This page is part of my digital garden.

This page might be unfinished or have typos. These pages are meant as part of a public living notebook to be edited over time. For more, visit the page explaining the concept of a digital garden.

Cloud Security

Security in the Cloud requires both regular linux/network security, but also configuring and maintaining the configuration of your cloud accounts.

Some good things to consider:

  1. You’ll want to use Infrastructure as Code as soon as possible.
  2. Ensure when you create things either via IaC or via the web consoles that things are being secured. This usually requires more work upfront.
    • An important thing to check is for instance the default VPC, Subnets, and etc. in AWS which need to be secured
  3. Be mindful of making everything managed if your budget can’t handle it. But if your budget can handle it then use as much managed services as you can to reduce work and mistakes.

SOC2 Link to heading

There is a great guide by Latacora on SOC2 for AWS. It outlines 7 major areas which should generally be covered by good security practice in general. They note that SOC2 is primarily an accounting exercise; not a security one.

Primary take aways for me:

  1. You need to setup SSO and pay for SSO support
  2. You should use Terraform (or similar) to setup your resources
  3. You need multiple AWS accounts (as coinbase explains in their linked article) which accounts can use assume-role to gain access to.
    • Primarily to gain read-only access (only perform changes via Terraform after PR via CI/etc.).
  4. Setup centralized logging as soon as possible because doing it later is very difficult.
Last updated on