AWS offers a number of tools to help secure your account. Many of these measures are not active by default, and you must take direct action to implement them. Here are some recommended practices to consider to help secure your account and its resources:
AWS Identity and Access Management (IAM) [1]
========================================
The two main types of credentials used for accessing your account are passwords and access keys. Both types can belong to the root user or to individual IAM users. Safeguard passwords and access keys as you would any other secret, and never embed them in publicly accessible code (e.g. a public Git repository). For added security, rotate all credentials on a regular schedule.
– If the root user has access keys, delete them; root keys cannot be restricted by IAM policy. Use IAM roles or individual IAM user access keys instead.
– Ensure you have a documented process for adding and removing authorized users. Ultimately, it should fully integrate with an organization’s existing employee provisioning/de-provisioning process.
– Create IAM groups that reflect organizational roles, and use managed policies to grant specific technical permissions as required.
– If you have an existing identity federation provider, you can use the AWS Security Token Service to grant external identities secure access to your AWS resources without having to create IAM users.
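The first two points above (no root access keys, regular rotation) are easiest to enforce by checking the IAM credential report periodically. The following script is an added example, not code from the original post: it parses a credential report of the kind `aws iam get-credential-report` returns (base64-decoded) and flags active root access keys, keys older than an assumed 90-day rotation policy, and console users without MFA. The CSV, the account ID and the user names are constructed sample data, and the fixed clock `NOW` exists only to make the sample reproducible.

```python
"""Audit an IAM credential report for root access keys, stale keys, and console users without MFA.

Added example, not from the original post. The CSV below is constructed to mimic the
(base64-decoded) output of `aws iam get-credential-report`; it is not real account data,
and the 90-day rotation threshold is an assumed policy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; adjust to your own standard

# Fixed "current time" so the sample output is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)

# Constructed sample, trimmed to the columns this script reads. A real report carries more
# columns (password_last_used, access_key_N_last_used_date, cert_N_active, ...), which
# csv.DictReader simply ignores here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T12:00:00+00:00,true,false,true,2019-03-01T12:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-06-10T09:30:00+00:00,true,true,true,2021-01-05T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-06-10T09:31:00+00:00,false,false,true,2020-06-10T09:31:00+00:00,true,2021-02-01T00:00:00+00:00
"""


def parse_report_time(value):
    """The report uses N/A, no_information or not_supported where no timestamp applies."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples for the credential problems the post calls out."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"  # the root user is always reported under this name

        # Anyone who can log in to the console should have MFA; for root this is critical.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login enabled without MFA"))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root keys cannot be scoped by policy; the post's advice is to delete them outright.
                findings.append((user, f"root access key {slot} is active; delete it"))
                continue
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                age = "unknown" if rotated is None else str((now - rotated).days)
                findings.append((user, f"access key {slot} is {age} days old; rotate it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

Run against a real report, the script would be fed the decoded `Content` field of `get-credential-report` instead of `SAMPLE_REPORT`; the rest is unchanged. Feeding the findings into the security SNS topic described in the next section turns this into a recurring control rather than a one-off check.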
Logging and Auditing
=====================
AWS provides several different tools to help customers monitor their account activities and trends. AWS recommends all customers enable the following features:
– Create a security email distribution list to receive security-related notifications. This will make it easier to configure and manage monitoring notifications associated with the monitoring services described below.
– Create an Amazon Simple Notification Service (Amazon SNS) topic for security notifications and subscribe the security email distribution list to the topic [2]. This will make it easier to create and manage security-related alerts.
– Enable CloudTrail in all AWS Regions [3]; a multi-region trail also records global service events (such as IAM and STS calls) by default. Enable CloudTrail log file integrity validation and deliver the logs to a central S3 bucket that your security team owns.
– Configure CloudTrail integration with Amazon CloudWatch Logs and launch the provided AWS CloudFormation template to create CloudWatch alarms for security and network-related API activity.
– Enable AWS Config. Use the predefined rules CLOUD_TRAIL_ENABLED and RESTRICTED_INCOMING_TRAFFIC to notify the security SNS topic if CloudTrail is disabled for the account or if someone creates insecure security group rules.
– Create an S3 bucket for storing monitoring data and configure the bucket policy to allow the appropriate services (CloudTrail, AWS Config) to store AWS log and configuration data. For multiple accounts, use a single bucket to consolidate this data and restrict access appropriately. [4]
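The alarms and Config rules above all reduce to a handful of checks over CloudTrail records: root user activity, changes to the trail itself, security group rules opened to the whole internet, and unauthorized API calls. The script below is an added example, not code from the original post and not AWS's CloudFormation template; it runs those four detections over a constructed CloudTrail log file. The records follow the CloudTrail record format but are not real events; the account ID, user names, trail name and IP address are placeholders.

```python
"""Run root-activity, trail-tampering, open-security-group and access-denied detections over CloudTrail records.

Added example, not from the original post or from AWS's CloudFormation template. The
records below are constructed to follow the CloudTrail record format; they are not real
events, and the account ID, user names and IP addresses are placeholders.
"""
import json

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
DENIED = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}), trimmed to the
# fields these detections read.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
    {"eventTime": "2021-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2021-03-01T10:08:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2021-03-01T10:09:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "errorCode": "AccessDenied"},
]})


def open_ingress(params):
    """Yield (protocol, fromPort, toPort, cidr) for every ipPermissions entry open to the whole internet."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        for block, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in perm.get(block, {}).get("items", []):
                if rng.get(field) in ANYWHERE:
                    yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), rng[field]


def detect(records):
    """Return (rule, detail, actor) alerts in record order; one record can raise several."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn", ident.get("type", "unknown"))
        # Any root activity at all is worth a page; root should not be used day to day.
        if ident.get("type") == "Root":
            alerts.append(("root-activity", name, actor))
        # Turning the trail off is the first thing an intruder with the right permissions does.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(("cloudtrail-tampering", name, actor))
        # Mirrors the RESTRICTED_INCOMING_TRAFFIC concern: ingress from 0.0.0.0/0 or ::/0.
        if name == "AuthorizeSecurityGroupIngress":
            for proto, lo, hi, cidr in open_ingress(rec.get("requestParameters")):
                alerts.append(("open-security-group", f"{proto} {lo}-{hi} from {cidr}", actor))
        # Bursts of denied calls usually mean someone is probing what a credential can do.
        if rec.get("errorCode") in DENIED:
            alerts.append(("unauthorized-call", name, actor))
    return alerts


def detect_in_log(log_text):
    """Parse one CloudTrail log file (the JSON CloudTrail delivers to S3) and run the detections."""
    return detect(json.loads(log_text)["Records"])


if __name__ == "__main__":
    for rule, detail, actor in detect_in_log(SAMPLE_LOG):
        print(f"[{rule}] {detail} by {actor}")
```

In production the same logic would sit behind the CloudWatch Logs subscription (or a Lambda triggered by the S3 delivery notification) and publish each alert to the security SNS topic; the point of the sample is the record fields each detection keys on, which are the same fields the CloudWatch metric filters match.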
Billing and Cost Monitoring
============================
AWS forecasting and budgeting services help you accurately plan and monitor your usage and spending levels. Here are steps to establish a baseline for your account:
– Configure AWS usage and billing reports to get detailed information regarding trends in your account activity. [5]
– Designate an email distribution list that will receive billing notifications.
– Create an SNS topic for budget notifications and subscribe the billing email distribution list to this topic.
– Create one or more budgets in your account and configure notifications if forecasted spending exceeds your budgeted usage.
Communication with AWS
======================
When a customer creates a new AWS account, AWS captures the primary contact information that it will use for all communication about the account, unless alternate contacts are also added. AWS accounts can include alternate contacts for Billing, Operations, and Security. These contacts will receive copies of relevant notifications and serve as secondary communication points if the primary contact is unavailable. When setting up communication channels with AWS, keep the following best practices in mind:
– Configure the AWS account contact information with a corporate email distribution list (e.g. aws-<org_name>@yourdomain.com) and company phone number rather than an individual user’s email address or personal cell phone. [6]
– Configure the account’s alternate contacts to point to a group rather than an individual. For example, create separate email distribution lists for billing, operations, and security and configure these as Billing, Security, and Operations contacts in each active AWS account. This ensures that multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.
– Sign up for an AWS support plan that aligns with your organization’s support expectations. Business and Enterprise support plans provide additional contact mechanisms (web, chat, and phone) that are especially useful when a customer needs an immediate response from AWS.
For more details, see [7] and [8].
References:
=========
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
[2] https://docs.aws.amazon.com/sns/latest/dg/GettingStarted.html
[3] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
[4] https://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html
[5] https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-reports.html#turnonreports
[6] https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#account-inf
[7] https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/
[8] https://aws.amazon.com/answers/security/aws-secure-account-setup/
——————————————————————————————————————————
I put a lot of thought into these blogs, so I could share the information in a clear and useful way. If you have any comments, thoughts, questions, or you need someone to consult with, feel free to contact me: