When you create a new AWS account, a new world opens to you. You have lots to learn, test, and build for your production environment. In this post, I’ll share some useful tips to apply to your AWS account right from the start.
1) Use a distribution list for the root account: When you create a new AWS account, you should use a distribution list as the root account e-mail address. If you use only one person’s e-mail for the AWS root, this is both useless and dangerous for your account. It’s useless because you will need to change the root account e-mail when the owner of that mailbox leaves the company. It’s dangerous because, if this person is phished, it could be a nightmare for the AWS account. So, you should create a distribution list, add only the required people, and use it as the root account e-mail.
2) Please use MFA: With MFA, you need a second authentication factor in addition to your login credentials. MFA is an additional layer that protects you from identity theft. You should enable MFA for your AWS root account and for every IAM user. In the AWS IAM console, you will see recommendations if MFA is not enabled for your root account or IAM users. For IAM users, you can enforce MFA with an IAM policy that denies actions to users who have not authenticated with MFA.
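One way to enforce this, as an added CloudFormation example (not code from the original post): a managed policy with an explicit deny on everything except MFA self-service whenever the request context lacks MFA. The policy name and the `AllUsers` group it attaches to are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Managed policy that denies every action to IAM users not signed in with MFA

Resources:
  RequireMfaPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RequireMfaForAllActions   # name is an assumption
      Groups: [AllUsers]                           # assumed group that every IAM user belongs to
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # A user without MFA may still inspect and enrol their own device;
          # without this carve-out nobody could set MFA up in the first place.
          - Sid: AllowManageOwnMfa
            Effect: Allow
            Action:
              - iam:GetUser
              - iam:ListMFADevices
              - iam:CreateVirtualMFADevice
              - iam:EnableMFADevice
              - iam:ResyncMFADevice
              - iam:ChangePassword
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:user/${!aws:username}
              - !Sub arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}
          - Sid: AllowListVirtualMfaDevices
            Effect: Allow
            Action: iam:ListVirtualMFADevices       # not resource-scoped, so it needs "*"
            Resource: "*"
          # Explicit deny for everything else unless the session carries MFA.
          # BoolIfExists also catches requests signed with long-term access keys,
          # where the MFA context key is absent entirely.
          - Sid: DenyAllOtherActionsWithoutMfa
            Effect: Deny
            NotAction:
              - iam:GetUser
              - iam:ListMFADevices
              - iam:ListVirtualMFADevices
              - iam:CreateVirtualMFADevice
              - iam:EnableMFADevice
              - iam:ResyncMFADevice
              - iam:ChangePassword
              - sts:GetSessionToken   # lets CLI users mint an MFA-backed session
            Resource: "*"
            Condition:
              BoolIfExists:
                aws:MultiFactorAuthPresent: "false"
```

Because an explicit deny wins over any allow, a user who has not enrolled can only see their own user and register a device; after signing in with the MFA code, every other permission they hold applies again.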
3) Enable AWS CloudTrail: AWS CloudTrail is the auditing service for your AWS account. It helps you answer three questions: “What happened?” “Who did this?” “When did this happen?” CloudTrail gives you audit logs that record all API events for your AWS resources. This service is sometimes confused with AWS CloudWatch, but their purposes are different: CloudWatch focuses on applications, and CloudTrail focuses on the AWS environment and its users.
For the CloudTrail, here are my tips:
- Configure CloudTrail as a multi-region trail, so every enabled region is covered.
- Enable log file integrity validation for your logs.
- Store your logs in AWS S3 buckets. Implement least privilege access to them.
4) Enable AWS GuardDuty: GuardDuty is a threat detection and continuous monitoring service for your AWS accounts and workloads. It’s easy to set up and use: with just a few clicks, you can enable this threat detection service. GuardDuty findings are actionable, because each finding comes with plenty of detailed information for your analysis. You can generate sample findings to get familiar with them. New features arrive regularly; at re:Inforce 2022, AWS announced that GuardDuty Malware Protection is now available.
5) Use AWS IAM Switch Role: Suppose you have many AWS accounts, or you need access to one additional account for a cloud security review. How do you get cross-account access? The answer is easy: use switch roles. By using IAM roles, you do not need to create an IAM user in every account (and you do not need to remember all those passwords). You have a single IAM user and switch from it into the other accounts. Using IAM roles has further benefits. IAM role credentials are temporary and rotated automatically (every 1 hour), so you do not have to manage credentials. Also, from the security perspective, if attackers capture the credentials, they are temporary, so you do not need to worry about long-term compromise.
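The role side of switching accounts, as an added CloudFormation example (not from the original post) deployed in the member account; the account ID, role name and profile names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only review role in a member account, assumable only with MFA from the identity account

Parameters:
  IdentityAccountId:
    Type: String
    Default: "111111111111"   # assumed placeholder: the account that holds your IAM users

Resources:
  SecurityReviewRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecurityReview      # name is an assumption
      MaxSessionDuration: 3600      # credentials expire after one hour, nothing to rotate by hand
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${IdentityAccountId}:root   # which users may switch is decided in that account's IAM
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"   # a session without MFA cannot switch, even with valid keys
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit    # AWS managed read-only policy for security reviews

# Two pieces live in the identity account, outside this template:
#
# 1. The reviewer's IAM user or group needs permission to assume the role:
#    {"Effect": "Allow", "Action": "sts:AssumeRole",
#     "Resource": "arn:aws:iam::<member-account-id>:role/SecurityReview"}
#
# 2. A CLI profile, so one IAM user switches into every member account
#    without a second password (the CLI prompts for the MFA code):
#    [profile member-review]
#    role_arn       = arn:aws:iam::<member-account-id>:role/SecurityReview
#    source_profile = identity
#    mfa_serial     = arn:aws:iam::111111111111:mfa/<your-user-name>
```

Every AssumeRole call lands in CloudTrail in both accounts, so the switch itself is auditable alongside what the role then does.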
6) Use AWS CloudWatch alarms: Getting notified is important in a cloud environment. For both application monitoring and security, you should configure CloudWatch alarms and get notified when something is going on. Here are some useful alarms that I’m using:
- Console sign-in without MFA
- AWS root account login
- High CPU usage on your EC2 instances
- AWS RDS connection count
- AWS IAM policy changes
- Billing alarms at $10, $100 and $1000
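The first two alarms in this list, as an added CloudFormation example that is not part of the original post; it assumes the trail already delivers to a CloudWatch Logs group and that an SNS topic for the security team exists.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Alarms for root account usage and console sign-in without MFA, fed from CloudTrail logs

Parameters:
  CloudTrailLogGroup: { Type: String }  # log group the trail delivers to (assumed to exist)
  AlertTopicArn: { Type: String }       # SNS topic subscribed by the security team (assumed to exist)

Resources:
  # Matches any call the root user makes directly (not on behalf of an AWS service)
  RootUsageFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroup
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - { MetricNamespace: SecurityMetrics, MetricName: RootAccountUsage, MetricValue: "1" }
  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Root account was used; root should only sign in for break-glass tasks
      Namespace: SecurityMetrics
      MetricName: RootAccountUsage
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching    # no events in a period is the normal, healthy state
      AlarmActions: [!Ref AlertTopicArn]

  # Matches successful console logins where no MFA token was presented
  NoMfaLoginFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroup
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.responseElements.ConsoleLogin = "Success") }'
      MetricTransformations:
        - { MetricNamespace: SecurityMetrics, MetricName: ConsoleLoginWithoutMfa, MetricValue: "1" }
  NoMfaLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Console sign-in without MFA
      Namespace: SecurityMetrics
      MetricName: ConsoleLoginWithoutMfa
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions: [!Ref AlertTopicArn]
```

Federated and SSO sign-ins also produce ConsoleLogin events, so check how your identity provider reports MFAUsed before treating every match as a policy violation.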
7) Delegate AWS Billing to IAM users: To give IAM users access to billing details, you need to activate IAM access to billing with your AWS root account credentials. I think this should be the second step after creating your AWS account: you should not log in with root credentials every time you want to check your bill. To activate it, you can follow these steps.
8) Always think of Infrastructure as Code: Infrastructure as Code helps you in many ways. First, it minimizes the risk of human error when you create a new AWS resource. Once you start using AWS CloudFormation, you’ll see increased efficiency in cloud development. It also helps your security: you code the security best practices for your resources once, and from then on they can be deployed without any security misconfiguration whenever you want. So, always think IaC first.
9) Review your resources regularly: Many team members work in the AWS account, and everyone creates resources in it. So, you need to review your AWS resources regularly, both for your infrastructure and for cost optimization. Sometimes there are S3 buckets that are no longer used, EC2 servers left over from testing, and RDS instances that run up high costs every month. It is beneficial to review weekly or monthly with some useful tools.
10) Centralize your logs in a separate AWS account:
In AWS, there are many kinds of logs, such as CloudWatch, CloudTrail, and ELB access logs, and all of them are important to you. To manage them, you should centralize your logs in a separate AWS account. This recommendation is an AWS best practice, and it benefits both your time and your security. From a time perspective, when you have a problem and need to analyze your logs, you first need to find where they are stored: which bucket, which are the oldest logs, and so on. If you store logs in a dedicated AWS account, this process becomes easy. From a security perspective, if a cloud security incident happens, your logs are stored in another AWS account. Hackers cannot delete their traces; you have all of them.
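The cross-account log bucket described above, as an added CloudFormation example (not from the original post) deployed in the log-archive account; the account ID, trail ARN and bucket name are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Bucket in the log-archive account that receives CloudTrail from a workload account

Parameters:
  WorkloadAccountId: { Type: String, Default: "222222222222" }   # assumed placeholder
  WorkloadTrailArn: { Type: String }   # e.g. arn:aws:cloudtrail:<home-region>:222222222222:trail/<trail-name>

Resources:
  LogArchiveBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub central-logs-${AWS::AccountId}   # name is an assumption
      VersioningConfiguration: { Status: Enabled }       # overwritten or deleted objects stay recoverable
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  LogArchiveBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogArchiveBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # aws:SourceArn pins the grant to one specific trail in the workload account,
          # so a trail in some unrelated account cannot write here (confused deputy).
          - Sid: AllowWorkloadTrailAclCheck
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt LogArchiveBucket.Arn
            Condition:
              StringEquals:
                aws:SourceArn: !Ref WorkloadTrailArn
          - Sid: AllowWorkloadTrailWrite
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub ${LogArchiveBucket.Arn}/AWSLogs/${WorkloadAccountId}/*
            Condition:
              StringEquals:
                aws:SourceArn: !Ref WorkloadTrailArn
                s3:x-amz-acl: bucket-owner-full-control
          # Explicit deny beats any IAM allow: no user or role in this account can delete
          # delivered objects, and principals in the workload account were never granted access.
          - Sid: DenyLogDeletion
            Effect: Deny
            Principal: "*"
            Action:
              - s3:DeleteObject
              - s3:DeleteObjectVersion
            Resource: !Sub ${LogArchiveBucket.Arn}/*
```

The trail in the workload account then points at this bucket name; an attacker with admin rights there can stop the trail, but cannot reach what was already delivered.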
Thanks for reading! ☁️