Security in Production
Making security a part of your development process is key to a holistic security strategy. But what happens when your application is ready for production and, subsequently, running in production?
Going live is the moment the question "is my application secure?" stops being hypothetical. To make that moment less daunting, the checklist below is meant to be run through before you release an application to users; it also sets you up to keep monitoring the application for vulnerabilities afterwards. Remember that security is a process to iterate on continually, just like every other aspect of your software.
Go-Live Security Checklist for Serverless Applications
Here’s a practical list of things to check before launching a serverless application. It can also form part of a security automation pipeline and your team’s security guardrails:
- Commission penetration testing and security audits early in your application’s development.
- Enable Block Public Access on all S3 buckets.
- Enable server-side encryption (SSE) on all S3 buckets containing valuable data. New objects are encrypted with SSE-S3 by default; for valuable data, prefer SSE-KMS with a customer managed key so that access to the key is logged and can be revoked independently of the bucket.
- Enable cross-account backups or object replication on S3 buckets containing business-critical data.
- Enable encryption at rest on all SQS queues.
- Enable AWS WAF on API Gateway REST API stages with baseline managed rule groups (WAF does not attach to HTTP APIs; front those with CloudFront if you need it).
- Require TLS 1.2 or above on API Gateway APIs by setting the security policy on each custom domain name to TLS 1.2.
- Enable access and execution logs on API Gateway APIs.
- Remove sensitive data from Lambda function environment variables.
- Store secrets in AWS Secrets Manager.
- Encrypt Lambda function environment variables with a customer managed KMS key. They are encrypted at rest by default with an AWS managed key; a customer managed key lets you control the key policy and audit its use.
- Enable Lambda function code signing.
- Enable backups on all DynamoDB tables containing business-critical data.
- Scan dependencies for vulnerabilities: resolve all critical and high security warnings, and minimize medium and low warnings.
- Set up AWS Budgets alerts or CloudWatch billing alarms to guard against denial of wallet attacks, where an attacker drives up invocations until the bill becomes the damage.
- Remove any IAM users where possible.
- Remove wildcards from IAM policies wherever possible to preserve least privilege.
- Generate an IAM credential report to identify unused users, passwords and access keys that can be removed; the credential report covers users only, so use the role's last-used information (or IAM Access Analyzer's unused access findings) to find roles that can be removed.
- Enable Security Hub with the managed standards that apply to you (for example AWS Foundational Security Best Practices) so that findings from Config, GuardDuty, Inspector and the standards themselves land in one place.
- Create a multi-region CloudTrail trail that sends logs to S3 with log file validation enabled, so that the audit trail covers every region and tampering is detectable.
- Conduct a Well-Architected Framework review with a focus on the Security pillar and the Serverless Lens’s security recommendations.
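Several of the items above (Block Public Access on S3, no secrets in Lambda environment variables, no wildcards in IAM policies) are cheap to check automatically once you have the configuration documents in hand. The script below is an added example written for this page, not code from the original checklist or from any AWS tool. It operates on three constructed sample documents in the shapes that boto3 returns (`s3.get_public_access_block()["PublicAccessBlockConfiguration"]`, `lambda.get_function_configuration()["Environment"]["Variables"]` and the policy document from `iam.get_policy_version()`); nothing here calls AWS, so it runs offline, and in a pipeline you would replace the samples with live calls. The secret-name pattern and the "ARN references are fine" rule are the author-of-this-example's assumptions, not AWS guidance.

```python
"""Offline go-live checks over configuration documents pulled from AWS.

Added example, not part of the original checklist. The three inputs
are constructed samples; a real pipeline would fetch them with boto3.
"""
import re

# --- S3 Block Public Access -------------------------------------------------
# Constructed sample: PublicAccessBlockConfiguration as returned by boto3.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,      # weak: a public bucket policy can still be attached
    "RestrictPublicBuckets": True,
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def check_public_access_block(config: dict) -> list[str]:
    """Return the names of Block Public Access settings that are not enabled.

    A missing key is treated as disabled: if the bucket has no configuration
    at all, every flag is reported.
    """
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]


# --- IAM policy wildcards ---------------------------------------------------
# Constructed sample policy document (what get_policy_version returns as Document).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::orders-bucket/*"},            # key wildcard: fine
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},  # flagged
        {"Effect": "Deny", "Action": "*", "Resource": "*"},        # Deny narrows: skip
        {"Effect": "Allow", "Action": "logs:CreateLogGroup",
         "Resource": "arn:aws:logs:*:*:*"},                        # region/account wildcard: fine
    ],
}


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy: dict) -> list[dict]:
    """Report Allow statements that use wildcard actions or Resource '*'.

    Deny statements are skipped because a broad Deny only removes access.
    Allow with NotAction/NotResource is always flagged: it grants everything
    except the listed items, which is broader than any explicit wildcard.
    Wildcards inside an ARN (key prefix, region, account) are not flagged;
    only a bare '*' resource is.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action")) if "*" in a]
        wild_resources = [r for r in _as_list(stmt.get("Resource")) if r == "*"]
        inverted = "NotAction" in stmt or "NotResource" in stmt
        if wild_actions or wild_resources or inverted:
            findings.append({"statement": index, "actions": wild_actions,
                             "resources": wild_resources, "inverted": inverted})
    return findings


# --- Lambda environment variables ------------------------------------------
# Constructed sample: Environment.Variables from get_function_configuration.
LAMBDA_ENV = {
    "TABLE_NAME": "orders",
    "DB_PASSWORD": "hunter2",                                    # inline secret: flagged
    "PAYMENT_API_KEY": "sk_live_examplefake0000000000",          # inline secret: flagged
    "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-AbCdEf",
}

# Assumed naming heuristic for this example; tune it to your own conventions.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)


def find_inline_secrets(variables: dict) -> list[str]:
    """Return env var names that look like secrets stored inline.

    A value that is a Secrets Manager or SSM Parameter Store ARN is a
    reference the function resolves at runtime, which is exactly what the
    checklist asks for, so it is not reported.
    """
    hits = []
    for name, value in variables.items():
        if not SECRET_NAME_RE.search(name):
            continue
        if value.startswith(("arn:aws:secretsmanager:", "arn:aws:ssm:")):
            continue
        hits.append(name)
    return sorted(hits)


def run_checks() -> dict:
    """Run every check over the sample inputs; empty lists mean 'pass'."""
    return {
        "s3_block_public_access_missing": check_public_access_block(PUBLIC_ACCESS_BLOCK),
        "iam_wildcard_statements": find_wildcards(POLICY),
        "lambda_inline_secrets": find_inline_secrets(LAMBDA_ENV),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {'PASS' if not result else result}")
```

In a pipeline you would call these functions for every bucket, policy version and function in the account and fail the build on any non-empty result. Note what the checks deliberately do not flag: object-key and region wildcards in ARNs, Deny statements, and environment variables that hold only an ARN. A wildcard checker that reports `arn:aws:s3:::bucket/*` on every bucket produces noise that teams quickly learn to ignore, which is worse than no check.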