The owner of an AWS account is responsible for all actions taken using the account, including all provisioned resources. A misused account can lead to surprise AWS bills of millions of dollars or more per day. AWS operates on a Shared Responsibility Model under which the account owner is responsible for keeping access to the account secure.
Fortunately, AWS does provide several security measures aimed at securing against unauthorized AWS account use.
Step 1 – Keep your AWS account password secret and complex
All AWS account passwords should be kept confidential and as complex as possible. Use the password generator built into your web browser, or a password management service such as Dashlane, which provides a complimentary complex password generator.
Change the account password every few months.
Step 2 – Enable Multi-factor Authentication on all accounts
Passwords, no matter how complex, are still vulnerable to brute force attacks and theft.
While AWS has implemented steps to reduce the possibility of brute force attacks, such as using CAPTCHA, your password can still be compromised.
To ensure that only you can access your account, enable Multi-factor Authentication (MFA) on your account using a phone-based authenticator application such as Google Authenticator or Microsoft Authenticator.
Step 3 – Keep your AWS access keys secret and rotate them frequently
Your AWS username and password are one way of accessing the AWS account. The second is programmatic access using access keys.
Access keys grant programmatic access with the permissions of a particular AWS IAM user.
Best practice is to rotate access keys every few months.
Step 4 – Limit use of the root user credentials for accessing AWS resources
The AWS root user has unlimited access to all resources in your AWS account.
To improve security, it is best practice to:
- Delete the root user access keys
- Create IAM users with permissions restricted to each particular task
Step 5 – Set up AWS CloudTrail logging and AWS CloudWatch alarms to monitor unusual API calls
AWS CloudTrail is an AWS service that provides a governance, compliance, operational, and risk audit of your account. It records all actions taken by a user, a role, or an AWS service that uses the AWS console or any AWS API. In particular, it can be used to detect unauthorized AWS account use.
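The detection logic such an alarm encodes, shown as an added example that is not part of the original article: it scans CloudTrail records in their JSON shape and flags root-user API calls (Step 4), unauthorized API calls, and console sign-ins without MFA (Step 2), mirroring the widely used CloudWatch Logs metric-filter patterns for these three conditions. The sample records are constructed, and the account ID in them is a placeholder.

```python
from typing import Dict, List


def classify_event(event: Dict) -> List[str]:
    """Return the finding types a single CloudTrail record triggers."""
    findings = []
    identity = event.get("userIdentity", {})
    # Root user activity (Step 4): a call made directly as the root identity,
    # not by an AWS service acting on the account's behalf.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        findings.append("root-activity")
    # Unauthorized API calls: AccessDenied / UnauthorizedOperation errors are a
    # classic sign of a leaked key being used to probe its permissions.
    err = event.get("errorCode", "")
    if err.startswith("AccessDenied") or err.endswith("UnauthorizedOperation"):
        findings.append("unauthorized-api-call")
    # Successful console sign-in without MFA (Step 2).
    if (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("console-login-without-mfa")
    return findings


def scan_trail(records: List[Dict]) -> Dict[str, List[str]]:
    """Group offending event IDs by finding type across a batch of records."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        for finding in classify_event(rec):
            report.setdefault(finding, []).append(rec["eventID"])
    return report


# Constructed sample records in CloudTrail's JSON shape (not real account data).
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventID": "e2", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventID": "e3", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e4", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]

if __name__ == "__main__":
    print(scan_trail(SAMPLE_RECORDS))
```

In production the same conditions are expressed as CloudWatch Logs metric filters on the CloudTrail log group, with an alarm on each metric; this script lets you test the conditions against exported records offline.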
Step 6 – Enable AWS GuardDuty for monitoring your account
AWS GuardDuty is a service that analyzes data from AWS CloudTrail and other AWS services for indications of malicious activity and compromised accounts or resources.
Step 7 – Implement AWS Trusted Advisor’s recommendations on security
AWS Trusted Advisor continuously evaluates your AWS accounts and provides recommendations via its dashboard or email notifications on how to change your AWS architecture to follow AWS best practices in the areas of:
- Cost optimization
- Fault tolerance
- Service quotas
The key security checks it performs are:
- Service Limits
- IAM Use
- Unrestricted ports in Security Groups
- MFA on Root Account
- EBS / RDS Public Snapshots
- S3 Bucket Permissions
For AWS Business and Enterprise support customers it provides additional checks.
Using AWS CloudWatch, you can also automate remediation of AWS Trusted Advisor findings.
What to do if you believe your AWS account has been compromised
Follow these instructions.