, visit the Public Cloud Services section of the IT Service Catalog. To transfer an existing AWS subscription, please contact the Cloud Operations Group directly.
Credentials and Access Control
AWS IAM should be used to limit user and service accounts to the least privileges necessary to perform their work.
Network Firewalls
Use Amazon VPC configured in a default deny mode and permit only the minimum necessary services for each application.
Additionally, enable host-based firewalls on any virtual servers running in AWS.
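"Default deny" in a VPC means that the only inbound rules present are the ones an application needs; in practice the thing to audit is security groups that admit traffic from the whole internet. The Python below is an added example, not part of this page or of AWS: it walks security-group descriptions in the shape returned by `aws ec2 describe-security-groups` (trimmed to the fields used) and reports every internet-reachable inbound rule that is not on an explicit allowlist of (protocol, port) pairs. The group ids and addresses are constructed placeholders.

```python
import ipaddress

# Constructed security groups in the describe-security-groups shape; ids are placeholders.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            # IpProtocol "-1" is AWS shorthand for all protocols and all ports.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _is_whole_internet(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes with length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_span(perm):
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_public_ingress(groups, allowed_public=frozenset({("tcp", 443)})):
    """Return (group_id, protocol, from_port, to_port, cidr) for each inbound
    rule open to the whole internet that is not an approved single port."""
    findings = []
    for grp in groups:
        for perm in grp.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = _port_span(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_whole_internet(cidr):
                    continue
                if lo == hi and (proto, lo) in allowed_public:
                    continue  # exactly one approved port, e.g. HTTPS on a web tier
                findings.append((grp["GroupId"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for f in find_public_ingress(SAMPLE_GROUPS):
        print("public ingress:", f)
```

Run against real output, the allowlist should be per application (the page's "minimum necessary services for each application"), so a web tier would approve port 443 while a database tier approves nothing public at all.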
Security and Monitoring
Use AWS CloudTrail to log all account activity to a dedicated S3 bucket. (This is configured by default on all AWS accounts provisioned under the Northwestern contract.)
Use Amazon CloudWatch Logs if your local IT organization lacks an existing centralized logging solution for your EC2 instances.
Use AWS GuardDuty for continuous security monitoring and AWS Inspector to assess and identify security vulnerabilities.
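CloudTrail logs are only useful if something reads them. The Python below is an added example, not part of this page or an AWS service: it runs three simple detections over CloudTrail records in newline-delimited JSON form (the format CloudTrail writes to S3 after the `Records` array is unwrapped): any activity by the root user, a successful console login without MFA, and API calls that switch off or weaken CloudTrail or GuardDuty. The event names used are real CloudTrail/GuardDuty API names; the records themselves are constructed, with a placeholder account id and addresses.

```python
import json

# Constructed CloudTrail-style records; account id 000000000000 and IPs are placeholders.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-03-01T09:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::000000000000:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::000000000000:user/deploy-bot"},
     "requestParameters": {"name": "account-trail"}},
    {"eventTime": "2024-03-01T09:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::000000000000:assumed-role/app/i-0abc"},
     "requestParameters": {"bucketName": "example-bucket", "key": "data.csv"}},
    {"eventTime": "2024-03-01T09:40:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::000000000000:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
])

# API calls that disable or narrow the audit trail or threat detection.
MONITORING_TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
}


def analyse_trail(ndjson):
    """Return (rule, eventName, actor_arn) for every record that trips a rule."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        actor = ident.get("arn", "?")
        name = ev.get("eventName")
        source = ev.get("eventSource")

        # Root should be reserved for break-glass use; any call is worth a look.
        if ident.get("type") == "Root":
            alerts.append(("root-account-activity", name, actor))

        # Successful console sign-in where MFA was not used.
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console-login-without-mfa", name, actor))

        # Changes to the logging/monitoring services themselves.
        if name in MONITORING_TAMPER.get(source, ()):
            alerts.append(("monitoring-tampering", name, actor))
    return alerts


if __name__ == "__main__":
    for alert in analyse_trail(SAMPLE_TRAIL):
        print(*alert)
```

The same rules map directly onto CloudWatch Logs metric filters or GuardDuty findings; the point of the script is to show what each rule keys on so the managed equivalents can be verified rather than assumed.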
Data Protection
Data stored in AWS VMs should be backed up via AWS Backup.
AWS S3 buckets are already architected for high durability and there is no managed service for backing them up. However, versioning and object lock can prevent unintended user actions.
All data volumes and storage accounts must be tagged with approved data sensitivity classification (e.g. “Sensitive”, “Non-sensitive”, “HIPAA”).
This will aid in auditing to ensure appropriate data access and backup controls are in place.
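The classification tag is what makes the audit in the two paragraphs above mechanical. The Python below is an added example, not Northwestern's tooling: it checks a list of volumes and buckets (tags in the `Tags: [{Key, Value}]` shape the EC2 and S3 APIs return) for a present and approved classification, and, tying in the versioning recommendation above, reports buckets classified Sensitive or HIPAA whose versioning is not enabled. The tag key `DataClassification` is an assumption (the page names no key), and the resource ids are constructed placeholders.

```python
APPROVED_CLASSIFICATIONS = {"Sensitive", "Non-sensitive", "HIPAA"}
PROTECTED = {"Sensitive", "HIPAA"}
TAG_KEY = "DataClassification"  # assumed tag key; the page does not name one

# Constructed resources; ids and names are placeholders. "Versioning" mirrors the
# Status field of get-bucket-versioning (Enabled / Suspended / absent).
SAMPLE_RESOURCES = [
    {"Id": "vol-0000000000000001", "Type": "ebs-volume",
     "Tags": [{"Key": "DataClassification", "Value": "HIPAA"},
              {"Key": "Name", "Value": "clinic-db"}]},
    {"Id": "vol-0000000000000002", "Type": "ebs-volume",
     "Tags": [{"Key": "Name", "Value": "scratch"}]},
    {"Id": "example-research-bucket", "Type": "s3-bucket",
     "Tags": [{"Key": "DataClassification", "Value": "Sensitive"}],
     "Versioning": "Suspended"},
    {"Id": "example-public-site", "Type": "s3-bucket",
     "Tags": [{"Key": "DataClassification", "Value": "Non-sensitive"}],
     "Versioning": None},
]


def tag_value(resource, key):
    """Return the value of the first tag with the given key, or None."""
    for tag in resource.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def audit_classification(resources):
    """Return (resource_id, problem) for each resource that fails the policy."""
    findings = []
    for r in resources:
        cls = tag_value(r, TAG_KEY)
        if cls is None:
            findings.append((r["Id"], f"missing {TAG_KEY} tag"))
            continue
        if cls not in APPROVED_CLASSIFICATIONS:
            # Exact match: "sensitive" is not an approved value and would be
            # invisible to any tag-based access or backup rule.
            findings.append((r["Id"], f"unapproved classification {cls!r}"))
            continue
        # Versioning lets an unintended delete or overwrite be undone.
        if (r["Type"] == "s3-bucket" and cls in PROTECTED
                and r.get("Versioning") != "Enabled"):
            findings.append((r["Id"], "protected bucket without versioning enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_classification(SAMPLE_RESOURCES):
        print(*finding)
```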
Software Updates and Patching
Apply critical security patches within seven days of publication and all other security patches within 90 days.
AWS EC2 Systems Manager allows you to group and view operational data from multiple AWS services. Additionally, you can maintain security and compliance by scanning and reporting on your managed instances.
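Turning the seven-day and 90-day targets into a report is straightforward once per-instance patch status is available from Systems Manager. The Python below is an added example, not an AWS feature: it applies the page's two deadlines to a list of patch records and returns the missing patches that are past due, with how many days late each is. The records are constructed, loosely modelled on the Title/Severity/State fields Patch Manager reports, with a release date added; instance ids are placeholders.

```python
from datetime import date, timedelta

# Deadlines from the page: critical within 7 days, everything else within 90.
SLA_DAYS = {"Critical": 7}
DEFAULT_SLA_DAYS = 90

# Constructed patch records; instance ids and patch titles are placeholders.
SAMPLE_PATCHES = [
    {"Instance": "i-0000000000000001", "Title": "kernel-2024-001",
     "Severity": "Critical", "State": "Missing", "ReleaseDate": date(2024, 3, 1)},
    {"Instance": "i-0000000000000001", "Title": "openssl-2024-002",
     "Severity": "Important", "State": "Missing", "ReleaseDate": date(2024, 1, 1)},
    {"Instance": "i-0000000000000002", "Title": "kernel-2024-001",
     "Severity": "Critical", "State": "Installed", "ReleaseDate": date(2024, 3, 1)},
    {"Instance": "i-0000000000000002", "Title": "sudo-2023-004",
     "Severity": "Important", "State": "Missing", "ReleaseDate": date(2023, 11, 1)},
    {"Instance": "i-0000000000000002", "Title": "libxml-2024-003",
     "Severity": "Moderate", "State": "Missing", "ReleaseDate": date(2024, 3, 10)},
]


def deadline(patch):
    """Date by which the patch must be installed under the policy."""
    days = SLA_DAYS.get(patch["Severity"], DEFAULT_SLA_DAYS)
    return patch["ReleaseDate"] + timedelta(days=days)


def overdue_patches(patches, today):
    """Return (instance, title, days_overdue) for missing patches past their deadline."""
    return [
        (p["Instance"], p["Title"], (today - deadline(p)).days)
        for p in patches
        if p["State"] == "Missing" and today > deadline(p)
    ]


def compliance_by_instance(patches, today):
    """Map each instance id to True when it has no overdue patches."""
    overdue = {inst for inst, _, _ in overdue_patches(patches, today)}
    return {p["Instance"]: p["Instance"] not in overdue for p in patches}


if __name__ == "__main__":
    as_of = date(2024, 3, 15)
    for row in overdue_patches(SAMPLE_PATCHES, as_of):
        print("overdue:", *row)
    print(compliance_by_instance(SAMPLE_PATCHES, as_of))
```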
VM Operating Systems
Use either official AWS AMIs or a community AMI provided by the OS vendor.
Cost Optimization
Account owners should review account charges regularly to mitigate the risk of unauthorized or unintended use of cloud resources.
The AWS Billing and Cost Management Dashboard in CloudCheckr provides access to billing reports for Northwestern AWS subscriptions.
Additionally, account owners should review the AWS Trusted Advisor service, available within the AWS portal, for cost optimization recommendations. Seven checks are included with every account; additional checks and recommendations are available for an additional cost.