What are the best practices to secure my AWS account and its resources?


I want to know the best practices to secure my AWS account and its resources from unauthorized activity.

Resolution

AWS offers many tools to help secure your account. However, because some of these measures aren't active by default, you must take direct action to implement them. The following are some best practices to secure your account and its resources.

Safeguard your passwords and access keys

The two main types of credentials that you use to access your account are passwords and access keys. It's not a best practice to use individual AWS Identity and Access Management (IAM) users or the AWS account root user, both of which have long-lived credentials, for general access. However, if you must use IAM users or the root user, then protect their passwords and access keys as carefully as you protect any other confidential data. Never embed them in code, configuration files, or build logs that might become public, such as a public Git repository. For added security, rotate all security credentials regularly.

If you suspect that a password or access key pair was exposed, then complete the following steps:

  1. Update user access keys.
  2. Change your AWS root user account password.
  3. Follow the instructions in What do I do if I notice unauthorized activity in my AWS account?

Activate MFA

Activate multi-factor authentication (MFA) so that a password alone isn't enough to sign in. An attacker who obtains a password still can't sign in without the MFA device or security key.

For increased security, it's a best practice to configure MFA to help protect your AWS resources. You can activate a virtual MFA device, a FIDO security key, or a hardware TOTP token for IAM users and the AWS root user. When you activate MFA for the root user, only the root user credentials are affected. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration. Note that MFA on an IAM user protects console sign-in; API calls made with that user's access keys aren't challenged unless your IAM policies require MFA through the aws:MultiFactorAuthPresent condition key.

Limit the usage of root user access to your resources

Root user account credentials (the root password or root access keys) grant unlimited access to your account and its resources. It's a best practice to both secure and minimize root user access to your account.

To limit root user access to your account, use the following strategies:

  • Use AWS IAM Identity Center or IAM identity providers to issue temporary credentials to federated users for day-to-day access to your account.
  • Delete any root user access keys and don't create new ones. For more information, see Securing access keys.
  • Use an MFA device for the root user of your account.

For more information, see Root user best practices for your AWS account.

Frequently audit IAM users and their policies

When you work with IAM users, use the following best practices:

To help you define secure policies, use the visual editor in the IAM console. For examples of common business use cases and the policies that you might use to address them, see Business use cases for IAM.
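The checks this page asks for in the sections above (no root access keys, MFA on every identity that has a console password, and regular rotation of access keys) can all be read off the IAM credential report. The following audit is an added example written for this page, not AWS's own code or a tool from this article; the column names are those of the report that `aws iam get-credential-report` returns, while the rows, the account ID 123456789012 and the user names are constructed sample data. The 90-day rotation threshold is an assumption, not a value the page prescribes.

```python
"""Audit an IAM credential report for the risks this article calls out:
active root access keys, console passwords without MFA, and access keys
that have not been rotated recently.

The column names are those of the report returned by
`aws iam get-credential-report`; the rows below are constructed sample data
(account 123456789012 and the user names are made up).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the real report has a few more columns (certificates),
# which this audit does not read.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-04-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-05-02T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,s3,true,2023-01-01T00:00:00+00:00,N/A,N/A,N/A
"""

# Fixed "now" so the audit of the sample is reproducible.
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _parse_time(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if value in ("", "N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) tuples for every row that violates a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # Root access keys grant unlimited access and should not exist at all.
            if is_root:
                findings.append((user, f"root access key {n} is active; delete it"))
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None:
                age = (now - rotated).days
                if age > max_key_age_days:
                    findings.append((user, f"access key {n} is {age} days old; rotate it"))

        # The root user always has a password (the report says not_supported in
        # that column), so treat it as password-enabled.
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed SAMPLE_NOW."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, then fetch it with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded CSV to `audit_credential_report` with the current time; the caller needs the iam:GenerateCredentialReport and iam:GetCredentialReport permissions.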

Create Amazon EBS snapshots, Amazon RDS snapshots, and Amazon S3 object versions

To create a point-in-time snapshot of an Amazon Elastic Block Store (Amazon EBS) volume, see Create Amazon EBS snapshots.

To activate Amazon Relational Database Service (Amazon RDS) automated snapshots and set the backup retention period, see Activating automated backups.

To create a standard Amazon Simple Storage Service (Amazon S3) bucket for backup and archive, see Creating standard S3 buckets for backup and archive. To turn on versioning for an S3 bucket, see Using versioning in S3 buckets.

To create an AWS Backup plan with the console, see Create a scheduled backup. To create an AWS Backup plan with AWS Command Line Interface (AWS CLI), see How can I use the AWS CLI to create an AWS Backup plan or run an on-demand job?

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use AWS Git projects to protect against unauthorized use

To protect your account, install the following AWS projects from GitHub:

  • Git Secrets scans commits, commit messages, and merges for secrets such as access keys. If a commit matches one of the prohibited patterns (regular expressions) that you register, Git Secrets rejects it, so the secret never reaches a public repository. For more information, see Git Secrets on the GitHub website.
  • The AWS Health tools and Trusted Advisor tools use Amazon CloudWatch Events (now Amazon EventBridge), AWS Step Functions, and AWS Lambda to act on events that AWS Health or AWS Trusted Advisor generates. If there's evidence that your access keys are exposed, these projects help you automatically detect, log, and mitigate the event. For more information, see AWS Health tools and Trusted Advisor tools on the GitHub website.
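The following scanner shows the kind of check Git Secrets performs on a commit: it reads a unified diff, looks only at added lines, and rejects the commit if one contains an AWS access key ID or secret access key. It is an added example written for this page, not code from git-secrets or AWS. The regular expressions approximate the patterns that `git secrets --register-aws` installs (treat that as an assumption and check the tool for its exact list), and the diff is constructed: the keys in it are either AWS's documentation placeholders or made-up strings of the right shape, not real credentials.

```python
"""Pre-commit secret scan of the kind git-secrets performs: reject a commit
whose added lines contain an AWS access key ID or secret access key.

Example code written for this page, not part of git-secrets. The patterns
approximate the ones `git secrets --register-aws` installs; the diff is a
constructed sample whose keys are documentation placeholders or made up.
"""
import re
import sys

# Long-term access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-style characters; match it only when it is
# assigned to a name that looks like aws_secret_access_key, to limit false positives.
SECRET_KEY = re.compile(
    r"""(?i)aws_?secret_?access_?key\s*["']?\s*(?::|=>|=)\s*["']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)
# AWS documentation placeholders; git-secrets allows these by default.
ALLOWED = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

# Constructed diff: two placeholder values that must be allowed, then a
# made-up key ID and a made-up 40-character secret that must be caught.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
-AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
+# Documentation placeholders: allowed, so these two lines must not be flagged.
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BACKUP_KEY_ID = "AKIAQ1R2S3T4U5V6W7X8"
+BACKUP = {"aws_secret_access_key": "abcdefghijklmnopqrstuvwxyz0123456789ABCD"}
"""


def scan_text(text, added_lines_only=False):
    """Return (line_number, kind, value) for each disallowed credential found.

    With added_lines_only=True the text is treated as a unified diff and only
    '+' lines (excluding the '+++' file header) are examined, which is what a
    pre-commit hook wants: a secret being removed should not block the commit.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if added_lines_only:
            if not line.startswith("+") or line.startswith("+++"):
                continue
            body = line[1:]
        else:
            body = line
        for m in ACCESS_KEY_ID.finditer(body):
            if m.group(0) not in ALLOWED:
                findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY.finditer(body):
            if m.group(1) not in ALLOWED:
                findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def scan_sample():
    """Scan the constructed diff as a pre-commit hook would."""
    return scan_text(SAMPLE_DIFF, added_lines_only=True)


if __name__ == "__main__":
    # As a pre-commit hook: git diff --cached | python3 scan_secrets.py
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_text(diff, added_lines_only=True)
    for lineno, kind, value in hits:
        # Print only a prefix so the hook output itself does not leak the secret.
        print(f"line {lineno}: {kind} {value[:4]}... (redacted)", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Installed as a pre-commit hook (`git diff --cached | python3 scan_secrets.py`), a non-zero exit aborts the commit. Scanning only added lines is deliberate: the commit that removes a leaked key must be allowed through, and the key it removes still has to be rotated because it already exists in history.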

Monitor your account and its resources

It's a best practice to actively monitor your account and its resources to detect any unusual activity or access to your account. Implement one or more of the following solutions:

Note: It's a best practice to turn on logging for all Regions, not just the ones that you regularly use (for AWS CloudTrail, create a multi-Region trail). Otherwise, activity that an attacker performs in an unused Region is never recorded.
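What "unusual activity" looks like in practice is easiest to show on the log records themselves. The following detection rules run over CloudTrail records and flag root user usage, console sign-ins without MFA, repeated failed sign-ins from one address, calls that disable logging, and creation of new long-lived credentials. This is an added example written for this page, not AWS's own code or a published detection set. The records are constructed samples in CloudTrail's record schema, trimmed to the fields the rules read; the account ID 123456789012, the user names, and the IP addresses are made up, and the thresholds and the lists of event names are assumptions you should tune.

```python
"""Detection rules over CloudTrail records for the activity this article says
to monitor. Example code written for this page; the records are constructed
samples in CloudTrail's record schema (account, users and IPs are made up).

In production the records come from the trail's S3 objects or a CloudWatch
Logs subscription. The trail must be a multi-Region trail, or API calls in
other Regions (the StopLogging call in eu-west-1 below) are never recorded.
"""
from collections import Counter

ACCOUNT = "123456789012"
ROOT = {"type": "Root", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root"}


def _user(name):
    return {"type": "IAMUser", "accountId": ACCOUNT, "userName": name,
            "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}"}


def _login(t, identity, ip, success, mfa_used):
    """Constructed ConsoleLogin record (signin.amazonaws.com event)."""
    return {"eventTime": t, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": identity,
            "responseElements": {"ConsoleLogin": "Success" if success else "Failure"},
            "additionalEventData": {"MFAUsed": mfa_used}}


def _api(t, identity, ip, source, name, region, params):
    """Constructed API-call record."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "eventType": "AwsApiCall", "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": identity, "requestParameters": params}


SAMPLE_RECORDS = [
    _login("2024-05-03T08:00:00Z", ROOT, "198.51.100.7", True, "No"),
    _api("2024-05-03T08:05:00Z", ROOT, "198.51.100.7", "iam.amazonaws.com",
         "CreateAccessKey", "us-east-1", {"userName": "backdoor"}),
    _api("2024-05-03T08:06:00Z", _user("alice"), "198.51.100.7", "cloudtrail.amazonaws.com",
         "StopLogging", "eu-west-1", {"name": "org-trail"}),
    _login("2024-05-03T09:00:00Z", _user("alice"), "203.0.113.9", True, "Yes"),
    _login("2024-05-03T09:10:00Z", _user("bob"), "192.0.2.50", False, "No"),
    _login("2024-05-03T09:10:05Z", _user("bob"), "192.0.2.50", False, "No"),
    _login("2024-05-03T09:10:09Z", _user("bob"), "192.0.2.50", False, "No"),
]

# Assumed lists; extend them for your environment.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
CREDENTIAL_MINTING = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile", "CreateUser"}


def detect(records, failed_login_threshold=3):
    """Return (rule, subject, detail) alerts for the records, in record order."""
    alerts = []
    failures = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        name = r.get("eventName")
        who = ident.get("arn", "?")
        # Rule 1: any root usage that is not a service-initiated event.
        if (ident.get("type") == "Root" and r.get("eventType") != "AwsServiceEvent"
                and "invokedBy" not in ident):
            alerts.append(("root_activity", who, name))
        if name == "ConsoleLogin":
            outcome = r.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[r.get("sourceIPAddress")] += 1
            # Rule 2: password sign-in that succeeded without an MFA token. Limited to
            # IAMUser/Root because federated sign-ins report MFAUsed "No" even when the
            # identity provider enforced MFA.
            elif (outcome == "Success" and ident.get("type") in ("IAMUser", "Root")
                  and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
                alerts.append(("console_login_without_mfa", who, r.get("sourceIPAddress")))
        # Rule 3: attempts to blind the trail.
        if name in LOGGING_TAMPER:
            alerts.append(("cloudtrail_tamper", who, name))
        # Rule 4: new long-lived credentials, a common persistence step.
        if name in CREDENTIAL_MINTING:
            target = r.get("requestParameters", {}).get("userName", "?")
            alerts.append(("credential_created", who, f"{name} for {target}"))
    # Rule 5: repeated failed console sign-ins from one source address.
    for ip, count in failures.items():
        if count >= failed_login_threshold:
            alerts.append(("console_login_brute_force", ip, f"{count} failures"))
    return alerts


def detect_sample():
    """Run the rules over the constructed records."""
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for rule, subject, detail in detect_sample():
        print(f"{rule:28} {subject} {detail}")
```

Each rule here corresponds to a metric filter you would otherwise write for CloudWatch Logs; keeping them as plain predicates over the record makes them easy to test against captured events before deploying them.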

Related information

AWS Cloud security

Best practices for security, identity, and compliance

How can I secure the files in my Amazon S3 bucket?

Amazon S3 monitoring and auditing best practices

AWS OFFICIAL

Updated a month ago