
Your AWS Account Is a Mess? Learn How to Fix It!



Do you have no ec2:* wildcards in your IAM policies? Are your Security Group rules as strict as possible? Do your S3 bucket access policies only contain rules you know about? Do you know about every single resource that runs in your account?

If so, stop reading and please tell me how you achieve that!

Otherwise: I'm sorry, your AWS Account is a mess! A security problem is likely!

As an independent AWS consultant, I see many accounts and most of them are messy. I observed that the level of mess is related to:

  • Awareness and visibility: If the mess is visible to the users, they will care about it.
  • Number of users per account: The more users, the more mess. More than 10 users per account is going to be hard to keep tidy.
  • Degree of automation: Manual work creates a mess. Automation reduces mess.

I developed three approaches to clean up and prevent a mess. I suggest that you tackle them one after the other to not feel overwhelmed.

1. Awareness and Visibility



If your users are not aware of the problem, they can't fix it. Monthly reviews can help to make problems visible to your team.

Security Groups

  • Are your inbound rules as strict as possible?
  • Do you have IP address-based rules where Security Group references are possible?

IAM Roles

  • Are the policies (inline and attached) as strict as possible? Especially look for wildcards (*) in actions and resources. Also look for managed policies whose names end with FullAccess, and for the evil AdministratorAccess policy, which grants root-like permissions. You can use our Complete AWS IAM Reference!
  • Who is allowed to assume the role? Look at the trust policy.

IAM Users and Groups

  • Are they still needed? Maybe a user left the company?
  • Are the policies (inline and attached) as strict as possible? Especially look for wildcards (*) in actions and resources. Also look for managed policies whose names end with FullAccess, and for the evil AdministratorAccess policy, which grants root-like permissions. You can use our Complete AWS IAM Reference!
  • Do your users have MFA enabled? Learn how to check and enable MFA.
  • How old are the access keys? If they are older than 30 days, rotate them!

S3 Access Policies

  • Do you allow public access and are you okay with that? Look for "Principal": "*" in the statements.
  • Are the policies as strict as possible?

Now it's time to book a meeting room for one hour, invite two or three users, and have a look at one of the topics. You will be surprised! Make sure you document the finding, assign responsibilities, and set due dates. Track the progress in the next review meeting.
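The review questions above can be partly automated. The following is an added example, not code from the article: it runs the wildcard, FullAccess, public-bucket and key-age checks offline against constructed sample data shaped like the IAM policy documents, S3 bucket policy and access-key metadata the AWS API returns (the sample ARNs and key ids are placeholders).

```python
"""Offline checks for the monthly review (added example; inputs are constructed)."""
from datetime import datetime, timedelta, timezone


def iam_policy_findings(doc):
    """Flag Allow statements with a wildcard in an action or a bare '*' resource."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:  # catches "*", "ec2:*" and partial ones like "s3:Get*"
                findings.append(f"wildcard action {action}")
        if "*" in resources:  # a bare "*" resource applies to everything
            findings.append("wildcard resource *")
    return findings


def is_risky_managed_policy(name):
    """Managed policy names the review tells you to look for."""
    return name.endswith("FullAccess") or name == "AdministratorAccess"


def bucket_policy_is_public(doc):
    """True if any Allow statement grants access to everyone (Principal "*")."""
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            return True
    return False


def stale_access_keys(keys, now, max_age_days=30):
    """Return the ids of access keys older than max_age_days (rotate those)."""
    limit = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["CreateDate"] < limit]


# Constructed samples (placeholder ARNs and key ids, not real account data)
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-static/*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static/*"}]}
NOW = datetime(2016, 1, 15, tzinfo=timezone.utc)
KEYS = [{"AccessKeyId": "AKIAEXAMPLEOLD", "CreateDate": NOW - timedelta(days=90)},
        {"AccessKeyId": "AKIAEXAMPLENEW", "CreateDate": NOW - timedelta(days=3)}]

if __name__ == "__main__":
    print(iam_policy_findings(POLICY), bucket_policy_is_public(BUCKET_POLICY), stale_access_keys(KEYS, NOW))
```

Feed it the output of `get_policy_version`, `get_bucket_policy` and `list_access_keys` for each role, bucket and user, and the findings list becomes the agenda for the review meeting.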

2. Reduce Number of Users per Account



Reducing the number of users per account works even in enterprises with thousands of employees. No one said that you only need one account! Create many accounts: one per team, one per service, one per customer. Whatever partition makes sense for you.

If you choose a multi-account strategy, you will introduce additional complexity. Tackle it with:

3. Automation



A typical web application consists of many parts:

  • Load Balancer.
  • RDS instance.
  • Auto Scaling Group.
  • Launch Configuration.
  • EC2 instances.
  • Security Groups for EC2, RDS, and ELB.
  • IAM Role for EC2.
  • Key Pair for EC2.
  • CloudWatch Alarms for EC2, RDS, and ELB.
  • Route53 Zone + Record Set.
  • CloudFront Distribution.
  • S3 bucket for static files.

The day will come when one of your applications is approaching end-of-life. The chances are high that you forget about one of the many parts you created years before, or that your co-worker added a few months before.

Instead of creating all the resources manually, use CloudFormation to deploy them. You have to write a JSON template that contains a definition of the resources you need. The CloudFormation service will use that template to create a stack with all the resources for you. The cool thing is that if you delete the stack, all the resources are deleted. Nothing is forgotten. You can even use CloudFormation to update a stack when you need to change something in your template.

If you manage all the things with CloudFormation, you can go one step further: reduce the IAM permissions of your users and protect your CloudFormation-managed AWS account from human intervention.
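To make the template idea concrete, here is an added example that is not part of the article: a minimal CloudFormation template, built as a Python dict so it can be checked before `create-stack`, with the Security Group reference pattern from the review list (the EC2 group admits traffic only from the ELB group, not from IP ranges) and a least-privilege role for the instances. The logical ids, the bucket name and the VPC parameter are constructed placeholders.

```python
"""Minimal CloudFormation template plus a pre-deploy check (added example)."""
import json


def build_template():
    """ELB group open to the world on 443; web group reachable only from the ELB group."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VPC": {"Type": "AWS::EC2::VPC::Id"}},  # placeholder parameter
        "Resources": {
            "ElbSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
                "GroupDescription": "public HTTPS", "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                          "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
            "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
                "GroupDescription": "web servers, reachable only from the ELB",
                "VpcId": {"Ref": "VPC"},
                # Security Group reference instead of an IP-based rule
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                          "SourceSecurityGroupId": {"Ref": "ElbSecurityGroup"}}]}},
            "WebServerRole": {"Type": "AWS::IAM::Role", "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                    "Action": "sts:AssumeRole"}]},
                # inline policy scoped to one action on one bucket (placeholder name)
                "Policies": [{"PolicyName": "read-static-files", "PolicyDocument": {
                    "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                    "Action": ["s3:GetObject"],
                    "Resource": "arn:aws:s3:::example-static-files/*"}]}}]}}}}


def open_to_world(template, allowed=("ElbSecurityGroup",)):
    """Logical ids of Security Groups with 0.0.0.0/0 ingress outside the allow-list.

    Run this on every template before deploying it; a non-empty result means the
    stack would violate the 'as strict as possible' rule from the monthly review."""
    bad = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup" or name in allowed:
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0":
                bad.append(name)
    return bad


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))  # the JSON you hand to CloudFormation
    print("open to world:", open_to_world(build_template()))
```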


Published at DZone with permission of Michael Wittig, DZone MVB. See the original article here.
