What are some best practices for securing my AWS account and its resources?

AWS offers a number of tools to help secure your account. However, because many of these measures aren't active by default, you must take direct action to implement them. Here are some best practices to consider when securing your account and its resources:

Safeguard your passwords and access keys

The two main types of credentials used for accessing your account are passwords and access keys. Both types of credentials can be applied to the AWS root user account or to individual AWS Identity and Access Management (IAM) users. You should safeguard passwords and access keys as securely as you would any other confidential personal data. Never embed them in publicly accessible code (that is, a public Git repository). For added security, frequently rotate and update all security credentials.

If you use GitHub for document or code versioning and sharing, consider using git-secrets, which can scan for AWS credentials and other sensitive information. Using git-secrets can help you avoid committing code or documents that contain sensitive information.

Set up a multi-factor authentication (MFA) device to protect access keys that have only API access. Using MFA can also help fine-tune which API commands require an MFA token to proceed.

If you suspect that a password or access key pair has been exposed:

  1. Rotate all access key pairs.
  2. Change your root user password.
  3. Follow the instructions at My AWS account may be compromised.

Limit root user access to your resources

Root user account credentials (the root password or root access keys) grant unlimited access to your account and its resources, so it's a best practice to both secure and minimize root user access to your account.

Consider the following strategies to limit root user access to your account:

  • Use IAM users for day-to-day access to your account, even if you're the only person accessing it.
  • Eliminate the use of root access keys; instead, rotate them to IAM access keys and then delete the root access keys.
  • Use an MFA device for the root user of your account.

Audit IAM users and their policies frequently

Consider the following best practices when working with IAM users:

  • Be sure that IAM users have the most restrictive policies possible, with only enough permissions to allow them to complete their intended tasks (least privilege).
  • Create different IAM users for each set of tasks.
  • When associating multiple policies with the same IAM user, keep in mind that the least restrictive policy takes precedence.
  • Frequently audit your IAM users and their permissions, and delete any unused IAM users or keys.
  • If your IAM user needs access to the console, you can set up a password to allow console access while limiting the user's permissions.
  • Set up individual MFA devices for each IAM user who has access to the console.

You can use the AWS Policy Generator to help you define secure policies. For examples of common business use cases and the policies you might use to address them, see Business Use Cases.

Monitor your account and its resources

You can contact AWS Support with questions about your account's activity. However, for privacy and security reasons, AWS doesn't actively monitor your usage, and uses limited tools to investigate issues. It's a best practice to actively monitor your account and its resources to detect any unusual activity or access to your account. Consider one or more of these solutions:

Note: If possible, as a best practice, enable logging for all Regions, not just the ones you regularly use.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-03-14

Updated: 2019-02-12