Kudos for creating your account! However, your setup does not end there. Amazon Web Services runs on a shared responsibility model where you, the client, play just as significant a role in securing your account as your cloud provider does. Without playing your part, you might end up leaving your environment open to determined snoopers. Fortunately, AWS provides a well-documented guide on security principles to abide by, and this article focuses on the steps that are essential for beginners, starting with securing the root account.
I. Implement a strong identity foundation.
Your root user is the account you are first logged into upon creating your AWS account. It comes with full access to all AWS services and resources. That's a lot of power, and a lot of risk, and with great power comes great responsibility. To ensure your account remains secure, you need to:
Avoid using the root account for daily tasks. Yeah, I get it, this might seem counterintuitive: what's the point of creating an account and NOT using it? You need to understand the amount of power your root account holds. A compromised root account can grant attackers full control of your AWS environment, leading to data breaches, loss of critical data, and more.
To avoid leaving your account vulnerable, create an IAM user with admin privileges for day-to-day management and use that instead. Secondly, enable multi-factor authentication (MFA) on the root user. This adds an extra layer of protection on top of a strong password. A virtual MFA application is a great strategy for enabling MFA on your account. I use Microsoft's Authy, but would recommend Google Authenticator.
Rotate your access keys. AWS recommends rotating your access keys every 3 months (90 days) to minimize the risk of compromised keys and unauthorized access to your resources.
P.S. This is all free to set up!
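The three habits above (root kept out of daily use, MFA on, keys rotated inside 90 days) can all be checked from one artifact: the IAM credential report, a CSV that IAM generates on request. The script below is an added example, not code from the article. The report text is constructed, but it uses the column names IAM's credential report actually has (`<root_account>` is the literal user name of the root row); the fixed "today" date keeps the sample reproducible, and nothing here calls AWS.

```python
"""Audit an IAM credential report for the root-account and key-rotation
habits recommended above. Added example; SAMPLE_REPORT is constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # the rotation window the article recommends
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible

# Constructed report: the root row plus two IAM users, trimmed to the columns used below.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-30T14:12:00+00:00,false,true,2023-01-10T09:05:00+00:00,2024-05-29T08:00:00+00:00,false,N/A,N/A
admin-esther,arn:aws:iam::111122223333:user/admin-esther,2023-01-11T10:00:00+00:00,true,2024-05-31T07:30:00+00:00,true,true,2024-04-15T12:00:00+00:00,2024-05-31T07:45:00+00:00,false,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2023-02-01T10:00:00+00:00,false,no_information,false,true,2023-02-01T00:00:00+00:00,2024-05-31T02:00:00+00:00,false,N/A,N/A
"""


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples for the practices the article describes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root: missing MFA, any active access key, and recent sign-ins are all findings.
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root user has an active access key ({n})"))
            last_used = _parse_time(row["password_last_used"])
            if last_used and now - last_used < timedelta(days=max_age_days):
                findings.append((user, "root password used recently; use an IAM admin user instead"))
            continue
        # IAM users: console users need MFA, and any active key older than the window is stale.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_age_days):
                age = "unknown" if rotated is None else (now - rotated).days
                findings.append((user, f"access key {n} is {age} days old (limit {max_age_days})"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against the sample the root row produces three findings (no MFA, an active access key, a sign-in two days ago) and the `ci-deployer` key is flagged as 486 days old; `admin-esther`, with MFA on and a key rotated 47 days ago, is clean. On a real account you would feed it the CSV that `aws iam get-credential-report` returns (base64-decoded) in place of the constructed text.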
II. Maintain traceability.
"By failing to prepare, you prepare to fail". This is a quote you need to especially live by in the cloud.
Preparing for the worst-case scenario better prepares and protects you from failure and long downtimes.
In recovery, you'll need access to your account's activity history to help diagnose the incident. This is where CloudTrail comes in. CloudTrail records all API activity in your AWS account; think of it like a security camera for your cloud. It is free to access on your account and is enabled by default.
When creating trails, it is recommended to enable the trail in all regions (even those you don't actively use).
In addition, make sure you store these logs in a secure S3 bucket with limited access.
You can capture a wide range of events within your account with CloudTrail.
Additionally, set up CloudWatch alarms to trigger notifications on a wide range of activities that may happen within your account. As a beginner, it is best to set up anomaly detection on your account.
You can go a step further by integrating your logs with Amazon CloudWatch for real-time monitoring and alerts. More on this in upcoming articles.
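Two of the points in this section are worth seeing as concrete checks: what "enable the trail in all regions and keep the logs in a restricted bucket" looks like when you inspect a trail's settings, and what a first CloudWatch alarm should fire on. The script below is an added example, not code from the article. `TRAIL`, `BUCKET_POLICY` and `EVENTS` are constructed; `TRAIL` uses the field names of the `describe-trails` API response and `EVENTS` the field names of CloudTrail log records. The three alert conditions follow the CIS AWS Foundations Benchmark metric filters for root usage, console sign-in without MFA and CloudTrail configuration changes. Nothing here calls AWS.

```python
"""Check a trail's hardening settings and scan CloudTrail records for the
activity a first alarm should catch. Added example; all data is constructed."""

# Constructed trail description (same keys as `aws cloudtrail describe-trails`).
TRAIL = {
    "Name": "account-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
}

# Constructed policy on the log bucket: the first statement lets anyone read every log.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/111122223333/*"},
    ],
}


def check_trail(trail, bucket_policy):
    """Return the list of hardening gaps for a trail and the bucket it logs to."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("trail is not multi-region: activity in unused regions goes unrecorded")
    if not trail.get("IncludeGlobalServiceEvents"):
        gaps.append("global service events (IAM, STS) are not included")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation is off: tampering with stored logs would go unnoticed")
    for stmt in bucket_policy.get("Statement", []):
        principal = stmt.get("Principal")
        public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and public:
            gaps.append(f"log bucket grants {stmt.get('Action')} to everyone")
    return gaps


# Constructed CloudTrail records, trimmed to the fields the checks below read.
EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "admin-esther"}},
    {"eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"}},
    {"eventName": "CreateUser", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "organizations.amazonaws.com"}},
]


def alerts_for(event):
    """Return the alarm names one record should raise."""
    alerts = []
    identity = event.get("userIdentity", {})
    # Root usage, excluding actions an AWS service performed on the account's behalf.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        alerts.append("root-account-usage")
    if (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"):
        alerts.append("console-login-without-mfa")
    # Someone turning the security camera off is itself an event worth an alarm.
    if event.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        alerts.append("cloudtrail-configuration-change")
    return alerts


def scan_events(events):
    """Return (eventName, alerts) for every record that should raise an alarm."""
    return [(e["eventName"], alerts_for(e)) for e in events if alerts_for(e)]


if __name__ == "__main__":
    for gap in check_trail(TRAIL, BUCKET_POLICY):
        print("trail gap:", gap)
    for name, alerts in scan_events(EVENTS):
        print(f"alert on {name}: {', '.join(alerts)}")
```

The sample trail yields three gaps (single-region, no log file validation, a world-readable log bucket), and the scan raises alarms on the root console sign-in without MFA and on the `StopLogging` call, while the service-invoked root event and the routine `DescribeInstances` stay quiet. The same conditions, written as CloudWatch Logs metric filter patterns on a trail that delivers to a log group, are what the alarms mentioned above would be built on.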
III. Review your resources frequently.
I've seen a lot of learners fall into the trap of deploying very cool projects only to leave them gathering dust without maintenance or reviews. These are the kinds of loopholes attackers take advantage of to exploit your resources. If only there were a way to review the configurations within your account and monitor for changes to your resources. Well, as in most cases, AWS has a tool for that. Enter AWS Config.
AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time. This is key in identifying possible vulnerabilities and unauthorized changes.
In setting up Config, you have the option of a "1-click setup". With this option, AWS creates all the necessary AWS resources for you, including AWS IAM service roles and an S3 bucket for configuration records. It also configures the AWS Config recorder to continuously track the configuration of all resources, except for AWS IAM. However, you would still need to select rules. Rules are essentially compliance checks that Config evaluates your resources against to enforce your ideal configurations. The resulting compliance status is displayed for you. AWS has a wide range of managed rules that check compliance for a multitude of resources.
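Managed rules cover the practices from the earlier sections directly (for example `root-account-mfa-enabled`, `access-keys-rotated` with its `maxAccessKeyAge` parameter, and `multi-region-cloudtrail-enabled`). When no managed rule fits, a custom rule is a Lambda function that Config invokes with the changed resource's configuration item and reports COMPLIANT or NON_COMPLIANT back. The code below is an added example of that evaluation logic, not the article's or AWS's code. `SAMPLE_EVENT` is constructed; it follows the `invokingEvent` / `ruleParameters` / `resultToken` layout Config sends to custom rules, and the configuration keys `isMultiRegionTrail` and `logFileValidationEnabled` are assumed to mirror the CloudTrail API names. The `put_evaluations` call that reports the result to Config is the one part that needs AWS and is left as a comment, so the block runs offline.

```python
"""Evaluation logic for a Lambda-backed custom AWS Config rule that checks
CloudTrail trails. Added example; SAMPLE_EVENT is constructed and the
configuration key names are assumptions."""
import json


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::CloudTrail::Trail":
        return "NOT_APPLICABLE", "rule only evaluates CloudTrail trails"
    config = configuration_item.get("configuration") or {}
    problems = []
    # Rule parameters arrive as strings; "true" is the default when none is set.
    if rule_parameters.get("requireMultiRegion", "true") == "true" and not config.get("isMultiRegionTrail"):
        problems.append("not multi-region")
    if not config.get("logFileValidationEnabled"):
        problems.append("log file validation disabled")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "trail records all regions with validated logs"


def build_evaluation(event):
    """Turn a Config invocation event into the evaluation entry Config expects."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_compliance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point. Returns the evaluation; in AWS it would also be reported with
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])."""
    evaluation = build_evaluation(event)
    return evaluation


# Constructed invocation: a single-region trail that does validate its log files.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "account-trail",
            "configurationItemCaptureTime": "2024-06-01T00:00:00.000Z",
            "configuration": {
                "isMultiRegionTrail": False,       # assumed key name
                "logFileValidationEnabled": True,  # assumed key name
                "s3BucketName": "example-cloudtrail-logs",
            },
        },
    }),
    "ruleParameters": json.dumps({"requireMultiRegion": "true"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

For the constructed event the rule reports `NON_COMPLIANT` with the annotation `not multi-region`, which is the status Config would display next to the trail. Keeping the decision in `evaluate_compliance`, separate from event parsing and from the `put_evaluations` call, is what makes a rule like this easy to test before it is deployed.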
Security isn't a one-time task - it's a continuous process. As you explore AWS, follow these practices to protect your account, your data, and your peace of mind. Strong security habits start now. The earlier you build them, the safer your cloud journey will be.
Top comments (2)
Pretty cool breakdown - I always end up forgetting about rotating keys, so this hits home for me.
Insightful write-up Esther!!
I will do a hands-on on CloudTrail and AWS Config and I think this writeup is an invaluable resource, detailed and apt!!!