Simple ways to improve the security of your AWS account

Brett Gillett

Here are three of the simplest - often overlooked - ways to quickly improve the security of your AWS account.

Enable a Password Policy

I’m always amazed when we audit an AWS account, how many folks don’t have a password policy enabled in their AWS account. We would never do this on-premise, but for some reason, it happens all the time on AWS. Enabling a password policy takes all of two minutes and ensure that your users have high-quality passwords.

You can enable an IAM password policy via the AWS Management Console, or if you have the AWS CLI installed, you can simply run the command below: aws iam update-account-password-policy –minimum-password-policy 14 –require-symbols –require-numbers –require-uppercase-characters –require-lowercase-characters –allow-users-to-change-password –max-password-age 90 –password-reuse-prevention 5 –hard-expiry

Rotate Old Credentials

IAM Access Keys - long-term credentials with no (built-in) method of forcing users to rotate them. The best course of action here is to 1) avoid them at all costs - this means not creating them in the first place and 2) If you must provide programmatic access to your AWS environment you should start with an IAM Role first.

However, if you find yourself in the position of having IAM Access Keys (which you cannot disable - and then remove), I would suggest forcefully rotating any that are older then 90 days.

Just the other week, we performed an AWS Security Audit for a customer and identified keys which were over three years old!

Do yourself a favour - phase them out where you can and when necessary come up with an automated method of rotation.

Enable MFA

Finally, enable Multi-Factor Authentication (MFA) - hardware or software based on all account - not just the root and ‘privileged’ IAM accounts - on all accounts. Mistakes happen, and you never know when that ‘read-only’ group accidentally becomes a full-administrator group. Protect yourself by enforcing MFA on all IAM accounts (people and services) by addition Condition statements to your IAM Policies.

Bonus Tips

A few other services should always be enabled in your AWS Account. AWS Config and CloudTrail give you a complete picture of what is happening in your AWS account. AWS recently released GuardDuty - turn it on as well.

One last thing - if you’re leveraging a 3rd party SaaS tool which does not support IAM Roles - find yourself another solution.