Which is one of the main recommended best practices for root account security?
Replacing the root user with an administrator should always be your first step. Once that's done, you’ll need to create users with access that reflects the minimum amount of permissions required to do their job. Next, secure those users' access by defining password policies. Show
Get the Free Pen Testing Active Directory Environments EBookAs the organization begins to scale and you begin to use more services, you may require more fine-tuned configuration options. There are some high-level services, however, that will continue to ensure good security, no matter how big or fast the organization grows. AWS services like CloudTrail and Security Hub can be used to monitor and alert users about security issues from day one.
1. Create an admin accountThe principle of least privilege is a well-known security concept that limits a user's access to only what is required to perform their job. For example, providing a user with both read and write access to an S3 bucket when only read access is required would be a violation of least privilege. Root user credentials offer unlimited access to an account and all of its resources. With this in mind, it's easy to see why root access is rarely required, instead, you should use identity and access management (IAM) users and IAM roles with restricted permissions. It is an acceptable practice to create a single administrator user for day-to-day account administration — AWS created a role (with a subset of root access controls) specifically for this purpose. How to add an administrator:
Tip: Similar to how you create the administrator user to prevent root access, you should create more users in a similar manner to prevent the use of the admin user when not required. All further users and roles should strictly follow the principle of least privilege. Why is this important?You should only use the root account on rare occasions for activities such as updating billing details, enabling AWS marketplace or AWS support, or canceling the AWS account. 2. Update root user accessAfter you’ve created an admin user, it's time to restrict root user activity to only top-level account administration duties. Never generate access keys for a root user. Instead, use a strong password and immediately enable multi-factor authentication (MFA) to prevent its misuse — accidental or otherwise. How to update root user access:
Tip: MFA is not a replacement for strong passwords. Use a randomized password with letters, digits, and special characters. If you feel worried about misplacing or forgetting the password, use a password manager. Why is this important?The root user has access to all services and resources and can perform administrative actions including canceling your AWS account. 3. Create your AWS usersNow that you’ve created an administrator user, the next step is to create your day-to-day AWS users and define their access; using the administrator role should be limited to only when it’s necessary. The easiest way to create your AWS users is by using groups. This will allow you to easily change multiple users' access at once. This is useful if a certain group suddenly needs access to a new service, or no longer needs access to another. It’s important to note that users should not share the same login, as this will affect traceability and accountability. How to add daily AWS users:
Tip: At first glance, it may be difficult to select a policy that matches your exact requirements. In this case, select the most suitable option and later create a custom policy that can be added to that group. Why is this important?Minimizing access and keeping a record of who has access to what is critical for securing your AWS account, especially for those seeking to become compliant with standards such as ISO and SOC 2. 4. Secure access using MFANow that you’ve created users and groups, it's time to secure the access of those users via MFA. How to manage MFA:
Tip: If using a virtual device for MFA such as Google Authenticator, submit your codes immediately after generating them to ensure the MFA device is in sync. Why is this important?A user’s access is only as secure as their password. Whereas access keys are inherently complex, a bad actor may be able to guess your password. MFA reduces this risk. 5. Set standard password policiesIt's time to double down on securing user access. Use password policies to make sure passwords meet company, and if applicable, regulatory standards. How to set password policies:
Tip: Choose a balance between secure and maintainable. For example, expiring users' passwords every day could become a logistical nightmare. Why is this important?While it’s vital to maintain a secure password policy, multi-factor authentication becomes less secure if one of the factors is negligible. Having a strong password ensures that even if an MFA token gets compromised, any passwords brute force attacks will fail. 6. Define custom policiesWhen assigning policies to groups, you may have noticed that AWS provides an extensive library of prepackaged policies. These policies will cover a lot of standard use cases, but it's essential to define your own policies if the out-of-the-box policies still provide your users with too much access. For most companies, this is an ongoing, iterative process, and it's an important practice to start early, as these policies are the foundation of a secure AWS architecture. How to create your policies:
Tip: Always refer to the principle of least privilege when writing policies. Reduce any potential attack vectors by limiting the policy to only allow required actions against required resources. Why is this important?Limiting a user to a predefined set of actions and services or resources prevents misuse of AWS services, accidental or otherwise. 7. Secure EC2 useOnce you have your policies and procedures in place and your console users are ready to start using AWS, you can look at locking down individual services at the service level. One example is AWS’s popular compute service, Elastic Compute Cloud (EC2). EC2 allows users to spin up compute instances with their choice of processors, storage types, and operating systems. This is undoubtedly a tremendous help to developers, however, it is also a dangerous service to have enabled if it’s not secured. One of the most simple steps to secure EC2 use is to restrict users to pre-approved tagged Amazon Machine Images (AMI), a supported and maintained image provided by AWS. How to secure EC2:
Tip: See this link for a detailed breakdown. Why is this important?Using an insecure EC2 instance can open up your organization to sophisticated attacks. Should attackers gain access to that instance, they can assume its role and access all the same resources. Other AWS security tips to keep in mindNow that the AWS account has been fully set up, it's time to start future-proofing your AWS security. There are practices and principles you should follow outlined below. Use infrastructure as code via CloudFormation.The CloudFormation service lets you define your entire infrastructure as code (IaC). This allows you to version-control your infrastructure using tools such as git and makes it easy to subject your architecture to peer review and automated validation. You can easily configure, update, and redeploy services and policies across accounts and regions without fear of human error. Create stages using AWS Organizations.AWS Organizations allow you to quickly scale your organization by programmatically creating AWS accounts and managing them all from one central hub. This means you can audit and apply policies to multiple accounts and simplify your billing all in one place. Easy account management combined with CloudFormation allows you to create and monitor development, staging, and production accounts, giving you confidence that production is always stable. You can also have separate accounts for auditing and monitoring, which makes breaking down AWS bills easy. CloudTrail increases activity visibility.Once you have set up multiple accounts, it's important to monitor each account's activity for auditing purposes. CloudTrail logs will show every action a user takes and will allow you to quickly identify if anyone is performing actions they shouldn’t or if any users need resources they cannot access. CloudTrail logs will show what user performed (or attempted to perform) what action against which resource and when. To make sure CloudTrail truly reflects your account's activity, ensure it is configured to send all logs to a central bucket that no one but the CSO can access. This prevents users from carrying out actions and removing any traces of their own activity from CloudTrail. Automate security with Security Hub.As your organization scales, manual processes can become increasingly difficult. AWS offers a range of services to tackle different security issues. Even with those tools, though, managing the findings of the services can be overwhelming. Security Hub reduces the effort required to collect and prioritize security findings across accounts and services. It automatically handles data in different formats and normalizes the data so that it can highlight and correlate findings across multiple services. Security Hub can identify activity patterns and help provide insight into what's happening in your account. This service uses industry best practices and standards to provide you with overall health status. Service Hub even integrates with EventBridge, allowing you to automate the remediation of specific findings. Closing thoughtsIAM is crucial to securing AWS as your organization scales, and role-based access control sits at the heart of AWS security. Before you configure your new AWS account, you can find additional helpful information about IAM here. When it comes to planning your security and gaining insights into your security posture, Varonis can help. We're Varonis. We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform. |