The Ministry of Justice (MoJ) has set up a security baseline for its use of Amazon Web Services (AWS).
It marks a step in building up the security arrangements in the use of cloud platforms, and is described as a “minimum security posture” for the ministry’s AWS accounts, which currently number around 120.
The initiative has been outlined in a blog post, which says the baseline provides a gold standard but still gives digital teams latitude for doing things differently when needed.
“We wanted to set the baseline at a good level, while catering for diverse architectures and applications, without creating unreasonable high-effort tasks for teams but ensuring we avoid common bad practice missteps like leaky S3 buckets (leaving S3 servers accessible without authentication or unencrypted),” it says.
Mandatory configurations
The base principle is that MoJ accounts on AWS must use agreed configurations, such as enabling AWS’s GuardDuty and CloudTrail services, tagging all AWS objects and enforcing the Identity and Access Management (IAM) facility.
The blog says the team has gone for a blend of generally accepted good practices, measures that mix security and operational concerns for good account and resource management, and the ability to use AWS platforms.
It is now helping teams in the MoJ to implement the baseline and looking at whether it can make it easier to implement, or if it is possible to set the bar higher.
It is also aiming to develop similar security baselines for other public cloud solutions such as Microsoft Azure and Heroku.