Today, we kick off a series on the top 11 security best practices we’ve come across based on our own experiences. As AWS and security practitioners on large-scale AWS deployments, we’ve just about seen it all. Most of these are very easy to implement and will go a very long way toward ensuring your success on AWS.
In AWS parlance, the “root” user is the login credential you used to create your AWS account. This user was originally required for some very important aspects of your access to AWS services. Today, the best practice is to use it only to create your initial administrative accounts in IAM. All future administration should then be done with these newly created IAM accounts.
The root user also has a default generated API access key. Because of this change in how the root user should be used, and because IAM is now available, we recommend that you disable, or better yet delete, the AWS root API access keys.
Our recommended order and steps to ensure that access is maintained:
1. Create IAM admin users (2-3):
   Create two or three IAM users and grant them administrative privileges through a group with an administrative policy attached. We strongly recommend at least 2 but no more than 3 IAM administrators: this provides redundancy in case credentials are lost while limiting the number of users with unrestricted access to your AWS resources. Evident Security Platform (ESP) verifies these conditions and generates alerts if there are too few or too many IAM administrators.
2. Grant access to billing information and tools:
   While still logged in as the root user, go to My Account and fill in the following sections: Alternate Contacts, Security Challenge Questions, and IAM User Access to Billing Information.
3. Disable/remove the default AWS root user API access keys:
   While still logged in as the root user, go to the Security Credentials page. Under the Access Keys section, disable and/or delete every API key attached to the root AWS account.
We strongly recommend completing steps 1 and 2 before deleting the root API access keys, particularly if you are using the CLI tools to perform the operations above. Step 2 in particular brings some important long-term benefits:
- You will be able to route support, billing and security announcements from AWS to internal email distribution lists, separately from the email address you used to sign up for AWS.
- You will be able to recover your account if you lose your root account credentials or, worse, if your root account or IAM credentials have been compromised.
- You will be able to set up and reach the billing analytics data via IAM users, which lets you work with third-party cost management platforms.
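As an added example (not code from this post or from Evident's ESP product), the script below audits the end state that steps 1 and 3 leave behind: whether the root user still has active API access keys, and whether the number of IAM administrators falls within the recommended 2 to 3. It runs offline against constructed sample data: the credential report uses the column names that `aws iam get-credential-report` returns (the root user appears as `<root_account>`), but the account id, user names, dates and group memberships are invented for the example.

```python
import csv
import io

# Managed policy that grants unrestricted access; users who hold it through a
# group are counted as administrators.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample of an IAM credential report. The column names match the
# report that `aws iam get-credential-report` returns; the account id, users
# and dates are invented for this example.
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2015-06-01T00:00:00+00:00,not_supported,not_supported,true,true,2015-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-02-01T00:00:00+00:00,true,2015-06-02T00:00:00+00:00,2015-02-01T00:00:00+00:00,N/A,true,true,2015-02-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2015-02-01T00:00:00+00:00,true,2015-06-02T00:00:00+00:00,2015-02-01T00:00:00+00:00,N/A,true,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2015-03-01T00:00:00+00:00,true,2015-06-02T00:00:00+00:00,2015-03-01T00:00:00+00:00,N/A,false,true,2015-03-01T00:00:00+00:00,false,N/A
"""

# Constructed group memberships and group policy attachments, in the shape you
# would assemble from `list-groups-for-user` and `list-attached-group-policies`.
USER_GROUPS = {"alice": ["Admins"], "bob": ["Admins"], "carol": ["Developers"]}
GROUP_POLICIES = {
    "Admins": [ADMIN_POLICY_ARN],
    "Developers": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
}


def parse_credential_report(text):
    """Parse the CSV credential report into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))


def root_active_access_keys(rows):
    """Return the root account's active access key slots; an empty list is the goal state."""
    for row in rows:
        if row["user"] == "<root_account>":
            return [slot for slot in ("access_key_1", "access_key_2")
                    if row[f"{slot}_active"] == "true"]
    raise ValueError("credential report has no <root_account> row")


def admin_users(user_groups, group_policies, admin_arn=ADMIN_POLICY_ARN):
    """Users who receive the administrative policy through at least one group."""
    return sorted(
        user for user, groups in user_groups.items()
        if any(admin_arn in group_policies.get(group, []) for group in groups)
    )


def audit(report_csv, user_groups, group_policies, min_admins=2, max_admins=3):
    """Apply the two checks from the post and return a list of findings (empty means clean)."""
    findings = []
    active = root_active_access_keys(parse_credential_report(report_csv))
    if active:
        findings.append("root account still has active API access keys: " + ", ".join(active))
    admins = admin_users(user_groups, group_policies)
    if len(admins) < min_admins:
        findings.append(f"only {len(admins)} IAM administrator(s); at least {min_admins} recommended for redundancy")
    elif len(admins) > max_admins:
        findings.append(f"{len(admins)} IAM administrators ({', '.join(admins)}); no more than {max_admins} recommended")
    return findings


if __name__ == "__main__":
    for finding in audit(CREDENTIAL_REPORT_CSV, USER_GROUPS, GROUP_POLICIES):
        print("FINDING:", finding)
```

On the sample data the audit reports one finding (the root user's first access key is still active) and accepts the two administrators. To run it against a real account, feed in the decoded output of `aws iam get-credential-report` and the group and policy listings from the IAM API in place of the constructed values; because the credential report carries a row for the root user, you can confirm the root keys are gone without signing in as root.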
A quick recap of our past AWS Best Practice posts:
- Disable Root API Access Key and Secret Key
- Enable MFA Tokens Everywhere
- Reduce Number of IAM Users with Admin Rights
- Use Roles for EC2
- Least Privilege: Limit what IAM Entities Can Do with Strong Policies
- Rotate all the Keys Regularly
- Use IAM Roles with STS AssumeRole Where Possible
- Use AutoScaling to Dampen DDoS Effects
- Do Not Allow 0.0.0.0/0 Unless You Mean It
- Watch World-Readable and Listable S3 Bucket Policies
- CloudTrail and Encryption