S3
Enable bucket encryption
Using KMS is recommended.
HTTPS Only (transport policy)
Enforce encryption of data in transit
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Principal": "*",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "Bool": { "aws:SecureTransport": false }
            }
        }
    ]
}
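The two S3 checks above (default encryption with KMS, and a bucket policy that really denies plain-HTTP requests) are easy to get subtly wrong, so here is an added audit example that is not part of the original notes. It evaluates policy and encryption documents offline: the policy dicts are constructed here (the first mirrors the AllowSSLRequestsOnly statement above, the other two are common broken variants), the encryption dicts follow the shape of the S3 GetBucketEncryption response, and the bucket name and KMS key ARN are placeholders.

```python
import json

BUCKET = "DOC-EXAMPLE-BUCKET"  # placeholder bucket name, as in the notes above


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_from_cli_output(text: str) -> dict:
    """`aws s3api get-bucket-policy` returns {"Policy": "<policy as a JSON string>"}."""
    return json.loads(json.loads(text)["Policy"])


def enforces_tls(policy: dict, bucket: str) -> bool:
    """True if some statement denies every principal every S3 action on BOTH the
    bucket ARN and its objects whenever aws:SecureTransport is false (plain HTTP)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    required = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue  # an Allow statement can never block an HTTP request
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":  # accepts JSON false or the string "false"
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or required <= resources:
            return True
    return False


def uses_kms_default_encryption(encryption_config: dict) -> bool:
    """Default encryption must be SSE-KMS (aws:kms or aws:kms:dsse);
    SSE-S3 (AES256) or no rule at all does not satisfy the check."""
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("aws:kms", "aws:kms:dsse"):
            return True
    return False


# --- constructed sample documents -------------------------------------------
def _policy(resources, effect="Deny", flag="false"):
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSSLRequestsOnly", "Effect": effect, "Principal": "*",
        "Action": "s3:*", "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": flag}}}]}

GOOD_POLICY = _policy([f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
# Mistake 1: only objects are covered, so bucket-level calls (ListBucket, ...)
# over HTTP are still allowed.
OBJECTS_ONLY_POLICY = _policy([f"arn:aws:s3:::{BUCKET}/*"])
# Mistake 2: "Allow when SecureTransport is true" denies nothing; an identity
# policy can still grant HTTP access.
ALLOW_ONLY_POLICY = _policy([f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
                            effect="Allow", flag="true")

KMS_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID-PLACEHOLDER"},
    "BucketKeyEnabled": True}]}}
SSE_S3_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, pol in [("good", GOOD_POLICY), ("objects-only", OBJECTS_ONLY_POLICY),
                      ("allow-only", ALLOW_ONLY_POLICY)]:
        print(f"{name:13s} enforces TLS: {enforces_tls(pol, BUCKET)}")
    print("KMS default encryption:", uses_kms_default_encryption(KMS_CONFIG))
    print("SSE-S3 default encryption counts as KMS:", uses_kms_default_encryption(SSE_S3_CONFIG))
```

The check deliberately requires both the bucket ARN and the `/*` object ARN: the objects-only variant is the one most often found in the wild and leaves bucket-level operations reachable over HTTP.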
S3 ACLs are disabled (BucketOwnerEnforced)
Use IAM policies and bucket policies to manage access.
CloudTrail
Enable log file validation
Creates a SHA-256 digest file for the log files (digitally signed).
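To show what log file validation actually gives you, here is an added example that is not part of the original notes. It mirrors the documented layout of a CloudTrail digest file (the logFiles entries with hashValue/hashAlgorithm, and the previousDigestHashValue chain link) and recomputes the SHA-256 of each stored log object. The log objects and the digest are constructed inline, and one object is altered after the digest was written so the mismatch is visible. The RSA signature over the digest is not verified here; the full check, signature included, is what `aws cloudtrail validate-logs` performs.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest_hashes(digest: dict, objects: dict) -> dict:
    """For every log file listed in the digest, hash the stored (gzipped) object
    bytes and compare with hashValue. Returns {s3Object: "ok" | "tampered" |
    "missing" | "unsupported-algorithm"}."""
    results = {}
    for entry in digest.get("logFiles", []):
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported-algorithm"
            continue
        data = objects.get(key)
        if data is None:
            results[key] = "missing"  # listed in the digest but gone from the bucket
            continue
        results[key] = "ok" if sha256_hex(data) == entry["hashValue"] else "tampered"
    return results


def verify_chain_link(digest: dict, previous_digest_bytes: bytes) -> bool:
    """Each digest records the SHA-256 of the previous digest file, so the
    digests form a chain; a removed or rewritten digest breaks the link."""
    return digest.get("previousDigestHashValue") == sha256_hex(previous_digest_bytes)


# --- constructed sample data --------------------------------------------------
def _gz(records: dict) -> bytes:
    return gzip.compress(json.dumps(records).encode())

LOG_A = _gz({"Records": [{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}]})
LOG_B = _gz({"Records": [{"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"}]})
PREV_DIGEST = json.dumps({"logFiles": []}).encode()  # stand-in for the prior digest file

DIGEST = {
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREV_DIGEST),
    "logFiles": [
        {"s3Bucket": "example-trail-bucket", "s3Object": "logs/a.json.gz",
         "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_A)},
        {"s3Bucket": "example-trail-bucket", "s3Object": "logs/b.json.gz",
         "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_B)},
    ],
}

# Object store as found later: logs/b.json.gz was rewritten after the digest
# was produced (the StopLogging record is gone), which the hash check exposes.
OBJECTS = {
    "logs/a.json.gz": LOG_A,
    "logs/b.json.gz": _gz({"Records": []}),
}

if __name__ == "__main__":
    for key, status in verify_digest_hashes(DIGEST, OBJECTS).items():
        print(f"{key}: {status}")
    print("chain link to previous digest intact:", verify_chain_link(DIGEST, PREV_DIGEST))
```

The hash covers the object exactly as stored (the .json.gz bytes), not the decompressed JSON, so hash the raw object rather than its contents.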
CloudFront
* Restrict requests by source IP address
AWS-managed prefix lists
- com.amazonaws.region.s3
- com.amazonaws.region.dynamodb
- com.amazonaws.global.cloudfront.origin-facing
* AWS-managed prefix lists can be used with AWS resources such as security groups and route tables.
List them with the AWS CLI: aws ec2 describe-managed-prefix-lists