What are some best practices for securing my AWS account and its resources?

Last updated: 2022-08-22

What are some best practices for securing my AWS account and its resources?

-or-

I want to protect my AWS resources or account from unauthorized activity.

Short description

AWS offers many tools to help secure your account. However, because many of these measures aren't active by default, you must take direct action to implement them. Here are some best practices to consider when securing your account and its resources:

  • Safeguard your passwords and access keys
  • Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM)
  • Limit AWS account root user access to your resources
  • Audit IAM users and their policies frequently
  • Create Amazon Elastic Block Store (Amazon EBS) snapshots, Amazon Relational Database Service (Amazon RDS) snapshots, and Amazon Simple Storage Service (Amazon S3) object versions
  • Use AWS Git projects to scan for evidence of unauthorized use
  • Monitor your account and its resources

Note: If you're using AWS Identity Center or IAM federated users, the best practices for IAM users also apply to federated users.

Resolution

Safeguard your passwords and access keys

The two main types of credentials used for accessing your account are passwords and access keys. Passwords and access keys can be applied to the AWS root user account and individual IAM users. It's a best practice to safeguard passwords and access keys as securely as you would any other confidential personal data. Never embed them in publicly accessible code (for example, a public Git repository). For added security, frequently rotate and update all security credentials.

If you suspect that a password or access key pair was exposed, follow these steps:

  1. Rotate all access key pairs.
  2. Change your AWS account root user password.
  3. Follow the instructions in What do I do if I notice unauthorized activity in my AWS account?

Activate MFA

Activating MFA can help secure the accounts and prevent unauthorized users from logging in to accounts without a security token.

For increased security, it's a best practice to configure MFA to help protect your AWS resources. You can activate a virtual MFA for IAM users and the AWS account root user. Activating MFA for the root user affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.

For more information, see Activating MFA devices for users in AWS.

Limit root user access to your resources

Root user account credentials (the root password or root access keys) grant unlimited access to your account and its resources. It's a best practice to both secure and minimize root user access to your account.

Consider the following strategies to limit root user access to your account:

For more information, see Safeguard your root user credentials and don't use them for everyday tasks.

Audit IAM users and their policies frequently

Consider the following best practices when working with IAM users:

You can use the visual editor in the IAM console to help you define secure policies. For examples of common business use cases and the policies you might use to address them, see Business use cases for IAM.

Create Amazon EBS snapshots, Amazon RDS snapshots, and Amazon S3 object versions

To create a point-in-time snapshot of an EBS volume, see Create Amazon EBS snapshots.

To activate Amazon RDS automated snapshots and set the backup retention period, see Activating automated backups.

To create a standard S3 bucket for backup and archive, see Creating standard S3 buckets for backup and archive. To create S3 bucket versioning, see Using versioning in S3 buckets.

To create an AWS Backup plan using the console, see Create a scheduled backup. To create an AWS Backup plan using AWS Command Line Interface (AWS CLI), see How can I use the AWS CLI to create an AWS Backup plan or run an on-demand job?

Use AWS Git projects to protect against unauthorized use

AWS offers Git projects that you can install to help protect your account:

  • Git Secrets can scan merges, commits, and commit messages for secret information (access keys). If Git Secrets detects prohibited regular expressions, it can reject those commits from being posted to public repositories.
  • Use AWS Step Functions and AWS Lambda to generate Amazon CloudWatch Events from AWS Health or by AWS Trusted Advisor. If there's evidence that your access keys are exposed, the projects can help you to automatically detect, log, and mitigate the event.

Monitor your account and its resources

It's a best practice to actively monitor your account and its resources to detect any unusual activity or access to your account. Consider one or more of the following solutions:

Note: It's a best practice to turn on logging for all Regions, not just the ones that you regularly use.