SSB

AWS Startup Security Baseline

The AWS Startup Security Baseline (SSB) is a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility. These controls form the basis of your security posture and are focused on securing credentials, enabling logging and visibility, managing contact information, and implementing basic data boundaries.

The controls in this guide are designed with early startups in mind, mitigating the most common security risks without requiring significant effort. Many startups begin their journey in the AWS Cloud with a single AWS account. As organizations grow, they migrate to multi-account architectures. The guidance in this guide is designed for single-account architectures, but it helps you set up security controls that are easily migrated or modified as you transition to a multi-account architecture.

The controls in the AWS SSB are separated into two categories: account and workload. Account controls help keep your AWS account secure. They include recommendations for setting up user access, policies, and permissions, and for monitoring your account for unauthorized or potentially malicious activity. Workload controls help secure your resources and code in the cloud, such as applications, backend processes, and data. They include recommendations such as encryption and reducing the scope of access. To learn more, see the workshop at https://catalog.workshops.aws/startup-security-baseline/en-US.

Summary: Not available: 15 | Compliant: 7 | Need Attention: 5

Breakdown

Framework: AWS Startup Security Baseline

Columns: Category | Rule ID | Compliance Status | Description (checks, with affected resources listed per region) | Reference

Account | ACCT.01 | Compliant
  Description: [hasAlternateContact]

Account | ACCT.02 | Compliant
  Description: [noUsersFound], [rootHasAccessKey]

Account | ACCT.03 | Compliant
  Description: [noUsersFound], [hasExternalIdentityProvider], [hasSSORoles]

Account | ACCT.04 | Need Attention
  Description:
    [InlinePolicyFullAccessOneServ] - Limit access in policy
      • [GLOBAL] Role::SpringClean-XUG3HH5R-SpringCleanStackSetExecutionR-D9DWX0EX1ZOA
    [InlinePolicyFullAdminAccess]
    [ManagedPolicyFullAccessOneServ] - Limit permissions.
      • [GLOBAL] Role::AthenaCURdailyStack-AWSCURCrawlerComponentFunction-XX4CHL7H96MD
      • [GLOBAL] Role::AthenaCURMonthlyStack-AWSCURCrawlerComponentFuncti-1AJFUSIA0NX5X
      • [GLOBAL] Role::AWSReservedSSO_AWSPowerUserAccess_00098b9536c9ffa7
      • [GLOBAL] Role::Cloud-Intelligence-Dashbo-ProcessPathLambdaExecutio-4v29TjzrvQTv
      • [GLOBAL] Role::Cloud-Intelligence-Dashboar-InitLambdaExecutionRole-ZassKR4B4CY8
      • [GLOBAL] Role::Cloud-Intelligence-Dashboards-CidCURCrawlerRole-6n5acUHm6w0r
      • [GLOBAL] Role::CURathenaStack-AWSCURCrawlerComponentFunction-Y25X9I4YKV02
      • [GLOBAL] Role::MarketplaceFullAccess
      • [GLOBAL] Role::OrthancRole
    [FullAdminAccess] - Limit permissions.
      • [GLOBAL] Role::Admin
      • [GLOBAL] Role::AWSReservedSSO_AWSAdministratorAccess_ac7e558480de85c0
      • [GLOBAL] Role::ww_augnhtrole
      • [GLOBAL] Group::admin-group
  Reference: AWS Docs (three links), Organization GuardRail Blog

Account | ACCT.05 | Need Attention
  Description:
    [rootMfaActive] - Enable MFA on root user
      • [GLOBAL] User::root_id
    [mfaActive]
  Reference: AWS MFA, IAM Best Practices

Account | ACCT.06 | Need Attention
  Description:
    [passwordPolicy] - Set a custom password policy.
      • [GLOBAL] Account::Config
  Reference: IAM Password Policy

Account | ACCT.07 | Not available

Account | ACCT.08 | Compliant
  Description: [PublicAccessBlock], [S3AccountPublicAccessBlock]

Account | ACCT.09 | Not available

Account | ACCT.10 | Compliant
  Description: [enableCostBudget]

Account | ACCT.11 | Compliant
  Description: [enableGuardDuty], [guardDutyNotification]

Account | ACCT.12 | Not available

Workloads | WKLD.01 | Compliant
  Description: [EC2IamProfile], [lambdaMissingRole]

Workloads | WKLD.02 | Not available
Workloads | WKLD.03 | Not available
Workloads | WKLD.04 | Not available
Workloads | WKLD.05 | Not available
Workloads | WKLD.06 | Not available
Workloads | WKLD.07 | Not available

Workloads | WKLD.08 | Need Attention
  Description:
    [EBSEncrypted] - Enable EBS Encryption
      • [ap-southeast-5] EBS::vol-088df622bcebd7a03
      • [us-west-2] EBS::vol-058a9449d61cf9461
    [StorageEncrypted]
  Reference: Best practices for Amazon EC2

Workloads | WKLD.09 | Not available
Workloads | WKLD.10 | Not available

Workloads | WKLD.11 | Need Attention
  Description:
    [SGSensitivePortOpenToAll] - Sensitive port open to all.
      • [ap-southeast-5] SG::sg-0d56232f5bc4a6a0d
    [SGTCPAllOpen]
    [SGAllOpen]
    [SGAllOpenToAll]
    [ELBListenerInsecure] - Insecure Listener
      • [ap-southeast-5] ELB::ecs-te-Publi-06Wsj9bSgyQF
    [PubliclyAccessible]
  Reference: Best practices for Amazon EC2, ALB Configuration Guide

Workloads | WKLD.12 | Not available
Workloads | WKLD.13 | Not available
Workloads | WKLD.14 | Not available
Workloads | WKLD.15 | Not available