Best Practices for accessing AWS accounts - Quick Reference
Introduction
Now and then I run into the question of which best practices should apply when providing access to your AWS accounts. To a large extent this information is readily available in resources across the internet (such as this and this), but I thought it would be useful to provide a quick reference to it.
Providing access to AWS services
| Practice | Rationale | Priority |
|---|---|---|
| Always use IAM users; do not use the AWS account user or its access keys | The AWS account user is the root user, with access to all services and all data. Normal operations should not be carried out with it; use IAM users with the appropriate privileges instead, and do not create access keys for the root user at all. | High |
| Use separate AWS accounts for production and non-production purposes | This gives strong separation and requires a re-login when moving from one account to another. It reduces the risk of unintended changes and allows access rights to be tailored for DevOps engineers. | High |
| Use RBAC practices with IAM groups, following the least-privilege model | Granting permissions to groups rather than to individual users gives a more transparent and manageable access-rights model (IAM groups are distinct from IAM roles, which are assumed by services or sessions rather than by users). | Medium |
| Enforce a strong password policy | Important to prevent passwords from being guessed or cracked. | High |
| Enable multi-factor authentication | Enable MFA for both (human) IAM users and the root user; it adds a second layer of security on top of the password. | High |
| Implement key rotation | Ensure that access keys for IAM users are changed periodically (say once every three months). For more info, see this blog. | Medium |
| Let users manage their own password | Ensure that users can change their own passwords, and (strongly) encourage a password-rotation schedule. | Medium |
| Use policy conditions for extra security | Policy conditions enforce additional constraints, for instance that only particular users may delete a particular AWS resource. This is useful for fundamental services whose failure would have a large impact on the service. | Medium |
| Enable audit trails | Enabling CloudTrail records the API calls made in the account, which enables security analysis, resource-change tracking and compliance auditing. | Medium |
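The root-user, MFA and key-rotation rows above can all be checked from one artifact, the IAM credential report. The following is an added example, not code from the original post: it parses a constructed report (same column layout as `aws iam get-credential-report` output, but only a subset of the columns, with an invented account id, usernames and timestamps) and flags root access keys, missing MFA, keys older than 90 days and overdue password rotation.

```python
"""Audit an IAM credential report against the root-user, MFA and key-rotation practices.

Added example, not code from the original post. The report text below is
constructed: it uses a subset of the columns of `aws iam get-credential-report`
output, and the account id, usernames and timestamps are invented.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (column names as in the real report, values invented).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2019-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2018-01-01T00:00:00+00:00,2019-04-30T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-06-01T00:00:00+00:00,true,2019-05-02T09:00:00+00:00,2019-03-01T00:00:00+00:00,2019-05-30T00:00:00+00:00,true,true,2019-03-15T00:00:00+00:00,2019-05-02T09:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-02-01T00:00:00+00:00,true,2019-05-02T10:00:00+00:00,2018-11-01T00:00:00+00:00,2019-01-30T00:00:00+00:00,false,true,2017-02-01T00:00:00+00:00,2019-05-01T10:00:00+00:00,true,2019-04-01T00:00:00+00:00,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2018-09-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-09-01T00:00:00+00:00,2019-05-02T00:00:00+00:00,false,N/A,N/A
"""

MAX_KEY_AGE = timedelta(days=90)  # rotation interval suggested in the table above


def _parse_time(value):
    """ISO-8601 timestamp -> aware datetime; N/A, not_supported, no_information -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def parse_credential_report(text):
    """Turn the CSV text of a credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, now, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for every practice a row violates."""
    findings = []
    for row in rows:
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        # MFA: required for the root user and for any user who can sign in with a password.
        if (is_root or has_password) and row["mfa_active"] != "true":
            findings.append((user, "mfa_not_enabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # The root user should have no access keys at all, whatever their age.
                findings.append((user, f"root_access_key_{slot}_exists"))
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                findings.append((user, f"access_key_{slot}_older_than_{max_key_age.days}_days"))
        # Password rotation: the report derives the next rotation date from the password policy.
        next_rotation = _parse_time(row["password_next_rotation"])
        if has_password and next_rotation is not None and next_rotation < now:
            findings.append((user, "password_rotation_overdue"))
    return findings


def run_sample(now=datetime(2019, 5, 3, tzinfo=timezone.utc)):
    """Audit the constructed report as of a fixed date so the result is reproducible."""
    return audit(parse_credential_report(SAMPLE_REPORT), now)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Service users such as `deploy-bot` have no password, so they are exempt from the MFA check but not from key rotation; the root row is flagged for any active key regardless of age, because the practice is to have none.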
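To make the "policy conditions" row concrete, here is an added example (not code from the original post) of a policy that lets a group work with DynamoDB day to day but denies deletion of one critical table unless the caller is one of two named users and signed in with MFA. The table ARN, account id and usernames are invented; `aws:username` and `aws:MultiFactorAuthPresent` are real IAM global condition keys. The small evaluator underneath is a toy written for this example to show how the statements combine; it is not IAM's evaluation engine and supports only the operators used here.

```python
"""IAM policy conditions that restrict deletion of one critical resource, with a
toy evaluator to show how the statements behave.

Added example, not code from the original post. The table ARN, account id and
usernames are invented; aws:username and aws:MultiFactorAuthPresent are real
IAM global condition keys. The evaluator covers only the operators used here.
"""
import fnmatch

TABLE_ARN = "arn:aws:dynamodb:eu-west-1:123456789012:table/orders"  # hypothetical
ALLOWED_DELETERS = ["alice", "ops-lead"]  # hypothetical

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Day-to-day access for the group this policy is attached to.
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "*",
        },
        {   # Nobody but the named users may delete the table ...
            "Effect": "Deny",
            "Action": "dynamodb:DeleteTable",
            "Resource": TABLE_ARN,
            "Condition": {"StringNotEquals": {"aws:username": ALLOWED_DELETERS}},
        },
        {   # ... and even they need an MFA-authenticated session. BoolIfExists,
            # not Bool: with long-lived access keys the MFA key is absent from the
            # request context, and a plain Bool condition would then never fire.
            "Effect": "Deny",
            "Action": "dynamodb:DeleteTable",
            "Resource": TABLE_ARN,
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, context):
    """One (operator, key) pair. Simplified IAM semantics: a missing key makes
    negated (...Not...) and ...IfExists operators true, everything else false."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in context:
        return if_exists or "Not" in base
    actual = str(context[key])
    expected = [str(v) for v in _as_list(expected)]
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    if base == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"operator {operator} not supported by this toy evaluator")


def _statement_matches(stmt, action, resource, context):
    # IAM action names match case-insensitively; ARNs are case-sensitive.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator/key pair in a Condition block must hold (logical AND).
    return all(
        _condition_holds(op, key, expected, context)
        for op, pairs in stmt.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def evaluate(policy, action, resource, context):
    """Explicit Deny wins, then an Allow, otherwise the implicit Deny."""
    matching = [s for s in policy["Statement"] if _statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matching) else "Deny"


if __name__ == "__main__":
    for user, mfa, action in [("alice", "true", "dynamodb:DeleteTable"),
                              ("alice", "false", "dynamodb:DeleteTable"),
                              ("bob", "true", "dynamodb:DeleteTable"),
                              ("bob", "true", "dynamodb:PutItem")]:
        ctx = {"aws:username": user, "aws:MultiFactorAuthPresent": mfa}
        print(user, mfa, action, "->", evaluate(POLICY, action, TABLE_ARN, ctx))
```

The two Deny statements are deliberately separate: IAM ANDs the conditions inside one statement, so a single statement with both conditions would only deny callers who are simultaneously outside the list and without MFA, which is not the intent.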
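An audit trail is only useful if something reads it. As an added example (not code from the original post), the detection below runs over CloudTrail records and raises two of the alerts the table implies: any activity by the root user, and console sign-ins that succeeded without MFA. The records are constructed to follow the CloudTrail record layout (`userIdentity`, `eventName`, `responseElements`, `additionalEventData.MFAUsed`); the account id, names, IP addresses and times are invented.

```python
"""Two detections over CloudTrail records: root-user activity and console
sign-ins that succeeded without MFA.

Added example, not code from the original post. The records below are
constructed to follow the CloudTrail record layout; account id, names, IP
addresses and times are invented.
"""
import json

ROOT_ARN = "arn:aws:iam::123456789012:root"  # invented account id

# Constructed records, one JSON document per line, as delivered from a trail.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2019-05-02T07:55:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012", "arn": ROOT_ARN},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-05-02T08:01:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-05-02T08:02:41Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-05-02T08:10:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-05-02T08:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012", "arn": ROOT_ARN}},
    {"eventTime": "2019-05-02T09:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/i-0123456789abcdef0"}},
]]


def detect(lines):
    """Return (rule, eventName, principal, eventTime) for each record that trips a rule."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        principal = ident.get("arn", "unknown")
        name = ev.get("eventName", "")
        when = ev.get("eventTime", "")
        # Rule 1: the root user should not be used at all, so every record is worth an alert,
        # even an MFA-protected sign-in.
        if ident.get("type") == "Root":
            alerts.append(("root_activity", name, principal, when))
        # Rule 2: a successful console sign-in without MFA. Failed attempts are
        # ignored here; they belong to a brute-force rule, not this one.
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("console_login_without_mfa", name, principal, when))
    return alerts


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The role-based `DeleteTable` call is deliberately silent: that is the pattern the "temporary credentials" row below recommends, and alerting on it would drown the signal from the two rules that matter.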
Providing access to the AWS hosted environments
| Practice | Rationale | Priority |
|---|---|---|
| Always use Virtual Private Clouds | This is the default in newly created AWS accounts, but VPCs should be used in all cases, as they add many additional options from a security perspective. For certain applications a dedicated VPC can be considered. | High |
| Use temporary credentials | When giving server instances access to AWS services, attach an IAM role to the instance so that it obtains temporary credentials automatically, rather than placing long-lived access keys on the instance. | High |
| Consider use of VPNs | Consider a VPN connection between your corporate network and the VPC, as it provides a strongly secured connection. However, ensure that only qualified staff have access to that particular network zone. | Medium |
| Use remote-access bastions | If there is no VPN connectivity between the VPC and the corporate network, use (SSH or RDP) bastion hosts to reach your server instances. Only run these bastions while access is required. | High |