AWS - Initial AWS Account Configuration

Note that this document refers to the default setup for legacy (pre-2022) DLT AWS accounts, which are not managed with AWS Control Tower.


A number of changes are made to each AWS account to:
  • Increase compliance with the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark
  • Enable AWS GuardDuty to provide better security alerting
  • Allow the Public Cloud Team and our AWS reseller (DLT) to support the account
Those changes, while not enforced after account creation, are documented below.
Our AWS reseller DLT applies some configuration to accounts, as documented here.
Please Contact the Public Cloud Team if you have any concerns about the IAM objects, or any of the configuration items.

Costs associated with initial AWS account configuration

Even if an AWS account is not actively used by a customer, the default configuration will still incur ~$10.00 in charges each month. These base monthly charges come from the three AWS Config rules (listed under AWS Config below) and GuardDuty, which are associated with each account.

Default region

Unless otherwise specified, the default region for all AWS services is Ohio (us-east-2).
This region is selected as the default because it is the region most likely to have all AWS services available. Therefore, Ohio (us-east-2) should be left as the default region unless there is a specific need to work in a different region (e.g. reduce latency).
See AWS documentation (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) for specifics of what services are available in which regions.

IAM groups

IAM: Groups:
  • public-cloud-billing
    • Group policies: AWSAccountActivityAccess, AWSAccountUsageReportAccess
  • public-cloud-cybersecurity
    • Group policies: AWSAccountActivityAccess, AWSAccountUsageReportAccess, SecurityAudit
  • public-cloud-readonly
    • Group policies: AWSAccountActivityAccess, AWSAccountUsageReportAccess, ReadOnlyAccess
  • DLT-support
    • Group policies: DLT-AWS-Support-Access

IAM roles

IAM: Roles:
  • config-role-<region>
  • NetIDFullAdmin
  • NetIDAdminAccess
  • NetIDReadOnlyAccess
  • NetIDSecurityAudit
See also: AWS - Granting Users Access to the AWS Management Console using NetID Authentication.

Additional IAM user permissions

My Account:
'IAM user access to billing information is activated' is enabled.

IAM Policies

IAM: Policies:
  • Policy Name: public-cloud-restrict-ec2-and-s3-to-us-regions
  • Description: Restrict EC2 and S3 to US regions
The 'public-cloud-restrict-ec2-and-s3-to-us-regions' policy can be attached to IAM users, groups or roles to restrict their EC2 and S3 access to US regions.
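The page does not show the policy document itself, so the following is an added example (not the Public Cloud Team's actual policy) of how a region restriction of this kind is commonly written: an explicit Deny on ec2:* and s3:* whenever the aws:RequestedRegion condition key is outside an allowed list. An explicit Deny wins over any Allow granted elsewhere, which is what makes it usable as an add-on policy. The list of US regions and the small local evaluator are assumptions constructed for the example.

```python
"""Illustrative region-restriction policy plus a minimal local evaluator.
Added example; the page does not publish the real policy document."""
import json

# Constructed list of US commercial regions for the example; adjust as needed.
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]


def build_region_restriction_policy(allowed_regions=US_REGIONS):
    """Explicit Deny of EC2 and S3 calls whose aws:RequestedRegion is not
    in allowed_regions. Other services (IAM, STS, ...) are untouched."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEc2AndS3OutsideUS",
                "Effect": "Deny",
                "Action": ["ec2:*", "s3:*"],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and may end in a '*' wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_denied(policy, action, requested_region):
    """Return True when a Deny statement in `policy` matches `action` and its
    StringNotEquals/aws:RequestedRegion condition holds. This implements only
    the subset of the IAM policy language used above (constructed for
    illustration, not a general IAM simulator)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if not isinstance(actions, list):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}) \
                      .get("aws:RequestedRegion", [])
        # StringNotEquals with a list is true when the key matches none of them.
        if requested_region not in allowed:
            return True
    return False


if __name__ == "__main__":
    policy = build_region_restriction_policy()
    print(json.dumps(policy, indent=2))
    for action, region in [("ec2:RunInstances", "us-east-2"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("s3:PutObject", "ap-southeast-1"),
                           ("iam:CreateUser", "eu-west-1")]:
        verdict = "DENIED" if is_denied(policy, action, region) else "allowed"
        print(f"{action} in {region}: {verdict}")
```

A Deny-only policy like this has no effect on principals it is not attached to, so it complements rather than replaces the permissions granted through the groups and roles above; when auditing, confirm it is attached to every user, group or role that should be region-limited.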

Security Groups: Restrict incoming SSH and RDP to UW-Madison in default Security Group

EC2: Security Groups:
The default security group in Ohio (us-east-2) restricts incoming SSH and RDP traffic to the IPv4 ranges assigned to the UW-Madison Campus: https://kb.wisc.edu/page.php?id=3988.

Security Groups: Create a new security group that limits incoming traffic to UW-Madison

EC2: Security Groups:
A security group named 'inbound-from-uw-madison-campus' has been created in Ohio (us-east-2) that can be used to limit all incoming traffic to the IPv4 ranges assigned to the UW-Madison Campus: https://kb.wisc.edu/page.php?id=3988.

Password policy

IAM: Account Settings: Password Policy:
  • Minimum password length: 14 characters
  • Require at least one uppercase letter 
  • Require at least one lowercase letter 
  • Require at least one number
  • Require at least one non-alphanumeric character
  • Allow users to change their own password
  • Prevent password reuse
    • Number of passwords to remember: 24

CloudTrail

CloudTrail is a prerequisite for the CloudWatch alarms described below, which are driven by CloudTrail events delivered to CloudWatch Logs. UW-Madison's Office of Cybersecurity uses CloudWatch to send alerts when specific changes to an account are made, for example, when someone logs into the account. More details on the specific alerts can be found in the Monitoring section of Public-CIS_Amazon_Web_Services_Foundations_Benchmark_v1.0.0.docx, available at https://kb.wisc.edu/public-cloud/page.php?id=65538.
[Charges may be incurred as a result of these configuration changes]
CloudTrail: Get Started:
  • Trail name: Public-Cloud-CloudTrail
  • Apply to all regions: Yes
  • Create a new S3 bucket: Yes
  • S3 bucket: public-cloud-cloudtrail-logs
CloudTrail: Trails: Public-Cloud-CloudTrail: CloudWatch Logs: Configure:
  • Log group: CloudTrail/DefaultLogGroup
S3: public-cloud-cloudtrail-logs: Properties: Logging:
  • Enabled
  • Target Bucket: public-cloud-cloudtrail-logs
  • Target Prefix: logs/

CloudWatch

[Charges may be incurred as a result of these configuration changes]
CloudWatch: Alarms:
  • CloudTrailRootSignIn
    • RootSignInEventCount >= 1 for 5 minutes
  • CloudTrailIAMPolicyChanges
    • IAMPolicyEventCount >= 1 for 5 minutes
  • CloudTrailConfigChanges
    • ConfigEventCount >= 1 for 5 minutes
  • CloudTrailRouteTableChanges
    • RouteTableEventCount >= 1 for 5 minutes
  • CloudTrailS3Activity
    • S3BucketEventCount >= 1 for 5 minutes
  • CloudTrailAuthorizationFailures
    • AuthorizationFailureCount >= 1 for 5 minutes
  • CloudTrailNetworkAclChanges
    • NetworkAclEventCount >= 1 for 5 minutes
  • CloudTrailVpcChanges
    • VpcEventCount >= 1 for 5 minutes
  • CloudTrailEC2InstanceChanges
    • EC2InstanceEventCount >= 1 for 5 minutes
  • CloudTrailChanges
    • CloudTrailEventCount >= 1 for 5 minutes
  • CloudTrailConsoleSignInFailures
    • ConsoleSignInFailureCount >= 3 for 5 minutes
  • CloudTrailGatewayChanges
    • GatewayEventCount >= 1 for 5 minutes
  • CloudTrailSecurityGroupChanges
    • SecurityGroupEventCount >= 1 for 5 minutes
  • CloudTrailEC2LargeInstanceChanges
    • EC2LargeInstanceEventCount >= 1 for 5 minutes
All alarms notify UW-Madison Cybersecurity via email.
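To make the alarm list above concrete, here is an added example (not the team's CloudFormation templates or CloudWatch configuration) that re-creates four of these detections locally and runs them over constructed sample CloudTrail events. In the real account the detections are CloudWatch Logs metric filters plus alarms; here the CIS-style filter patterns are paraphrased as Python predicates and the "for 5 minutes" threshold is approximated by bucketing events into fixed 5-minute windows. The event samples, thresholds taken from the list above, and the set of IAM policy event names are assumptions for the example.

```python
"""Local re-creation of CloudTrailRootSignIn, CloudTrailConsoleSignInFailures,
CloudTrailIAMPolicyChanges and CloudTrailAuthorizationFailures. Added example;
paraphrases the CIS metric-filter patterns rather than using CloudWatch syntax."""
from collections import defaultdict
from datetime import datetime, timedelta

IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}

# Metric name -> (predicate over one CloudTrail event, alarm threshold per window)
METRICS = {
    "RootSignInEventCount": (
        lambda e: e.get("userIdentity", {}).get("type") == "Root"
        and "invokedBy" not in e.get("userIdentity", {})
        and e.get("eventType") != "AwsServiceEvent",
        1),
    "ConsoleSignInFailureCount": (
        lambda e: e.get("eventName") == "ConsoleLogin"
        and e.get("errorMessage") == "Failed authentication",
        3),
    "IAMPolicyEventCount": (lambda e: e.get("eventName") in IAM_POLICY_EVENTS, 1),
    "AuthorizationFailureCount": (
        lambda e: e.get("errorCode", "").endswith("UnauthorizedOperation")
        or e.get("errorCode", "").startswith("AccessDenied"),
        1),
}


def _window_start(event_time):
    """Floor an ISO-8601 CloudTrail eventTime to its 5-minute window."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
    return ts - timedelta(minutes=ts.minute % 5, seconds=ts.second)


def evaluate_alarms(events):
    """Return the set of metric names whose count in any 5-minute window
    reaches that metric's threshold (the alarm would fire)."""
    counts = defaultdict(int)
    for event in events:
        window = _window_start(event["eventTime"])
        for name, (predicate, _threshold) in METRICS.items():
            if predicate(event):
                counts[(name, window)] += 1
    return {name for (name, _w), n in counts.items() if n >= METRICS[name][1]}


# Constructed sample events (not real log data); field names follow CloudTrail.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T14:01:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T14:02:10Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T14:02:40Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T14:30:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T15:00:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    # Two failed console logins in one window stay under the threshold of 3,
    # while the root sign-in and the authorization failure each fire at 1.
    print(sorted(evaluate_alarms(SAMPLE_EVENTS)))
```

The root sign-in predicate excludes events with `invokedBy` and `AwsServiceEvent` so that AWS services acting on the account's behalf do not trip the alarm; the sign-in-failure threshold of 3 mirrors the CloudTrailConsoleSignInFailures setting above, which is why two failures in one window produce no alert while a third in the same window would.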

AWS Config

[Charges may be incurred as a result of these configuration changes]
AWS Config: (AWS Config is enabled in all regions that support AWS Config)
  • Resource types to record:
    • All resources:
      • Record all resources supported in this region: Enabled
      • Include global resources (e.g., AWS IAM resources): Enabled
  • Amazon S3 bucket:
    • Bucket name: config-bucket-<account number>
  • Amazon SNS topic:
    • Stream configuration changes and notifications to an Amazon SNS topic:
      • Topic: config-topic
  • AWS Config role:
    • Default: config-role-us-east-2
AWS Config rules: (AWS Config rules are enabled in the US regions)
  • cloudtrail-enabled
    • This rule costs $2/month and checks whether AWS CloudTrail is enabled in your AWS account. If it is not enabled, AWS Config alerts UW-Madison's Office of Cybersecurity for review.
  • restricted-ssh
    • This rule costs $2/month and checks whether security groups that are in use disallow unrestricted incoming SSH traffic. If security groups are found to allow unrestricted incoming SSH traffic, AWS Config alerts UW-Madison's Office of Cybersecurity for review.
  • restricted-common-ports
    • This rule costs $2/month and checks whether security groups that are in use disallow unrestricted incoming TCP traffic to FTP, Windows Remote Desktop, and MySQL. If security groups are found to allow unrestricted incoming traffic to any of these services, AWS Config alerts UW-Madison's Office of Cybersecurity for review.
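The following added example (not the AWS managed rules themselves, and not the team's code) shows what the restricted-ssh and restricted-common-ports checks above look for, applied to a describe_security_groups-style structure. It also illustrates the two Security Groups sections above: a group that only admits SSH and RDP from a campus range passes, while groups open to 0.0.0.0/0 or ::/0 are reported. The sample groups, group ids and the campus CIDR are constructed placeholders (the real UW-Madison ranges are at the KB link given above); MySQL, FTP and RDP are the services the page names for restricted-common-ports, and SSH is added to cover restricted-ssh.

```python
"""Local approximation of the restricted-ssh and restricted-common-ports checks.
Added example; flags groups whose inbound rules reach the listed TCP ports
from the whole internet."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports the page's Config rules cover: SSH (restricted-ssh) and FTP, RDP, MySQL.
COMMON_PORTS = {21: "FTP", 22: "SSH", 3306: "MySQL", 3389: "RDP"}


def _rule_sources(rule):
    """All IPv4 and IPv6 CIDR sources of one inbound permission."""
    return ({r["CidrIp"] for r in rule.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])})


def _rule_covers_port(rule, port):
    """True if the permission admits TCP traffic to `port`."""
    if rule.get("IpProtocol") == "-1":      # "-1" means all protocols/ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def find_unrestricted_ports(security_groups):
    """Return {GroupId: sorted [(port, service), ...]} for every group that
    allows any COMMON_PORTS entry from ANYWHERE; compliant groups are omitted."""
    findings = {}
    for sg in security_groups:
        open_ports = set()
        for rule in sg.get("IpPermissions", []):
            if not (_rule_sources(rule) & ANYWHERE):
                continue                    # source-restricted rule, fine
            for port, service in COMMON_PORTS.items():
                if _rule_covers_port(rule, port):
                    open_ports.add((port, service))
        if open_ports:
            findings[sg["GroupId"]] = sorted(open_ports)
    return findings


# Constructed sample groups; 192.0.2.0/24 is an RFC 5737 documentation range
# standing in for the campus address space.
CAMPUS_CIDR = "192.0.2.0/24"
SAMPLE_GROUPS = [
    {"GroupId": "sg-campus-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": CAMPUS_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": CAMPUS_CIDR}]},
    ]},
    {"GroupId": "sg-wide-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # A broad port range silently includes MySQL and RDP.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-all-traffic-v6", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, ports in find_unrestricted_ports(SAMPLE_GROUPS).items():
        print(group_id, ports)
```

Two details worth noting when reading Config findings: a rule with IpProtocol "-1" exposes every port even though no port numbers appear in it, and a wide port range (3000-3500 above) triggers the MySQL and RDP findings without naming either port.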

CloudFormation stacks

[Charges may be incurred as a result of these configuration changes]
CloudFormation:
  • CloudWatchAlarmsForCloudTrailCISAdditions: AWS CloudTrail API Activity Alarm Template (CIS AWS Foundations 1.0 additions) for CloudWatch Logs
  • CloudWatchAlarmsForCloudTrail: AWS CloudTrail API Activity Alarm Template for CloudWatch Logs
Encryption At Rest

Accounts created after August 15th 2019 have encryption at rest enabled by default for EBS volumes.

If you have any questions, feedback or ideas, please Contact Us.

Commonly Referenced Docs:
  • UW Madison Public Cloud Team Events
  • Online Learning Classes for Cloud Vendors
  • What Data Elements are allowed in the Public Cloud