Here is a partial list of security activities to perform to raise your project's security level.
1. Base container: use a very simple base image with a minimal number of packages as the base container for most projects.
2. MySQL security: do not use the root user.
3. MySQL security: separate databases and separate database accounts (a read-only account if possible, an application user account, and an application admin user).
4. Backups for databases and file buckets.
5. Use Kubernetes secrets instead of passwords in code. DO NOT place sensitive keys in environment variables.
6. Check that the web app's config files are not reachable over the web, for example config.ini.
7. Use a web application firewall on AWS / Google Cloud.
8. Configure Security Groups (network access rules).
9. Ensure Kubernetes nodes are not directly accessible.
10. Script container process monitoring.
11. Enable SSL certificates / HTTPS URLs. Block HTTP traffic.
12. Enable encryption in motion.
13. Encryption at rest.
14. Cloud HSM if needed.
15. HashiCorp Vault service.
16. Service decoupling.
17. Enable two-factor authentication.
18. Check for open ports: check for the MongoDB port, Redis port, etc.
19. Dev box access.
20. DB structure: think about GDPR.
21. Review application logs for clear-text passwords. The PCI standard requires that no passwords are printed in clear text in logs.
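A small log review script for item 21, added here as an example and not code from the original post. It scans log lines for the usual ways a credential ends up in clear text (key=value pairs, JSON request bodies dumped at DEBUG level, and connection URLs with an embedded password), reports the line and field, and can mask the value so the line is safe to keep. The sample log lines and the field-name list are constructed for this example.

```python
import re

# Constructed sample log lines (not from the original post): a mix of harmless
# entries and entries that leak a credential in clear text.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z INFO  login ok user=alice ip=10.0.0.5
2021-03-01T10:00:02Z DEBUG request body: {"user": "bob", "password": "Winter2021!"}
2021-03-01T10:00:03Z INFO  GET /api/login?user=carol&passwd=s3cret HTTP/1.1 200
2021-03-01T10:00:04Z WARN  password policy: min length 12
2021-03-01T10:00:05Z DEBUG mysql connect mysql://app:apppw@db:3306/shop
"""

# Field names that should never be followed by a real value in a log line
# (assumed list; extend it with your own application's field names).
SECRET_KEYS = r"(?:password|passwd|pwd|secret|api_key|token)"

# Each pattern captures the field name (or uses a fixed label) and the leaked
# value in group 2, so one table drives both detection and redaction.
PATTERNS = [
    # key=value pairs in query strings and key/value logging: passwd=s3cret
    (None, re.compile(rf"(?i)\b({SECRET_KEYS})=([^&\s\"']+)")),
    # JSON bodies dumped into the log: "password": "Winter2021!"
    (None, re.compile(rf"(?i)\"({SECRET_KEYS})\"\s*:\s*\"([^\"]*)\"")),
    # credentials embedded in a connection URL: scheme://user:password@host
    ("url-credential", re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://[^:/\s@]+):([^@\s]+)@")),
]


def find_credential_leaks(text):
    """Return (line_number, field) for every line carrying a clear-text credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((lineno, label or match.group(1).lower()))
                break  # one report per line is enough
    return hits


def redact(line):
    """Mask the secret value of every match so the line is safe to keep or forward."""
    def mask(match):
        value = match.group(2)
        return match.group(0).replace(value, "***") if value else match.group(0)
    for _, pattern in PATTERNS:
        line = pattern.sub(mask, line)
    return line


if __name__ == "__main__":
    for lineno, field in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: clear-text credential in field '{field}'")
    print(redact("GET /api/login?user=carol&passwd=s3cret"))
```

Run it over a log export as a one-off review, or wire the same patterns into a log-shipper filter so the value is masked before the line leaves the container; the "password policy" line shows why the patterns key on a following value rather than on the bare word.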
22. Kubernetes cluster: disable public IPs.
23. VM hardening.
24. Check that you have the user's original IP address in logs. Make sure the X-Forwarded-For HTTP header is written to the logs.
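An added example for item 24, not code from the original post: X-Forwarded-For is a client-supplied header, so the value to log as the user's original address is the rightmost hop that is not one of your own proxies, not the leftmost entry. The trusted proxy ranges below are an assumption for the example; replace them with the addresses of your load balancers.

```python
import ipaddress

# Assumption for this example: these are the address ranges of our own load
# balancers / reverse proxies. Only hops inside them are trusted to have
# appended an honest X-Forwarded-For entry.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Derive the real client address from the TCP peer and X-Forwarded-For.

    The header is a comma-separated chain; each proxy appends the peer it saw
    on the right. Anything to the left of the first untrusted hop was supplied
    by the client (or an attacker) and cannot be believed, so walk from the
    right and stop at the first address that is not one of our proxies.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(remote_addr)  # the TCP peer is the only hop we observed ourselves
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the header: fall back to the peer
        if not is_trusted_proxy(addr, trusted):
            return str(addr)
    return str(hops[0])  # every hop was ours: keep the leftmost entry


def access_log_line(remote_addr, xff_header, request_line, status):
    """Log both the derived client address and the raw chain, so a later
    investigation can see what the proxies reported as well as what we trusted."""
    return (f'client={client_ip(remote_addr, xff_header)} peer={remote_addr} '
            f'xff="{xff_header or "-"}" "{request_line}" {status}')


if __name__ == "__main__":
    # Constructed request: one hop behind our proxy, with a spoofed leading entry.
    print(access_log_line("10.0.0.5", "1.2.3.4, 203.0.113.7", "GET /login HTTP/1.1", 200))
```

Keeping the raw header in the log next to the derived address costs little and means the spoofed entries are still visible when you need them during an investigation.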
25. For container processes use dumb-init or the "--init" flag if you control the docker command line.
26. In addition to logs, make sure you have an audit trail for sensitive commands.
27. Review the JWT implementation (if you have one). Do not use HS256, as it is susceptible to brute-force attacks.
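An added example for item 27, not code from the original post: the verifier, not the token, decides which algorithm is acceptable. The check below pins the allowed algorithms on the server side and refuses any token whose header names something else (HS256, the "none" pseudo-algorithm, or an unknown value) before the token reaches a JWT library. The allowed list and the token-building helper are assumptions for the example; signature verification itself is left to whichever library you use, which should be given the same fixed algorithm list.

```python
import base64
import json

# Assumption for this example: the application issues asymmetrically signed
# tokens, so only these algorithms are acceptable; everything else, including
# HS256 and the "none" pseudo-algorithm, is refused before any verification.
ALLOWED_ALGS = frozenset({"RS256", "ES256"})


def b64url_decode(segment):
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_token(header, payload, signature=b"not-a-real-signature"):
    """Constructed helper for building test tokens; the signature is a dummy."""
    return ".".join(
        b64url_encode(part)
        for part in (
            json.dumps(header, separators=(",", ":")).encode(),
            json.dumps(payload, separators=(",", ":")).encode(),
            signature,
        )
    )


def check_jwt_alg(token, allowed=ALLOWED_ALGS):
    """Return the parsed header if the token's algorithm is one we pinned.

    Raises ValueError for malformed tokens, for algorithms outside the allow
    list and for a missing signature. Run this before handing the token to a
    JWT library, and pass the same fixed algorithm list to that library too.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64 errors and invalid JSON/UTF-8
        raise ValueError("malformed header") from exc
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed:  # exact match on purpose
        raise ValueError(f"rejected alg={alg!r}; allowed={sorted(allowed)}")
    if not parts[2]:
        raise ValueError("empty signature")
    return header


def is_acceptable(token, allowed=ALLOWED_ALGS):
    """Boolean wrapper around check_jwt_alg for callers that only need yes/no."""
    try:
        check_jwt_alg(token, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "typ": "JWT"}, {"alg": "HS256", "typ": "JWT"}, {"alg": "none"}):
        tok = make_token(hdr, {"sub": "alice"})
        print(hdr["alg"], "->", "accepted" if is_acceptable(tok) else "rejected")
```

The match on the algorithm name is deliberately exact and case-sensitive: a verifier that normalises or guesses is exactly the kind that can be talked into a different algorithm than the one the issuer used.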
28. Remove Apache status and nginx status pages.
29. Make sure there is no phpinfo() call in the code, as it prints environment variables. Attackers can find a lot of sensitive info in these variables.
About the author
Yuli is an experienced software security architect and a co-founder of Kesem.IO, serving as the company CTO.
KESEM.IO is creating a trusted, fast, secure and easy-to-use solution to guarantee mobile payments on blockchain-enabled digital assets.
Before Kesem.IO, Yuli was a founder of the database security company GreenSQL/Hexatier, which was acquired by Huawei.
Some of my code is available at: