Amazon Linux 2023 Security Checklist (Ver 1, Rel 2)

Hard 16 items · 2 hours
testuser Published 4 weeks ago

This checklist captures practical, actionable steps to harden Amazon Linux 2023 systems using the DISA STIG guidance as a baseline. It’s intended for system administrators and security engineers who need a concise set of tasks to improve OS security in managed AWS environments.

Source: https://ncp.nist.gov/checklist/1313

  1. Update all system packages — Run dnf update (or package manager) and reboot if kernel updated.
  2. Enable automatic security updates — Install/configure dnf-automatic or equivalent to apply security patches automatically.
  3. Apply the Amazon Linux 2023 STIG baseline — Import the DISA XCCDF/SCAP profile and apply the recommended configuration settings.
  4. Harden SSH: disable root login — Set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd.
  5. Harden SSH: disable password authentication — Set PasswordAuthentication no to require key-based authentication only.
  6. Restrict SSH access and change default port if appropriate — Use AllowUsers/AllowGroups and consider a non-default port; document changes for automation.
  7. Enable and configure host-based firewall — Use firewalld or nftables to restrict inbound access to required services.
  8. Open required SSH/service ports in the firewall — Allow only the specific ports needed (e.g., SSH or application ports).
  9. Block all other unused inbound ports — Set default deny for incoming traffic and test application connectivity.
  10. Disable or remove unnecessary services and packages — List enabled services, stop and disable anything not required for the server role.
  11. Install and enable auditd and configure STIG-compliant rules — Ensure auditd is running and that key events are being recorded per guidance.
  12. Synchronize system time with an authorized NTP source — Enable and start chronyd (or ntpd) and ensure time sync persists on boot.
  13. Enforce strong password and account policies — Configure PAM (pam_pwquality), password aging, and account lockout policies.
  14. Audit and correct file and directory permissions — Find world-writable files and set correct ownership and permissions.
  15. Require sudo logging and restrict sudo use — Configure /etc/sudoers to require authentication and to log all commands.
  16. Deploy monitoring or intrusion-detection agents — Install approved endpoint monitoring or IDS agents and verify reporting.
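Items 4 and 5 are the ones most often applied and then silently undone, so here is an added audit script (not part of the checklist) that resolves those two settings the way sshd does: first value wins, and `Include` drop-ins are read in place. The demo configuration files and the `10-demo.conf` name are constructed for the example; the `sshd -T` check it suggests is a real OpenSSH option.

```shell
#!/bin/sh
# Added example (not the checklist author's code): audit items 4 and 5 as sshd
# resolves them. sshd keeps the FIRST value seen for a keyword, and the stock
# Amazon Linux 2023 sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in overrides a line appended lower in the main file. Global section only.

# Print "keyword value" lines in sshd's reading order, Includes expanded in place.
expand_sshd_config() {
    cfg=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f             # split words, no globbing yet
        case "$1" in ''|\#*) continue ;; esac    # blank or comment line
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            match)   break ;;                    # stop at conditional blocks
            include) for f in $2; do             # glob expands here
                         if [ -f "$f" ]; then expand_sshd_config "$f"; fi
                     done ;;
            *)       printf '%s %s\n' "$key" "$2" ;;
        esac
    done < "$cfg"
    return 0
}
# Effective value of a keyword (lowercase); empty means sshd's default applies.
sshd_effective() {
    expand_sshd_config "$1" | awk -v k="$2" '$1 == k { print tolower($2); exit }'
}
# Returns 0 only when PermitRootLogin and PasswordAuthentication are both "no".
audit_sshd() {
    rc=0
    for kv in permitrootlogin=no passwordauthentication=no; do
        k=${kv%=*}; want=${kv#*=}
        got=$(sshd_effective "$1" "$k")
        if [ "$got" = "$want" ]; then
            echo "OK   $k=$got"
        else
            echo "FAIL $k=${got:-<default>} (want $want)"; rc=1
        fi
    done
    return $rc
}
# Constructed demo: the drop-in re-enables passwords although the main file says
# "no" further down, so item 5 is NOT in force until the drop-in is corrected.
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/10-demo.conf"
printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin no\nPasswordAuthentication no\n' \
    "$demo" > "$demo/sshd_config"
audit_sshd "$demo/sshd_config" || echo "check a live host with: sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'"
```

Point the functions at /etc/ssh/sshd_config on a real host to audit it, and treat `sshd -T` as the final word since it also applies Match blocks and compiled-in defaults.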