Managing Amazon Web Services is hard, let’s face it. AWS is complex, offers numerous amount of services & APIs, it’s constantly changing, web console UX is bad and some concepts behind it are just hard to understand at the beginning. But once you start getting it, you also realize that it has a great power. The power not only to store unlimited amounts of data, handle millions of requests per second or even to predict your next partner using Machine Learning but also the power to literally clean your wallet in couple of seconds. It may be because of your lack of understanding of this system, because of a „miss click” or simply because you didn’t care to secure your account properly. Internet is full of stories like that. In this guide I’ll try to show you some “quick wins” which should decrease the probability of those events taking place.
Disclaimer: This guide is meant to serve as a primer only for account based settings. I’m not going to cover EC2, RDS, Networking and other resource based stuff, security or performance optimizations.
In my opinion this is the most important thing when it comes to your accounts security. By enabling MFA/2FA you’re providing another free strong layer of security. If you don’t know what MFA is it’s a method of confirming a user's claimed identity by utilizing a combination of two different components, in our case - password and a token which is temporary and generated every few seconds.
How to enable it?
This one is a really quick win. Once again go to “My Security Credentials” and open “Access Keys”. You should see something like this.
Go ahead and remove it.
You might ask, “is that really necessary”? Yes, definitely. Root Access Keys provide unrestricted access to your AWS account. If somebody would somehow get those keys, they could use them to provision hundreds of EC2 instances at your cost.
But what if you’d like to use Access Keys for example for API or CLI access?
If you’d like to interact with AWS using CLI on your computer, I strongly recommend creating a separate IAM User & Role for yourself with limited permissions so you can handicap yourself. Follow the principle of least privilege. Do the same for your work partners.
Don’t share one account. AWS is likely to block that account if it observes suspicious activity (logging from many devices & IPs in a short period of time). Also, with multiple accounts, if someone screws up, you can easily track who’s responsible for that using CloudTrail which records all interactions with your AWS account. More on that in point 5.
Amazon gives you an opportunity to force all IAM users to regularly update their passwords, for example every two months. It also can enforce minimal password length, complexity, presence of numbers, capital characters and much more. Longer, more complicated passwords changed regularly mean better security, that’s a fact.
AWS CloudTrail is a service that enables governance, compliance and operational auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Console, SDKs and command line tools. This history simplifies security analysis, resource change tracking, and troubleshooting.
AWS gives you cool monitoring features out of the box. Not only it gives you an opportunity to track CPU, memory & network usage of your instances but also track up-to-date costs and projected future costs. You can even see which service is burning the most money and send an email or SMS whenever threshold is exceeded.
Whenever I start provisioning resources on a new AWS account, I always set up these alarms first to keep my finger on the pulse. It saved me a lot of money. You can also compose a dashboard using all those metrics to have a really clear breakdown of where your money goes.
This one is very underestimated and often forgotten by users. Having a very strict Password Policy might lead to loss of passwords. That’s a common thing, we tend to forget passwords. Security questions might also help in case your account gets hacked. In case that happens, it is very likely that AWS support would use them and other data to confirm your identity.
Besides the CloudWatch dashboard focused on billing, AWS Budgets is another nifty way to plan your usage and your costs (also known as spend data), and to track how close your usage and costs are to exceeding your budgeted amount. Budgets use data from “Cost Explorer” to provide you with a quick way to see your usage-to-date and current estimated charges from AWS, and to see how much your predicted usage accrues in charges by the end of the month. Budgets also compare the current estimated usage and charges to the amount that you indicated which you want to use or spend, and lets you see how much of your budget has already been used.
Did you find these 9 tips for protecting your AWS account useful?