AWS Startups Blog

Day One Recommendations to Secure Your Account and Workload with AWS Startup Security Baseline

Security is always the top priority for AWS, but let’s face it – it’s not always the top priority for a founder just trying to get a new company off the ground. Your goal is to get a prototype of your product or service in front of customers and investors as quickly as possible to test for market fit before the money runs out! It can also be hard for founders and engineers to know which security controls to put in place during these formative moments, let alone how to implement them on AWS. As a result, a lot of really critical controls can easily be skipped or overlooked, which can spell bad news for the startup if it leads to a security incident.

That’s why we’re pleased to announce the launch of the AWS Startup Security Baseline (AWS SSB), a new guide that describes the set of controls we recommend all startups implement as a foundation during their initial stages of development and operation. It focuses on two main areas – securing your AWS account, and securing your workload – and provides all the step-by-step instructions needed for each control with links to the relevant documentation. These controls also align to the best practices of the Security pillar of the Well-Architected Framework, establishing a strong foundation from which you can evolve your security posture as your company grows.

Secure your account

The section on securing your account focuses on good IAM practices, preventing accidental misconfigurations, and setting up monitoring for threats and other risks. It includes well-known controls such as enabling MFA on Root, setting up IAM password policies, and enabling CloudTrail delivery to S3, as well as additional controls such as setting up AWS Budget alerts, enabling Amazon GuardDuty, and monitoring AWS Trusted Advisor.
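As an added illustration (not code from the guide or from AWS), the account-level controls above can be turned into a small posture check. The functions below take dictionaries shaped like the responses of the IAM `get_account_summary` and `get_account_password_policy`, CloudTrail `describe_trails` and GuardDuty `list_detectors` API calls; fetching those responses with boto3 is left to the caller, and the inputs shown are constructed samples. The minimum password length is an assumed threshold, not a value taken from the baseline.

```python
"""Check an AWS account against the account-level controls named in the
AWS Startup Security Baseline: root MFA, IAM password policy, CloudTrail
delivery to S3, and Amazon GuardDuty. Each function returns a list of
findings (empty when the control is satisfied)."""

MIN_PASSWORD_LENGTH = 14  # assumed threshold for this example


def check_root(summary):
    """Root should have MFA enabled and no access keys (iam.get_account_summary)."""
    m = summary["SummaryMap"]
    findings = []
    if m.get("AccountMFAEnabled", 0) != 1:
        findings.append("root: MFA not enabled")
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root: access keys present")
    return findings


def check_password_policy(policy):
    """Inspect iam.get_account_password_policy; caller passes {} when none exists."""
    p = policy.get("PasswordPolicy")
    if p is None:
        return ["iam: no account password policy"]
    findings = []
    if p.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"iam: password minimum length below {MIN_PASSWORD_LENGTH}")
    for flag in ("RequireSymbols", "RequireNumbers",
                 "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not p.get(flag, False):
            findings.append(f"iam: password policy lacks {flag}")
    return findings


def check_cloudtrail(trails):
    """Require at least one multi-region trail writing to S3 (cloudtrail.describe_trails)."""
    ok = [t for t in trails.get("trailList", [])
          if t.get("S3BucketName") and t.get("IsMultiRegionTrail")]
    return [] if ok else ["cloudtrail: no multi-region trail delivering to S3"]


def check_guardduty(detectors):
    """Require a GuardDuty detector in the region (guardduty.list_detectors)."""
    return [] if detectors.get("DetectorIds") else ["guardduty: no detector in this region"]


def assess(summary, policy, trails, detectors):
    return (check_root(summary) + check_password_policy(policy)
            + check_cloudtrail(trails) + check_guardduty(detectors))


# Constructed sample: a fresh account that has not yet applied the baseline.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}}
SAMPLE_POLICY = {}  # no password policy configured
SAMPLE_TRAILS = {"trailList": []}
SAMPLE_DETECTORS = {"DetectorIds": []}

if __name__ == "__main__":
    for finding in assess(SAMPLE_SUMMARY, SAMPLE_POLICY, SAMPLE_TRAILS, SAMPLE_DETECTORS):
        print("FAIL", finding)
```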

Secure your workload

The section on securing your workload emphasizes managing application secrets and scope of access, minimizing access routes to private resources, and using encryption to protect data in transit and at rest. It includes controls such as using resource-based policies, encrypting Amazon RDS and Amazon EBS volumes, using Amazon VPC endpoints to privatize traffic flows, and using AWS Systems Manager for remote sessions.

AWS SSB in action

Startups are already sharing stories about the positive impact they’ve seen from implementing the controls of the AWS SSB.

“Following the AWS Startup Security Baseline, we enabled Amazon GuardDuty in our account, and it detected outside IPs trying to access our servers via Secure Shell (SSH). We removed port 22 (SSH) from all of our security groups and switched to using AWS Systems Manager to access our Amazon EC2 instances now. With these changes, we no longer see attempts being made by these external actors. This is just the first big benefit we received from following the recommendations in the guide!”
– Bob Lee III, CTO of ConnectCareHero

All of the controls in the AWS SSB can be implemented quickly and easily and do not require any security expertise. Businesses operating at later stages and higher scale can still derive a lot of value from comparing their current controls to the ones provided in the baseline to identify any gaps.

Next Steps

For founders just getting started, take a few moments to work through the guide and ensure your AWS account is secured. Review your current workload security and see which controls need to be applied as well. Use AWS Trusted Advisor to assess your current security posture and resolve any high-risk items using the recommendations of the AWS SSB.

For anyone who has security-related questions or would like to speak to someone about their security needs, you can find out more on our AWS Cloud Security page. Have fun and stay secure while building quickly!