AWS Security Blog

Getting Started: Follow Security Best Practices as You Configure Your AWS Resources

AWS IAM logo

After you create your first AWS account, you might be tempted to start immediately addressing the issue that brought you to AWS. For example, you might set up your first website, spin up a virtual server, or create your first storage solution. However, AWS recommends that first, you follow some security best practices to help protect your AWS resources. In this blog post, I explain why you should follow AWS security best practices, and I link to additional resources so that you can learn more about each best practice.

Best practices to help secure your AWS resources

When you created an AWS account, you specified an email address and password you use to sign in to the AWS Management Console. When you sign in using these credentials, you are accessing the console by using your root account. Following security best practices can help prevent your root account from being compromised, which is an important safeguard because your root account has access to all services and resources in your account.

Create a strong password for your AWS resources

To help ensure that you protect your AWS resources, first set a strong password with a combination of letters, numbers, and special characters. For more information about password policies and strong passwords, see Setting an Account Password Policy for IAM Users. This also might be a good opportunity to use a third-party password management tool, which you can use to create and manage strong passwords.

Use a group email alias with your AWS account

If for any reason you are unavailable to respond to an AWS notification or manage your AWS Cloud workloads, using a group email alias with your AWS account means other trusted members of your organization can manage the account in your absence. To update the email address used with your account, see Managing an AWS Account.

Enable multi-factor authentication

Multi-factor authentication (MFA) is a security capability that provides an additional layer of authentication on top of your user name and password. When using MFA, after you sign in with your user name and password (what you know), you must also provide an additional piece of information that only you have physical access to (what you have), which can come from a dedicated MFA hardware device or an app on a phone.

You must select the type of MFA device you want to use from the list of supported MFA devices. For a hardware device, ensure that you keep the MFA device in a secure location. If you are using a virtual MFA device (such as an app on your phone), you should think about what might happen if your phone is lost or damaged. One approach is to keep the virtual MFA device you use in a safe place. Another option is to activate more than one device at the same time or use a virtual MFA option that has options for device key recovery. To learn more about MFA, watch this video, and see Securing Access to AWS Using MFA and Enabling a Virtual Multi-Factor Authentication (MFA) Device.

Set up AWS IAM users, groups, and roles for daily account access

To manage and control access and permissions to your AWS resources, use AWS Identity and Access Management (IAM) to create users, groups, and roles. When you create an IAM user, group, or role, it can access only the AWS resources to which you explicitly grant permissions, which is also known as least privilege.

If you are the account owner, AWS recommends that you create an IAM user for yourself for daily use of your resources. See How do I set up an IAM user and sign in to the AWS Management Console using IAM credentials? and Now Create and Manage Users More Easily with the AWS IAM Console.

Delete your account’s access keys

You can allow programmatic access to your AWS resources from the command line or for use with AWS APIs. However, AWS recommends that you do not create or use the access keys associated with your root account for programmatic access. In fact, if you still have access keys, delete them. Instead, create an IAM user and grant that user only the permissions needed for the APIs you are planning to call. You can then use that IAM user to issue access keys. To learn more, see Managing Access Keys for Your AWS Account.

Enable CloudTrail in all AWS regions

You can track all activity in your AWS resources by using AWS CloudTrail. Even if you initially do not know how to use CloudTrail, turning it on now can help AWS Support and your AWS solutions architect later if they need to troubleshoot a security or configuration issue. To enable CloudTrail logging in all AWS regions, see AWS CloudTrail Update – Turn On in All Regions and Use Multiple Trails. To learn more about CloudTrail, see Turn On CloudTrail: Log API Activity in Your AWS Account.

Next steps

As your AWS use grows or if you begin managing multiple AWS accounts, you might need to start diving deeper into security topics. For more information, see the following:

If you have comments about this post, submit them in the “Comments” section below. If you have questions about or issues implementing these best practices, please start a new thread on the IAM forum.

– Andy