AWS Fast Fixes
Scripts to quickly fix security and compliance issues
What’s the point?
AWS has a ton of good security features, but none of them are actually enabled by default. Some (like EBS Default Encryption) are buried off in an obscure settings page of a dashboard. Others like S3 Default Encryption need to be enabled each and every time. Unless you religiously read the AWS Blogs and What’s New links, you might not know they exist. And don’t dare go on vacation or you’ll miss something!
Why AWS Accounts aren’t secure & compliant by default is beyond me. While Shared Responsibility says it’s our job as AWS Customers to secure ourselves in the cloud, AWS could sure do a better job on the security of the cloud by making these features opt-out rather than opt-in. They’d probably find themselves in fewer El Reg articles about cloud breaches if they did.
This repo has several scripts you can run against your account to enable all the security features (and in all the regions if the feature is regional). Running this in production could have consequences because you’re opting into security rather than explicitly opting out. However, that’s the best AWS will give us these days. sigh
Scripts in this repo
- Enable KMS Customer Key Rotation
- Disable Inactive IAM Users
- Enable S3 Default Bucket Encryption
- Enable Default EBS Encryption
- Enable GuardDuty
- Enable Amazon S3 Block Public Access
The scripts in this repo only currently only require
pytz. Both pipenv and plain pip as well
pip install -r requirements.txt