What are the best practices to secure my AWS account and its resources?
I want to know the best practices to secure my AWS account and its resources from unauthorized activity.
Resolution
AWS offers many tools to help secure your account. However, because some of these measures aren't active by default, you must take direct action to implement them. The following are some best practices to secure your account and its resources.
Safeguard your passwords and access keys
The two main types of credentials that you use to access your account are passwords and access keys. It's not a best practice to use individual AWS Identity and Access Management (IAM) users or AWS account root users that have long-lived credentials for general access. However, if you must use IAM users or a root user account, then those passwords and access keys must be protected. It's a best practice to safeguard passwords and access keys as securely as you secure any other confidential personal data. Never embed them in publicly accessible code, such as a public Git repository. For added security, frequently rotate and update all security credentials.
If you suspect that a password or access key pair was exposed, then complete the following steps:
- Update user access keys.
- Change your AWS root user account password.
- Follow the instructions in What do I do if I notice unauthorized activity in my AWS account?
Activate MFA
Activate multi-factor authentication (MFA) to prevent unauthorized users from signing in to your accounts without a security token.
For increased security, it's a best practice to configure MFA to help protect your AWS resources. You can activate a virtual MFA for IAM users and the AWS root user account. When you activate MFA for the root user, only the root user credentials are affected. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.
Limit the usage of root user access to your resources
Root user account credentials (the root password or root access keys) grant unlimited access to your account and its resources. It's a best practice to both secure and minimize root user access to your account.
To limit root user access to your account, use the following strategies:
- Use AWS IAM Identity Center or IAM identity providers to issue temporary credentials to federated users for day-to-day access to your account.
- Eliminate the use of root access keys. For more information, see Securing access keys.
- Use an MFA device for the root user of your account.
For more information, see Root user best practices for your AWS account.
Frequently audit IAM users and their policies
When you work with IAM users, use the following best practices:
- Verify that the IAM users have the most restrictive policies possible, with only enough permissions to allow them to complete their intended tasks. For more information, see Apply least-privilege permissions.
- Analyze your existing permissions with AWS IAM Access Analyzer. For more information, see IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity.
- Create different IAM users for each set of tasks.
- When you associate multiple policies with the same IAM user, note that the least restrictive policy takes precedence.
- Frequently audit your IAM users and their permissions, and find unused credentials.
- If your IAM user must access the console, then set up a password to allow console access and limit the user's permissions.
- Set up individual MFA devices for each IAM user who has access to the console.
To help you define secure policies, use the visual editor in the IAM console. For examples of common business use cases and the policies that you might use to address them, see Business use cases for IAM.
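The root-user checks and the IAM audit above (unused credentials, MFA on every console identity, no root access keys) can all be run against the IAM credential report. The following is an added example, not part of the original article or an AWS tool: it assumes you have already base64-decoded the Content field returned by `aws iam get-credential-report` into CSV text, and the sample report, the 90-day rotation and idle thresholds, and the fixed clock NOW are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report (the CSV you get after base64-decoding
# the Content field of `aws iam get-credential-report`). Every value here is invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,false,true,2019-01-10T08:05:00+00:00,2023-11-02T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-04T12:00:00+00:00,true,2024-05-20T07:30:00+00:00,2024-01-15T00:00:00+00:00,N/A,true,true,2024-02-01T00:00:00+00:00,2024-05-19T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T12:00:00+00:00,true,2023-01-05T07:30:00+00:00,2021-06-01T12:00:00+00:00,N/A,false,true,2021-06-01T12:10:00+00:00,2022-12-30T00:00:00+00:00,us-east-1,iam,true,2023-08-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-02-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
MAX_KEY_AGE = timedelta(days=90)   # assumed policy: rotate long-term keys at least this often
MAX_IDLE = timedelta(days=90)      # assumed policy: credentials idle longer than this get removed
ROOT_RECENT = timedelta(days=30)   # assumed policy: any root sign-in in this window deserves a look


def _ts(value):
    """Parse a report timestamp; the report writes N/A, not_supported or no_information for 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for the credential hygiene rules in the article."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console = row["password_enabled"] == "true"
        if is_root:
            # Root access keys should not exist at all; root sign-ins should be rare.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root access key exists"))
            last_login = _ts(row["password_last_used"])
            if last_login and now - last_login <= ROOT_RECENT:
                findings.append((user, f"root user signed in within the last {ROOT_RECENT.days} days"))
        # Every identity that can reach the console (root always can) needs MFA.
        if (is_root or console) and row["mfa_active"] != "true":
            findings.append((user, "MFA not active"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            if used is None or now - used > MAX_IDLE:
                findings.append((user, f"access key {n} unused for {MAX_IDLE.days}+ days"))
        if console:
            last_login = _ts(row["password_last_used"])
            if last_login is None or now - last_login > MAX_IDLE:
                findings.append((user, f"console password unused for {MAX_IDLE.days}+ days"))
    return findings


def by_user(findings):
    """Group findings by user for reporting."""
    grouped = {}
    for user, msg in findings:
        grouped.setdefault(user, []).append(msg)
    return grouped


if __name__ == "__main__":
    for user, msgs in by_user(audit_credential_report(SAMPLE_REPORT)).items():
        print(user)
        for msg in msgs:
            print("  -", msg)
```

Note that a service user such as ci-deploy with no console password is correctly not flagged for missing MFA, while an old-but-active key is still reported: the two rules answer different questions. The thresholds are assumptions; pick values that match your own rotation policy.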
Create Amazon EBS snapshots, Amazon RDS snapshots, and Amazon S3 object versions
To create a point-in-time snapshot of an Amazon Elastic Block Store (Amazon EBS) volume, see Create Amazon EBS snapshots.
To activate Amazon Relational Database Service (Amazon RDS) automated snapshots and set the backup retention period, see Activating automated backups.
To create a standard Amazon Simple Storage Service (Amazon S3) bucket for backup and archive, see Creating standard S3 buckets for backup and archive. To turn on S3 bucket versioning, see Using versioning in S3 buckets.
To create an AWS Backup plan with the console, see Create a scheduled backup. To create an AWS Backup plan with AWS Command Line Interface (AWS CLI), see How can I use the AWS CLI to create an AWS Backup plan or run an on-demand job?
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Use AWS Git projects to protect against unauthorized use
To protect your account, install AWS Git projects:
- Git Secrets can scan merges, commits, and commit messages for secret information (access keys). If Git Secrets detects prohibited regular expressions, then Git Secrets rejects those commits and the commits don't post to public repositories. For more information, see Git Secrets on the GitHub website.
- To generate Amazon CloudWatch Events from AWS Health or AWS Trusted Advisor, use AWS Step Functions and AWS Lambda. If there's evidence that your access keys are exposed, then the projects help you automatically detect, log, and mitigate the event. For more information, see AWS Health tools and Trusted Advisor tools on the GitHub website.
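The "never embed credentials in code" rule and the Git Secrets commit scan above both come down to pattern matching on staged content. The following is an added example, not Git Secrets itself and not code from AWS: a small pre-commit style scanner whose regular expressions are modelled on the git-secrets defaults (the 20-character access key ID with its known prefixes, and a 40-character secret only when it sits next to an AWS-flavoured variable name). The sample staged file, its key values, and the EXAMPLE allowlist token are constructed; the two placeholder values in the docs comment are AWS's published documentation examples, not real credentials.

```python
import re
import sys

# Access key IDs are 20 characters: a 4-character prefix (AKIA for long-term IAM
# user keys, ASIA for temporary STS keys, plus a few resource-ID prefixes) followed
# by 16 uppercase alphanumerics. Pattern modelled on the git-secrets defaults.
ACCESS_KEY_ID_RE = re.compile(
    r"(?<![A-Z0-9])(?:A3T[A-Z0-9]|AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA)[A-Z0-9]{16}(?![A-Z0-9])"
)
# A secret access key is 40 base64-like characters. That alone matches too much
# (hashes, tokens), so only flag one that sits near an AWS-flavoured variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?(?:secret|key).{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# AWS's published documentation placeholders may be committed; anything else may not.
ALLOWLIST = ("EXAMPLE",)


def scan_text(text, path="<stdin>"):
    """Return (path, line_number, kind, value) for every suspected credential in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            if not any(tok in m.group(0) for tok in ALLOWLIST):
                hits.append((path, lineno, "access key id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if not any(tok in secret for tok in ALLOWLIST):
                # Never echo the full secret back into terminal history or CI logs.
                hits.append((path, lineno, "secret access key", secret[:4] + "..."))
    return hits


# Constructed sample of staged file content; the key values are invented, not real credentials.
SAMPLE_STAGED = """\
# config.py
AWS_REGION = "us-east-1"
aws_access_key_id = "AKIAZZZZTESTKEY00001"
aws_secret_access_key = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
# docs snippet using AWS's published placeholders, which the allowlist accepts:
#   aws_access_key_id = AKIAIOSFODNN7EXAMPLE
#   aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
role_arn = "arn:aws:iam::111122223333:role/deploy"
"""


def main(paths):
    """Pre-commit style entry point: scan the given files and exit 1 on any hit.

    With no arguments it scans the constructed sample so the script runs stand-alone.
    """
    hits = []
    if paths:
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits += scan_text(fh.read(), p)
    else:
        hits += scan_text(SAMPLE_STAGED, "config.py")
    for path, lineno, kind, value in hits:
        print(f"{path}:{lineno}: possible AWS {kind}: {value}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To wire it into a hook, call it from .git/hooks/pre-commit with the staged file names (for example the output of `git diff --cached --name-only`) and let the non-zero exit status block the commit. The secret-key pattern is deliberately narrow; a scanner that flags every 40-character token produces so much noise that people stop reading it.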
Monitor your account and its resources
It's a best practice to actively monitor your account and its resources to detect any unusual activity or access to your account. Implement one or more of the following solutions:
- To receive automated notifications when your bill exceeds thresholds you define, create a billing alarm to monitor your estimated AWS charges. For more information, see Amazon CloudWatch FAQs.
- To track what credentials are used to initiate particular API calls and when they're used, create a trail for your AWS account. If you track credential use, then you can determine whether the usage was accidental or unauthorized and take the appropriate steps to mitigate the situation. For more information, see Security best practices in AWS CloudTrail.
- Use CloudTrail and CloudWatch in conjunction to monitor access key usage and receive alerts for unusual API calls.
- Activate resource-level logging (for example, at the instance or OS level) and Amazon S3 default bucket encryption.
- Activate Amazon GuardDuty for your AWS account in all supported Regions. To generate security findings, GuardDuty analyzes independent streams of data from the following: CloudTrail management and Amazon S3 data events, Amazon Virtual Private Cloud (VPC) Flow Logs, and DNS logs. The primary detection categories include account compromise, instance compromise, and malicious intrusions. For more information, see Amazon GuardDuty FAQs.
Note: It's a best practice to turn on logging for all Regions, not just the ones that you regularly use.
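The CloudTrail-plus-CloudWatch monitoring above is where the "unusual API call" alerts actually get defined. The following is an added example, not code from AWS or from this article: detection rules run over CloudTrail records, covering root activity, a console sign-in without MFA, calls that change who can get in or that blind logging, activity outside the Regions an account normally uses, and a burst of AccessDenied responses from one access key. The sample records, the SENSITIVE_EVENTS list, the EXPECTED_REGIONS baseline, the denied-call threshold and the key IDs are all constructed for illustration.

```python
import json
from collections import Counter

# API calls that change who can get in, or that blind your logging. Assumed starting
# list; extend it for the services you run.
SENSITIVE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteDetector", "DisableKey", "ScheduleKeyDeletion", "PutBucketPolicy",
}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}  # constructed baseline of Regions this account uses
ACCESS_DENIED_THRESHOLD = 3                     # denied calls from one key before we alert


def principal(rec):
    """Human-readable actor: 'root', the IAM user name, or the ARN."""
    ui = rec.get("userIdentity", {})
    if ui.get("type") == "Root":
        return "root"
    return ui.get("userName") or ui.get("arn", "unknown")


def detect(records):
    """Run the detection rules over CloudTrail records; return (rule, detail, actor) tuples."""
    findings = []
    denied = Counter()
    for r in records:
        ui = r.get("userIdentity", {})
        who = principal(r)
        name = r.get("eventName", "")
        if ui.get("type") == "Root":
            findings.append(("root_activity", name, who))
        # MFAUsed is only meaningful for IAM users and root: for federated sign-in the
        # identity provider enforces MFA and CloudTrail reports "No" here.
        if (name == "ConsoleLogin" and ui.get("type") in ("Root", "IAMUser")
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console_login_without_mfa", name, who))
        if name in SENSITIVE_EVENTS and not r.get("errorCode"):
            findings.append(("sensitive_api_call", name, who))
        if r.get("awsRegion") not in EXPECTED_REGIONS:
            findings.append(("unexpected_region", f"{name} in {r.get('awsRegion')}", who))
        if r.get("errorCode") == "AccessDenied":
            denied[ui.get("accessKeyId", who)] += 1
    for key, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append(("access_denied_burst", f"{n} AccessDenied responses", key))
    return findings


def load_trail_file(path):
    """Read one CloudTrail log file (a JSON object with a 'Records' array) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


# Constructed sample records in the shape CloudTrail writes; all identities, IPs and keys are invented.
ACCT = "111122223333"
ROOT = {"type": "Root", "principalId": ACCT, "arn": f"arn:aws:iam::{ACCT}:root", "accountId": ACCT}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCT}:user/alice",
         "accountId": ACCT, "accessKeyId": "AKIAZZZZTESTKEY00002"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": f"arn:aws:iam::{ACCT}:user/bob",
       "accountId": ACCT, "accessKeyId": "AKIAZZZZTESTKEY00001"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-22T01:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-22T01:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": ROOT,
     "requestParameters": {"userName": "svc-temp"}},
    {"eventTime": "2024-05-22T02:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": BOB,
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2024-05-22T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.44", "userIdentity": ALICE},
] + [
    {"eventTime": f"2024-05-22T03:0{i}:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.7", "userIdentity": ALICE,
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform s3:ListAllMyBuckets"}
    for i in range(3)
]

if __name__ == "__main__":
    for rule, detail, actor in detect(SAMPLE_RECORDS):
        print(f"{rule:28} {actor:10} {detail}")
```

Each rule here maps onto a CloudWatch Logs metric filter or an EventBridge rule once the trail is delivered to CloudWatch; running the same logic in code first lets you tune the event list and thresholds against real records before you create alarms. Because StopLogging and DeleteTrail are themselves in the list, the rule set alerts on attempts to switch the monitoring off, which is why the article recommends logging in every Region rather than only the ones you use.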
Related information
Best practices for security, identity, and compliance