Security is at the forefront of any online business today, and at AWS it is "priority zero". In this post we discuss some of the most important AWS security best practices that you should know and enforce in your infrastructure. You may already have the basic practices in place, but that may not be enough given the highly elastic nature of AWS and the rapid growth of your team.
Here is the list of top security checks you must have on your AWS infrastructure:
1. Security groups for various AWS services
As you are probably aware, AWS lets you create security groups that sit in front of your AWS assets and control access to them through a simple whitelist of source IPs and open ports. This is a critical feature, because it controls who can reach your services and applications. If you leave the SSH port open to the public on your servers, there is a high chance of brute-force attacks against it, and if you also have a weak password, an attacker will no doubt get into your server. We recommend opening ports only to trusted IPs and networks.
Also, it is good practice to create separate security groups for different services and use cases and associate those with the services, instead of reusing common security groups.
2. Enable MFA for portal
To add an extra layer of security to your AWS account, enable MFA. This way you make sure attackers cannot get into your account using stolen passwords alone.
3. Disable root keys
This is critical: the account's root keys have access to all services. That means they can be used to delete all your servers, S3 buckets, EBS volumes, backups, snapshots, and so on. Make sure you disable or delete these keys. Instead, create IAM users and use their keys to access the services. It is recommended to create IAM users with access only to the resources they need.
4. Admin IAM accounts
If there are too many admin accounts, you will end up with security issues. Make sure you are not creating too many admin accounts, and track the existing IAM admin accounts closely.
5. IAM password policy
When setting the password policy for your AWS account, make sure you specify complexity requirements and mandatory password regeneration when an IAM user's password expires. This way you avoid IAM users with weak passwords in your system.
6. S3 bucket and object permissions
Make sure you grant only limited permissions to others when setting a bucket access policy. Also, when uploading files to S3, if you set a public ACL on the files, they become accessible to everyone on the web. Make sure you are not doing this on files that are supposed to be private.
7. Keep an eye on IAM users' "access key last used" info
In the AWS console, you can find a user's "access key last used" details by clicking Users in the navigation pane. When you click an individual user name, the access key last used details are shown in the Security Credentials section. Keys that have not been used for a long time, or have never been used, are good candidates for deactivation.
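As an added example (not code from the original post), here is an offline check for items 1 and 7 above: it flags security group rules that expose SSH to any source and access keys that are unused for too long. The input dicts are constructed samples shaped like the boto3 `describe_security_groups()` IpPermissions and `get_access_key_last_used()` responses; the key ids are placeholders.

```python
# Added example, not from the original post. Offline audit helpers over
# constructed data shaped like boto3's IpPermissions entries and
# get_access_key_last_used() results; swap in real API output to use it.
from datetime import datetime, timedelta, timezone

ANYWHERE = {"0.0.0.0/0", "::/0"}  # "open to the world" sources

def open_to_world(permissions, port=22):
    """Return the IpPermissions entries that expose `port` to any IPv4/IPv6 source."""
    hits = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        low, high = perm.get("FromPort"), perm.get("ToPort")
        # "-1" means all protocols and ports; otherwise the range must cover `port`
        covers = proto == "-1" or (
            low is not None and high is not None and low <= port <= high)
        if not covers:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(src in ANYWHERE for src in sources):
            hits.append(perm)
    return hits

def stale_keys(keys, now, max_age_days=90):
    """Return key ids whose last-used date is older than max_age_days, or never used."""
    cutoff = now - timedelta(days=max_age_days)
    return [key_id for key_id, last_used in keys.items()
            if last_used is None or last_used < cutoff]

# Constructed sample: one SSH rule limited to an office range, one wide open.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
# Constructed sample (placeholder key ids); None means the key was never used.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "AKIAEXAMPLEACTIVE": NOW - timedelta(days=3),
    "AKIAEXAMPLEOLDKEY": NOW - timedelta(days=200),
    "AKIAEXAMPLENEVER": None,
}

if __name__ == "__main__":
    for perm in open_to_world(SAMPLE_PERMISSIONS):
        print("SSH open to the world:", perm)
    print("stale keys:", stale_keys(SAMPLE_KEYS, NOW))
```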