DEV Community

VijayaNirmalaGopal

Top 10 Tips for Password Protection in AWS

Welcome AWS Cloud Enthusiasts!! A warm welcome to you all into 2024!!

When it comes to our internet presence, we use a utility, an app or a service, and for that we create or use login credentials. The password we set up here plays a key role and is the heart centre of our safe existence on the internet and in the cloud.

Based on various discussions and questions in the forums, I thought I could share my top ten tips for password protection, and here they are!!

Tip #1
Never use your personal life, favourites or trending topics as your passwords. People are often carried away by their affection for their loved ones, or rely on their address, date of birth or anniversaries in their passwords. Please resist the urge to do so: having them in your passwords doesn't save you from risk, and leaving them out doesn't belittle your love and concern for them.

Tip #2
Keep your passwords long, with a mix of letters, numbers and special characters. Length plays a crucial part; aim for a minimum of 12 characters to start with. A long, mixed password is harder to crack, and the extra time it takes to crack gives us more time to notice, rotate the credentials and recover.

Tip #3
A best practice and a must-have is to add MFA (Multi-factor Authentication). This is what is called "something you know" (the password) + "something you have".

Tip #4
If possible, include biometric authentication, which is "something you are".

To be more specific, or to come closer to passwords in AWS, I could think of the below:

Tip #5
Apply least privilege to every IAM user, with MFA enabled. Give access only to what is essential to the user's role, and better yet, group the users and apply policies to the group according to that classification. The greatest advantage is that all the users get their permissions revised whenever the role gains additional responsibilities. For example, all Data Engineers need access to S3 buckets, or all Big Data Engineers don't need access to cost & billing or other services.

Tip #6
Use roles wherever appropriate, for example for accessing other services from EC2. Roles use STS to issue temporary credentials, so exposure or theft of users' long-lived credentials can be avoided.

Tip #7
Store DB passwords in AWS Secrets Manager, where they can be rotated automatically and are encrypted as well. If you are hosting DBs or using DB services inside AWS, store their passwords in AWS Secrets Manager so that applications or the SDK can fetch and use them from there.

Tip #8
Use AWS Parameter Store for storing any configuration parameters or config file values.

Tip #9
Set up a data perimeter for data residing in any form of storage inside AWS, since the customer is responsible for their data in AWS. Use S3 encryption, lifecycle policies, bucket policies and resource policies, and safeguard access to the data. This includes network and cross-account access considerations as well.

Tip #10
Rotate users' credentials within a desired time frame, like 15 or 30 days, according to the organization's compliance requirements. This is another must-have where a lot of incidents can be avoided, as this hand in hand with MFA is a life saver.
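As an added example (not code from the original post), the settings behind Tip #2, Tip #5 and Tip #10 expressed as an IAM account password policy plus a "deny everything until MFA is present" group policy, with a local check that tells you which rule a candidate password breaks. The boto3 IAM client, the account ID, the group name and the policy name are assumptions supplied by the caller; the reuse-prevention depth of 24 is also an assumed value.

```python
import json

# Tip #2 and Tip #10 as an account password policy: 12+ characters, all four
# character classes, 30-day rotation. PasswordReusePrevention=24 is an assumption.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 12, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "MaxPasswordAge": 30,
    "PasswordReusePrevention": 24, "HardExpiry": False,
}

# IAM self-service actions a user needs to enrol an MFA device and change a password
# before any MFA-backed session exists; scoped below to the caller's own user/MFA ARNs.
MFA_SELF_SERVICE = ["iam:GetUser", "iam:ChangePassword", "iam:ListMFADevices",
                    "iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice", "iam:ResyncMFADevice"]

def mfa_required_policy(account_id: str) -> dict:
    """Tip #5: deny everything except MFA self-service unless the session has MFA.
    BoolIfExists treats a request without the key (plain access keys) as 'false'."""
    own = [f"arn:aws:iam::{account_id}:user/${{aws:username}}",
           f"arn:aws:iam::{account_id}:mfa/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowMfaSelfService", "Effect": "Allow",
         "Action": MFA_SELF_SERVICE, "Resource": own},
        {"Sid": "AllowSessionToken", "Effect": "Allow",
         "Action": "sts:GetSessionToken", "Resource": "*"},
        {"Sid": "DenyAllWithoutMfa", "Effect": "Deny",
         "NotAction": MFA_SELF_SERVICE + ["sts:GetSessionToken"], "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]}

def policy_violations(password: str, policy: dict = PASSWORD_POLICY) -> list:
    """Return the rules a candidate password breaks under the same settings (empty = ok)."""
    classes = {"RequireSymbols": lambda c: not c.isalnum(), "RequireNumbers": str.isdigit,
               "RequireUppercaseCharacters": str.isupper,
               "RequireLowercaseCharacters": str.islower}
    failed = ["MinimumPasswordLength"] if len(password) < policy["MinimumPasswordLength"] else []
    failed += [r for r, ok in classes.items() if policy[r] and not any(ok(c) for c in password)]
    return failed

def apply(iam, account_id: str, group_name: str) -> str:
    """Push both settings with a boto3 IAM client (hypothetical caller-supplied client);
    attaching the policy to a group rather than to each user follows Tip #5."""
    iam.update_account_password_policy(**PASSWORD_POLICY)
    created = iam.create_policy(PolicyName="RequireMfaForAllActions",
                                PolicyDocument=json.dumps(mfa_required_policy(account_id)))
    iam.attach_group_policy(GroupName=group_name, PolicyArn=created["Policy"]["Arn"])
    return created["Policy"]["Arn"]
```

Note that the Deny statement does not block console sign-in itself; it stops the user from doing anything else until they have enrolled a device and started an MFA-backed session.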

Last year's IBM X-Force Threat Landscape report tells us that more than 35% of threats were caused by compromised credentials. Read more at Link
