InfoSecurity Europe: AWS Security Best Practices
One talk by Evident.io Founder and CTO Justin Lundy focused on securing Amazon Web Services (AWS) access with best security practices in the industry. Here’s a summary of some of the top tips:
Disable the Root Account API Access Key
Don’t use your AWS root access key to make programmatic requests to AWS - you can’t restrict permissions associated with your AWS account access key.
For everyday access, create admin identity access management (IAM) users. This eliminates any risk associated with developers that may hardcode the root key in secret, then accidentally upload it to Github - it can be exposed publicly to anyone online.
Root account credentials give you complete, unrestricted access to all resources on your AWS account - that includes billing information and password management. AWS recommends that you don’t use root account credentials for everyday access.
Enable Multi-Factor (MFA) Everywhere
Use multi-factor authentication to protect your root and IAM users. It can be assigned to certain roles, and you can use either physical or virtual MFA. Physical MFA includes the use of a hardware token or USB device, while virtual MFA refers to the use of an authentication mobile application that sends passcodes or push notifications to the user to approve before logging in.
Adding another method of identity verification to your logins strengthens your access security. Sixty-three percent of reported data breaches involved stolen, weak or default credentials, according to the latest Verizon Data Breach Investigations Report. Using a secondary authentication method can deter and prevent malicious hackers from accessing your AWS account.
Reduce the Number of IAM Users With Admin Access
How many different people have the keys to your kingdom? Limit the scope of risk by creating individual IAM users within a single AWS account, and give them their own passwords and individual access keys. That way, you can quickly revoke or change an IAM user’s access.
Segment your IAM users into different groups, then determine which roles they should each have, and restrict those roles so they can only perform certain actions pertaining to their job.
You can apply conditional policies to deny IAM users access except to a specific set of AWS products and resources, as outlined in Example Policies for Administering AWS Resources.
If your users already have a way to be authenticated, then you can use identity federation to manage your users and AWS. See Federating Existing Users for more information.
Use Roles for Apps that Run on EC2 Instances
According to AWS, you can use IAM roles to provide credentials to an application in a secure way, if your Amazon Elastic Compute Cloud (EC2) instances need to contact other AWS services, like AWS Software Development Kits (SDKs) and AWS Command Line Interface (CLI).
Amazon EC2 refers to the web service that provides scalable computing capacity in the cloud. Amazon’s IAM dynamically provides a set of temporary credentials to the EC2 instance, which are automatically rotated.
This is to reduce your attack surface area, and eliminate the need to hardcode keys. EC2 keys can be exposed and used to launch attacks or host malware. Learn how to manage credentials in IAM Roles for Amazon EC2.
Enact the Principle of Least Privilege for Programs
Programs should use the least amount of privilege to get the job done. IAM can get very granular, and should be applied to all automated workflows, according to Justin. With IAM roles, you can you can assign temporary permissions that applications can use to make calls to other AWS resources.
You can also restrict role permissions to prevent users from obtaining elevated privileges, by creating a policy that uses the PassRole action. Learn more about roles in Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.
Rotate All Keys Regularly
Rotate your keys every 90 days and change your passwords to limit your exposure, ensuring that any exposed keys or compromised credentials won’t work. There have been cases of accidental uploads of keys to Github, and knowing this, attackers will scan Github to find AWS keys.
ITNews.com reported that thousands of AWS secret keys could be found on Github in plaintext in 2014, uploaded by developers along with their code. Anyone that found the keys could access and delete their entire environment. Hackers actually run bots that scan Github for keys, as Runa Sandvik wrote about in a Forbes article, Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency.
Get step-by-step instructions in the AWS blog, How to Rotate Access Keys for IAM Users.
These are just a few tips on AWS security best practices - get more on Evident.io’s blog.