Most users start with AWS on a one-year free tier account. There have been many incidents of such accounts being compromised and running up huge monthly bills. This happens for many reasons; for example, you may commit code containing your AWS access key and secret key to a public repository, an attacker finds the keys, gains access to the account and launches high-capacity instances, and you are left with a huge usage bill. Such compromises can largely be avoided by applying a few security policies and following best practices.
- Create an IAM user with admin privileges for yourself even if you have root access. Do not use your root account except for billing purposes.
- Set a strong password of more than 10 characters for your root account.
- Enable a strong password policy with password expiration for IAM users.
- Enable MFA (Multi-Factor Authentication) for the root account and all IAM user accounts.
- Do not create AWS access keys unless needed. Make existing keys inactive when they are not in use.
- Never hard-code your access keys in your code.
- Never store your access key and secret key on EC2 instances or in any other cloud storage. Use an IAM role instead.
- Never allow all ports in the security groups for your instances. Allow only the ports your applications require.
- Make use of NACLs (network ACLs) to provide an additional security layer.
- Create separate subnets for each application layer (web, DB, backend, etc.) and open only the required ports in each security group.
- Never share your AWS credentials through email. If you do, change the password as soon as possible.
- If you have many instances in a VPC, use a jump box to connect to them, or use a virtual VPN appliance such as OpenVPN.
- Do not launch instances in a public subnet unless required.
- Use NAT instances to patch your private instances rather than attaching an internet gateway to the private subnet.
- Set billing alerts and resource monitoring using CloudWatch and SNS.
- Enable the CloudTrail service, which logs all activity in your AWS account, including API requests.
- Use CloudWatch in conjunction with CloudTrail to get notified of any suspicious activity.
- Configure WAF in front of your CloudFront distribution or load balancer.
- Use AWS Organizations if you are managing multiple accounts.
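The leaked-key scenario from the introduction and the "never hard-code your access keys" item above are the easiest to catch before the damage is done: a scanner run as a pre-commit hook stops the commit that would publish the keys. The following is an added example, not code from the original post. The regular expressions rely on the public format of AWS key IDs (20 upper-case alphanumerics starting with `AKIA` for IAM user keys or `ASIA` for temporary STS keys) and on the 40-character shape of secret keys; the sample source file is constructed, and the key pair in it is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
import re
import sys

# Long-term IAM access key IDs start with AKIA and temporary STS ones with
# ASIA; both are 20 upper-case alphanumerics, which makes them easy to match.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-style characters with no fixed prefix, so
# on its own it looks like any other token; only flag it when it is assigned
# to a variable or key whose name says "aws ... secret ... key".
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(token):
    """Keep only the first and last four characters so reports can be shared."""
    return token[:4] + "..." + token[-4:]


def scan_text(text):
    """Return (line_number, kind, redacted_token) for every credential-looking
    string in the text, in order of appearance."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths):
    """Scan each file on disk; return {path: findings} for files that had any."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_text(fh.read())
        if found:
            report[path] = found
    return report


# Constructed sample source file. The key pair is the one AWS uses in its
# own documentation as a placeholder; it is not a live credential.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
session = boto3.Session()  # the right way: keys come from the role or environment
"""

if __name__ == "__main__":
    # As a pre-commit hook: `python scan_keys.py $(git diff --cached --name-only)`
    # exits non-zero when any staged file contains a key, which blocks the commit.
    # With no arguments it scans the constructed sample instead.
    targets = sys.argv[1:]
    hits = scan_files(targets) if targets else {"<sample>": scan_text(SAMPLE_SOURCE)}
    for path, findings in hits.items():
        for lineno, kind, token in findings:
            print(f"{path}:{lineno}: {kind} {token}")
    sys.exit(1 if hits else 0)
```

Only the redacted form of a token is ever reported, so the hook's output can be pasted into a ticket without re-leaking the key. The secret-key pattern is deliberately tied to a nearby variable name: a bare 40-character match would fire on every hash and base64 blob in a repository.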
We have listed the basic preliminary security measures you should take to secure your AWS accounts. If you are going to use your AWS account for any production workloads, you should go through all the AWS security whitepapers and follow the best practices described in them.
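The CloudTrail and CloudWatch items in the list above are the detection side of the same story: once every API call is logged, a small set of rules is enough to notice root-account use, console logins without MFA, and instance launches that do not look like your own. The following is an added example, not code from the original post. It reads CloudTrail records in the `{"Records": [...]}` layout of a delivered log file and uses the documented fields `userIdentity.type`, `eventName`, `awsRegion`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin` and `requestParameters.instanceType`; the allowed regions, the allowed instance families and the four log records are constructed for the example (the account ID and IP addresses are documentation placeholders).

```python
import json

# Constructed policy for this example: the regions the account is expected to
# use and the instance families its free-tier workloads normally launch.
ALLOWED_REGIONS = {"us-east-1"}
ALLOWED_INSTANCE_PREFIXES = ("t2.", "t3.")


def check_event(event):
    """Return a list of (rule, detail) alerts for one CloudTrail record."""
    alerts = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName")

    # The root account should only be used for billing, so any API or console
    # activity by it deserves a notification.
    if ident.get("type") == "Root":
        alerts.append(("root-activity", f"{name} by root from {event.get('sourceIPAddress')}"))

    # A successful console login without MFA means the MFA policy is not enforced.
    if name == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        result = event.get("responseElements", {}).get("ConsoleLogin")
        if result == "Success" and mfa != "Yes":
            alerts.append(("console-login-without-mfa", ident.get("arn", "?")))

    # Launches in an unexpected region or of an unexpected size are the classic
    # sign of a leaked key being used to run up a bill.
    if name == "RunInstances":
        region = event.get("awsRegion")
        itype = event.get("requestParameters", {}).get("instanceType", "")
        if region not in ALLOWED_REGIONS:
            alerts.append(("run-instances-unexpected-region", region))
        if not itype.startswith(ALLOWED_INSTANCE_PREFIXES):
            alerts.append(("run-instances-large-type", itype))
    return alerts


def scan_trail(records_json):
    """Parse a CloudTrail log file body and return (eventTime, rule, detail)
    tuples for every alert, in log order."""
    out = []
    for ev in json.loads(records_json)["Records"]:
        for rule, detail in check_event(ev):
            out.append((ev.get("eventTime"), rule, detail))
    return out


# Constructed records, not real log data; shaped like delivered CloudTrail files.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventTime": "2019-05-01T10:05:00Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-05-01T11:30:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventTime": "2019-05-01T12:00:00Z", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

if __name__ == "__main__":
    for when, rule, detail in scan_trail(SAMPLE_TRAIL):
        print(f"{when} {rule}: {detail}")
```

In a real deployment the same rules would live as CloudWatch Logs metric filters on the CloudTrail log group, with an alarm publishing to an SNS topic; the point of the script is to make the conditions concrete and testable before they are turned into filters. The first record, ordinary read-only activity by an IAM user, produces no alert, which is the behaviour you want so the notifications stay meaningful.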