When you moved your applications to the cloud, your attack surface changed while the vulnerabilities at the application, database, and network level persisted. To address these issues, securing your cloud perimeter, preventing unauthorized access, and protecting your data is crucial.
The first step in reducing the attack surface is to run a port scan against each instance IP and lock down all unnecessary open ports. In addition, be sure to lock down your instance metadata and user data. Detailed instructions on how to perform these security measures in AWS are available from our team.
Let’s dig a little deeper into preventing unauthorized access to your cloud servers, in particular, in Amazon Web Services (AWS). Using Identity and Access Management (IAM), you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. Here are 5 best practices for setting up secure Identity and Access Management in AWS:
1. Never Use the Root Account
The root account is the account created when signing up with AWS. It is similar to a superuser account and has unrestricted access to all AWS services and resources. Therefore, never share the root account credentials with anyone else. Instead, create an admin group and add to it the users who need admin-level privileges for day-to-day activities.
2. Managing Access Keys
To access the AWS Application Programming Interface (API) and make a successful request, users require a pair of keys: an access key ID and a secret access key. These keys determine who is making the request and whether that identity is allowed to access the requested resources; they are also used to sign the requests. We recommend not using access keys for the root account.
Instead, sign in to the AWS console with a username and password and with multi-factor authentication enabled. Ensure that any access keys for the root account are disabled or deleted. If there is a business requirement to use root account access keys, rotate them regularly.
It is quite common to hardcode keys into source code and push it to public repositories. This allows anyone to use the account, for example to spawn more EC2 instances. Attackers routinely scan public repositories such as GitHub and SourceForge for exactly this kind of sensitive information. To avoid exposing keys, follow these steps:
- Do not hardcode access keys directly into the code. Instead, place the keys in the locations (e.g., the AWS credentials file) that the AWS SDKs or AWS CLI read.
- Set up environment variables that can be accessed by SDKs or CLI.
- Use separate access keys for different applications. This isolates the permissions used by each application and lets you revoke them, if a key is compromised, without affecting other applications.
- Rotate access keys periodically, for example every 3 to 6 months.
- Automate removing keys that are unused for 90 days or more.
3. Grant Permissions Using IAM Roles
IAM roles differ from IAM users and groups. Users and groups are managed within the same account, whereas roles are used to provide delegated access to resources. Roles give tight control over identities and key rotation. Access to resources from mobile applications should always go through IAM roles. This helps implement the principle of least privilege.
4. Enable Multi-Factor Authentication
Multi-Factor Authentication (MFA) verifies a user’s identity using two or more independent methods. AWS supports MFA, and we strongly recommend enabling it for all AWS accounts.
A hardware MFA device should be used for the root account, since it reduces the attack surface compared to a virtual MFA. In general, virtual or SMS MFA inherits the attack surface of the phone or tablet on which it resides. Follow the steps below to enable MFA for AWS accounts:
- Log in to the IAM Console.
- Choose Activate MFA on your account under Dashboard > Security Status.
- Click the Manage MFA button and select either a virtual or a hardware MFA device (as shown in the figure below), after checking the list of AWS MFA-compatible applications.
- Proceed to the next step to activate the MFA device selected in the previous step.
5. Enforce a Strong Password Policy
IAM user accounts should enforce strong password policies, just as traditional applications do. The password policy should be as follows (CIS AWS Benchmark):
- Minimum password length of 14 or greater.
- Passwords should expire within 90 days or less.
- Passwords must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
- The number of passwords to remember should be set to restrict password reuse.
Additionally, configure the security challenge questions for AWS accounts. They help verify your identity when contacting customer service. To configure them, follow this path after logging in:
Account Name (top right) > My Account > Configure Security Challenge Questions
The credential report provides a quick snapshot of every user’s account details, such as the Amazon Resource Name (ARN), when the account was last used, when the password was last changed, the next rotation date, etc. These reports are useful for auditing and compliance, and for identifying unused accounts that should be deleted.
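As an added example (not from the original post), the following Python script audits a credential report for the checks described above: active root access keys, missing MFA, keys unused for 90 days or more, and keys older than 6 months. The report text is a constructed sample that uses a subset of the real report’s column names; real reports carry additional columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the columns of a real IAM credential report.
# Real reports carry more columns (password_last_used, cert_1_active, ...).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-05T10:00:00+00:00,2023-03-01T09:12:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-03-01T08:00:00+00:00,2024-05-20T12:30:00+00:00,false,N/A,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,false,false,true,2023-09-01T08:00:00+00:00,2023-11-15T04:00:00+00:00,true,2024-04-01T08:00:00+00:00,N/A
"""

def _parse_ts(value):
    """Return a datetime for an ISO-8601 cell, or None for N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_text, now, max_unused_days=90, max_age_days=180):
    """Flag root access keys, missing MFA and stale keys. Returns (user, finding) pairs."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console-capable identities (root, or users with a password) must have MFA.
        if row["mfa_active"] == "false" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "mfa_not_enabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root_access_key_{n}_active"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            # A never-used key counts as unused since it was created/rotated.
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"]) or rotated
            if last_used and now - last_used > timedelta(days=max_unused_days):
                findings.append((user, f"access_key_{n}_unused_{max_unused_days}d"))
            if rotated and now - rotated > timedelta(days=max_age_days):
                findings.append((user, f"access_key_{n}_older_than_{max_age_days}d"))
    return findings

def audit_sample():
    """Run the audit over the constructed report as of 2024-06-01 UTC."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

In practice the report text comes from `aws iam get-credential-report` (base64-encoded CSV), and the findings feed a ticket or an automated key-deactivation step.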
Implementing a few safeguards, such as never sharing keys or credentials, using least-privilege access roles, and enforcing MFA, will help secure access to your data in the cloud.