1. Always lock away your AWS Account Root User Access Key:
The access key for your AWS account gives full access to all your resources for all AWS services, including your billing information. Therefore, always protect your AWS account access key just like you would protect your credit card numbers or any other sensitive secret.
2. Create individual IAM Users:
As much as possible you must stay away from using your AWS account root user credentials to access AWS and never give your credentials to anyone else. Instead, always create individual users for anyone who needs access to your AWS account.
3. Configure a strong password policy for your users:
If you allow users to change their passwords, require that they create strong passwords and that they rotate their passwords periodically. You can use the password policy to define password requirements such as minimum length, whether requires non-alphabetic characters, how frequently it must be rotated, and so on.
4. Rotate credentials regularly:
Change your passwords and access keys regularly and make sure that all IAM users in your account do that as well. That way if a password or access key is compromised without your knowledge, you can limit how long the credentials can be used to access your resources.
5. Remove unnecessary credentials:
Remove IAM user credentials which are password and access keys, that are not needed. Similarly, if a user does not and will never use the access key, there is no reason for the user to have them. Passwords and access keys that have not been used recently might be good candidates for removal. You can find the unused
passwords or access keys using the console, using the API, or by downloading the credentials report.
6. Enable MFA for privileged users:
For extra security enable multi-factor authentication, that is MFA for the privileged IAM users are users who are allowed access to sensitive or API operations. With MFA, users have a device that generates a unique authentication code, a one-time password, or an OTP. Users must provide both their normal credentials and the OTP. The MFA device can either be a special piece of hardware or it can be a virtual device. For example, it can run on an app or a smartphone.
7. Users groups to assign permissions to IAM groups:
Instead of defining permissions for individual IAM users, it is usually more convenient to create groups that relate to job functions such as administrator or developers or accounting, etc. Next, define the relevant permissions for each group. Finally, assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned to that group that way, you can make changes for everyone in a group in just one place.
8. Use AWS-defined policies to assign permissions whenever possible:
AWS recommends that you use the managed policies that are created and maintained by AWS to grant permissions whenever possible. A key advantage of using these policies is that they are maintained and updated by AWS as new services, or new API operations are introduced. But also keep in mind that custom-managed policies are more flexible. Hence, you need to ensure that those policies are defined well and in a secure manner.
9. Use policy conditions for extra security:
To the extent that it is practical, define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only with a specified date range or time range.
10. Grant least privilege:
When you create IAM policies, follow the standard security advice of granting the least privileges which are granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. Always start with a minimum set of permissions and grant additional permissions as necessary, doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.
11. Use access levels to review IAM permissions:
When you review a policy, you can view the policy summary which includes a summary of the access level for each service action within that policy. AWS categorizes each service action into one of four access levels based on what each action does; that is it uses these access levels to determine which actions to include in your policies.
12. Use roles to delegate permissions:
Never share security credentials between accounts to allow users from another AWS account to access resources in your AWS account. Instead, always use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed. For example, applications that run on an EC2 instance need credentials to access other AWS services. To provide credentials to the application in a secure way, always use IAM roles.
13. Monitor Activity in your AWS Account:
You can use logging features in AWS to determine the actions users have taken in your account and the resources that were used. The log files show the time and date of the actions, the source IP for an action, which actions failed due to inadequate permissions, and more logging features available in Amazon CloudFront, CloudTrail, CloudWatch, Config, and S3.
Top comments (0)