What are some best practices for securing my AWS account and its resources?

Last updated: 2020-09-18

What are some best practices for securing my AWS account and its resources?

Resolution

AWS offers a number of tools to help secure your account. However, because many of these measures aren't active by default, you must take direct action to implement them. Here are some best practices to consider when securing your account and its resources:

Safeguard your passwords and access keys

The two main types of credentials used for accessing your account are passwords and access keys. Passwords and access keys can be applied to the AWS root user account or individual AWS Identity and Access Management (IAM) users. Safeguard passwords and access keys as securely as you would any other confidential personal data. Never embed them in publicly accessible code (for example, a public Git repository). For added security, frequently rotate and update all security credentials.

If you use GitHub for document or code versioning and sharing, consider using git-secrets, which can scan for AWS credentials and other sensitive information. Using git-secrets can help you avoid committing code or documents that contain sensitive information.

Set up a multi-factor authentication (MFA) device to protect access keys that have only API access. Using MFA can also help fine-tune which API commands require an MFA token to proceed.

If you suspect that a password or access key pair was exposed:

  1. Rotate all access key pairs.
  2. Change your root user password.
  3. Follow the instructions at My AWS account may be compromised.

Limit root user access to your resources

Root user account credentials (the root password or root access keys) grant unlimited access to your account and its resources. It's a best practice to both secure and minimize root user access to your account.

Consider the following strategies to limit root user access to your account:

  • Use IAM users for day-to-day access to your account, even if you're the only person accessing it.
  • Eliminate the use of root access keys. Instead, rotate them to IAM access keys, and then delete the root access keys.
  • Use an MFA device for the root user of your account.

Audit IAM users and their policies frequently

Consider the following best practices when working with IAM users:

You can use the IAM Visual Editor to help you define secure policies. For examples of common business use cases and the policies you might use to address them, see Business use cases.

Monitor your account and its resources

You can contact AWS Support with questions about your account's activity. However, for privacy and security reasons, AWS doesn't actively monitor your usage and uses limited tools to investigate issues. It's a best practice to actively monitor your account and its resources to detect any unusual activity or access to your account. Consider one or more of the following solutions:

Note: If possible, as a best practice, enable logging for all Regions, not just the ones that you regularly use.