AWS security audit guidelines - AWS General Reference

AWS security audit guidelines

You should periodically review your security configuration to make sure that it meets your current business needs. An audit gives you the opportunity to remove unneeded IAM users, roles, groups, and policies, and to make sure that your users and software have only the permissions they require.

The following guidelines are for systematically reviewing and monitoring your AWS resources for security best practices.

When you should perform a security audit

You should audit your security configuration in the following situations:

  • On a periodic basis. You should perform the steps described in this document at regular intervals as a best practice for security.

  • If there are changes in your organization, such as people leaving.

  • If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.

  • If you've added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.

  • If you ever suspect that an unauthorized person might have accessed your account.

Guidelines for auditing

Follow these guidelines when you review your account's security configuration:

  • Be thorough. Look at all aspects of your security configuration, including those you might not use regularly.

  • Don't assume. If you are unfamiliar with some aspect of your security configuration (for example, the reasoning behind a particular policy or the existence of a role), investigate the business need until you are satisfied.

  • Keep things simple. To make auditing (and management) easier, use IAM groups, consistent naming schemes, and straightforward policies.

Review your AWS account credentials

When you audit your AWS account credentials, take these steps:

  1. If you aren't using the account's root access keys, you can remove them. We strongly recommend that you create IAM users instead of using the root access keys for day-to-day work with AWS.

  2. If you do need to keep the account's access keys, rotate them regularly.

Review your IAM users

When you audit your existing IAM users, take these steps:

  1. List your users, and then remove users that are inactive.

  2. Remove users from groups that they don't need to be a member of.

  3. Review the policies that are attached to the groups the user is in. See Tips for reviewing IAM policies.

  4. Remove security credentials that the user doesn't need or that might have been exposed. For example, an IAM user that is used for an application does not need a password (a password is necessary only to sign in to AWS websites). Similarly, if a user does not use access keys, there is no reason for the user to have one. For more information, see Managing Passwords for IAM Users and Managing Access Keys for IAM Users in the IAM User Guide.

    You can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. For passwords and access keys, the credential report shows how long ago the password or access key was last used. Credentials that have not been used recently might be good candidates for removal. For more information, see Getting Credential Reports for Your AWS Account in the IAM User Guide.

  5. Rotate (change) user security credentials periodically, and immediately if you have shared them with an unauthorized person. For more information, see Managing Passwords for IAM Users and Managing Access Keys for IAM Users in the IAM User Guide.
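As an added example (not part of the original guide), the check in steps 1, 4 and 5 above can be run over the credential report itself: the CSV is parsed, and every enabled password or access key that has not been used within a threshold is listed, together with any root access key. The column names follow the credential report format; the report contents, the account id and the fixed "now" are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report CSV layout (column names as in the
# report returned by `aws iam get-credential-report`; only the columns this
# check reads are included, the real report has more).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-02T00:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,true,true,2023-03-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-05-01T00:00:00+00:00,true,2024-03-20T09:00:00+00:00,true,true,2024-03-21T10:00:00+00:00,false,N/A
app-svc,arn:aws:iam::111122223333:user/app-svc,2021-02-01T00:00:00+00:00,true,no_information,false,true,2024-03-22T11:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-02-01T00:00:00+00:00,true,2023-06-01T12:00:00+00:00,false,true,2023-05-01T00:00:00+00:00,true,N/A
"""

# Fixed "now" so the sample evaluates the same way every time it is run.
NOW = datetime(2024, 3, 25, tzinfo=timezone.utc)

def _stale(cell, now, max_age):
    """True when a last-used cell is empty/never-used or older than max_age."""
    if cell in ("N/A", "no_information", "not_supported", ""):
        return True
    return now - datetime.fromisoformat(cell) > max_age

def find_stale_credentials(report_csv, now=NOW, max_age=timedelta(days=90)):
    """Map each user to the credentials an auditor should consider removing."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        if user == "<root_account>":
            # Account-credential review, step 1: root access keys should not exist.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                issues.append("root access key present: remove it")
        else:
            if row["password_enabled"] == "true":
                if _stale(row["password_last_used"], now, max_age):
                    issues.append("console password enabled but unused: remove it")
                if row["mfa_active"] != "true":
                    issues.append("console password without MFA device")
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true" and _stale(
                        row[f"access_key_{n}_last_used_date"], now, max_age):
                    issues.append(f"access key {n} active but unused: deactivate or delete it")
        if issues:
            findings[user] = issues
    return findings
```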

Review your IAM groups

When you audit your IAM groups, take these steps:

  1. List your groups, and then remove groups that are unused.

  2. Review the users in each group and remove users who don't belong.

  3. Review the policies attached to the group. See Tips for reviewing IAM policies.

Review your IAM roles

When you audit your IAM roles, take these steps:

  1. List your roles, and then remove roles that are unused.

  2. Review the role's trust policy. Make sure that you know who the principal is and that you understand why that account or user needs to be able to assume the role.

  3. Review the role's access policy to make sure that it grants suitable permissions to whoever assumes the role; see Tips for reviewing IAM policies.

Review your IAM providers for SAML and OpenID Connect (OIDC)

If you have created IAM entities for establishing trust with a SAML or OIDC identity provider, take these steps:

  1. Remove unused providers.

  2. Download and review the AWS metadata documents for each SAML provider and make sure that the documents reflect your current business needs. Alternatively, get the latest metadata documents from the SAML IdPs that you want to establish trust with, and update the provider in IAM.

Review your mobile apps

If you have created a mobile app that makes requests to AWS, take these steps:

  1. Make sure that the mobile app doesn't contain embedded access keys, even if they are in encrypted storage.

  2. Get temporary credentials for the app by using APIs that are designed for that purpose. We recommend that you use Amazon Cognito to manage user identity in your app. This service lets you authenticate users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider. You can then use the Amazon Cognito credentials provider to manage the credentials that your app uses to make requests to AWS.

    If your mobile app doesn't support authentication using Login with Amazon, Facebook, Google, or any other OIDC-compatible identity provider, you can create a proxy server that dispenses temporary credentials to your app.

Review your Amazon EC2 security configuration

Take these steps for each AWS Region:

  1. Remove Amazon EC2 key pairs that are unused or that might be known to people outside your organization.

  2. Review your Amazon EC2 security groups:

    • Remove security groups that no longer meet your needs.

    • Remove rules from security groups that no longer meet your needs. Make sure you know why the ports, protocols, and IP address ranges they permit have been allowed.

  3. Terminate instances that don't meet business needs or that might have been launched by someone outside your organization for unapproved purposes. Remember that if an instance was launched with a role, applications running on that instance can access AWS resources using the permissions that the role grants.

  4. Cancel Spot Instance requests that don't meet business needs or that might have been made by someone outside your organization.

  5. Review Auto Scaling groups and configurations. Shut down any that no longer meet your needs or that might have been configured by someone outside your organization.
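As an added example for the security group step above (not code from the original guide), the inbound rules from describe-security-groups output are checked against a short allow-list of exposures you have a documented reason for; every other rule that is open to the whole internet is reported so that it can be justified or removed. The group ids, rules and allow-list are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (only the fields this check reads are included).
SAMPLE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp debugging"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]})

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Exposures you have a documented business reason for: (protocol, port).
EXPECTED_PUBLIC = {("tcp", 80), ("tcp", 443)}

def review_security_groups(describe_output, expected_public=EXPECTED_PUBLIC):
    """Return (group id, message) for every inbound rule that is open to the
    whole internet and not on the expected list."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_world = sorted(c for c in cidrs if c in ANYWHERE)
            if not open_world:
                continue  # limited to specific ranges or to other security groups
            proto = rule["IpProtocol"]
            if proto == "-1":  # all protocols and all ports
                findings.append((sg["GroupId"], f"all traffic open to {open_world}"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if lo == hi and (proto, lo) in expected_public:
                continue
            desc = ", ".join(r["Description"] for r in rule.get("IpRanges", []) if r.get("Description"))
            findings.append((sg["GroupId"], f"{proto} {lo}-{hi} open to {open_world} ({desc or 'no description'})"))
    return findings
```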

Review AWS policies in other services

Review the permissions for services that use resource-based policies or that support other security mechanisms. In each case, make sure that only users and roles with a current business need have access to the service's resources, and that the permissions granted on those resources are the minimum needed to meet your business requirements.

Monitor activity in your AWS account

Follow these guidelines for monitoring AWS activity:

  • Turn on AWS CloudTrail in each account and use it in each supported Region.

  • Periodically examine CloudTrail log files. (CloudTrail has a number of partners who provide tools for reading and analyzing log files.)

  • Enable Amazon S3 bucket logging to monitor requests made to each bucket.

  • If you believe there has been unauthorized use of your account, pay particular attention to temporary credentials that have been issued. If temporary credentials have been issued that you don't recognize, disable their permissions.

  • Enable billing alerts in each account and set a cost threshold that lets you know if your charges exceed your normal usage.

Tips for reviewing IAM policies

Policies are powerful and subtle, so it's important to study and understand the permissions that each policy grants. Use the following guidelines when you review policies:

  • As a best practice, attach policies to groups instead of to individual users. If an individual user has a policy, make sure you understand why that user needs the policy.

  • Make sure that IAM users, groups, and roles have only the permissions that they need.

  • Use the IAM Policy Simulator to test policies that are attached to users or groups.

  • Remember that a user's permissions are the result of all applicable policies—user policies, group policies, and resource-based policies (on Amazon S3 buckets, Amazon SQS queues, Amazon SNS topics, and AWS KMS keys). It's important to examine all the policies that apply to a user and to understand the complete set of permissions granted to an individual user.

  • Be aware that allowing a user to create an IAM user, group, role, or policy and attach a policy to the principal entity is effectively granting that user all permissions to all resources in your account. That is, users who are allowed to create policies and attach them to a user, group, or role can grant themselves any permissions. In general, do not grant IAM permissions to users or roles whom you do not trust with full access to the resources in your account. The following list contains IAM permissions that you should review closely:

    • iam:PutGroupPolicy

    • iam:PutRolePolicy

    • iam:PutUserPolicy

    • iam:CreatePolicy

    • iam:CreatePolicyVersion

    • iam:AttachGroupPolicy

    • iam:AttachRolePolicy

    • iam:AttachUserPolicy

  • Make sure policies don't grant permissions for services that you don't use. For example, if you use AWS managed policies, make sure the AWS managed policies that are in use in your account are for services that you actually use. To find out which AWS managed policies are in use in your account, use the IAM GetAccountAuthorizationDetails API (AWS CLI command: aws iam get-account-authorization-details).

  • If the policy grants a user permission to launch an Amazon EC2 instance, it might also allow the iam:PassRole action, but if so it should explicitly list the roles that the user is allowed to pass to the Amazon EC2 instance.

  • Closely examine any values for the Action or Resource element that include *. It's a best practice to grant Allow access to only the individual actions and resources that users need. However, the following are reasons that it might be suitable to use * in a policy:

    • The policy is designed to grant administrative-level privileges.

    • The wildcard character is used for a set of similar actions (for example, Describe*) as a convenience, and you are comfortable with the complete list of actions that are referenced in this way.

    • The wildcard character is used to indicate a class of resources or a resource path (e.g., arn:aws:iam::account-id:users/division_abc/*), and you are comfortable granting access to all of the resources in that class or path.

    • A service action does not support resource-level permissions, and the only choice for a resource is *.

  • Examine policy names to make sure they reflect the policy's function. For example, although a policy might have a name that includes "read only," the policy might actually grant write or change permissions.
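As an added example (not part of the original guide), the checks in this list can be applied mechanically to a policy document: statements whose Action or Resource includes *, actions that match any of the eight policy-writing IAM permissions listed above (including through wildcards such as iam:Put*), and iam:PassRole without an explicit role list are reported for closer review. The sample policy and account id are constructed; NotAction, NotResource and Condition are not evaluated.

```python
import fnmatch
import json

# IAM permissions the page says to review closely: each lets a principal write or
# attach policies and so grant itself any permission.
PRIVILEGE_GRANTING = (
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
)

# Constructed sample policy; the account id is a placeholder.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:Put*"],
     "Resource": "arn:aws:iam::111122223333:user/division_abc/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"},
]})

def _as_list(value):  # Action and Resource may be one string or a list of strings
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy_json):
    """Return (statement index, finding) pairs for Allow statements that need a closer look."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        for a in actions:
            if a == "*":
                findings.append((i, "Action '*': administrative-level access"))
                continue
            if "*" in a:
                findings.append((i, f"wildcard action {a}: confirm the full list of actions it matches"))
            # Action names are case-insensitive; "iam:*" or "iam:Put*" also match the list.
            matched = [p for p in PRIVILEGE_GRANTING if fnmatch.fnmatchcase(p.lower(), a.lower())]
            if matched:
                findings.append((i, f"{a} grants policy-writing permissions: {', '.join(matched)}"))
            if a.lower() == "iam:passrole" and "*" in resources:
                findings.append((i, "iam:PassRole with Resource '*': list the roles that may be passed"))
        for r in resources:
            if r == "*":
                findings.append((i, "Resource '*': confirm the action does not support resource-level permissions"))
            elif "*" in r:
                findings.append((i, f"resource wildcard {r}: confirm access to the whole class or path is intended"))
    return findings
```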

Learn more

For information about managing IAM resources, see the following:

For more information about Amazon EC2 security, see the following:

For more information about monitoring your AWS account, see the re:Invent 2013 video presentation Intrusion Detection in the Cloud.