AWS Made Easy

Tip #1: AWS account security: how do I prevent unauthorized access?

Improve your AWS account security with these AWS tools and best practices

The owner of an AWS account is responsible for all actions taken using the account, including all provisioned resources. A misused account can lead to surprise AWS bills of millions of dollars or more per day. AWS operates on the principles of a Shared Responsibility Model where the owner of an AWS account is responsible for keeping access to his/her account secure.

Fortunately, AWS does provide several security measures aimed at securing against unauthorized AWS account use.

Step 1 – Keep your AWS account password secret and complex

All AWS accounts’ passwords should be kept confidential and as complex as possible. Use password generators embedded in your web browser, or password management services such as Dashlane which provides a complimentary complex password generator.

Change the account password every few months.

Step 2 – Enable Multi-factor Authentication on all accounts

Passwords, no matter how complex, are still vulnerable to brute force attacks and theft. 

While AWS has implemented steps to reduce the possibility of brute force attacks, such as using CAPTCHA, your password can still be compromised.

To ensure only you can access your account, enable the Multi-factor Authentication (MFA) on your account supported by cell phones’ applications, such as Google Authenticator or Microsoft Authenticator.

Follow the steps outlined at AWS documentation. In addition, you can use IAM policies to restrict which API operations a user can call without MFA-authentication – see this documentation.

Step 3 – Keep your AWS access keys secret and rotate them frequently

Your AWS username and password is one way of accessing the AWS account. The second option is the programmatic way with the access keys. 

Access keys are used for programmatic access of a particular AWS user’s permissions or individual AWS IAM users.

The best practices for AWS access keys are to rotate the access keys every few months. 

Step 4 – Limit use of the root user credentials to AWS resources

AWS root user has unlimited access to all resources on your AWS account. 

To improve security, it is best practice to: 

Step 5 – Set Up AWS CloudTrail logging and AWS CloudWatch Alarms for monitoring of unusual API calls

AWS CloudTrail is an AWS service that provides a governance, compliance, operational, and risk audit of your account. It records all actions taken by a user, a role, or an AWS service that uses the AWS console or any AWS API. In particular, it can be used to detect unauthorized AWS account use.

Enable CloudTrail logging and CloudWatch alerts for unusual API calls.

Step 6 – Enable AWS GuardDuty for monitoring your account

AWS GuardDuty is a service that analyzes data from AWS CloudTrail and other AWS services for indications of malicious activity and compromised accounts or resources.

Enable GuardDuty

Step 7 – Implement AWS Trusted Advisor’s recommendations on security

AWS Trusted Advisor continuously evaluates your AWS accounts and provides recommendations via its dashboard or email notifications on how to change your AWS architecture to follow AWS best practices in the areas of

  • Cost optimization
  • Performance
  • Security
  • Fault Tolerance
  • Service Quotas.

The key security checks it performs are

  • Service Limits
  • IAM Use
  • Unrestricted ports in Security Groups 
  • MFA on Root Account
  • EBS / RDS Public Snapshots
  • S3 Bucket Permissions

For AWS Business and Enterprise support customers it provides additional checks. 

Using AWS CloudWatch you can also automate remedial actions for AWS Trusted Advisor’s findings. 

What to do if you believe your AWS account has been compromised

Follow these instructions.

Email
Twitter
Facebook
LinkedIn

Leave a Reply

Your email address will not be published.

Related Tips & Tricks