Best practices for managing AWS account: Difference between revisions

From PUBLIC-WIKI
Jump to navigation Jump to search
Eyales (talk | contribs)
No edit summary
Eyales (talk | contribs)
No edit summary
Line 1: Line 1:
== Securing the Root account ==
== Securing the Root account ==
* Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
# Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
Note: Replace AWS Account ID with your actual account ID or DNS name.
: Note: Replace AWS Account ID with your actual account ID or DNS name.
* Click on “Sign-in using root account credentials” -> specify the password for the Root account and click “Sign In”
# Click on “Sign-in using root account credentials” -> specify the password for the Root account and click “Sign In”
* From the upper right pane, click on the account name -> choose “My Security Credentials” -> click on “Continue to Security Credentials”
# From the upper right pane, click on the account name -> choose “My Security Credentials” -> click on “Continue to Security Credentials”
* From the main window, expand “Password” -> select “Click here” to replace the initial Root account password -> set a new complex password (minimum 8 characters, including upper case, lower case, at least one number and at least one non-alphanumeric character)
# From the main window, expand “Password” -> select “Click here” to replace the initial Root account password -> set a new complex password (minimum 8 characters, including upper case, lower case, at least one number and at least one non-alphanumeric character)
* From the main window, expand “Multi-factor authentication (MFA)” -> click on Activate MFA -> select the MFA device to activate and follow the steps to active the MFA device
# From the main window, expand “Multi-factor authentication (MFA)” -> click on Activate MFA -> select the MFA device to activate and follow the steps to active the MFA device
* From the main window, expand “Access keys (access key ID and secret key)” -> make sure the Root account has no access or secrets keys (delete all previously assigned keys)
# From the main window, expand “Access keys (access key ID and secret key)” -> make sure the Root account has no access or secrets keys (delete all previously assigned keys)
* From the upper right pane, click on account name -> choose “My account”:
# From the upper right pane, click on account name -> choose “My account”:
** Write down the “AWS Account ID” (it will be used in the next sections)
** Write down the “AWS Account ID” (it will be used in the next sections)
** Make sure the Contact information is up to date
** Make sure the Contact information is up to date
** Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
** Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
** Configure “Security Challenge Questions”
** Configure “Security Challenge Questions”
* From the left pane, click on “Cost Explorer” -> click on Enable Cost Explorer”
# From the left pane, click on “Cost Explorer” -> click on Enable Cost Explorer”
* From the left pane, click on “Budgets” -> click on “Create budget” -> specify the budget details and notifications -> click “Create”
# From the left pane, click on “Budgets” -> click on “Create budget” -> specify the budget details and notifications -> click “Create”
* From the left pane, click on “Preferences” -> select the notifications you would like to receive via email
# From the left pane, click on “Preferences” -> select the notifications you would like to receive via email



Revision as of 09:13, 7 March 2018

Securing the Root account

  1. Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
Note: Replace AWS Account ID with your actual account ID or DNS name.
  1. Click on “Sign-in using root account credentials” -> specify the password for the Root account and click “Sign In”
  2. From the upper right pane, click on the account name -> choose “My Security Credentials” -> click on “Continue to Security Credentials”
  3. From the main window, expand “Password” -> select “Click here” to replace the initial Root account password -> set a new complex password (minimum 8 characters, including upper case, lower case, at least one number and at least one non-alphanumeric character)
  4. From the main window, expand “Multi-factor authentication (MFA)” -> click on Activate MFA -> select the MFA device to activate and follow the steps to active the MFA device
  5. From the main window, expand “Access keys (access key ID and secret key)” -> make sure the Root account has no access or secrets keys (delete all previously assigned keys)
  6. From the upper right pane, click on account name -> choose “My account”:
    • Write down the “AWS Account ID” (it will be used in the next sections)
    • Make sure the Contact information is up to date
    • Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
    • Configure “Security Challenge Questions”
  1. From the left pane, click on “Cost Explorer” -> click on Enable Cost Explorer”
  2. From the left pane, click on “Budgets” -> click on “Create budget” -> specify the budget details and notifications -> click “Create”
  3. From the left pane, click on “Preferences” -> select the notifications you would like to receive via email

  Configuring the IAM policies and initial IAM administrator account • Login to the IAM console: https://console.aws.amazon.com/iam/ • From the left pane, click on “Account settings” and set the following password policy: o Minimum password length: 8 characters o Require at least one uppercase letter (Selected) o Require at least one lowercase letter (Selected) o Require at least one number (Selected) o Allow users to change their own password (Selected) o Enable password expiration (Selected)  Password expiration period in days: 90 o Prevent password reuse (Selected)  Number of passwords to remember: 24 • Click on “Apply password policy” • From the left pane click on “Users” to create the first administrator IAM user and group -> click on “Add user” -> specify the user name -> leave “Programmatic access” unselected -> select “AWS Management Console access” -> select “Custom password” -> specify complex password -> unselect “User must create a new password at next sign-in” -> click “Next: Permissions” -> select “Add user to group” -> click on “Create group” -> on the “Group name” specify “AdministratorAccess” -> on the “Policy type” select “AdministratorAccess” -> click on “Create group” • Click on “Next: Review” -> click on “Create user” -> click on Close • From the left pane, click on Users -> click on the newly created admin account -> click on “Security credentials” tab -> click on the pencil icon near “Assigned MFA device” -> select the MFA device to activate and follow the steps to active the MFA device

  Configure S3 buckets for auditing and for billing reports • Login to the S3 console: https://s3.console.aws.amazon.com/s3/ • Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next o Click on “Server access logging” -> click “Enable” -> click Save o Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save o Click on “Default encryption” -> select “AES-256” -> click Save • Click Next • Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket” • Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-billing-reports (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next o Click on “Server access logging” -> click “Enable” -> click Save o Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save o Click on “Default encryption” -> select “AES-256” -> click Save • Click Next • Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket” • Login to the AWS billing console: https://console.aws.amazon.com/billing/ • From the left pane, click on “Preferences” -> select “Receive Billing Reports” -> billing reports S3 bucket previously created -> make sure the billing reports S3 bucket policy is configured according to the sample policy link -> when done configuring the billing reports S3 bucket policy, click on “Verify” -> select all type of reports -> click on “Save preferences” • Login to the AWS CloudTrail console: https://console.aws.amazon.com/cloudtrail/ • From the left pane, click on “Dashboard” -> click on “Create trail” -> specify trail name <AWS_Account_ID>-audit-trail (Replace AWS Account ID with your actual account ID) o “Apply trail to all regions” should be set to “Yes” o “Read/Write events” should be set to “All” o Configure “Storage location”:  Create a new S3 bucket – No  S3 bucket – specify <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID) • Click on “Create” Note: AWS CloudTrail is not free. See the pricing information: https://aws.amazon.com/cloudtrail/pricing/

Configure Trusted Advisor • Login to the Trusted Advisor management console: https://console.aws.amazon.com/trustedadvisor/ • From the left pane, click on “Preferences” -> select all recipients and set email addresses for “Billing contact”, “Operations Contact” and “Security contact” (similar to the addresses you set up under “My Account” settings)