Day 3 - AWS Workshops Startup Security Baseline

Posted on August 12, 2022 by David Rowe ‐ 7 min read

Day 3 - AWS Workshops Startup Security Baseline

Day 3 of workshops

For my third day on workshops, I’ll be working through Startup Security Baseline

Initial thoughts

I’ve gone through a security posturing process in the past with multiple workloads. This workshop begins by outlining the basics of the AWS Cloud security model followed by a rapid deployment of the Security pillar of the Well Architected Framework. This information will be presented to anyone who is being introduced to AWS or begins working in AWS.

Part 1 - Securing Your AWS Account - link

I’m a bit thrown off by one of the first sentences that says this section will take 3-4 hours to complete. The overview of the workshops said that the entire workshop would be 2 hours. I’m about to find out what I got myself into with this one in a moment.

Accurate Account Information - link

The idea of setting account level information to distribution lists (DL) is, believe it or not, often overlooked. If you have multiple people or a DL that gets emailed by AWS, there is more opportunity for you to recover or response to an event in your AWS account. I deal with large organizations that often skip this step in inputting proper information into their AWS account. This information is the first line of defense to receive notifications from AWS. If you use Control Tower or Organizations to manage AWS accounts, I suggest going through your accounts and confirming that they have proper contact information linked into them. You can add the information to the accounts with CLI.

  • My view of this Section: Neutral
  • My rated level: 100

Protect the Root User - link

If you havent done this before on your AWS account, now is the time to do this section. Search through the AWS Reddit subreddit and you’ll find people who dont have root mfa enabled, and comments on their posts saying “Enable MFA on your root account.” This is the top item you should take care of when creating an AWS account.

Enable SSO & Create IAM Users - link

Now not all account are part of an organization, so enabling SSO is a tiny bit trickier for those that do not already have an AWS Organization created. Luckily for me I already have one set up.

At re:inforce this year SSO was renamed to IAM Identity Center. This is just one tiny mismatch on the workshop and the GUI.

This page needs a full update with the GUI update. I’ll probably end up emailing the team supporting this workshop because the wording on the workshop and the wording on the GUI are very different.

After a bit of multi factor setup and some password configurations, I was able to get SSO set up on the payer account in the organization. The walk through was pretty thorough and I didnt have issues beside me fat fingering passwords.

When the workshop said to create IAM users, I simply read through that portion. This section is an excellent guide to any organization or person who has set up IAM users in their AWS accounts.

  • My view of this Section: Excellent
  • My rated level: 100

Create Groups - link

Short and quick and this is a perfect walk through on how to set up groups in both Identity Center and IAM.

  • My view of this Section: Excellent
  • My rated level: 100

Turn CloudTrail on link

Overall this is a necessary section for anyone with an Organization that isnt managed by Control Tower. CloudTrail logs by default only contain 90 days of logs for an account. Centralizing log management is a key part of creating a security baseline for multiple AWS accounts.

  • My view of this Section: Excellent
  • My rated level: 100

Turn Prevent Public Access on S3 Buckets on link

The simplest walkthrough of any page I’ve ever been on. Not much is going on in this section here.

Create Alarms link

This section has a CloudFormation template to set up billing alerts! That is quite the surprise and a bonus present.

It also has a CF template for notification on Root Account usage. These are two security control that people often skip. I’d highly suggest taking a look at these controls in any AWS environment.

  • My view of this Section: Excellent
  • My rated level: 100

Delete Unused networking stuff - link

Overall this section is great to identify and help remove networking configurations in an AWS account, especially the default items. This section should be applied to any account in an organization.

  • My view of this Section: Excellent
  • My rated level: 100

Trusted Advisor - link

By enabling trusted advisor in my small account I found a few items that I had overlooked. With the help of this automated tool, I cleaned up the items identified by the advisor. If in an enterprise environment, I think this tool should be enabled for all the accounts you own.

  • My view of this Section: Excellent
  • My rated level: 100

Guard Duty - link

I have another set of accounts managed centrally by Guard Duty. I wish I had these screenshots the first time I set those up. If you are thinking about Guard Duty for Organizations, this is the short cut page to get your environment set up.

  • My view of this Section: Excellent
  • My rated level: 100

This bundle of previous section materials

Overall this section was a serious mass of work. I am in shock the synopsis for the workshop said the entire workshop would take 1-2 hours. I havent read the other two sections of this workshop yet and I am up to maybe ~6 hours of work so far. Besides the time dedication needed to complete these steps in this workshop, I found these steps to be absolutely foundational for any person with an AWS account.

  • My view of this Section: Excellent
  • My rated level: 100

Part II - Securing your workload - link

I’m short on time so i’m going to skip the stuff that I’ve done before in the past on my account. I’ll jump right into Ephemeral Secrets.

Diving right into the main page we get a very awesome understanding of what the difference is between System Manager Parameter Store vs Secrets Manager:

Secrets that are individual key-value pairs, string-based, short in overall length, and accessed frequently can be stored in AWS Systems Manager Parameter Store.

Secrets that are stored as a document of multiple related key-value pairs, are larger than 4kb (such as digital certificates), or benefit from an automated rotation mechanism can be stored in AWS Secrets Manager.

This section needs a bit of updating. The wordings and the guides need a little help to keep with consistency. I had to figure out some steps as the pictures did not show the KMS key I made, referred to the incorrect KMS key and had some bits of the puzzle that needed to be filled out with my prior experience with AWS.

For example:

Retrive your secret using the console

Lol. Spelling. (I’ve misspelled plenty of things in my life though)

  • My view of this Section: Middle of the road
  • My rated level: 100


I’m giving up on this workshop. I’ve done most of the steps but this one is LONG. I’ve spent a total of 7ish hours and i’ve done maybe 50% of this workshop. If I were to recommend this lab to someone, I’d chop a little section off and only focus on a piece of it.

This workshop is a HUGE piece of work that teaches the student how to secure an AWS Account, IAM identities, infrastructure and data.

  • Overall view of workshop: 4 out of 5 stars
  • My rating of skill needed to complete: 100 level.

Thats all. Onto the next one.

For an overview of all the workshops I’m doing,

Please view 100 Days of AWS Workshops →