Best practices for securing AWS account
Changing IAM user password
In-order to avoid potential compromise of credentials, it is recommended to replace every IAM user’s password, every 90 days.
- Sign in to the AWS Management Console and open the IAM console at:
- In the navigation pane, choose Users.
- Choose the name of the user whose password you want to change.
- Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
- Choose whether to have IAM generate a password or create a custom password:
- To have IAM generate a password, choose Autogenerated password.
- To create a custom password, choose Custom password, and type the password.
- To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.
- If you choose the option to generate a password, choose Show in the New password dialog box. This lets you view the password so you can share it with the user.
- Log off the AWS Management Console.
Changing IAM user access keys
In-order to avoid potential compromise of credentials, it is recommended to replace every IAM user’s access keys, every 90 days.
- While the first access key is still active, create a second access key.
- Sign in to the AWS Management Console and open the IAM console at
- In the navigation pane, choose Users.
- Choose the name of the intended user, and then choose the Security credentials tab.
- Choose Create access key and then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this closes. After you have downloaded the .csv file, choose Close.
- Update all applications and tools to use the new access key.
- Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.
- Choose Make inactive to deactivate the first access key.
- Use only the new access key to confirm that your applications are working.
- After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:
- Sign in to the AWS Management Console and open the IAM console at
- In the navigation pane, choose Users.
- Choose the name of the intended user, and then choose the Security credentials tab.
- Locate the access key to delete and choose its X button at the far right of the row. Then choose Delete to confirm.
- Log off the AWS Management console.
Limit number of inbound ports
Allowing large number of inbound ports access AWS resources increase the chance of network breach. Limit the number of inbound ports to required ports only and to specific resources or specific subnets.
- Open the Amazon EC2 console at
- In the navigation pane, choose Security Groups.
- Select the security group to update, and choose Inbound Rules to update a rule for inbound traffic.
- Choose Edit. Modify the rule entry as required and choose Save.
- Note: It is highly recommended that inbound access on SSH (port 22TCP) or RDP (port 3389TCP) will be limited to specific IP address or IP range from known source location.
- Log off the AWS Management console.