Who would you say uses Amazon Web Services (AWS)? Startups? Government? Beginners or experts? Well, as you might have guessed, the short answer is everyone!
It is surprising, however, that only a small subset of them actually know of and follow the basic security best practices needed to protect those accounts. Unfortunately, security tends to get attention only once it has been compromised. The good news is that we've put together a quick reference guide to the essentials, to get you started on the right track!
Here is the list of steps that I’m going to explain in this post. Feel free to skip the ones you already know about:
- Use MFA Everywhere
- AWS CloudTrail
- AWS Multiple Account Security/Billing Strategy and AWS Organizations
- AWS CloudWatch Alarms
- IAM Access Keys Rotation
- AWS Account Security Challenge Questions
- AWS Account-Alternate Security Contacts
Use MFA Everywhere
MFA, which stands for multi-factor authentication, is a simple best practice that adds an extra layer of protection on top of your AWS credentials: a password or access key on its own is no longer enough to sign in. AWS supports two kinds of MFA device:
- Hardware MFA devices (a physical one-time-password token or a FIDO security key)
- Virtual MFA devices (an authenticator app on a phone or laptop that generates time-based one-time codes)
MFA makes it much harder for an attacker who has obtained a password or access key to get into your account. You can enable MFA for:
- Individual IAM users
- The AWS root account
- AWS service APIs and the CLI, by requiring a session token obtained after MFA (STS GetSessionToken) and denying API calls whose context lacks the aws:MultiFactorAuthPresent condition
It is advisable to configure MFA for all of the above in order to protect your AWS resources. Here is why it matters:
- Reducing the risk of fraud by preventing unauthorised users from accessing corporate data and performing identity or data theft
- Making your account resilient against password theft, which attackers pursue with ever-changing phishing, keylogging and pharming techniques
- Protecting your AWS resources, which are (as you know) very important company assets, with the best available security mechanism
Relying on passwords alone is not effective: large numbers of credentials are leaked and traded every year, and a leaked password should not be enough to take over your account. Let's make sure you're not left vulnerable.
You can find more information on multi-factor authentication for AWS IAM here
AWS CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational and risk auditing of your AWS account. It records API calls made in your account and delivers the log files to the Amazon S3 bucket of your choice. Note that management events (creating, changing or deleting resources) are recorded by default, while data events such as S3 object-level operations or Lambda invocations have to be enabled explicitly. Create a trail that applies to all regions and enable log file validation, so that a deleted or modified log file can be detected. Here are a few reasons for enabling CloudTrail:
- Visibility into user activities and service events for the majority of AWS services
- Tracking changes to AWS resources
- Answering questions regarding user activity including who, when and what
- Demonstrating compliance
- Troubleshooting, e.g. who changed a resource and when
- Performing security analysis
You can find more information about AWS CloudTrail here
AWS Multiple Account Security/Billing Strategy and AWS Organizations
Most companies end up needing more than one AWS account, because separate accounts provide the strongest isolation of resources and security boundaries: a principal in one account has no access to another unless it is explicitly granted. Consider multiple AWS accounts if you require any of the following:
- Environmental and administrative isolation between workloads (development, test, staging, production, etc)
- Strong fiscal and budgetary billing isolation between specific workloads, business units, or cost centres
- Workloads operating within their own AWS service limits, so that one workload cannot exhaust the limits of another
- Different high availability (HA) or disaster recovery (DR) capacity requirements for different workloads
AWS Organizations provides policy-based management for multiple AWS accounts. It lets you create accounts, group them into organizational units and apply service control policies (SCPs) centrally, for example to prevent a member account from disabling CloudTrail.
To set up successful management of multi-account environments, head here
AWS CloudWatch Alarms
AWS CloudWatch helps you monitor your AWS infrastructure and get notified when it changes. Once CloudTrail delivers its logs to a CloudWatch Logs log group, you can define metric filters over those logs and attach alarms to the resulting metrics, so that suspicious activity triggers a notification (for example through an SNS topic) within minutes instead of being found weeks later in S3. Here are a few use cases for CloudWatch alarms:
- Alarm for Root Account Usage
- Alarm for AWS Config Changes
- Alarms for AWS CloudTrail Changes
- Alarm for AWS IAM Policy Changes
- Alarm for AWS VPC Changes
- Alarm for AWS Security Group Changes
Here are some key best practices for AWS CloudWatch Logs and Alarms
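As an added example (not code from the original post), here is the detection logic behind four of the alarms listed above, run offline over a constructed CloudTrail log file. In a real account the same predicates are expressed as CloudWatch Logs metric filters on the log group CloudTrail delivers to, with an alarm on each filter's metric; the event names and the root-usage condition follow the widely used CIS AWS Foundations Benchmark filters. The account ID, ARNs, IP addresses and timestamps in the sample log are invented.

```python
import json

# eventNames behind the "CloudTrail changes", "IAM policy changes" and
# "security group changes" alarms; root usage needs more than the name.
CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                     "StartLogging", "StopLogging"}
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def is_root_usage(ev):
    """True when root credentials were used directly. Mirrors the metric filter
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }: an action a service performed on
    root's behalf carries invokedBy and must not page anyone."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


RULES = {
    "RootAccountUsage": is_root_usage,
    "CloudTrailChange": lambda ev: ev.get("eventName") in CLOUDTRAIL_EVENTS,
    "IAMPolicyChange": lambda ev: ev.get("eventName") in IAM_POLICY_EVENTS,
    "SecurityGroupChange": lambda ev: ev.get("eventName") in SECURITY_GROUP_EVENTS,
}


def load_records(log_text):
    """CloudTrail log files are JSON objects with a top-level "Records" array."""
    return json.loads(log_text)["Records"]


def evaluate(records):
    """Run every rule over every record; one hit per matching (rule, record)."""
    hits = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        for rule, matches in RULES.items():
            if matches(ev):
                hits.append({"rule": rule, "eventName": ev.get("eventName"),
                             "principal": ident.get("arn", ident.get("type")),
                             "sourceIPAddress": ev.get("sourceIPAddress"),
                             "eventTime": ev.get("eventTime")})
    return hits


# Constructed CloudTrail log file, trimmed to the fields the rules read;
# account ID, ARNs and IP addresses are invented.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:01:12Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": ROOT, "sourceIPAddress": "203.0.113.10"},
    # A service acting on root's behalf: must NOT count as root usage.
    {"eventTime": "2024-01-15T08:02:00Z", "eventType": "AwsServiceEvent",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateDefaultVpc",
     "userIdentity": dict(ROOT, invokedBy="AWS Internal")},
    # Root switching logging off: two alarms from one record.
    {"eventTime": "2024-01-15T08:05:41Z", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": ROOT, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-15T09:10:03Z", "eventType": "AwsApiCall",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-15T09:12:30Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7"},
    # Read-only call: no rule should match.
    {"eventTime": "2024-01-15T09:13:00Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7"},
]})

if __name__ == "__main__":
    for h in evaluate(load_records(SAMPLE_LOG)):
        print(f'{h["eventTime"]} {h["rule"]:<20} {h["eventName"]:<30} '
              f'{h["principal"]} from {h["sourceIPAddress"]}')
```

The second record is the edge case that catches out naive "type == Root" rules: AWS itself performs some actions under the root identity, and those carry invokedBy and an eventType of AwsServiceEvent. Filtering them out keeps the root-usage alarm quiet enough that people still react when it fires. The StopLogging record shows why the alarms overlap on purpose: someone using root to turn off the audit trail should trip both the root-usage and the CloudTrail-change alarm.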
IAM Access Keys Rotation
Rotate IAM access keys on a regular basis, so that a key which has leaked (in a commit, a laptop backup or a log file) stops working before it can be abused indefinitely.
Periodic rotation bounds the damage from a compromise you have not yet noticed: a key that was copied months ago is worthless once it has been replaced, instead of silently providing access to critical components of your AWS account. Better still, avoid long-lived access keys where you can and use IAM roles with temporary credentials; a key that does not exist cannot be leaked. The root account in particular should have no access keys at all.
It is also worth noting that regular key rotation may be required by compliance and regulatory standards. For more information on how to set up access key rotation, head here
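To turn the MFA advice above and the rotation advice here into a check you can actually run, the added Python example below (not code from the original post) parses an IAM credential report, the CSV that `aws iam get-credential-report` returns base64-encoded, and flags principals that can sign in without MFA, root access keys, keys older than 90 days, and active keys that have never been used. The report is constructed for this example with an invented account ID; the 90-day limit and the AS_OF date are assumptions, and the real report has more columns than the sample (which is why rows are read by header name).

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90          # rotation interval enforced by the check below
ROOT_USER = "<root_account>"   # how the credential report names the root user
AS_OF = datetime(2024, 1, 15, 12, tzinfo=timezone.utc)  # "now" for the sample


def parse_ts(value):
    """Report timestamps are ISO 8601 with a UTC offset; N/A, no_information
    and not_supported mark fields that do not apply."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return findings as dicts {user, check, slot, detail}, in report order.
    slot is 1 or 2 for access-key findings and 0 for account-level ones."""
    findings = []

    def add(user, check, slot=0, detail=""):
        findings.append({"user": user, "check": check, "slot": slot, "detail": detail})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        # Root always has a console password (the report says not_supported);
        # an IAM user only needs MFA if it can sign in to the console at all.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            add(user, "no_mfa", detail="console sign-in possible without MFA")
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                add(user, "root_access_key", slot, "root should have no access keys at all")
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_key_age_days:
                add(user, "stale_access_key", slot,
                    f"last rotated {age} days ago (limit {max_key_age_days})")
            if parse_ts(row[f"access_key_{slot}_last_used_date"]) is None:
                add(user, "unused_access_key", slot, "active key that has never been used")
    return findings


def users_without_mfa(findings):
    return [f["user"] for f in findings if f["check"] == "no_mfa"]


# Constructed credential report (the decoded output of
# `aws iam get-credential-report`), trimmed to the columns read above.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-01-10T09:12:00+00:00,not_supported,not_supported,false,true,2019-03-01T10:05:00+00:00,2023-12-20T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T12:00:00+00:00,true,2024-01-14T08:00:00+00:00,2023-11-01T12:00:00+00:00,2024-02-01T12:00:00+00:00,true,true,2023-12-01T12:00:00+00:00,2024-01-14T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-02-15T12:00:00+00:00,true,2024-01-02T08:00:00+00:00,2022-05-10T12:00:00+00:00,N/A,false,true,2022-05-10T12:00:00+00:00,2024-01-13T08:00:00+00:00,true,2020-02-15T12:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-20T12:00:00+00:00,2024-01-15T07:30:00+00:00,false,N/A,N/A
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT, AS_OF):
        print(f'{f["user"]:<15} {f["check"]:<18} slot {f["slot"]}  {f["detail"]}')
```

Against a live account, feed it the real report: `aws iam get-credential-report --query Content --output text | base64 -d` produces exactly the CSV that audit() expects. Two design points are worth noting. The ci-deploy user has no console password, so it is deliberately not flagged for missing MFA (MFA devices protect console sign-in and STS session tokens, not a bare programmatic key); what protects it is the rotation check. And bob's second key is active but has never been used, which is the usual sign of a forgotten key that should simply be deleted rather than rotated.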
AWS Account Security Challenge Questions
Enabling and configuring security challenge questions adds one more layer of protection to your account: AWS can use them to verify your identity, for example when you contact support to recover a compromised account. Remember, however, that by default no security challenge questions are set for your AWS account, so here we show you how.
AWS Account-Alternate Security Contacts
Make sure your AWS account has alternate contacts configured, so that security communications reach someone even when you are unavailable. AWS uses the alternate security contact for security notifications such as abuse reports. Use an internal email distribution list rather than a single personal or work address, so that one person's absence or departure does not become a single point of failure. We've put together a guide on how to set this up here