How to Secure Your AWS Account [Podcast]
In this post/podcast, we'll be talking about how to secure your AWS account and how to utilize the Identity and Access Management (IAM) console.
Hello there and welcome to another 'Hot Shot.' My name is Peter Pilgrim, platform engineer, DevOps specialist, and Java Champion.
Today, we'll be talking about securing your AWS account and, in particular, the Identity and Access Management (IAM) console.
Here are some tips:
- You will want to change your personal Amazon account password immediately and make it very secure and very strong, especially if you share the username for your residential Amazon deliveries with your AWS console. Treat your Amazon and AWS root user accounts like a precious gold bar, because if you lose possession of them, then your goose is, indeed, cooked.
- If you run your own business, you may want to associate your AWS root user account with a business account. Make sure that only you, the business owner, have access to this account.
- Learn about AWS security and the Identity and Access Management interface, otherwise known as IAM. Take a deep dive; I recommend this a lot.
- Store the AWS root password in a cyber vault, such as a very secure LastPass account, that only you can access, along with a few trusted left-tenants (lieutenants, for US readers).
- Create a read-only user for yourself that lets you look at things without accidentally destroying important things like EC2 clusters, groups, instances, networks and VPCs, security groups, databases, and other resources.
- Consider adding Multi-Factor Authentication to protect your account. You're quids in if you are already using the Google Authenticator mobile phone application, as I do for Google Mail and Google account access.
- Create separate IAM users and IAM groups. For example, you may want to create an EC2 instance user and group that allow trusted people to start and stop instances. You may want to create another set of users who can only access database instances such as RDS, Aurora, and MySQL.
- Learn about IAM roles, which give you the option to allow power users to assume roles. For example, you might create an Administrator group and allow trusted platform engineers and DevOps technical leads (vis-a-vis anchors) to become an Administrator.
- Create IAM roles with multiple managed policies. Amazon has the concept of a managed policy for each service on the AWS platform. For example, you provision an EC2 instance with a role so that it launches with enough permissions; for that you need the policy AmazonEC2ReadOnlyAccess. If you want EC2 instances attached to the IAM role to also access the S3 service, then you have to add additional policies for the other service(s): attach the AmazonS3ReadOnlyAccess policy to the role. This allows an EC2 instance with a web server to synchronize a static web site with the data on S3. Of course, you will not need a script to synchronise the data first at launch time. The benefit of IAM roles is that they share no secrets; they only provide permissions. Roles can be granted temporarily to users and systems.
- If you are going to secure your AWS account, you definitely want to learn about monitoring AWS beforehand, so delve into the CloudFront and CloudWatch material.
- Re-evaluate the default AWS IAM password policy and follow the advanced-user advice from AWS. Once you are really good at AWS, follow the advice to remove your root access keys. Enable password expiration and set expiration periods; maybe you want to expire passwords every 3 months, or maybe you prefer 6 months. It depends on your situation (and, of course, your institution).
- Finally, if you want to call yourself an AWS expert, then you will have already watched the YouTube video from AWS re:Invent 2015 by Anders Samuelsson about IAM best practices. If you haven't watched it, you should check it out.
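The EC2 instance role described in the IAM roles tip above, as an added example that is not from the original post: a Python script that creates the role with a trust policy only the EC2 service can assume, attaches just the two AWS managed policies named in the tip, and wraps the role in an instance profile. The role name static-site-web and the DryRunIam stand-in client are assumptions; pass boto3.client("iam") in its place to apply the setup to a real account.

```python
import json

# Trust policy: only the EC2 service may assume this role, no user or account principal.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# The two AWS managed policies named in the post; nothing broader, no *FullAccess.
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
]


class DryRunIam:
    """Assumed stand-in for a boto3 IAM client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**params):
            self.calls.append((api, params))
            return {}
        return call


def read_only_policies(arns):
    """Guard: every managed policy attached to the instance role must be read-only."""
    return all(arn.endswith("ReadOnlyAccess") for arn in arns)


def setup_instance_role(iam, role_name="static-site-web"):
    """Create the role, attach the managed policies and wrap it in an instance
    profile (the thing an EC2 launch references). Returns the profile name."""
    if not read_only_policies(MANAGED_POLICY_ARNS):
        raise ValueError("refusing to attach a non-read-only policy to an instance role")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
                    Description="Read-only EC2/S3 role for the static web server")
    for arn in MANAGED_POLICY_ARNS:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


if __name__ == "__main__":  # dry run; use boto3.client("iam") instead to apply it
    dry = DryRunIam()
    setup_instance_role(dry)
    for api, params in dry.calls:
        print(api, params)
```

Launch the instance with that profile name as its IamInstanceProfile and the web server gets temporary credentials from the instance metadata, so no access key ever has to be baked into the image.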
That's all for this 'Hot Shot.' I hope you liked it.
Addendum: I also recommend that you watch the AWS re:Invent 2017 talk on how to become an IAM ninja, "AWS re:Invent 2017: IAM Policy Ninja (SID314)", which has some updated information.
Published at DZone with permission of Peter Pilgrim, DZone MVB.