These are my verbatim notes to the PEAT UK podcast:
Hot shot 006 – Securing your AWS account
Friday, 18th May 2018
Hello there once again to another hot shot. My name is Peter Pilgrim, Platform engineer and DevOps specialist, and Java Champion.
Securing your AWS account and in particular the Identity and Access Management (IAM) console.
Here are some tips:
- You will want to change your personal Amazon account password immediately and make it very secure and very strong. Especially, if you share the username for your residential Amazon deliveries with your AWS console. Treat your Amazon and AWS root user accounts like a precious gold bar. Because if you lose possession of it, then your goose is, indeed, cooked.
- If you run your own business, you may want to associate your AWS root user account with a business account. Make sure that only you the business owner has access to this account.
- Learn about AWS security, the Identity and Access Management interface, otherwise known as IAM. Get a deep-dive; I recommend this a lot.
- Store the AWS root password in a cyber vault such as a very secure LastPass account that only you can access with a few trusted left tenants (lieutenants USA).
- Create for yourself a read-only user that lets you look at things without accidentally destroying important things like EC2 clusters, groups, instances, networks and VPCs, security groups, databases and resources.
- Consider adding Multi-Factor Authentication to protect your account. You’re quids in, if you are already using the Google Authenticator mobile phone application like I do for Google Mail and Google account access.
- Create separate IAM Users and IAM Groups. For example, you may want to create EC2 instance users and groups, which allow trusted people to start and stop instances. You may want to create another set of users, who can only access database instances such as RDS, Aurora and MySQL.
- Learn about IAM Roles, which give you an option to allow power users to assume roles. For example you might create an Administrator group and allow trusted Platform Engineers and DevOps technical leads (vis-a-vis Anchors) to become Administrator.
- Create IAM Roles with multiple managed policies. Amazon has this concept of managed policies for each service in the AWS platform. So, for example, you provision an EC2 instance with a role so that it launches with enough permissions. You need the policy AmazonEC2ReadOnlyAccess. If you want EC2 instances attached to the IAM Role to also access the S3 service, then you have to add an additional policy for the other service. You can add the policy AmazonS3ReadOnlyAccess to the custom IAM Role. This allows an EC2 instance with a web server to synchronise a static web site with the data on S3. Of course, you will need a script to synchronise the data first at launch time. The benefit of IAM Roles is that they share no secrets; they only provide permissions. Roles can be granted temporarily to users and systems.
- If you are going to secure your AWS account, you definitely want to learn about monitoring AWS beforehand. So delve into the CloudFront and CloudWatch screens.
- Re-evaluate the default AWS IAM password policy – Follow the advanced user advice from AWS. Once you are really good at AWS, then follow the advice to remove your root access keys. Enable password expiration and set expiration periods. Maybe you want to expire passwords every 3 months, or at 6 months. It depends on your situation (and, of course, your institution).
- Finally, if you want to call yourself an AWS expert, then you will have already watched the YouTube video from AWS re:Invent 2015 by Anders Samuelsson about IAM Best Practices. Please watch it now to become experienced.
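The EC2 instance role from the tips above, as an added example (my own code, not from the podcast or from AWS): it builds the trust policy that lets only the EC2 service assume the role, and the aws CLI calls that create the role, attach AmazonEC2ReadOnlyAccess, and wrap it in an instance profile. It goes one step beyond the notes by replacing AmazonS3ReadOnlyAccess (read access to every bucket in the account) with an inline policy scoped to the one website bucket that `aws s3 sync` needs. The role name and bucket name are constructed placeholders.

```python
import json
import shlex

# Constructed placeholder values, not from the podcast notes
ROLE_NAME = "web-static-site-role"
BUCKET = "your.website.hosted.on.aws.s3"  # bucket named in the user data script

def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role, so no access keys live on the box."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def s3_sync_read_policy(bucket: str) -> dict:
    """Least-privilege stand-in for AmazonS3ReadOnlyAccess: read one bucket only.
    `aws s3 sync` needs ListBucket on the bucket ARN and GetObject on its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def cli_commands(role: str, bucket: str) -> list:
    """The aws CLI calls, in order: role, managed policy, scoped inline policy, instance profile."""
    trust = shlex.quote(json.dumps(ec2_trust_policy()))
    scoped = shlex.quote(json.dumps(s3_sync_read_policy(bucket)))
    return [
        f"aws iam create-role --role-name {role} --assume-role-policy-document {trust}",
        f"aws iam attach-role-policy --role-name {role} "
        "--policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
        f"aws iam put-role-policy --role-name {role} --policy-name s3-site-read "
        f"--policy-document {scoped}",
        f"aws iam create-instance-profile --instance-profile-name {role}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {role} --role-name {role}",
    ]

if __name__ == "__main__":
    # Review the commands, then run them with credentials that may administer IAM
    print("\n".join(cli_commands(ROLE_NAME, BUCKET)))
```

Launch the instance with `--iam-instance-profile Name=web-static-site-role` and the user data script below can run `aws s3 sync` with no stored secrets.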
That’s it for this hot shot. I hope you liked it.
By the way, all your Shares, Likes, Comments are always more than welcomed!
Addendum: I also recommend that you watch the AWS re:Invent 2017 talk on how to become an IAM Ninja, AWS re:Invent 2017: IAM Policy Ninja (SID314), which has some updated information.
Addendum II: My apologies to my listeners and readers, because I forgot to add the user data script for the AWS AMI, which I modified to chmod write access to the Apache server.

#!/bin/bash
# User data for an Amazon Linux AMI: install Apache and PHP, pull the site from S3, start httpd
yum update -y
yum install -y httpd24 php70
# Pull the static site into the Apache document root; needs the instance role with S3 read access
aws s3 sync s3://your.website.hosted.on.aws.s3 /var/www/html
# Give the Apache user ownership of, and write access to, the document root
chown -R apache:apache /var/www/html
chmod -R u+w /var/www/html
service httpd start
chkconfig httpd on