As an AWS user, you share responsibility for AWS security with Amazon. Amazon provides infrastructure and services, but businesses must ensure they use those tools in line with AWS security best practices. Businesses that fail to do so make it easier for bad actors to infiltrate their networks and exfiltrate their data.
AWS security is a complex subject, but there are many straightforward security enhancements with minimal cost to the user. This article explores ten high-impact security improvements that every AWS user should implement.
Disable Unused Credentials
AWS Identity and Access Management (IAM) allows users to manage access to AWS resources. It’s an essential tool that provides fine-grained controls and insight into who has access to your cloud infrastructure and services.
As your company builds on AWS, you will create a variety of IAM users and groups to permit or restrict access as required.
However, usage patterns evolve, employees leave the business, and authentication requirements change. It’s common for companies to fail to update their IAM users and permissions. The result is often a mixture of new and old accounts, groups, and permissions that are no longer relevant.
These create a security risk. Consider what could happen if a disgruntled ex-employee used an old account to shut down your cloud servers. AWS users should regularly assess IAM users, groups, and permissions, removing stale accounts to maintain access security.
Turn on Multi-Factor Authentication for IAM Users
AWS allows users to authenticate with a username and password. Together these are assumed to be information only the user knows. But there are many circumstances in which that assumption doesn’t hold. Users may share their passwords, they may choose easily guessed passwords, and passwords can be stolen.
Multi-factor authentication adds another layer of protection. In addition to a username and password, the user must enter a one-time code sent to a mobile device or prove that they possess a dedicated hardware key such as a Yubikey. This second authentication factor prevents bad actors from gaining access even if they possess a correct username and password.
Enable Amazon CloudTrail
Amazon CloudTrail allows users to log and monitor events that occur across their cloud infrastructure. A comprehensive log enhances users’ ability to discover and remediate security threats. CloudTrail logs can also be used by Amazon CloudWatch to alert employees and trigger pre-configured actions when insecure events are logged.
We recommend that Cloud Trail is activated for all regions and that CloudTrail is configured to store logs in an S3 bucket that is not publically accessible.
Do Not Use or Share the Root Account
The AWS root account has complete access to every aspect of your AWS infrastructure. The root user is created when you first set up your AWS account, and it’s helpful when initially configuring IAM users and permissions. However, if a bad actor gets hold of the root user’s credentials, they have unlimited access to your infrastructure.
To be safe, do not use the root user for day-to-day operations. Create new IAM users with only the necessary permissions. Keep the root user’s credentials safe and private. Do not share them with other employees unless strictly necessary. It is also advisable to activate MFA for the root account to protect it even if the password leaks.
Check and Restrict S3 Bucket Permissions
Insecure S3 buckets are a common cause of data leaks. S3 offers granular access controls, but they are often incorrectly configured. In recent years, many large data leaks were attributed to S3 buckets configured for public access, allowing anyone on the internet to access and steal the data. S3 bucket permissions should be regularly checked to ensure only authorized accounts and IP addresses have access.
Ensure Sensitive Resources Are Only Accessible From Internal IPs
Most AWS resources should not be accessible to connections from IP addresses outside of your private network. As we’ve already mentioned, this includes S3 buckets, but also EC2 instances, databases, and any other asset where external access is not required. Amazon provides firewall services that allow users to control traffic to sensitive resources, including AWS Security Groups and Network Access Control Lists.
Restrict Traffic for the Default Security Group
A security group is a virtual firewall that controls traffic to and from EC2 instances. Every EC2 instance has a security group. Users can create custom security groups, but AWS provides a default that is applied to new EC2 instances when a custom group isn’t selected.
It is likely that the default security group will be used with many EC2 instances throughout the life of your AWS environment, either deliberately or because the person deploying the instance neglects to select a different group. It is, therefore, essential that the default firewall rules are secure within the context of your environment.
Ensure Security Groups Rules Block External Access to Vulnerable Ports
To expand on the previous tip, the default security group—and all other security groups—should block access to ports used by potentially vulnerable services such as FTP (21) and Telnet (23), as well as default ports for services that should not be accessible from external IPs, such as MySQL (3306), PostgreSQL (5432), and MongoDB (27017),
Remove Hardcoded API Keys and Database Passwords
It’s often convenient to hardcode API keys, passwords, and other secrets in the code that you run on AWS. For example, if you need to make an API call, it’s natural to put the authentication key in the code. However, this can create a significant security vulnerability if the code becomes accessible to bad actors, which can happen on your servers or in version control.
Avoiding hardcoded keys is particularly urgent when your code accesses services using AWS credentials. Instead, use environmental variables or the AWS credentials files, as described in the Best practices for managing AWS access keys.
Enable Amazon GuardDuty for Automated Threat Detection
Amazon GuardDuty is a threat detection service that monitors accounts, resources, and data for suspicious activity, alerting users when it finds a potential issue. It uses machine learning algorithms and other techniques to analyze log data from AWS CloudTrail for patterns that match known threats. GuardDuty is a valuable tool for discovering malicious activity that might otherwise go unnoticed.
Bonus Tip: Automate Security Checks With KirkpatrickPrice
Throughout this article, you may have been thinking that complying with cloud security best practices is time-consuming and complex. That’s why we created our AWS Security Scanner, which scans and reports over 50 common AWS security vulnerabilities, including many we looked at in this article.
Visit KirkpatrickPrice’s AWS Cybersecurity Services to learn more about our AWS Security Scanner and to access an extensive library of AWS security educational content.