Top 10 ways to improve security of your AWS account
Is your cloud infrastructure hosted on AWS Cloud? If your answer is yes, then here are the top 10 tips to make your cloud security better:
These tips are shared by Stephen Schmidt, who is the Chief Information Security Officer at AWS.
1) Up-to-date and accurate account information
When AWS needs to contact you about your AWS account, it uses the contact information you entered in the AWS Management Console when you created the account.
The following points will ensure you never miss any communication from AWS:
- Avoid making one person a single point of failure: every email address should go to an alias that does not depend on a single person.
- Make sure you set up alternate contacts to receive emails and notifications when the primary contact is unavailable.
- Keep contact information up to date, check that you are actually responding to emails sent by AWS (especially those coming from abuse@amazon.com), and create email filters/groups to keep things organized.
2) Use MFA (multi-factor authentication)
Trust me, MFA is your best friend!!
- Make sure to set up MFA on your Root user and for AWS Identity and Access Management (IAM) users. “Leave no one out”
- If you use AWS IAM Identity Center to control access to AWS or to federate your corporate identity store, you can enforce MFA there.
- Implementing MFA at the federated identity provider (IdP) means that you can take advantage of existing MFA processes in your organization.
This is not particular to AWS accounts: you should configure MFA on every app you use (wherever MFA is available), just to add an extra layer of protection.
3) Do not use hard-coded passwords/secrets
Instead, always use AWS Secrets Manager to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Don’t you dare ignore the links below 😠
- How to use AWS IAM roles for applications running on an EC2 instance
- How to securely provide database credentials to AWS Lambda functions by using AWS Secrets Manager
4) Limit access using security groups
A security group acts as a firewall that controls the traffic allowed to and from the resources in your virtual private cloud (VPC).
Open REQUIRED ports ONLY, and allow connections only from KNOWN network ranges.
- Use AWS Config or AWS Firewall Manager to ensure your VPC is configured as expected.
- Use the Network Reachability rules package available in Amazon Inspector: it analyzes your Amazon VPC network configuration to determine whether your EC2 instances can be reached from external networks such as the Internet, a virtual private gateway, AWS Direct Connect, or a peered VPC.
- Know how to detect and respond to changes in your VPC security groups.
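The "required ports only, known ranges only" rule above can be checked automatically. The following is an added example, not code from the original post: it audits one security group in the shape returned by `aws ec2 describe-security-groups`, with a constructed allow-list of ports and CIDRs and a constructed sample group.

```python
"""Audit security group ingress rules: open only required ports, and only
from known network ranges. Added example, not from the original post; the
policy constants and the sample group below are constructed."""
import ipaddress

# Constructed policy: ports the workload needs, and the CIDRs allowed to reach it.
REQUIRED_PORTS = {443}
KNOWN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.0.0.0/8")]


def ports_of(perm):
    """Set of ports an IpPermission opens; None means every port (protocol -1)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def source_is_known(cidr):
    """True if the source CIDR lies entirely inside one of the known ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return any(net.version == k.version and net.subnet_of(k) for k in KNOWN_RANGES)


def audit_security_group(sg):
    """Return a list of finding strings for rules that break either rule."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = ports_of(perm)
        label = "all ports" if ports is None else f"{min(ports)}-{max(ports)}"
        if ports is None or not ports <= REQUIRED_PORTS:
            findings.append(f"{sg['GroupId']}: opens non-required ports ({label})")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not source_is_known(cidr):
                findings.append(f"{sg['GroupId']}: {label} reachable from {cidr}")
    return findings


# Constructed sample: HTTPS from the VPN range (fine), SSH from the world (bad).
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_SG):
        print(finding)
```

Run against real output by feeding each element of `SecurityGroups` from `describe-security-groups` to `audit_security_group`.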
5) Classification of data / Implementing data policies
Design your data security controls with a mix of preventative and detective controls that matches the sensitivity of the data. The suggestions below deal mostly with the difference between public and private data.
If you have no classification policy currently, public versus private is a good place to start.
- If you have Amazon Simple Storage Service (Amazon S3) buckets that are for public usage, move all of that data into a separate AWS account set aside for public access. Set up policies to allow only processes — not humans — to move data into those buckets. This lets you block the ability to make a public Amazon S3 bucket in any other AWS account.
- Use Amazon S3 Block Public Access in any account that should not be able to share data through Amazon S3.
- Use two different IAM roles for encryption and decryption with KMS. This lets you separate the data entry (encryption) and data review (decryption), and it allows you to do threat detection on the failed decryption attempts by analyzing that role.
Best practices for securing sensitive data in AWS data stores
6) Verify/Validate IAM roles
Regularly reevaluate AWS IAM roles and permissions.
- Remove unused IAM roles. Here’s how to search for unused IAM roles; once you discover them, waste no time removing them.
- Use AWS Security Hub or tools such as Prowler to get visibility into AWS IAM roles and permissions.
- Use AWS IAM Access Analyzer to review access to your internal AWS resources and determine where you have shared access outside your AWS accounts.
7) Rotate keys
AWS recommends that you regularly rotate (change) IAM user access keys. Regularly rotating long-term credentials also keeps you familiar with the process.
- First, you should never generate an access key for your root account unless it is absolutely necessary; if you do have one, delete it. A root access key is a weapon of mass destruction if it falls into the wrong hands.
- You can apply a password policy to your account to require that all of your IAM users periodically rotate their passwords.
- Here’s how to allow users to manage their own passwords, access keys, and SSH public keys from the My Security Credentials page.
******IMPORTANT******
The IAM password policy does not apply to the AWS account root user password or to IAM user access keys.
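The IAM credential report is the place to verify both the MFA point from section 2 and the key points from this section (no root access key, keys rotated on time). The following is an added example, not code from the original post: it parses a constructed subset of the columns that `aws iam get-credential-report` returns and reports the users that fail those checks; the 90-day window is an assumed policy, not an AWS default.

```python
"""Check an IAM credential report for the points in sections 2 and 7: MFA on
every user who can sign in, no access key on the root user, and no access key
older than the rotation window. Added example, not from the original post; the
CSV below is a constructed subset of the columns `aws iam get-credential-report`
returns (real reports carry more columns, in the same format)."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # constructed rotation window, not an AWS default

def parse_time(value):
    """Report timestamps are ISO 8601; 'N/A' and similar placeholders mean none."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit_credential_report(report_csv, now):
    """Return finding strings, in report order, for the checks described above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Section 2: anyone with a console password needs MFA; root always has one.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append(f"{user}: no MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # Section 7: a root access key should not exist at all.
                findings.append(f"{user}: active root access key {n}, delete it")
                continue
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append(f"{user}: access key {n} older than {MAX_KEY_AGE.days} days")
    return findings

# Constructed report: one root row and three IAM users; the account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2023-01-05T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-11-20T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2024-04-15T00:00:00+00:00,true,2023-02-01T00:00:00+00:00
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the output is reproducible

if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(finding)
```

With a real report, pass the decoded `Content` of `get-credential-report` and `datetime.now(timezone.utc)` instead of the constructed values.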
8) Centralize CloudTrail logs
AWS recommends that you write logs, especially AWS CloudTrail, to an S3 bucket in an AWS account designated for logging (Log Archive). The permissions on the bucket should prevent deletion of the logs, and they should also be encrypted at rest. Once the logs are centralized, you can integrate with SIEM solutions or use AWS services to analyze them.
Learn how to use AWS services to visualize AWS CloudTrail logs. Once you have CloudTrail logs centralized, you can also use the same Log Archive account to centralize logs from other sources, such as CloudWatch Logs and AWS load balancers.
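The two properties the Log Archive bucket must have (a policy that prevents deletion of the logs, and encryption at rest) can be verified from the bucket's own configuration. The following is an added example, not code from the original post: it checks a constructed bucket policy and encryption configuration in the shapes returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-encryption`.

```python
"""Check a Log Archive bucket for a policy that denies deletion of log objects
and for default encryption at rest. Added example, not from the original post;
the sample policy and encryption configuration are constructed."""

DELETE_ACTIONS = {"s3:*", "s3:delete*", "s3:deleteobject*", "s3:deleteobject"}

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def denies_deletion(policy, bucket):
    """True if an unconditional Deny for every principal covers DeleteObject on
    the bucket's objects. A conditional Deny is not counted: it only holds when
    its condition does, so it is not a guarantee by itself."""
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        everyone = principal == "*" or principal == {"AWS": "*"}
        if st.get("Effect") != "Deny" or not everyone or "Condition" in st:
            continue
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        resources = set(as_list(st.get("Resource", [])))
        if actions & DELETE_ACTIONS and resources & {"*", f"arn:aws:s3:::{bucket}/*"}:
            return True
    return False

def encrypted_at_rest(encryption):
    """True if default server-side encryption (SSE-S3 or SSE-KMS) is configured."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in rules)

def audit_log_bucket(bucket, policy, encryption):
    """Return the list of gaps found; an empty list means both properties hold."""
    gaps = []
    if not denies_deletion(policy, bucket):
        gaps.append(f"{bucket}: policy does not deny deletion of log objects")
    if not encrypted_at_rest(encryption):
        gaps.append(f"{bucket}: no default encryption at rest")
    return gaps

# Constructed sample: the usual CloudTrail write statement plus a deny on deletes.
LOG_BUCKET = "example-log-archive"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Deny", "Principal": "*", "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"]},
]}
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
```

`audit_log_bucket(LOG_BUCKET, SAMPLE_POLICY, SAMPLE_ENCRYPTION)` returns an empty list for the sample; drop the Deny statement or the encryption rule to see the corresponding gap reported.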
9) Fix the findings reported by AWS security services
AWS Security Hub, Amazon GuardDuty, and AWS Identity and Access Management Access Analyzer are managed AWS services that provide you with actionable findings in your AWS accounts. They are easy to turn on and can integrate across multiple accounts.
You can also use Amazon Inspector, an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
10) Cultivate a security-first mindset throughout the organization
Security is a shared responsibility, not just for the folks with it in their job title. We are stronger when we work together, and this applies to securing the cloud as well.
Here’s what Steve Schmidt (CISO, Amazon Web Services) has to say on cultivating security leadership.
THAT WAS IT!! Gooo, secure your AWS account :D
If you have more to add apart from points listed above, please comment I’ll update the article accordingly :)
If you like this article make sure to clapp-clapp 👏 and follow me on Medium for more such articles. Suggestions in the comments are always welcome :)
Since content generation is not an easy process, I wouldn’t mind if you supported me by gifting me a Ko-fi to motivate and boost my confidence :)