Recommendations for configuring an AWS linked account

From PUBLIC-WIKI
Revision as of 11:33, 7 March 2018 by Eyales (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Initial account settings

  • Login to the Amazon management console: https://<AWS_Account_ID>.signin.aws.amazon.com/console
Note: Replace AWS Account ID with your actual account ID or DNS name.
  • From the upper right pane, click on account name -> choose “My account”:
  • Write down the “AWS Account ID” (it will be used in the next sections)
  • Make sure the Contact information is up to date
  • Under “Alternate Contacts” -> specify contact details for “Billing”, “Operations” and “Security”
  • Configure “Security Challenge Questions”

Configuring the IAM policies and IAM administrator account

  • Login to the IAM console:
https://console.aws.amazon.com/iam/
  • From the left pane, click on “Account settings” and set the following password policy:
  • Minimum password length: 8 characters
  • Require at least one uppercase letter (Selected)
  • Require at least one lowercase letter (Selected)
  • Require at least one number (Selected)
  • Allow users to change their own password (Selected)
  • Enable password expiration (Selected)
  • Password expiration period in days: 90
  • Prevent password reuse (Selected)
  • Number of passwords to remember: 24
  • Click on “Apply password policy”
  • From the left pane click on “Users” -> review each and every account member of “admin” / “administrators” group -> click on “Security credentials” tab -> click on the pencil icon near “Assigned MFA device” -> select the MFA device to activate and follow the steps to active the MFA device
  • It is strongly recommended that each and every privileged account will be configured with “AWS Management Console access” only – in case privileged account has Access keys, it is strongly recommended to make all keys inactive and create separate accounts for programmatic access

Configure S3 buckets for auditing

  • Login to the S3 console:
https://s3.console.aws.amazon.com/s3/
  • Click on “Create bucket” -> specify bucket name <AWS_Account_ID>-auditlogs (Replace AWS Account ID with your actual account ID) -> select a region close to your location -> click Next
  • Click on “Server access logging” -> click “Enable” -> click Save
  • Click on “Tags” -> specify key: AccountName, Value – specify here the AWS account name or ID -> click Save
  • Click on “Default encryption” -> select “AES-256” -> click Save
  • Click Next
  • Leave the default settings “Do not grant public read access to this bucket” -> click Next -> click “Create bucket”
  • Login to the AWS CloudTrail console:
https://console.aws.amazon.com/cloudtrail/
  • From the left pane, click on “Dashboard” -> click on “Create trail” -> specify trail name <AWS_Account_ID>-audit-trail (Replace AWS Account ID with your actual account ID)
  • “Apply trail to all regions” should be set to “Yes”
  • “Read/Write events” should be set to “All”
  • Configure “Storage location”:
Create a new S3 bucket – No
S3 bucket – specify <AWS_Account_ID>-auditlogs
Note: Replace AWS Account ID with your actual account ID
  • Click on “Create”
Note: AWS CloudTrail is not free. See the pricing information:
https://aws.amazon.com/cloudtrail/pricing/

Configure Trusted Advisor

  • Login to the Trusted Advisor management console:
https://console.aws.amazon.com/trustedadvisor/
  • From the left pane, click on “Preferences” -> select all recipients and set email addresses for “Billing contact”, “Operations Contact” and “Security contact” (similar to the addresses you set up under “My Account” settings)
  • It is strongly recommended to review from time to time, the AWS Trusted Advisor recommendations in each of the sections (Cost, performance, security, fault tolerance and service limits) in-order to optimize your AWS environment, save money and raise performance, etc.