
AWS

ALB

  • Set minimum TLS allowed to 1.2 (ELBSecurityPolicy-TLS-1-2-2017-01)
  • Enable access logging
  • Tweak deregistration_delay to speed up deployments
  • Validate the Host header (return a 403 for requests whose Host header does not match the expected hostname)
  • Restrict the security group on public ALBs to Cloudflare IP ranges only

API Gateway

  • Set minimum TLS allowed to 1.2 on custom domains

CloudFront

  • Use CloudFront Origin Access Identities to access S3
  • Set minimum TLS allowed to 1.2
  • Enforce HTTPS on the viewer policy (https-only)
  • Return security headers using Lambda@Edge origin-response functions (securityheaders.io and https://observatory.mozilla.org/ should both give an A+)
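One way to do the Lambda@Edge origin-response step above, as an added example that is not code from this page or its author: a Node.js handler that sets a fixed set of security headers on every response before CloudFront caches it. The header layout follows the CloudFront event format; the header values, the `addSecurityHeaders` helper and the sample event are this example's own assumptions.

```javascript
// Headers added to every origin response. The values are this example's own
// choices (assumptions, not taken from the checklist); tune the CSP to the
// site's real resources before deploying, or it will break page assets.
const SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};

// CloudFront keys headers by lowercase name and stores each value as a list
// of {key, value}; `key` carries the canonical casing sent to the viewer.
function canonicalName(lowerName) {
  return lowerName
    .split('-')
    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
    .join('-');
}

// Sets every header in SECURITY_HEADERS on the response in place and returns
// it. A header the origin already sent (e.g. a weak HSTS max-age) is replaced,
// so the origin cannot weaken the policy; unrelated headers are kept.
function addSecurityHeaders(response) {
  response.headers = response.headers || {};
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    response.headers[name] = [{ key: canonicalName(name), value }];
  }
  return response;
}

// Lambda@Edge origin-response trigger: the event holds the response the origin
// returned, and whatever this function returns is what CloudFront caches.
async function handler(event) {
  return addSecurityHeaders(event.Records[0].cf.response);
}
exports.handler = handler;

// Constructed sample event (not a real capture) so the module runs locally.
const sampleEvent = {
  Records: [{ cf: { response: {
    status: '200', statusDescription: 'OK',
    headers: {
      'content-type': [{ key: 'Content-Type', value: 'text/html' }],
      'strict-transport-security': [{ key: 'Strict-Transport-Security', value: 'max-age=0' }],
    },
  } } }],
};
```

Deploy it as a Lambda@Edge function in us-east-1 attached to the distribution's origin-response event; the response headers then apply to cached and uncached objects alike.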

CloudTrail

CloudWatch Alarms

CloudWatch Logs

  • Encrypt logs using KMS keys
  • Adjust logs retention

CodePipeline

EBS

  • Enable default encryption
  • Use launch templates instead of custom AMIs

GuardDuty

  • Enable it

IAM

  • MFA enabled for all users
  • Enforce MFA

KMS

  • Enable KMS key auto-rotation

Lambda

  • Use Lambda layers when possible

RDS

  • Use a read replica in PROD
  • Use Aurora when possible

Redis

  • Enable encryption-at-rest

S3

  • Enable versioning
  • Enable default server-side-encryption
  • Enable access logging
  • Use the private ACL
  • Block all public access (at account level when possible)
  • Set lifecycle policies to control object TTL

WAF (ALB/API GW/CloudFront)

  • Add WAF protection to public services
Last updated on by Jose Antonio Lopez