
Stanford AWS Security and Management Controls

Under the Shared Responsibility Model for managing cloud resources, the account holder is expected to lead the effort to secure the account itself and all the technologies deployed inside the account. Stanford makes available professional services in a fee-for-service arrangement that can assume some or all these responsibilities. Additionally, UIT will apply some initial and mandatory configuration options to help assure a more successful (and secure) experience.

Amazon Web Services (AWS) provides an account management service for organizations to consolidate multiple accounts in an offering called AWS Organizations. This service provides billing benefits and deployment of security tools to all accounts in the organization that have been given access privileges.

When an account is created through UIT, an AWS role is established. If a standalone account was created outside of this process and invited into the organization, the account owner needs to run a CloudFormation template (for details see Appendix A), which will be provided by UIT’s cloud management team.

Features

The following AWS features and security tools are deployed to each account after the necessary access role is created and/or the account has joined the AWS Organization. 

  • CloudTrail: Track user activity and API usage, which helps with governance, compliance, operational auditing, and risk auditing of your AWS account.
  • AWS Config: Assess, audit, and evaluate the configurations of your AWS resources. The following Config rules are deployed:
    • Checks whether the S3 bucket policy denies put-object requests that are not encrypted using AES-256 or AWS KMS.
    • Checks whether any security groups allow inbound traffic, other than HTTP or HTTPS traffic, with no source address restrictions.
    • Checks whether the S3 bucket Block Public Access settings deny public writes.
    • Checks whether the root user has access keys.
    • Checks whether VPC Flow Logs are enabled.
    • Checks whether EBS volumes that are in an attached state are encrypted.
    • Checks whether RDS instances are encrypted.
    • Checks whether EFS file systems are encrypted.
    • Checks whether IAM users have MFA enabled for console access.

Accounts are checked for compliance against the above set of Config rules and reports are sent out periodically. See the FAQ page for more information.

  • VPC Flow Logs: VPC Flow Logs are enabled for each VPC and logs are stored in a central bucket in S3.
  • AWS GuardDuty: A service offered by AWS for threat detection and detecting malicious activities. Logs are collected and monitored centrally.
  • AWS Security Hub: Another AWS tool to aggregate, categorize and review security and configuration issues.
  • Qualys CloudView Access: An additional tool we use for monitoring security posture.
  • Service Control Policies (SCPs): We employ SCPs to protect the deployments of the tools mentioned above and the roles associated with them. These SCPs prevent member accounts from making changes to the security tools deployed to the member accounts, so that those resources keep running properly in every member account. The default SCP, FullAWSAccess, provides the baseline access; explicit deny rules are added on top of it to protect organizational access roles and security tool deployments. Details on the SCPs currently in use are listed below.
    1. Default Full Access (FullAWSAccess):  The default SCP which provides all access. See Appendix B for the json policy statement.
    2. Protect org roles and services (org_management):  This is a set of policies combined into one SCP. The purpose of each policy is described below. See Appendix B for the json policy statements.
      • Protect organizational roles, centrally defined roles and service roles (used by centrally deployed services).
      • Protect Stanford’s SAML provider for SSO logins to work.
      • Protect VPC Flow Logs set up by the organization.
      • Protect centrally defined password policy.
      • Protect AWS GuardDuty deployment.
      • Prevent leaving the AWS Organization.
      • Protect AWS Config deployments. 
    3. Region restriction: Allow deployment of resources only in the specified AWS regions. Global resources such as S3 or CloudFront are not affected by this policy. We will enable this in the future.
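The explicit-deny pattern described above, as an added illustration rather than Stanford's actual org_management SCP (which is in Appendix B): the role name EXAMPLE-OrgManagementRole is a placeholder, and the Condition exempts that role itself so the central team can still manage it while every other principal in the member account, root included, is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectOrgRoles",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/EXAMPLE-OrgManagementRole",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/EXAMPLE-OrgManagementRole"
        }
      }
    },
    {
      "Sid": "ProtectGuardDuty",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "guardduty:StopMonitoringMembers",
        "guardduty:UpdateDetector"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectConfig",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PreventLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

SCPs never grant permissions; they only cap what IAM policies inside the member account can allow, so FullAWSAccess must remain attached alongside a deny-only policy like this one.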
Last modified June 15, 2022