Scripts to quickly fix security and compliance issues
AWS has a ton of good security features, but none of them are actually enabled by default. Some (like EBS Default Encryption) are buried off in an obscure settings page off a dashboard. Others like S3 Default Encryption need to be enabled each and every time. Unless you religiously read the AWS Blogs and What's New links, you might not know they exist. And don't dare go on vacation or you'll miss something!
Why AWS Accounts aren't secure & compliant by default is beyond me. While Shared Responsibility says it's our job as AWS Customers to secure ourselves in the cloud, AWS could sure do a better job on security of the cloud by making these features opt-out rather than opt-in. They'd probably find themselves in fewer El Reg articles about cloud breaches if they did.
This repo has several scripts you can run against your account to enable all the security features (and in all the regions if the feature is regional). Running this in production could have consequences because you're opt-ing in to security rather than explicitly opting out. However that's the best AWS will give us these days. sigh
- Enable KMS Customer Key Rotation
- Disable Inactive IAM Users
- Enable S3 Default Bucket Encryption
- Enable Default EBS Encryption
- Enable GuardDuty
- Enable Amazon S3 Block Public Access
The scripts in this repo only currently only require boto3
& pytz
. Both pipenv and plain pip as well
pipenv install
pip install -r requirements.txt