The head of global security programs for Amazon Web Services (AWS) recently said the biggest fear at AWS wasn’t a malicious attack or harmful coding, but a customer’s inadequate security protocols. Amazon stands by its security of a customer’s data at rest, but takes no action to prevent a user from maliciously – or accidentally – deleting any resources on an account.
AWS follows a shared responsibility model for its security — Amazon manages the security of the underlying infrastructure while customers control what security they administer in their AWS account. Yet some customers simply aren’t doing enough to safeguard their AWS assets. Even more bewildering, the tools and best practices available to increase the level of protection are incredibly easy and quick to implement.
Here are three simple things you can do to make sure your AWS account is better protected:
1. Utilize Identity and Access Management (IAM): IAM allows customers to centrally manage users, passwords, access keys, and permission policies that control which AWS services and resources users can access. Since AWS takes no action to prevent other users from wrongly deleting or provisioning AWS resources, it’s recommended that you assign the most restrictive permission levels to IAM users, including administrators.
In addition, consider designating someone to periodically check the IAM users and their policies to make sure no one receives more access than he or she needs. To save time, add your IAM policies at the group level and assign your IAM users to those groups (instead of adding IAM policies at the user level).
2. Enable Multi-factor Authentication (MFA): MFA is another layer of protection that requires users to type in an authentication code with their username and password when they log in. It can be activated on the root and the IAM account. This common safeguard is more secure than a password alone and should be a no-brainer for AWS users.
When setting this up, customers normally leverage a physical device (like a key fob or display card) for their root account, while encouraging their users to use a virtual device (such as Google Authenticator for iPhone or Android) for their IAM accounts
3. Use an email alias for your root account: Setting up a mailing list (i.e. email alias) allows you and your team to quickly identify or stay ahead of any improper activity. More eyes on the account and the notifications that are sent from AWS increase the likelihood that someone will discover a problem – for instance, unauthorized access to an AWS account at the root level – early before significant damage can be done.
In addition to greater visibility, email aliases also obviate the need to replace the email address on the account when an employee leaves the company. This is a minor best practice that can help you avoid a maddening situation later on.
AWS customers must realize that implementing these tools and best practices falls in their court. While Amazon puts itself in charge of the hardware infrastructure and physical security (the four walls, roof, and cement), data protection and asset security fall on the shoulders of customers. With these three simple best practices in place customers can increase the level of protection of their accounts, improve governance, and most of all avoid preventable disaster.
For more information on AWS, contact your SHI Account Team.