Here are three of the simplest - often overlooked - ways to quickly improve the security of your AWS account.
I'm always amazed, when we audit an AWS account, by how many folks don't have a password policy enabled. We would never run without one on-premises, but for some reason it happens all the time on AWS. Enabling a password policy takes all of two minutes and ensures that your users have high-quality passwords.
You can enable an IAM password policy via the AWS Management Console, or, if you have the AWS CLI installed, run the command below:

aws iam update-account-password-policy --minimum-password-length 14 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 5 --hard-expiry

One caveat: --hard-expiry means a user whose password has expired cannot change it themselves and is locked out of the console until an administrator resets it, so make sure that is the behaviour you want before enabling it.
IAM Access Keys are long-term credentials with no built-in method of forcing users to rotate them. The best course of action here is 1) avoid them at all costs, which means not creating them in the first place, and 2) if you must provide programmatic access to your AWS environment, start with an IAM Role first (an instance profile for EC2, a cross-account role for a third party, or AssumeRole for people using the CLI).
However, if you find yourself with IAM Access Keys that you cannot simply deactivate and then delete, I would suggest forcibly rotating any that are older than 90 days.
Just the other week, we performed an AWS Security Audit for a customer and identified keys which were over three years old!
Do yourself a favour: phase them out where you can, and where they are genuinely necessary, build an automated method of rotation rather than relying on someone remembering to do it.
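The quickest way to find those three-year-old keys is the IAM credential report, which also tells you which console users have no MFA device (the topic of the next section). The script below is an added example for this post, not AWS tooling: it parses the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` produces, flags active access keys rotated more than 90 days ago, and lists password-enabled users without MFA. The embedded report is constructed sample data (the account ID 123456789012 is a placeholder), the function names are mine, and the clock is pinned so the sample output is reproducible.

```python
"""Audit an IAM credential report for stale access keys and users lacking MFA.

Added example, not from the original post or from AWS. Usage with a real
report: python iam_audit.py report.csv  (report.csv = base64-decoded output of
`aws iam get-credential-report --query Content --output text`).
"""
import csv
import io
import sys
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold recommended above

# Pinned clock so the sample findings are reproducible; use
# datetime.now(timezone.utc) against a live report.
NOW = datetime(2018, 1, 8, 12, 0, tzinfo=timezone.utc)

# Constructed sample report using the column layout AWS emits. Account ID
# 123456789012 is a placeholder; the users and dates are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-10T09:00:00+00:00,not_supported,2018-01-02T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T10:00:00+00:00,true,2018-01-05T11:00:00+00:00,2017-12-01T10:00:00+00:00,2018-03-01T10:00:00+00:00,true,true,2017-12-01T10:00:00+00:00,2018-01-05T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2014-11-20T10:00:00+00:00,true,2018-01-04T09:00:00+00:00,2017-06-01T10:00:00+00:00,2017-09-01T10:00:00+00:00,false,true,2014-11-20T10:00:00+00:00,2018-01-04T09:00:00+00:00,eu-west-1,ec2,true,2017-10-15T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2017-01-15T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-01-15T10:00:00+00:00,2018-01-06T02:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report(report_csv):
    """Return the credential report as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def _parse_time(value):
    """Convert a report timestamp to a datetime; AWS uses sentinel strings
    (N/A, no_information, not_supported) where no date applies."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(rows, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """List (user, key slot, age in days) for active keys rotated before the cutoff.
    Inactive keys are skipped: deactivate-then-delete is still the right fix for them."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and rotated < cutoff:
                findings.append((row["user"], f"key {slot}", (now - rotated).days))
    return findings


def users_without_mfa(rows):
    """List console-capable users with no MFA device. The root row reports
    password_enabled as not_supported, but root always has a password."""
    return [
        row["user"]
        for row in rows
        if (row["password_enabled"] == "true" or row["user"] == "<root_account>")
        and row["mfa_active"] != "true"
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rows = parse_report(fh.read())
        now = datetime.now(timezone.utc)
    else:
        rows, now = parse_report(SAMPLE_REPORT), NOW
    for user, slot, age in stale_access_keys(rows, now):
        print(f"ROTATE  {user}: {slot} is {age} days old")
    for user in users_without_mfa(rows):
        print(f"NO MFA  {user}")
```

Against the sample data the script flags bob's first key (over three years old, the kind of finding mentioned above) and deploy-bot's key, and reports bob as a console user without MFA; alice's recently rotated key and the MFA-protected root account pass. Note that the report only shows when a key was last rotated, not whether it has leaked, so a clean age check is a floor, not a guarantee.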
Finally, enable Multi-Factor Authentication (MFA), hardware or software based, on all accounts, not just the root account and 'privileged' IAM users. Mistakes happen, and you never know when that 'read-only' group accidentally becomes a full-administrator group. Protect yourself by enforcing MFA on all IAM identities (people and services) by adding Condition statements on the aws:MultiFactorAuthPresent key to your IAM policies, so that a password alone is never enough to do anything useful.
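Here is the shape such a Condition statement takes. This is an example policy added to this post, not one the author published: attached to every IAM user or group, it denies every action except the ones needed to enrol an MFA device and to request an MFA-backed session token whenever the request was not authenticated with MFA. The Sid is my own label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingUnlessMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

The operator matters: aws:MultiFactorAuthPresent is simply absent from requests signed with long-term access keys, and a plain Bool condition does not match a missing key, so with Bool the Deny would never fire for exactly the credentials you most want to restrict. BoolIfExists treats a missing key as a match, which means access-key users must first call sts:GetSessionToken with their MFA code and use the temporary credentials it returns. Check the policy against your own CLI and SDK workflows before rolling it out, because it will break any script that relies on bare access keys, which is the point.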
A few other services should always be enabled in your AWS account. AWS Config records the configuration history of your resources and CloudTrail records every API call, and together they give you a complete picture of what is happening in your AWS account. AWS recently released GuardDuty, which analyses CloudTrail, VPC Flow Logs and DNS logs for threats; turn it on as well.
One last thing: if you're leveraging a third-party SaaS tool that does not support cross-account IAM Roles and instead demands long-term access keys, find yourself another solution.