AWS - Initial AWS Account Configuration

A number of changes are made to each AWS account to:
  • Increase compliance with the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark
  • Allow the Public Cloud Team and our AWS reseller (DLT) to support the account
These changes are not enforced after account creation; they are documented below.

Our AWS reseller DLT applies some configuration to accounts, as documented here.

Please contact the UW Cloud Team if you have any concerns about the IAM objects, or any of the configuration items.

Costs associated with initial AWS account configuration

Even if an AWS account is not actively used by a customer, the default configuration will still incur ~$7.00 in charges each month. These base monthly charges are related to three AWS Config rules that are associated with each account, and which cost $2/month each.

Default region

Unless otherwise specified, the default region for all AWS services is Oregon (us-west-2).

This region is selected as the default because it is the region most likely to have all AWS services available. Therefore, Oregon (us-west-2) should be left as the default region unless there is a specific need to work in a different region (e.g. reduce latency).

See AWS documentation (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) for specifics of what services are available in which regions.

IAM groups

IAM: Groups:
  • public-cloud-billing
    • Group policies: AWSAccountActivityAccess, AWSAccountUsageReportAccess
  • public-cloud-cybersecurity
    • Group policies: AWSAccountActivityAccess, AWSAccountUsageReportAccess, SecurityAudit
  • public-cloud-readonly
    • Group policies: AWSAccountActivityAccess, AWSAccountUsageReportAccess, ReadOnlyAccess
  • DLT-support
    • Group policies: DLT-AWS-Support-Access

IAM users

IAM: Users:
  • public-cloud-billing
    • Groups: public-cloud-billing
    • Used by Public Cloud billing to assist in billing questions
  • public-cloud-cybersecurity
    • Groups: public-cloud-cybersecurity
    • Used by UW-Madison Cybersecurity to audit for security compliance
  • DLT-support
    • Groups: DLT-AWS-Support-Access
    • Used by DLT support

IAM roles

IAM: Roles:

  • config-role-<region>
  • NetIDAdministratorAccess
  • NetIDBillingAccess
  • NetIDReadOnlyAccess
  • NetIDSecurityAudit
  • CloudCheckr - This IAM role is used at the UW Madison Org account level to provide access to the DLT billing tool.

Additional IAM user permissions

My Account:

‘IAM user access to billing information is activated’ is enabled.

IAM Policies

IAM: Policies:
  • Policy Name: public-cloud-restrict-ec2-and-s3-to-us-regions
  • Description: Restrict EC2 and S3 to US regions
The 'public-cloud-restrict-ec2-and-s3-to-us-regions' policy can be attached to IAM users, groups, or roles whose EC2 and S3 use should be restricted to US regions.
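The page names the region-restriction policy but does not show its document. The following is an added illustration, not the team's actual policy: an assumed explicit-Deny policy on the aws:RequestedRegion condition key, with a small evaluator that applies only the IAM semantics this policy shape uses (Deny, action wildcards, StringNotEquals), so the effect on EC2, S3 and unrelated actions can be checked offline. The list of US regions is an assumption.

```python
import json

# Assumed region list for the illustration; the real policy may differ.
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]


def build_us_region_policy(us_regions=US_REGIONS):
    """IAM policy document denying EC2 and S3 actions whose request
    targets a region outside the given list (assumed shape, not the page's)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyEc2AndS3OutsideUS",
            "Effect": "Deny",
            "Action": ["ec2:*", "s3:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": us_regions}},
        }],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive; "service:*" covers the service
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def denies(policy, action, region):
    """True when an explicit Deny in the policy matches (action, region).
    Only Deny statements with action wildcards and a StringNotEquals
    condition on aws:RequestedRegion are understood."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_action_matches(p, action) for p in stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed_regions = cond.get("aws:RequestedRegion")
        # no condition means the Deny always applies; otherwise deny outside the list
        if allowed_regions is None or region not in allowed_regions:
            return True
    return False


if __name__ == "__main__":
    policy = build_us_region_policy()
    print(json.dumps(policy, indent=2))
    print(denies(policy, "ec2:RunInstances", "eu-west-1"))   # True
    print(denies(policy, "ec2:RunInstances", "us-west-2"))   # False
```

An explicit Deny overrides any Allow attached elsewhere, so attaching this policy restricts a principal even if another policy grants ec2:* or s3:* broadly.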

Security Groups: Restrict incoming SSH and RDP to UW-Madison in default Security Group

EC2: Security Groups:

The default security group in Oregon (us-west-2) restricts incoming SSH and RDP traffic to the IPv4 ranges assigned to the UW-Madison Campus: https://kb.wisc.edu/page.php?id=3988.

Security Groups: Create a new security group that limits incoming traffic to UW-Madison

EC2: Security Groups:

A security group named 'inbound-from-uw-madison-campus' has been created in Oregon (us-west-2) that can be used to limit all incoming traffic to the IPv4 ranges assigned to the UW-Madison Campus: https://kb.wisc.edu/page.php?id=3988.

Password policy

IAM: Account Settings: Password Policy:
  • Minimum password length: 14 characters
  • Require at least one uppercase letter
  • Require at least one lowercase letter
  • Require at least one number
  • Require at least one non-alphanumeric character
  • Allow users to change their own password
  • Prevent password reuse
    • Number of passwords to remember: 24

CloudTrail

CloudTrail is a prerequisite for the CloudWatch alarms described below. UW-Madison's Office of Cybersecurity uses CloudWatch to send alerts when specific changes to an account are made (for example, when someone logs into the account). More details on the specific alerts can be found in the Monitoring section of Public-CIS_Amazon_Web_Services_Foundations_Benchmark_v1.0.0.docx, available at https://kb.wisc.edu/public-cloud/page.php?id=65538.

[Charges may be incurred as a result of these configuration changes]
CloudTrail: Get Started:
  • Trail name: Public-Cloud-CloudTrail
  • Apply to all regions: Yes
  • Create a new S3 bucket: Yes
  • S3 bucket: public-cloud-cloudtrail-logs

CloudTrail: Trails: Public-Cloud-CloudTrail: CloudWatch Logs: Configure:
  • Log group: CloudTrail/DefaultLogGroup

S3: public-cloud-cloudtrail-logs: Properties: Logging:
  • Enabled
  • Target Bucket: public-cloud-cloudtrail-logs
  • Target Prefix: logs/

CloudWatch

[Charges may be incurred as a result of these configuration changes]
CloudWatch: Alarms:
  • CloudTrailRootSignIn
    • RootSignInEventCount >= 1 for 5 minutes
  • CloudTrailIAMPolicyChanges
    • IAMPolicyEventCount >= 1 for 5 minutes
  • CloudTrailConfigChanges
    • ConfigEventCount >= 1 for 5 minutes
  • CloudTrailRouteTableChanges
    • RouteTableEventCount >= 1 for 5 minutes
  • CloudTrailS3Activity
    • S3BucketEventCount >= 1 for 5 minutes
  • CloudTrailAuthorizationFailures
    • AuthorizationFailureCount >= 1 for 5 minutes
  • CloudTrailNetworkAclChanges
    • NetworkAclEventCount >= 1 for 5 minutes
  • CloudTrailVpcChanges
    • VpcEventCount >= 1 for 5 minutes
  • CloudTrailEC2InstanceChanges
    • EC2InstanceEventCount >= 1 for 5 minutes
  • CloudTrailChanges
    • CloudTrailEventCount >= 1 for 5 minutes
  • CloudTrailConsoleSignInFailures
    • ConsoleSignInFailureCount >= 3 for 5 minutes
  • CloudTrailGatewayChanges
    • GatewayEventCount >= 1 for 5 minutes
  • CloudTrailSecurityGroupChanges
    • SecurityGroupEventCount >= 1 for 5 minutes
  • CloudTrailEC2LargeInstanceChanges
    • EC2LargeInstanceEventCount >= 1 for 5 minutes
All alarms notify UW-Madison Cybersecurity via email.
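Each alarm above is a CloudWatch Logs metric filter over CloudTrail events plus a threshold over a 5-minute period. As an added example (not the team's CloudFormation templates), the following reproduces two of them in plain Python over constructed CloudTrail JSON lines: CloudTrailRootSignIn (>= 1) and CloudTrailConsoleSignInFailures (>= 3). The filter predicates follow the common CIS benchmark patterns for these alarms, which is an assumption about what the stacks deploy.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the "for 5 minutes" period on the page


def is_root_sign_in(ev):
    # Root identity acting directly: not an AWS service acting on root's
    # behalf (invokedBy) and not an AwsServiceEvent
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_console_sign_in_failure(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")


# alarm name -> (event predicate, threshold within WINDOW); thresholds from the page
ALARMS = {
    "CloudTrailRootSignIn": (is_root_sign_in, 1),
    "CloudTrailConsoleSignInFailures": (is_console_sign_in_failure, 3),
}


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def alarms_triggered(log_lines):
    """Names of alarms whose threshold is met by matching events inside
    some 5-minute window of the given CloudTrail JSON lines."""
    events = sorted((json.loads(l) for l in log_lines if l.strip()), key=_ts)
    fired = set()
    for name, (pred, threshold) in ALARMS.items():
        times = [_ts(e) for e in events if pred(e)]
        for i, start in enumerate(times):  # sliding window starting at each match
            if sum(1 for t in times[i:] if t - start <= WINDOW) >= threshold:
                fired.add(name)
                break
    return fired


# Constructed sample events (not real CloudTrail output): three failed console
# logins within four minutes, then a root API call invoked by an AWS service.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"eventTime": "2020-06-25T13:00:05Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "errorMessage": "Failed authentication", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2020-06-25T13:01:10Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "errorMessage": "Failed authentication", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2020-06-25T13:03:40Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "errorMessage": "Failed authentication", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2020-06-25T13:10:00Z", "eventName": "DescribeTrails", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
]]

if __name__ == "__main__":
    print(sorted(alarms_triggered(SAMPLE_LINES)))  # ['CloudTrailConsoleSignInFailures']
```

The service-invoked root event is deliberately excluded so that routine AWS Config activity under the root identity does not page Cybersecurity; an actual root ConsoleLogin would trip CloudTrailRootSignIn on its first occurrence.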

AWS Config

[Charges may be incurred as a result of these configuration changes]
AWS Config: (AWS Config is enabled in all regions that support AWS Config)
  • Resource types to record:
    • All resources:
      • Record all resources supported in this region: Enabled
      • Include global resources (e.g., AWS IAM resources): Enabled
  • Amazon S3 bucket:
    • Bucket name: config-bucket-<account number>
  • Amazon SNS topic:
    • Stream configuration changes and notifications to an Amazon SNS topic:
      • Topic: config-topic
  • AWS Config role:
    • Default: config-role-us-west-2
AWS Config rules: (AWS Config rules are only enabled in the default region)
  • cloudtrail-enabled
    • This rule costs $2/month and checks whether AWS CloudTrail is enabled in your AWS account. If it is not enabled, AWS Config alerts UW-Madison's Office of Cybersecurity for review.
  • restricted-ssh
    • This rule costs $2/month and checks whether security groups that are in use disallow unrestricted incoming SSH traffic. If security groups are found to allow unrestricted incoming SSH traffic, AWS Config alerts UW-Madison's Office of Cybersecurity for review.
  • restricted-common-ports
    • This rule costs $2/month and checks whether security groups that are in use disallow unrestricted incoming TCP traffic to FTP, Windows Remote Desktop, and MySQL. If security groups are found to allow unrestricted incoming traffic to any of these services, AWS Config alerts UW-Madison's Office of Cybersecurity for review.

CloudFormation stacks

[Charges may be incurred as a result of these configuration changes]
CloudFormation:
  • CloudWatchAlarmsForCloudTrailCISAdditions: AWS CloudTrail API Activity Alarm Template (CIS AWS Foundations 1.0 additions) for CloudWatch Logs
  • CloudWatchAlarmsForCloudTrail: AWS CloudTrail API Activity Alarm Template for CloudWatch Logs

Encryption At Rest

Accounts created after August 15, 2019 have encryption at rest enabled by default for EBS volumes.

See Also:

Commonly Referenced Docs:
  • UW Madison Public Cloud Team Events
  • Online Learning Classes for Cloud Vendors
  • What Data Elements are allowed in the Public Cloud

Keywords: aws root account setup initial config configuration
Doc ID: 65537
Owner: Steve T.
Group: Public Cloud
Created: 2016-07-27 16:59 CDT
Updated: 2020-06-25 08:24 CDT
Sites: Public Cloud