Best practices for securing AWS account

From PUBLIC-WIKI
Revision as of 15:02, 13 April 2020 by Eyales (talk | contribs)

Changing IAM user password

In order to limit how long a leaked or guessed password stays usable, it is recommended to change every IAM user's console password every 90 days. The per-user procedure below is for a manual change; the same 90-day limit can be enforced for all users by setting a maximum password age in the account password policy (IAM console, Account settings).

  • Sign in to the AWS Management Console and open the IAM console at:
https://console.aws.amazon.com/iam/
  • In the navigation pane, choose Users.
  • Choose the name of the user whose password you want to change.
  • Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
  • Choose whether to have IAM generate a password or create a custom password:
      • To have IAM generate a password, choose Autogenerated password.
      • To create a custom password, choose Custom password, and type the password.
  • To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.
  • If you chose the autogenerated option, choose Show in the New password dialog box to view the password so you can share it with the user over a secure channel.
  • Log off the AWS Management Console.

Changing IAM user access keys

In order to limit how long a leaked access key stays usable, it is recommended to rotate every IAM user's access keys every 90 days. Because each user may hold two active keys at once, rotation can be done without downtime by creating the new key before retiring the old one, as follows. The IAM credential report (Credential report in the IAM console, or aws iam get-credential-report) lists the creation and last-used dates of every user's keys in one place, which is quicker than opening each user when checking which keys are due.

  • While the first access key is still active, create a second access key:
      • Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/
      • In the navigation pane, choose Users.
      • Choose the name of the intended user, and then choose the Security credentials tab.
      • Choose Create access key and then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog closes. After you have downloaded the .csv file, choose Close.
  • Update all applications and tools to use the new access key.
  • Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.
  • Choose Make inactive to deactivate the first access key.
  • Use only the new access key to confirm that your applications are working.
  • After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:
      • Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/
      • In the navigation pane, choose Users.
      • Choose the name of the intended user, and then choose the Security credentials tab.
      • Locate the access key to delete and choose its X button at the far right of the row. Then choose Delete to confirm.
  • Log off the AWS Management Console.
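The two procedures above (password age and access key age) are the checks a practitioner usually scripts against the IAM credential report rather than clicking through every user. The following is an added example, not code from the original page: it parses a constructed credential report (the CSV that aws iam get-credential-report returns after base64 decoding, abbreviated to the columns used here), flags passwords and active keys older than 90 days, and separately lists active keys that show no use in the last few days, which is the "Last used" check that precedes Make inactive. The user names, account ID and dates are invented sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `aws iam get-credential-report` (decoded CSV,
# abbreviated to the columns used here).  Account ID, users and dates are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2020-04-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-01T00:00:00+00:00,true,2020-04-10T08:00:00+00:00,2019-12-01T00:00:00+00:00,2020-02-29T00:00:00+00:00,true,true,2019-12-01T00:00:00+00:00,2020-04-12T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-02-01T00:00:00+00:00,true,no_information,2020-02-01T00:00:00+00:00,2020-05-01T00:00:00+00:00,false,true,2020-02-01T00:00:00+00:00,N/A,N/A,N/A,true,2020-03-20T00:00:00+00:00,2020-04-12T09:00:00+00:00,eu-west-1,ec2
deploy,arn:aws:iam::123456789012:user/deploy,2018-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-01-01T00:00:00+00:00,2020-04-12T09:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
"""

# Reference time for the sample (constructed; a real run would use datetime.now(timezone.utc)).
NOW = datetime(2020, 4, 13, tzinfo=timezone.utc)


def _parse(ts):
    """Return an aware datetime, or None for N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None


def find_stale_credentials(report_csv, now=NOW, max_age_days=90):
    """Return (user, credential, age_days) for console passwords and active access keys
    whose last change is older than max_age_days.  Disabled passwords and inactive
    keys are skipped; the root account reports 'not_supported' and is skipped too."""
    findings = []
    max_age = timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            changed = _parse(row["password_last_changed"])
            if changed and now - changed > max_age:
                findings.append((user, "password", (now - changed).days))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > max_age:
                findings.append((user, f"access_key_{n}", (now - rotated).days))
    return findings


def find_idle_keys(report_csv, now=NOW, idle_days=7):
    """Return (user, credential) for active keys with no recorded use in the last
    idle_days, or never used: the candidates for Make inactive during rotation."""
    idle = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > timedelta(days=idle_days):
                idle.append((row["user"], f"access_key_{n}"))
    return idle


if __name__ == "__main__":
    for user, cred, age in find_stale_credentials(SAMPLE_REPORT):
        print(f"ROTATE  {user:<15} {cred:<13} {age} days old")
    for user, cred in find_idle_keys(SAMPLE_REPORT):
        print(f"IDLE    {user:<15} {cred:<13} no use in the last 7 days")
```

A key that is both stale and idle can be deactivated straight away; a stale key that is still in use needs the create-second-key step first.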

Limit number of inbound ports

Allowing a large number of inbound ports to reach AWS resources increases the chance of a network breach. Limit inbound rules to the required ports only, and restrict each rule's source to specific resources (by referencing their security group) or to specific subnets or IP ranges rather than the whole Internet.

  • Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/
  • In the navigation pane, choose Security Groups.
  • Select the security group to update, and choose Inbound Rules to update a rule for inbound traffic.
  • Choose Edit. Modify the rule entry as required and choose Save.
Note: It is highly recommended that inbound access on SSH (TCP port 22) or RDP (TCP port 3389) be limited to a specific IP address or IP range at a known source location. A rule whose source is 0.0.0.0/0 (or ::/0 for IPv6) admits connections from the entire Internet, and a rule with protocol "All traffic" and that source opens every port.
  • Log off the AWS Management Console.

Amazon EBS Public Snapshots

In order to avoid data theft, it is recommended to make sure no Amazon EBS snapshot is shared publicly. Any AWS account can create a volume from a public snapshot, and that volume contains the full contents of the original disk, including any keys, credentials or configuration files stored on it.

  • Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/
  • In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.
  • Select the volume snapshot that you want to examine.
  • Select Permissions tab from the dashboard bottom panel and check the snapshot access permissions. If the selected EBS volume snapshot is publicly accessible, the EC2 dashboard will display the following status: "This snapshot is currently Public."
  • Change permissions so that no EBS volume snapshot is configured with public access. The same Permissions tab also lists individual AWS account IDs the snapshot is shared with; confirm each one is an account you recognise and remove any that are not.
  • Log off the AWS Management Console.

Amazon RDS Public Snapshots

In order to avoid data theft, it is recommended to make sure no Amazon RDS snapshot is shared publicly. Only manual snapshots can be shared (automated backups cannot be shared directly), which is why the procedure filters on manual snapshots.

  • Login to the AWS Management Console.
https://console.aws.amazon.com/rds/
  • In the left navigation panel, under RDS Dashboard, click Snapshots.
  • Select Manual Snapshots from the Filter dropdown menu to display only manual database snapshots.
  • Select the snapshot that you want to examine.
  • Click Snapshot Actions button from the dashboard top menu and select Share Snapshot option.
  • On the Manage Snapshot Permissions page, check the DB Snapshot Visibility setting. If the setting value is set to Public, the selected Amazon RDS database snapshot is publicly accessible, therefore all AWS accounts and users have access to the data available on the snapshot.
  • Change permissions so that no Amazon RDS snapshot is configured with public access. The same page lists the individual AWS account IDs the snapshot is shared with; remove any account you do not recognise.
  • Log off the AWS Management Console.
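Both snapshot checks above (EBS and RDS) come down to reading one attribute per snapshot and looking for the "all" group, which is what the console renders as "This snapshot is currently Public" or DB Snapshot Visibility = Public. The following is an added example, not code from the original page: it evaluates constructed responses in the shape returned by aws ec2 describe-snapshot-attribute --attribute createVolumePermission and aws rds describe-db-snapshot-attributes (the DBSnapshotAttributesResult element), flags public snapshots and snapshots shared with accounts outside an assumed allow-list, and emits the matching CLI remediation command for each. The snapshot identifiers, account IDs and the TRUSTED_ACCOUNTS set are invented.

```python
# Constructed sample shaped like `aws ec2 describe-snapshot-attribute
#   --snapshot-id <id> --attribute createVolumePermission` for three snapshots.
# {"Group": "all"} is what the console shows as "This snapshot is currently Public."
EBS_SNAPSHOT_ATTRIBUTES = [
    {"SnapshotId": "snap-0aaa111122223333a", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbb111122223333b", "CreateVolumePermissions": [{"UserId": "111111111111"}]},
    {"SnapshotId": "snap-0ccc111122223333c", "CreateVolumePermissions": []},
]

# Constructed sample shaped like the DBSnapshotAttributesResult element of
# `aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>`.
# An AttributeValues list containing "all" is DB Snapshot Visibility = Public.
RDS_SNAPSHOT_ATTRIBUTES = [
    {"DBSnapshotIdentifier": "prod-db-2020-04-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "prod-db-2020-04-08",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
    {"DBSnapshotIdentifier": "test-db-copy",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["210987654321", "all"]}]},
]

# Assumed allow-list of account IDs that may receive shared snapshots (constructed).
TRUSTED_ACCOUNTS = {"210987654321"}


def ebs_sharing(attr):
    """Return (is_public, [account IDs shared with]) for one EBS snapshot attribute."""
    perms = attr.get("CreateVolumePermissions", [])
    public = any(p.get("Group") == "all" for p in perms)
    accounts = [p["UserId"] for p in perms if "UserId" in p]
    return public, accounts


def rds_sharing(attr):
    """Return (is_public, [account IDs shared with]) for one RDS snapshot attribute set."""
    values = []
    for a in attr.get("DBSnapshotAttributes", []):
        if a.get("AttributeName") == "restore":
            values.extend(a.get("AttributeValues", []))
    return "all" in values, [v for v in values if v != "all"]


def audit_snapshots(ebs_attrs, rds_attrs, trusted=TRUSTED_ACCOUNTS):
    """Return a list of (snapshot_id, problem, remediation_command) tuples."""
    findings = []
    for attr in ebs_attrs:
        sid = attr["SnapshotId"]
        public, accounts = ebs_sharing(attr)
        base = (f"aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
                f"--attribute createVolumePermission --operation-type remove")
        if public:
            findings.append((sid, "public", f"{base} --group-names all"))
        for acct in accounts:
            if acct not in trusted:
                findings.append((sid, f"shared with untrusted account {acct}",
                                 f"{base} --user-ids {acct}"))
    for attr in rds_attrs:
        sid = attr["DBSnapshotIdentifier"]
        public, accounts = rds_sharing(attr)
        base = (f"aws rds modify-db-snapshot-attribute --db-snapshot-identifier {sid} "
                f"--attribute-name restore")
        if public:
            findings.append((sid, "public", f"{base} --values-to-remove all"))
        for acct in accounts:
            if acct not in trusted:
                findings.append((sid, f"shared with untrusted account {acct}",
                                 f"{base} --values-to-remove {acct}"))
    return findings


if __name__ == "__main__":
    for sid, problem, fix in audit_snapshots(EBS_SNAPSHOT_ATTRIBUTES, RDS_SNAPSHOT_ATTRIBUTES):
        print(f"{sid}: {problem}\n    {fix}")
```

Removing the "all" group is the whole remediation: AWS does not revoke volumes or databases already created from the snapshot, so a snapshot that was public for any length of time should be treated as disclosed.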

Amazon RDS Security Group Access Risk

Allowing unnecessary inbound access to Amazon RDS instances increases the chance of a network breach. Limit inbound access to each RDS instance to the required sources only. Note: the DB security groups checked below apply only to instances outside a VPC (EC2-Classic). An instance in a VPC uses VPC security groups, which are reviewed from the EC2 console exactly as in the Limit number of inbound ports section above; in that case look for rules on the database port (for example TCP 3306 for MySQL or TCP 5432 for PostgreSQL) with source 0.0.0.0/0.

  • Login to the AWS Management Console
https://console.aws.amazon.com/rds/
  • In the navigation panel, under RDS Dashboard, click Security Groups.
  • Select the DB security group that you want to examine and click on the details button (magnifying glass icon).
  • Check the CIDR/IP value listed in the Details column for each authorized connection. If the security group contains any rule whose CIDR/IP is 0.0.0.0/0 with Status authorized, the DB security group is insecure: it allows connections to the database port from any address on the Internet.
  • Configure the source CIDR/IP to the required subnet or IP address, or reference the EC2 security group of the application servers that need the database.
  • Log off the AWS Management Console.
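The Limit number of inbound ports section and this section describe the same check in two places: find inbound rules whose source is the whole Internet, and treat those on administrative ports (SSH, RDP) or on all ports as the serious ones. The following is an added example, not code from the original page, and serves both sections. It evaluates constructed data in the shape returned by aws ec2 describe-security-groups (used for EC2 instances and VPC-based RDS) and by aws rds describe-db-security-groups (the legacy DB security groups), using the ipaddress module to decide whether a CIDR covers everything. Group names, IDs and the office range 203.0.113.0/24 are invented.

```python
import ipaddress

# Ports the page singles out as needing a restricted source; the check also reports
# an "all traffic" rule, which covers these and everything else.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample shaped like the SecurityGroups list from `aws ec2 describe-security-groups`.
EC2_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

# Constructed sample shaped like the DBSecurityGroups list from `aws rds describe-db-security-groups`.
RDS_DB_SECURITY_GROUPS = [
    {"DBSecurityGroupName": "default", "IPRanges": [{"Status": "authorized", "CIDRIP": "0.0.0.0/0"}]},
    {"DBSecurityGroupName": "app-db", "IPRanges": [{"Status": "authorized", "CIDRIP": "10.0.1.0/24"}]},
]


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_ports(perm):
    """Port range a rule covers; IpProtocol '-1' means all protocols and all ports."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_open_inbound_rules(security_groups, admin_ports=ADMIN_PORTS):
    """Return one finding per (rule, world-wide source) pair, in input order.
    Severity: CRITICAL for all-traffic rules, HIGH when an admin port is covered,
    INFO for other world-open ports (443 on a web tier may be intentional)."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = _rule_ports(perm)
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in sources:
                if not _is_world(cidr):
                    continue
                exposed = [name for port, name in admin_ports.items() if lo <= port <= hi]
                if perm["IpProtocol"] == "-1":
                    severity = "CRITICAL"
                elif exposed:
                    severity = "HIGH"
                else:
                    severity = "INFO"
                findings.append({"group": sg["GroupId"], "name": sg.get("GroupName", ""),
                                 "protocol": perm["IpProtocol"], "ports": (lo, hi),
                                 "source": cidr, "admin": exposed, "severity": severity})
    return findings


def find_open_db_security_groups(db_security_groups):
    """Names of legacy DB security groups with an authorized 0.0.0.0/0 rule."""
    return [g["DBSecurityGroupName"] for g in db_security_groups
            if any(r.get("Status") == "authorized" and _is_world(r["CIDRIP"])
                   for r in g.get("IPRanges", []))]


if __name__ == "__main__":
    for f in find_open_inbound_rules(EC2_SECURITY_GROUPS):
        print(f"{f['severity']:<8} {f['group']} ({f['name']}) {f['protocol']} {f['ports']} from {f['source']} admin={f['admin']}")
    for name in find_open_db_security_groups(RDS_DB_SECURITY_GROUPS):
        print(f"CRITICAL DB security group {name} authorizes 0.0.0.0/0")
```

Rules whose source is another security group (UserIdGroupPairs) are deliberately not reported: a reference to a group is the restricted form the text recommends, not an open one.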

Amazon S3 Bucket Permissions

Allowing public access to S3 buckets increases the chance of a data breach. Make sure no S3 bucket is publicly accessible unless it intentionally serves public content, and keep an inventory of those that do.

  • Sign in to the AWS Management Console
https://console.aws.amazon.com/s3/
  • Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu.
  • In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Everyone". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Everyone" is an AWS predefined group that allows access to everyone, including anonymous (unauthenticated) users. If the bucket ACL grants the "Everyone" group the List (READ) permission, the selected S3 bucket is publicly listable and is rendered as insecure; with the Write permission it is publicly writable, which is worse. The predefined group "Any authenticated AWS user" is effectively public as well, because any AWS account in the world can authenticate.
  • Check the bucket policy on the same tab as well: a statement with Effect Allow and Principal "*" (or {"AWS": "*"}) grants access to everyone regardless of the ACL, unless a Condition narrows it.
  • Make sure no S3 bucket is publicly accessible. Enabling Block Public Access at the account level (or per bucket) stops new public ACLs and policies from taking effect and is the simplest way to keep the account in this state.
  • Log off the AWS Management Console.
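The check described above is a scan of each bucket's ACL grants for the AllUsers and AuthenticatedUsers predefined groups (the console labels them "Everyone" and "Any authenticated AWS user"), plus a look at the bucket policy for a wildcard principal. The following is an added example, not code from the original page: it runs that logic over constructed data in the shape returned by aws s3api get-bucket-acl and the Policy string of aws s3api get-bucket-policy. Bucket names, the canonical user ID and the VPC endpoint ID are invented; a wildcard-principal statement carrying a Condition is reported as "conditional" rather than "public", since a policy restricted to a VPC endpoint is a common and legitimate pattern.

```python
import json

# Group URIs as they appear in ACL grants; the console shows them as
# "Everyone" and "Any authenticated AWS user".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Constructed owner with an invented canonical user ID.
OWNER = {"Type": "CanonicalUser", "ID": "c0ffee" * 10 + "beef"}

# Constructed samples shaped like `aws s3api get-bucket-acl` output, keyed by bucket name.
BUCKET_ACLS = {
    "public-assets": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "shared-reports": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ]},
    "app-logs": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ]},
    "website-data": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}

# Constructed samples shaped like the Policy field of `aws s3api get-bucket-policy`
# (a JSON document serialised as a string).  Buckets without a policy are absent.
BUCKET_POLICIES = {
    "website-data": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::website-data/*"}]}),
    "app-logs": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
}


def acl_public_grants(acl):
    """(group, permission) for every grant to AllUsers or AuthenticatedUsers."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            out.append(("AllUsers", g["Permission"]))
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            out.append(("AuthenticatedUsers", g["Permission"]))
    return out


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one entry of a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """(sid, kind, actions) for Allow statements with a wildcard principal; kind is
    'conditional' when a Condition is present, otherwise 'public'."""
    out = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        out.append((st.get("Sid", ""), "conditional" if st.get("Condition") else "public", actions))
    return out


def audit_buckets(acls, policies):
    """Map bucket name -> list of exposure findings (empty list means none found)."""
    report = {}
    for name, acl in acls.items():
        findings = [f"acl:{group}:{perm}" for group, perm in acl_public_grants(acl)]
        for sid, kind, actions in policy_public_statements(policies.get(name, '{"Statement": []}')):
            findings.append(f"policy:{kind}:{sid}:{','.join(actions)}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for bucket, findings in audit_buckets(BUCKET_ACLS, BUCKET_POLICIES).items():
        print(f"{bucket}: {findings or 'no public grants'}")
```

A "conditional" finding still deserves a look at the condition itself: aws:SourceVpce or aws:SourceIp restricts the statement, while a condition on something every caller can satisfy does not.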