Best practices for securing AWS account

From PUBLIC-WIKI
Revision as of 16:58, 13 April 2020

Changing IAM user password

In order to limit the window in which a stolen or leaked password can be used, it is recommended to replace every IAM user's console password at least every 90 days. An IAM account password policy (IAM console, Account settings) can enforce this expiry automatically, and the IAM credential report lists each user's password_last_changed date, so stale passwords can be found without clicking through every user.

  • Sign in to the AWS Management Console and open the IAM console at:
https://console.aws.amazon.com/iam/
  • In the navigation pane, choose Users.
  • Choose the name of the user whose password you want to change.
  • Choose the Security credentials tab, and then under Sign-in credentials, choose Manage password next to Console password.
  • Choose whether to have IAM generate a password or create a custom password:
  • To have IAM generate a password, choose Autogenerated password.
  • To create a custom password, choose Custom password, and type the password.
  • To require the user to create a new password when signing in, choose Require password reset. Then choose Apply.
  • If you choose the option to generate a password, choose Show in the New password dialog box. This lets you view the password so you can share it with the user.
  • Log off the AWS Management Console.

Changing IAM user access keys

In order to limit the window in which a stolen or leaked key can be used, it is recommended to replace every IAM user's access keys at least every 90 days. Rotation is done with overlapping keys so that applications never lose access; a user can have at most two access keys at a time, which is why the old key must be deleted before the next rotation.

  • While the first access key is still active, create a second access key.
  • Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/
  • In the navigation pane, choose Users.
  • Choose the name of the intended user, and then choose the Security credentials tab.
  • Choose Create access key and then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close.
  • Update all applications and tools to use the new access key.
  • Determine whether the first access key is still in use by reviewing the Last used column for the oldest access key. One approach is to wait several days and then check the old access key for any use before proceeding.
  • Choose Make inactive to deactivate the first access key.
  • Use only the new access key to confirm that your applications are working.
  • After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key:
  • Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/
  • In the navigation pane, choose Users.
  • Choose the name of the intended user, and then choose the Security credentials tab.
  • Locate the access key to delete and choose its X button at the far right of the row. Then choose Delete to confirm.
  • Log off the AWS Management console.
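The two 90-day rules above (passwords and access keys) can be checked for the whole account at once from the IAM credential report instead of opening every user. The script below is an added example for this page, not code from AWS or the wiki: it parses the CSV that `aws iam get-credential-report` returns (the header is the real report header, the rows are constructed sample data for a fictitious account), and it also flags active keys that have not been used for 90 days, since the "Last used" value is what the rotation procedure relies on before deactivating an old key. The "now" timestamp is fixed to this revision's date so the run is reproducible.

```python
"""Flag IAM passwords and access keys that have not been rotated within 90 days.

Added example for this page, not code from AWS or the wiki. It parses the CSV
that `aws iam get-credential-report` returns (base64-encoded in its "Content"
field); the header is the real one, the rows are constructed sample data.
"""
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90

# Constructed sample report: one root row and three IAM users. Not a real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2020-04-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-01T09:00:00+00:00,true,2020-04-10T08:00:00+00:00,2020-03-01T09:00:00+00:00,2020-05-30T09:00:00+00:00,true,true,2020-03-01T09:05:00+00:00,2020-04-12T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-02-01T09:00:00+00:00,true,2020-04-09T08:00:00+00:00,2019-11-01T09:00:00+00:00,2020-01-30T09:00:00+00:00,false,true,2019-02-01T09:05:00+00:00,2020-04-12T08:00:00+00:00,eu-west-1,ec2,true,2020-04-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2019-08-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-08-01T09:05:00+00:00,2019-09-01T08:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed "now" (the date of this page revision) so the sample run is reproducible;
# use datetime.now(timezone.utc) against a real report.
AS_OF = datetime(2020, 4, 13, 16, 58, tzinfo=timezone.utc)


def parse_ts(value):
    """Return a tz-aware datetime, or None for the report's placeholder values
    (N/A, not_supported, no_information)."""
    if value in ("", "N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_report(report_csv, now=AS_OF, max_age=MAX_AGE_DAYS):
    """Return (user, credential, reason, age_days) tuples for every enabled console
    password or active access key older than max_age days ("not_rotated"), and for
    every active access key idle for more than max_age days ("unused")."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as not_supported and is skipped here.
        if row["password_enabled"] == "true":
            changed = parse_ts(row["password_last_changed"])
            if changed and (now - changed).days > max_age:
                findings.append((user, "password", "not_rotated", (now - changed).days))
        for n in ("1", "2"):
            key = f"access_key_{n}"
            if row[f"{key}_active"] != "true":
                continue
            rotated = parse_ts(row[f"{key}_last_rotated"])
            if rotated and (now - rotated).days > max_age:
                findings.append((user, key, "not_rotated", (now - rotated).days))
            # An active but idle key is a liability too. A key that was never used
            # has last_used_date N/A, so its age counts from the rotation date.
            last_used = parse_ts(row[f"{key}_last_used_date"]) or rotated
            if last_used and (now - last_used).days > max_age:
                findings.append((user, key, "unused", (now - last_used).days))
    return findings


if __name__ == "__main__":
    import sys
    # Optional argument: path to a decoded credential report; otherwise the sample is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else AS_OF
    for user, cred, reason, days in audit_report(report, now):
        print(f"{user:<16} {cred:<13} {reason:<12} {days} days")
```

To run it against a real account, generate and decode the report first: `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d > report.csv`, and pass `report.csv` as the argument. In the sample, alice is clean, bob has a 164-day-old password and a 437-day-old first key, and ci-bot's only key is both overdue for rotation and has not been used for 225 days, the case where the key should simply be made inactive and then deleted.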

Limit number of inbound ports

Every inbound port that is open towards an AWS resource is a potential entry point, so allowing a large number of inbound ports increases the chance of a network breach. Limit inbound rules to the ports the workload actually requires, and restrict their sources to specific IP ranges, security groups or subnets rather than to the whole internet.

  • Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/
  • In the navigation pane, choose Security Groups.
  • Select the security group to update, and choose Inbound Rules to update a rule for inbound traffic.
  • Choose Edit. Modify the rule entry as required and choose Save.
Note: It is highly recommended that inbound access on SSH (TCP port 22) or RDP (TCP port 3389) be limited to specific IP addresses or IP ranges at known source locations. A rule that allows these ports from 0.0.0.0/0 or ::/0 exposes the instance to the whole internet.
  • Log off the AWS Management console.
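Reviewing security groups one rule at a time in the console does not scale, and the three conditions the section warns about (too many ports in one rule, SSH/RDP from anywhere, or an all-traffic rule) are easy to check mechanically. The script below is an added example for this page, not code from AWS or the wiki: it walks the JSON that `aws ec2 describe-security-groups` returns and reports each offending rule. The three groups in it are constructed sample data, and the 16-port threshold for a "wide" rule is an assumed value to adjust per environment.

```python
"""Flag over-permissive inbound security-group rules.

Added example for this page, not code from AWS or the wiki. The input has the
shape `aws ec2 describe-security-groups` returns (SecurityGroups[].IpPermissions);
the three groups below are constructed sample data, not a real account.
"""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
MAX_PORT_SPAN = 16  # assumed threshold: one rule opening more ports than this is flagged

SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}], "Ipv6Ranges": []}
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "admin-open", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
      {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
       "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "overly-wide", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
       "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
      {"IpProtocol": "-1",
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
      {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
       "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
    ]}
  ]
}
""")


def rule_sources(rule):
    """All CIDR sources of one rule, IPv4 and IPv6. Sources that are other
    security groups or prefix lists are not CIDRs and are not examined here."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def audit_security_groups(doc, max_span=MAX_PORT_SPAN):
    """Return (group_id, source, protocol/ports, reason) for each rule that allows
    all protocols, spans more than max_span ports, or exposes SSH/RDP to anywhere."""
    findings = []
    for sg in doc["SecurityGroups"]:
        gid = sg["GroupId"]
        for rule in sg["IpPermissions"]:
            proto = rule["IpProtocol"]
            for src in rule_sources(rule):
                if proto == "-1":  # "All traffic": no FromPort/ToPort in the rule
                    findings.append((gid, src, "all", "all protocols and ports allowed"))
                    continue
                if proto not in ("tcp", "udp"):  # icmp: FromPort/ToPort are type/code
                    continue
                lo, hi = rule["FromPort"], rule["ToPort"]
                ports = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
                span = hi - lo + 1
                if span > max_span:
                    findings.append((gid, src, ports, f"port range spans {span} ports"))
                if src in ANYWHERE and proto == "tcp":
                    for port, name in ADMIN_PORTS.items():
                        if lo <= port <= hi:
                            findings.append((gid, src, ports,
                                             f"{name} (port {port}) reachable from the internet"))
    return findings


if __name__ == "__main__":
    import sys
    # Optional argument: a file holding describe-security-groups output; else the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for gid, src, ports, reason in audit_security_groups(doc):
        print(f"{gid}  {src:<18} {ports:<16} {reason}")
```

Against a real account, save `aws ec2 describe-security-groups > sgs.json` and pass the file as the argument (per region, since security groups are regional). The "web" group is clean even though 80/443 are open to everyone, because those are the ports the workload requires; "admin-open" produces the two SSH/RDP findings the note above warns about, and "overly-wide" shows the two patterns that deserve a rewrite rather than a tweak: a 0-65535 range and an all-traffic rule.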

Amazon EBS Public Snapshots

In order to avoid data theft, it is recommended to make sure that no Amazon EBS snapshot is configured with public access. A public snapshot can be used by any AWS account to create a volume, so everything that was on the disk at the time of the snapshot is exposed, including any credentials or keys stored on it.

  • Open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/
  • In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.
  • Select the volume snapshot that you want to examine.
  • Select Permissions tab from the dashboard bottom panel and check the snapshot access permissions. If the selected EBS volume snapshot is publicly accessible, the EC2 dashboard will display the following status: "This snapshot is currently Public."
  • Change permissions so that no EBS volume snapshot is configured with public access.
  • Log off the AWS Management console.
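The Permissions tab shows one snapshot at a time; the same check can be run over every snapshot the account owns from the output of `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`. The script below is an added example for this page, not code from AWS or the wiki. It goes one step beyond the section's "no public snapshots" rule by also reporting snapshots shared with accounts outside an allow-list, since a snapshot shared with an unknown account leaks the same data; the four attribute records, the allow-list and the account IDs in it are constructed sample data.

```python
"""Find EBS snapshots that are public, or shared with accounts outside an allow-list.

Added example for this page, not code from AWS or the wiki. Each record has the
shape `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`
returns; the records and all account IDs below are constructed sample data.
"""

# Constructed allow-list: accounts that may receive shared snapshots (e.g. sibling accounts).
TRUSTED_ACCOUNTS = {"210987654321"}

# Constructed describe-snapshot-attribute results for four owned snapshots.
SAMPLE_ATTRIBUTES = [
    {"SnapshotId": "snap-0123456789abcdef0",
     "CreateVolumePermissions": [{"Group": "all"}], "ProductCodes": []},
    {"SnapshotId": "snap-0123456789abcdef1",
     "CreateVolumePermissions": [{"UserId": "210987654321"}], "ProductCodes": []},
    {"SnapshotId": "snap-0123456789abcdef2",
     "CreateVolumePermissions": [{"UserId": "210987654321"}, {"UserId": "999999999999"}],
     "ProductCodes": []},
    {"SnapshotId": "snap-0123456789abcdef3",
     "CreateVolumePermissions": [], "ProductCodes": []},
]


def shared_with(attr):
    """Return (is_public, sorted list of account IDs) from one attribute record.
    Public access is expressed as the group "all"; cross-account sharing as UserId entries."""
    perms = attr.get("CreateVolumePermissions", [])
    public = any(p.get("Group") == "all" for p in perms)
    accounts = sorted(p["UserId"] for p in perms if "UserId" in p)
    return public, accounts


def classify_snapshot(attr, trusted=TRUSTED_ACCOUNTS):
    """One of "public", "shared_untrusted", "shared" or "private"."""
    public, accounts = shared_with(attr)
    if public:
        return "public"
    if any(a not in trusted for a in accounts):
        return "shared_untrusted"
    return "shared" if accounts else "private"


def audit_snapshots(attrs, trusted=TRUSTED_ACCOUNTS):
    """Map every snapshot ID to its classification."""
    return {a["SnapshotId"]: classify_snapshot(a, trusted) for a in attrs}


def remediation(attr, trusted=TRUSTED_ACCOUNTS):
    """Return the AWS CLI commands that remove public access and any sharing with
    untrusted accounts from this snapshot; an empty list means nothing to do."""
    public, accounts = shared_with(attr)
    untrusted = [a for a in accounts if a not in trusted]
    base = (f"aws ec2 modify-snapshot-attribute --snapshot-id {attr['SnapshotId']}"
            f" --attribute createVolumePermission --operation-type remove")
    cmds = []
    if public:
        cmds.append(f"{base} --group-names all")
    if untrusted:
        cmds.append(f"{base} --user-ids {' '.join(untrusted)}")
    return cmds


if __name__ == "__main__":
    for attr in SAMPLE_ATTRIBUTES:
        print(attr["SnapshotId"], classify_snapshot(attr))
        for cmd in remediation(attr):
            print("   ", cmd)
```

The quickest way to list candidates in a real account is `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all`, which returns only the owner's public snapshots; feed each SnapshotId to describe-snapshot-attribute to obtain the records this script expects. Snapshots, like security groups, are regional, so the check has to be repeated per region.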