Whether you are a solo developer or an account owner where multiple developers use your account, it is crucial to properly manage access to AWS.
You can access AWS resources in two ways: through the web console and through programmatic access.
Many incidents have occurred where AWS accounts received huge bills because large EC2 instances were created to run Bitcoin mining programs. Usually the root cause is AWS credentials with Administrator access that were exposed through committed code, application vulnerabilities, or human mistakes.
Root Login Account
When you create an AWS account, the email address you provide becomes the root account. This login has unrestricted power over everything in the AWS account.
First: Add MFA to the Account
Multi-factor authentication (MFA) is essential for protecting account access. It ensures that someone who obtains the username and password cannot log in with those alone. Enable MFA for the root account.
Second: Don’t Use This Account
Since the root account is so powerful, set it up, put it aside, and use an IAM user for day-to-day work instead.
IAM User
You can create any number of IAM (Identity and Access Management) users. These users can have limited access through IAM policies. IAM users can vary in their usage: from regular users with password access to the AWS console to users with access credentials configured in applications to access specific AWS resources, such as an S3 bucket for uploading objects.
Protect IAM Users with MFA
Just like the root account, it’s important to protect IAM users with Multi-Factor Authentication (MFA). This adds an extra layer of security: even if an IAM user’s credentials are compromised, an attacker without the second factor is still blocked. You can enable MFA for IAM users through the AWS Management Console.
Principle of Least Privilege
We should follow the principle of Least Privilege when configuring IAM user permissions. This means granting an IAM user account only the permissions it needs. For example, if we configure a user access key in an application that uploads files to an S3 bucket, we assign that user a policy like the one below, which allows only uploads into that bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::example_bucket/*"
        }
    ]
}
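A quick way to keep policies honest is to check them for wildcard grants before attaching them. The script below is an added example, not code from the original article or from GuardKite: it parses the upload policy above and a constructed Administrator-style policy (Action "*" on Resource "*", the shape that turns a leaked key into a full-account compromise) and reports any Allow statement that grants wildcard actions or applies to every resource. Object-level wildcards such as `example_bucket/*` are deliberately not flagged, because scoping to "all objects in one bucket" is exactly what least privilege looks like here. The helper names and the broad policy are constructed for the example.

```python
"""Flag over-broad Allow statements in IAM policy documents (added example)."""
import json

# The least-privilege upload policy from the section above.
LEAST_PRIVILEGE_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::example_bucket/*"
        }
    ]
}
"""

# Constructed for this example: an Administrator-style grant of everything on everything.
BROAD_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
}
"""


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json):
    """Return human-readable findings for Allow statements that are broader than
    a least-privilege policy should be: any wildcard in an action name, or a
    Resource of "*". Deny statements are skipped; NotAction/NotResource are not
    handled here and would need separate review."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action")):
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append(f"statement {index}: applies to every resource")
    return findings


if __name__ == "__main__":
    for name, doc in (("upload policy", LEAST_PRIVILEGE_POLICY), ("broad policy", BROAD_POLICY)):
        findings = find_broad_grants(doc)
        print(f"{name}: {'no wildcard grants' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it as-is to see the upload policy pass and the broad policy produce two findings; to check your own policies, pass the JSON text of each one to `find_broad_grants`.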
Access Keys
When you create an IAM user, you can generate access keys (an access key ID and a secret access key), which act as the username and password you set in the application. It’s best practice to rotate access keys periodically to ensure:
- Security: the same credentials are not left valid for long periods.
- Traceability: you know where each key is used.
You can learn more about creating IAM user accounts and IAM policies by following these links:
GuardKite provides AWS owners with insights for account access security and reminders to rotate access keys regularly. Try it out today to enhance your AWS security!