Best practices for managing AWS account: Difference between revisions

From PUBLIC-WIKI
Jump to navigation Jump to search
Eyales (talk | contribs)
Created page with "Securing the Root account • Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console Note: Replace AWS Account ID with your actual acco..."
 
Eyales (talk | contribs)
No edit summary
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
Securing the Root account
== Securing the Root account ==
Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
* Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
Note: Replace AWS Account ID with your actual account ID or DNS name.
: Note: Replace AWS Account ID with your actual account ID or DNS name.
Click on “Sign-in using root account credentials” -> specify the password for the Root account and click “Sign In”
* Click on “Sign-in using root account credentials” -> specify the password for the Root account and click “Sign In”
From the upper right pane, click on the account name -> choose “My Security Credentials” -> click on “Continue to Security Credentials”
* From the upper right pane, click on the account name -> choose “My Security Credentials” -> click on “Continue to Security Credentials”
From the main window, expand “Password” -> select “Click here” to replace the initial Root account password -> set a new complex password (minimum 8 characters, including upper case, lower case, at least one number and at least one non-alphanumeric character)
* From the main window, expand “Password” -> select “Click here” to replace the initial Root account password -> set a new complex password (minimum 8 characters, including upper case, lower case, at least one number and at least one non-alphanumeric character)
From the main window, expand “Multi-factor authentication (MFA)” -> click on Activate MFA -> select the MFA device to activate and follow the steps to active the MFA device
* From the main window, expand “Multi-factor authentication (MFA)” -> click on Activate MFA -> select the MFA device to activate and follow the steps to active the MFA device
From the main window, expand “Access keys (access key ID and secret key)” -> make sure the Root account has no access or secrets keys (delete all previously assigned keys)
* From the main window, expand “Access keys (access key ID and secret key)” -> make sure the Root account has no access or secrets keys (delete all previously assigned keys)
From the upper right pane, click on account name -> choose “My account”:
* From the upper right pane, click on account name -> choose “My account”:
o Write down the “AWS Account ID” (it will be used in the next sections)
:* Write down the “AWS Account ID” (it will be used in the next sections)
o Make sure the Contact information is up to date
:* Make sure the Contact information is up to date
o Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
:* Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
o Configure “Security Challenge Questions”
:* Configure “Security Challenge Questions”
From the left pane, click on “Cost Explorer” -> click on Enable Cost Explorer”
* From the left pane, click on “Cost Explorer” -> click on Enable Cost Explorer”
From the left pane, click on “Budgets” -> click on “Create budget” -> specify the budget details and notifications -> click “Create”
* From the left pane, click on “Budgets” -> click on “Create budget” -> specify the budget details and notifications -> click “Create”
From the left pane, click on “Preferences” -> select the notifications you would like to receive via email
* From the left pane, click on “Preferences” -> select the notifications you would like to receive via email


Configuring the IAM policies and initial IAM administrator account
== Configuring the IAM policies and initial IAM administrator account ==
Login to the IAM console:
* Login to the IAM console:
https://console.aws.amazon.com/iam/
: https://console.aws.amazon.com/iam/
From the left pane, click on “Account settings” and set the following password policy:
* From the left pane, click on “Account settings” and set the following password policy:
o Minimum password length: 8 characters
:* Minimum password length: 8 characters
o Require at least one uppercase letter (Selected)
:* Require at least one uppercase letter (Selected)
o Require at least one lowercase letter (Selected)
:* Require at least one lowercase letter (Selected)
o Require at least one number (Selected)
:* Require at least one number (Selected)
o Allow users to change their own password (Selected)
:* Allow users to change their own password (Selected)
o Enable password expiration (Selected)
:* Enable password expiration (Selected)
Password expiration period in days: 90
::* Password expiration period in days: 90
o Prevent password reuse (Selected)
:* Prevent password reuse (Selected)
Number of passwords to remember: 24
::* Number of passwords to remember: 24
Click on “Apply password policy”
* Click on “Apply password policy”
From the left pane click on “Users” to create the first administrator IAM user and group -> click on “Add user” -> specify the user name -> leave “Programmatic access” unselected -> select “AWS Management Console access” -> select “Custom password” -> specify complex password -> unselect “User must create a new password at next sign-in” -> click “Next: Permissions” -> select “Add user to group” -> click on “Create group” -> on the “Group name” specify “AdministratorAccess” -> on the “Policy type” select “AdministratorAccess” -> click on “Create group”
* From the left pane click on “Users” to create the first administrator IAM user and group -> click on “Add user” -> specify the user name -> leave “Programmatic access” unselected -> select “AWS Management Console access” -> select “Custom password” -> specify complex password -> unselect “User must create a new password at next sign-in” -> click “Next: Permissions” -> select “Add user to group” -> click on “Create group” -> on the “Group name” specify “AdministratorAccess” -> on the “Policy type” select “AdministratorAccess” -> click on “Create group”
Click on “Next: Review” -> click on “Create user” -> click on Close
* Click on “Next: Review” -> click on “Create user” -> click on Close
From the left pane, click on Users -> click on the newly created admin account -> click on “Security credentials” tab -> click on the pencil icon near “Assigned MFA device” -> select the MFA device to activate and follow the steps to active the MFA device
* From the left pane, click on Users -> click on the newly created admin account -> click on “Security credentials” tab -> click on the pencil icon near “Assigned MFA device” -> select the MFA device to activate and follow the steps to active the MFA device


Configure S3 buckets for auditing and for billing reports
== Configure S3 buckets for auditing and for billing reports ==
Login to the S3 console:
* Login to the S3 console:
https://s3.console.aws.amazon.com/s3/
: https://s3.console.aws.amazon.com/s3/
Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
* Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
o Click on “Server access logging” -> click “Enable” -> click Save
:* Click on “Server access logging” -> click “Enable” -> click Save
o Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
:* Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
o Click on “Default encryption” -> select “AES-256” -> click Save
:* Click on “Default encryption” -> select “AES-256” -> click Save
Click Next
* Click Next
Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
* Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-billing-reports (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
* Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-billing-reports (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
o Click on “Server access logging” -> click “Enable” -> click Save
:* Click on “Server access logging” -> click “Enable” -> click Save
o Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
:* Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
o Click on “Default encryption” -> select “AES-256” -> click Save
:* Click on “Default encryption” -> select “AES-256” -> click Save
Click Next
* Click Next
Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
* Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
Login to the AWS billing console:
* Login to the AWS billing console:
https://console.aws.amazon.com/billing/
: https://console.aws.amazon.com/billing/
From the left pane, click on “Preferences” -> select “Receive Billing Reports” -> billing reports S3 bucket previously created -> make sure the billing reports S3 bucket policy is configured according to the sample policy link -> when done configuring the billing reports S3 bucket policy, click on “Verify” -> select all type of reports -> click on “Save preferences”
* From the left pane, click on “Preferences” -> select “Receive Billing Reports” -> billing reports S3 bucket previously created -> make sure the billing reports S3 bucket policy is configured according to the sample policy link -> when done configuring the billing reports S3 bucket policy, click on “Verify” -> select all type of reports -> click on “Save preferences”
Login to the AWS CloudTrail console:
* Login to the AWS CloudTrail console:
https://console.aws.amazon.com/cloudtrail/
: https://console.aws.amazon.com/cloudtrail/
From the left pane, click on “Dashboard” -> click on “Create trail” -> specify trail name <AWS_Account_ID>-audit-trail (Replace AWS Account ID with your actual account ID)
* From the left pane, click on “Dashboard” -> click on “Create trail” -> specify trail name <AWS_Account_ID>-audit-trail (Replace AWS Account ID with your actual account ID)
o “Apply trail to all regions” should be set to “Yes”
:* “Apply trail to all regions” should be set to “Yes”
o “Read/Write events” should be set to “All”
:* “Read/Write events” should be set to “All”
o Configure “Storage location”:
:* Configure “Storage location”:
Create a new S3 bucket – No
:: Create a new S3 bucket – No
S3 bucket – specify <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID)
:: '''S3 bucket – specify <AWS_Account_ID>-auditlogs'''
Click on “Create”
:: Note: Replace AWS Account ID with your actual account ID
Note: AWS CloudTrail is not free. See the pricing information:
* Click on “Create”
https://aws.amazon.com/cloudtrail/pricing/
: Note: AWS CloudTrail is not free. See the pricing information:
: https://aws.amazon.com/cloudtrail/pricing/


Configure Trusted Advisor
== Configure Trusted Advisor ==
Login to the Trusted Advisor management console:
* Login to the Trusted Advisor management console:
https://console.aws.amazon.com/trustedadvisor/
: https://console.aws.amazon.com/trustedadvisor/
From the left pane, click on “Preferences” -> select all recipients and set email addresses for “Billing contact”, “Operations Contact” and “Security contact” (similar to the addresses you set up under “My Account” settings)
* From the left pane, click on “Preferences” -> select all recipients and set email addresses for “Billing contact”, “Operations Contact” and “Security contact” (similar to the addresses you set up under “My Account” settings)

Latest revision as of 11:31, 7 March 2018

Securing the Root account

  • Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
Note: Replace AWS Account ID with your actual account ID or DNS name.
  • Click on “Sign-in using root account credentials” -> specify the password for the Root account and click “Sign In”
  • From the upper right pane, click on the account name -> choose “My Security Credentials” -> click on “Continue to Security Credentials”
  • From the main window, expand “Password” -> select “Click here” to replace the initial Root account password -> set a new complex password (minimum 8 characters, including upper case, lower case, at least one number and at least one non-alphanumeric character)
  • From the main window, expand “Multi-factor authentication (MFA)” -> click on Activate MFA -> select the MFA device to activate and follow the steps to active the MFA device
  • From the main window, expand “Access keys (access key ID and secret key)” -> make sure the Root account has no access or secrets keys (delete all previously assigned keys)
  • From the upper right pane, click on account name -> choose “My account”:
  • Write down the “AWS Account ID” (it will be used in the next sections)
  • Make sure the Contact information is up to date
  • Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
  • Configure “Security Challenge Questions”
  • From the left pane, click on “Cost Explorer” -> click on Enable Cost Explorer”
  • From the left pane, click on “Budgets” -> click on “Create budget” -> specify the budget details and notifications -> click “Create”
  • From the left pane, click on “Preferences” -> select the notifications you would like to receive via email

Configuring the IAM policies and initial IAM administrator account

  • Login to the IAM console:
https://console.aws.amazon.com/iam/
  • From the left pane, click on “Account settings” and set the following password policy:
  • Minimum password length: 8 characters
  • Require at least one uppercase letter (Selected)
  • Require at least one lowercase letter (Selected)
  • Require at least one number (Selected)
  • Allow users to change their own password (Selected)
  • Enable password expiration (Selected)
  • Password expiration period in days: 90
  • Prevent password reuse (Selected)
  • Number of passwords to remember: 24
  • Click on “Apply password policy”
  • From the left pane click on “Users” to create the first administrator IAM user and group -> click on “Add user” -> specify the user name -> leave “Programmatic access” unselected -> select “AWS Management Console access” -> select “Custom password” -> specify complex password -> unselect “User must create a new password at next sign-in” -> click “Next: Permissions” -> select “Add user to group” -> click on “Create group” -> on the “Group name” specify “AdministratorAccess” -> on the “Policy type” select “AdministratorAccess” -> click on “Create group”
  • Click on “Next: Review” -> click on “Create user” -> click on Close
  • From the left pane, click on Users -> click on the newly created admin account -> click on “Security credentials” tab -> click on the pencil icon near “Assigned MFA device” -> select the MFA device to activate and follow the steps to active the MFA device

Configure S3 buckets for auditing and for billing reports

  • Login to the S3 console:
https://s3.console.aws.amazon.com/s3/
  • Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
  • Click on “Server access logging” -> click “Enable” -> click Save
  • Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
  • Click on “Default encryption” -> select “AES-256” -> click Save
  • Click Next
  • Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
  • Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-billing-reports (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
  • Click on “Server access logging” -> click “Enable” -> click Save
  • Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
  • Click on “Default encryption” -> select “AES-256” -> click Save
  • Click Next
  • Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
  • Login to the AWS billing console:
https://console.aws.amazon.com/billing/
  • From the left pane, click on “Preferences” -> select “Receive Billing Reports” -> billing reports S3 bucket previously created -> make sure the billing reports S3 bucket policy is configured according to the sample policy link -> when done configuring the billing reports S3 bucket policy, click on “Verify” -> select all type of reports -> click on “Save preferences”
  • Login to the AWS CloudTrail console:
https://console.aws.amazon.com/cloudtrail/
  • From the left pane, click on “Dashboard” -> click on “Create trail” -> specify trail name <AWS_Account_ID>-audit-trail (Replace AWS Account ID with your actual account ID)
  • “Apply trail to all regions” should be set to “Yes”
  • “Read/Write events” should be set to “All”
  • Configure “Storage location”:
Create a new S3 bucket – No
S3 bucket – specify <AWS_Account_ID>-auditlogs
Note: Replace AWS Account ID with your actual account ID
  • Click on “Create”
Note: AWS CloudTrail is not free. See the pricing information:
https://aws.amazon.com/cloudtrail/pricing/

Configure Trusted Advisor

  • Login to the Trusted Advisor management console:
https://console.aws.amazon.com/trustedadvisor/
  • From the left pane, click on “Preferences” -> select all recipients and set email addresses for “Billing contact”, “Operations Contact” and “Security contact” (similar to the addresses you set up under “My Account” settings)