
AWS Cloud Security Cheat Sheet: Passwords Policy - IAM Logging


AWS Cloud Security Cheat Sheet

Enhance your cloud security using these essential commands to safeguard your storage resources, implement logging and set IAM policies. Using this cheat sheet, you can secure your AWS environment in no time.

Passwords policy – IAM

Set IAM password policy expiry date within 90 days or less
    aws iam update-account-password-policy --max-password-age 90

Ensure IAM password policy prevents password reuse (24 times)
    aws iam update-account-password-policy --password-reuse-prevention 24

Storage

Enable MFA Delete on S3 buckets
    aws s3api put-bucket-versioning --profile <profile> --bucket <bucketName> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<accountNumber>:mfa/root-account-mfa-device <MFACode>"

Enable rotation for customer created CMKs
    aws kms enable-key-rotation --key-id <kmsKeyID>

Enable EBS encryption by default
    aws --region <region> ec2 enable-ebs-encryption-by-default

Ensure that S3 Buckets are configured with 'Block public access'
    aws s3api put-public-access-block --bucket <bucketName> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Logging

Enable CloudTrail in all regions
    aws cloudtrail create-trail --name <trailName> --s3-bucket-name <bucketForCloudtrail> --is-multi-region-trail

Enable CloudTrail log file validation
    aws cloudtrail update-trail --name <trailName> --enable-log-file-validation

Ensure CloudTrail trails are integrated with CloudWatch Logs
    aws cloudtrail update-trail --name <trailName> --cloud-watch-logs-log-group-arn <cloudtrailLogGroupArn> --cloud-watch-logs-role-arn <cloudtrailCloudwatchLogsRoleArn>

Enable IAM Access Analyzer for all regions
    aws accessanalyzer create-analyzer --analyzer-name <analyzerName> --type <value>

Ensure that Object-level logging for read events is enabled for S3 bucket
    aws cloudtrail put-event-selectors --region <regionName> --trail-name <trailName> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<bucketName>/"] }] }]'

Ensure that Object-level logging for write events is enabled for S3 bucket
    aws cloudtrail put-event-selectors --region <regionName> --trail-name <trailName> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<bucketName>/"] }] }]'
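The commands above set the controls; the script below is an added example (not part of the Cyscale cheat sheet) that audits them afterwards. It reads the JSON that `aws iam get-account-password-policy`, `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors` return and reports deviations from the cheat sheet's thresholds; the sample responses embedded here are constructed, and the third check also catches a pitfall of the two put-event-selectors commands, which each replace the trail's whole selector list.

```python
import json
# Constructed sample responses (not real account data); field names follow the
# real get-account-password-policy, describe-trails and get-event-selectors shapes.
PASSWORD_POLICY = json.loads(
    '{"PasswordPolicy": {"MaxPasswordAge": 120, "PasswordReusePrevention": 5}}')
TRAILS = json.loads('{"trailList": [{"Name": "mgmt-trail", "IsMultiRegionTrail": true,'
                    ' "LogFileValidationEnabled": false, "CloudWatchLogsLogGroupArn":'
                    ' "arn:aws:logs:us-east-1:111122223333:log-group:ct-logs:*"}]}')
EVENT_SELECTORS = json.loads('{"EventSelectors": [{"ReadWriteType": "WriteOnly",'
                             ' "IncludeManagementEvents": true, "DataResources": [{"Type":'
                             ' "AWS::S3::Object", "Values": ["arn:aws:s3:::example-bucket/"]}]}]}')

def check_password_policy(policy):
    """Findings against the 90-day expiry and 24-password reuse thresholds."""
    p = policy.get("PasswordPolicy", {})
    findings = []
    age = p.get("MaxPasswordAge")  # key absent means passwords never expire
    if age is None or age > 90:
        findings.append("max-password-age should be 90 days or less")
    if p.get("PasswordReusePrevention", 0) < 24:
        findings.append("password-reuse-prevention should be 24")
    return findings

def check_trails(trails):
    """Multi-region, log file validation and CloudWatch Logs integration."""
    findings = []
    for t in trails.get("trailList", []):
        if not t.get("IsMultiRegionTrail"):
            findings.append(f"{t['Name']}: not multi-region")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{t['Name']}: log file validation disabled")
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append(f"{t['Name']}: not integrated with CloudWatch Logs")
    return findings

def check_s3_data_events(selectors):
    """Findings when S3 object-level read or write events are not logged. Note that
    put-event-selectors replaces the whole list, so running the ReadOnly command
    and then the WriteOnly one leaves only write events logged."""
    covered = set()
    for sel in selectors.get("EventSelectors", []):
        if any(r.get("Type") == "AWS::S3::Object" for r in sel.get("DataResources", [])):
            kind = sel.get("ReadWriteType", "All")
            covered |= {"Read", "Write"} if kind == "All" else {kind.replace("Only", "")}
    return [f"S3 object-level {k.lower()} events not logged" for k in ("Read", "Write") if k not in covered]

if __name__ == "__main__":
    for f in check_password_policy(PASSWORD_POLICY) + check_trails(TRAILS) + check_s3_data_events(EVENT_SELECTORS):
        print("FINDING:", f)
```

To log both read and write S3 events on one trail, issue a single put-event-selectors call with "ReadWriteType": "All" rather than the two separate calls.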

You can find these commands, and more, in Cyscale. The Cyscale Platform is a powerful cloud security solution that automates cloud misconfiguration checks, strengthens cloud security, and simplifies compliance tasks. By leveraging advanced contextual analysis and providing actionable insights, the platform empowers organizations to confidently embrace the cloud while ensuring a robust security posture. Streamline your cloud security management and gain peace of mind with Cyscale.

cyscale.com
