Audit-checklist

1
Columns in the source sheet: #, Section, Name, Severity, Description, Procedure (the Procedure column is empty for every row).

Section: AWS

1. MFA enabled (severity 9)
* Is MFA enabled on all accounts and enforced?

2. Restrict AWS API calls from whitelisted IPs (severity 7)
* The AWS API is your cloud control plane. Great care should be taken to protect it from the internet.
* API calls to your AWS accounts should only be allowed from a set of whitelisted IP addresses your company owns.
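
The restriction in item 2 is normally expressed as an explicit-deny IAM policy keyed on `aws:SourceIp`. The example below is added here and is not part of the original checklist: it builds such a policy document and includes a small evaluator that walks through how the condition decides for a given caller address. The CIDR ranges are constructed placeholders, and the `aws:ViaAWSService` condition is included because a plain source-IP deny also blocks calls that AWS services make on the principal's behalf (CloudFormation, Lambda, and so on), which carry no caller IP.

```python
"""
Added example (not from the checklist): an IAM policy that denies every AWS
API call not originating from company-owned address ranges, plus a small
evaluator showing how the condition block decides. The CIDRs are constructed
placeholders; replace them with your own public egress ranges.
"""
import ipaddress
import json

# Constructed allowlist: replace with the public egress ranges your company owns.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]


def source_ip_deny_policy(cidrs):
    """Build an explicit-deny statement keyed on aws:SourceIp.

    The aws:ViaAWSService=false condition keeps the deny from blocking calls
    that AWS services make on the principal's behalf, since those calls do
    not carry the human caller's source IP and would otherwise be denied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideCorporateIPs",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": list(cidrs)},
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            }
        ],
    }


def call_is_denied(policy, source_ip, via_aws_service=False):
    """Evaluate the deny statement for one API call the way IAM would.

    Returns True when the call is blocked. Only the NotIpAddress and Bool
    keys used by the policy above are handled; this is a teaching evaluator,
    not a general IAM simulator.
    """
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        cidrs = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
        in_allowlist = any(addr in ipaddress.ip_network(c) for c in cidrs)
        via_required = cond.get("Bool", {}).get("aws:ViaAWSService", "false")
        # A condition block matches only when every key in it matches.
        if not in_allowlist and str(via_aws_service).lower() == via_required:
            return True
    return False


if __name__ == "__main__":
    policy = source_ip_deny_policy(ALLOWED_CIDRS)
    print(json.dumps(policy, indent=2))
    print("from office:", call_is_denied(policy, "203.0.113.42"))
    print("from unknown network:", call_is_denied(policy, "192.0.2.7"))
    print("via CloudFormation:", call_is_denied(policy, "192.0.2.7", True))
```

Attach the statement to the users or roles that humans use, not to service roles, and verify it with the IAM policy simulator from one of the allowed addresses before rolling it out, since a mistake in the CIDR list locks the whole organisation out of the control plane. Calls that enter through a VPC endpoint are evaluated against `aws:VpcSourceIp` rather than `aws:SourceIp` and need their own condition.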

3. Enable VPC Flow Logs (severity 6)
* VPC Flow Logs are logs of metadata about IP traffic on your cloud network.
* Having visibility, or at least a way to retroactively inspect what is going on, is invaluable for planning and security reasons.
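
To show what "retroactively inspect what is going on" looks like once the logs exist, here is an added example (not from the checklist) that parses records in the default VPC Flow Log format and answers two questions a reviewer would ask: which external addresses are being rejected most, and whether any SSH or RDP connection from outside the private address space was actually accepted. The log lines are constructed samples, and the RFC1918 ranges used to define "internal" are an assumption you would replace with your own allocation.

```python
"""
Added example (not from the checklist): read VPC Flow Log records in the
default format and summarise them. The records below are constructed
samples; the "internal" ranges are an assumption.
"""
import ipaddress
from collections import Counter

# Default flow log format, version 2, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60708 10.0.1.12 10.0.2.40 51422 443 6 12 3010 1715600000 1715600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60708 198.51.100.77 10.0.1.12 60211 22 6 1 60 1715600001 1715600061 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60708 198.51.100.77 10.0.1.12 60212 3389 6 1 60 1715600002 1715600062 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60708 203.0.113.9 10.0.1.12 44000 22 6 20 4249 1715600003 1715600063 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60708 - - - - - - - 1715600004 1715600064 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60708 10.0.1.12 8.8.8.8 53511 53 17 2 150 1715600005 1715600065 ACCEPT OK
"""

# Assumption: everything in RFC1918 space is "ours"; adjust to your allocation.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flow_logs(text):
    """Return one dict per well-formed record with log-status OK.

    NODATA and SKIPDATA records carry no addresses and are dropped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def exposed_admin_accepts(records):
    """Accepted TCP flows to SSH/RDP whose source is outside our ranges."""
    return [
        (r["srcaddr"], r["dstaddr"], r["dstport"])
        for r in records
        if r["action"] == "ACCEPT" and r["protocol"] == 6
        and r["dstport"] in ADMIN_PORTS and not is_internal(r["srcaddr"])
    ]


def rejects_by_source(records):
    """Count REJECT records per source address (noisy scanners float to the top)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    print("exposed admin accepts:", exposed_admin_accepts(recs))
    print("rejects by source:", rejects_by_source(recs).most_common(5))
```

In practice the records come from CloudWatch Logs or an S3 bucket rather than a string; the parsing and the two summaries are the same. A single accepted external SSH flow is a finding on its own, because it means a security group allows it.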

4. AWS Trusted Advisor (severity 7)
* AWS provides a tool that shows common misconfigurations in your AWS account.
* Use it to see what you may have misconfigured.
* Caution: there are a lot of false positives, but for the most part it is a good idea to clear the findings, since the tool exists to help you identify security weaknesses in your account.

5. Using AWS root account (severity 9)
* If you are using your AWS root account to launch resources, you should reconsider.
* The root account should not be used for anything but administrative purposes and for creating the first IAM user, from which all further work is done.
* The root account has privileges beyond those of the AWS Admin role and should not be used for building infrastructure.
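
Items 1 and 5 can both be checked from the IAM credential report, which lists every user (the root user appears as `<root_account>`) with its MFA state, password activity and access keys. The example below is added here and is not part of the checklist: it flags password-enabled users without MFA, and it reports whether root has MFA, holds an access key, or has been used recently, which is the symptom of item 5. The CSV is a constructed sample using the real report's column names, trimmed to the columns these checks read; `fetch_report()` is the only part that talks to AWS.

```python
"""
Added example (not from the checklist): audit the IAM credential report for
items 1 (MFA on every account) and 5 (root account in daily use).
SAMPLE_REPORT is a constructed sample with the real column names, trimmed
to the columns read here. fetch_report() needs boto3 and AWS credentials.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT = "<root_account>"

# Constructed sample; values follow the report's conventions
# (true/false, N/A, no_information, not_supported, ISO-8601 timestamps).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-02T09:14:11+00:00,false,true,2024-05-01T08:00:00+00:00,false
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-01T10:00:00+00:00,true,true,2024-05-01T10:05:00+00:00,false
bob,arn:aws:iam::123456789012:user/bob,true,2024-04-28T07:30:00+00:00,false,false,N/A,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,no_information,false,true,2024-05-02T06:00:00+00:00,false
"""


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def _recent(stamp, now, days):
    """True when an ISO timestamp from the report lies within the last N days."""
    if stamp in ("N/A", "no_information", "not_supported", ""):
        return False
    return now - datetime.fromisoformat(stamp) <= timedelta(days=days)


def users_without_mfa(rows):
    """Item 1: every console-password user, and root, must have MFA.

    API-only users (password_enabled=false) cannot enrol a console MFA
    device, so they are out of scope here; their keys are a separate check.
    """
    return sorted(
        r["user"] for r in rows
        if r["mfa_active"] != "true"
        and (r["password_enabled"] == "true" or r["user"] == ROOT)
    )


def root_findings(rows, now=None, days=90):
    """Item 5: root should have MFA, no access keys, and no recent activity.

    `now` may be omitted (current time) or given as an ISO-8601 string.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    root = next((r for r in rows if r["user"] == ROOT), None)
    if root is None:
        return ["root account missing from report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root has no MFA")
    if "true" in (root["access_key_1_active"], root["access_key_2_active"]):
        findings.append("root has an active access key")
    if _recent(root["password_last_used"], now, days):
        findings.append(f"root console login within the last {days} days")
    if _recent(root["access_key_1_last_used_date"], now, days):
        findings.append(f"root access key used within the last {days} days")
    return findings


def fetch_report():
    """Pull the live report; AWS generates it asynchronously, so poll."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("users without MFA:", users_without_mfa(rows))
    print("root findings:", root_findings(rows, now="2024-05-03T00:00:00+00:00"))
```

Run it against `fetch_report()` output to audit a real account; the report is generated per account, so for an organisation loop over accounts with an assumed audit role. Any recent root activity should be matched against the CloudTrail record for that date to establish who used it and why.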

Section: GCP

9. Using default VPC (severity 6)
* Are your resources deployed into the default VPC? If so, consider creating your own VPC to deploy them into.

Section: Terraform

13. Tags on resources (severity 6)
* It is a good idea to put a common set of tags on any resource that supports tagging.
* Eventually you will want to sort resources or do cost accounting, and all of these activities require that your resources are properly tagged.
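
A tagging rule is only useful if it is enforced before `terraform apply`. The following example is added here and is not part of the checklist: it reads the JSON that `terraform show -json tfplan` produces and reports every resource being created or updated that lacks the required tags. The plan document is a constructed, trimmed sample in the shape Terraform emits, and the required tag names are an assumption.

```python
"""
Added example (not from the checklist): fail a pipeline when a Terraform
plan creates or updates taggable resources without the required tags.
Usage: terraform plan -out=tfplan && terraform show -json tfplan | python check_tags.py
SAMPLE_PLAN is a constructed, trimmed plan; REQUIRED_TAGS is an assumption.
"""
import json
import sys

REQUIRED_TAGS = {"Owner", "Environment", "CostCenter"}

# Constructed: the resource_changes shape terraform produces, trimmed.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"tags": {"Owner": "platform", "Environment": "prod",
                                       "CostCenter": "1234"}}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"tags": {"Owner": "platform"}}}},
        {"address": "aws_iam_role.app", "type": "aws_iam_role",
         "change": {"actions": ["update"],
                    "after": {"tags": None}}},
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_route_table_association.a",
         "type": "aws_route_table_association",
         "change": {"actions": ["create"], "after": {"subnet_id": "subnet-0abc"}}},
    ],
})


def missing_tags(plan_json, required=REQUIRED_TAGS):
    """Return {resource address: [missing tag names]} for the plan.

    Deletions are skipped because their `after` state is null. Resource
    types with no `tags` attribute (route table associations, for example)
    are skipped. `tags_all` is preferred when present so that provider
    default_tags are credited.
    """
    plan = json.loads(plan_json)
    problems = {}
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if not after:
            continue
        if "tags" not in after and "tags_all" not in after:
            continue
        tags = after.get("tags_all") or after.get("tags") or {}
        missing = sorted(required - set(tags))
        if missing:
            problems[rc["address"]] = missing
    return problems


def main(argv):
    plan_json = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    problems = missing_tags(plan_json)
    for address, missing in problems.items():
        print(f"{address}: missing tags {', '.join(missing)}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Setting `default_tags` on the AWS provider block covers most resources automatically, which is why the check reads `tags_all`; the check still catches resources whose tags were explicitly overridden or whose type the provider does not tag by default.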

Section: EKS

19. Cluster endpoint set to private (severity 8)
* The EKS cluster endpoint is the Kubernetes API, the control plane of the cluster.
* This endpoint should not be public and should be well protected.
* One way to do this is to make the endpoint private only, which puts more layers of security around this very important API endpoint.

20. Enable audit logs (severity 8)
* This enables output of the Kubernetes audit logs, which is useful for debugging and security purposes.

21. Encrypt workers' root disks (severity 5)
* Encryption is a good thing.
* There is almost no downside to enabling this.

22. Declarative cluster configurations (severity 8)
* Are you building EKS clusters via the GUI?
* Cluster definitions should be declarative, and the configuration files should be in Git.
* A tool like eksctl can help you achieve this.
* Doing this lets you reproduce clusters from dev, qa and staging through to prod.
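
Items 19 and 20 are both visible in the EKS DescribeCluster response, and the EC2 "EBS encryption by default" setting is a reasonable region-level proxy for item 21, since it guarantees that newly created worker root volumes are encrypted. The example below is added here and is not part of the checklist: it audits constructed responses in the shape boto3 returns; only `fetch_live()` calls AWS.

```python
"""
Added example (not from the checklist): audit an EKS cluster for items 19
(private endpoint), 20 (control plane audit logs) and 21 (worker root
volume encryption, checked through the EBS encryption-by-default setting).
SAMPLE_CLUSTER and SAMPLE_EBS_DEFAULT are constructed samples in the shape
boto3 returns; fetch_live() is the only part that calls AWS.
"""
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator"}

# Constructed: a cluster whose API is open to the internet, with only the
# "api" log stream enabled.
SAMPLE_CLUSTER = {
    "cluster": {
        "name": "dev",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
        "logging": {"clusterLogging": [
            {"types": ["api"], "enabled": True},
            {"types": ["audit", "authenticator", "controllerManager", "scheduler"],
             "enabled": False},
        ]},
    }
}
SAMPLE_EBS_DEFAULT = {"EbsEncryptionByDefault": False}


def endpoint_findings(desc):
    """Item 19: the Kubernetes API should be private-only."""
    vpc = desc["cluster"]["resourcesVpcConfig"]
    findings = []
    if vpc.get("endpointPublicAccess", True):
        cidrs = vpc.get("publicAccessCidrs", ["0.0.0.0/0"])
        if "0.0.0.0/0" in cidrs:
            findings.append("Kubernetes API reachable from the whole internet")
        else:
            findings.append(f"public endpoint limited to {cidrs}; prefer private-only")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("private endpoint access disabled")
    return findings


def enabled_log_types(desc):
    enabled = set()
    for entry in desc["cluster"].get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def logging_findings(desc, required=REQUIRED_LOG_TYPES):
    """Item 20: audit (and the related api/authenticator) streams must be on."""
    missing = sorted(required - enabled_log_types(desc))
    return [f"control plane log type not enabled: {t}" for t in missing]


def ebs_findings(ebs_default):
    """Item 21: without encryption by default, node root volumes may be plaintext."""
    if not ebs_default.get("EbsEncryptionByDefault"):
        return ["EBS encryption by default is off; worker root volumes may be unencrypted"]
    return []


def audit(desc, ebs_default):
    return endpoint_findings(desc) + logging_findings(desc) + ebs_findings(ebs_default)


def fetch_live(cluster_name, region=None):
    import boto3
    eks = boto3.client("eks", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    return eks.describe_cluster(name=cluster_name), ec2.get_ebs_encryption_by_default()


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLUSTER, SAMPLE_EBS_DEFAULT):
        print("-", finding)
```

A private-only endpoint means kubectl must run from inside the VPC (bastion, VPN or a CI runner in the network), which is the point of the control. Encryption by default covers new volumes only; existing node groups need a launch template with an encrypted root volume and a rolling replacement.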

Section: Kops

25. Declarative cluster configurations (severity 8)

Section: GKE

32. Declarative cluster configurations (severity 8)