What are some best practices for securing my AWS account and its resources?

AWS offers a number of tools to help secure your account. Many of these measures are not active by default, and you must take direct action to implement them. Here are some best practices to consider to help secure your account and its resources:

Safeguard your passwords and access keys

The two main types of credentials used for accessing your account are passwords and access keys. Both types of credentials can be applied to the root account or to individual IAM users. You should safeguard passwords and access keys as you would any other confidential personal data, and never embed them in publicly accessible code (i.e. a public Git repository). For added security, frequently rotate or update all security credentials.

If you use GitHub for document or code versioning and sharing, consider using git-secrets, which can scan for AWS credentials and other sensitive information, helping you avoid committing code or documents that contain any sensitive information.

Set up a multi-factor authentication (MFA) device to protect access keys that only have API access and fine-tune which API commands require an MFA token to proceed.

If you suspect that a password or access key pair has been exposed, immediately rotate and delete the exposed credentials, and see My AWS account may be compromised.

Limit root user access to your resources

Root account credentials (the root password or root access keys) grant unlimited access to your account and its resources, so it's a best practice to both secure and minimize root user access to your account.

Consider the following strategies to limit root user access to your account:

Audit IAM users and their policies frequently

Consider the following best practices when working with IAM users:

  • Ensure that IAM users are given the most restrictive policies possible, with only enough permissions to allow them to carry out their intended tasks (least privilege).
  • Create different IAM users for each set of tasks.
  • When associating multiple policies with the same IAM user, keep in mind that the least restrictive policy takes precedence.
  • Frequently audit your IAM users and their permissions, and delete any unused IAM users or keys.
  • If your IAM user needs access to the console, you can set up a password to allow console access while limiting the user's permissions.
  • Set up individual MFA devices for each IAM user with access to the console.

You can use the AWS Policy Generator to help you define secure policies. For examples of common business use cases and the policies you might use to address them, see Business Use Cases.

Monitor your account and its resources

You can contact AWS Support with questions you might have about your account's activity. However, for privacy and security reasons, AWS doesn't actively monitor your usage and uses limited tools to investigate issues. It's best to actively monitor your account and its resources to detect any unusual activity or access to your account. Consider one or more of these solutions:

Note: If possible, as a best practice, enable logging for all regions, not just the ones you regularly use.

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-03-14