AWS Account Management Guidance

Introduction

Security is a top priority at AWS. Every service that is offered is tightly controlled and adheres to a strict security standard. This is evident in the security and compliance accreditations which AWS has been able to obtain. These can be reviewed on the AWS Compliance website. Simply by using AWS, you are able to directly benefit from the policies that are already in place. However, AWS operates under a Shared Responsibility model: we are responsible for securing the physical infrastructure up to the hypervisor, and additionally for some managed services such as RDS. You, the customer, have a responsibility for managing the security profile of your environment, which may include the operating systems, the applications, and the access provided to users.

The following guidance will assist in your development of an AWS Account Management strategy, which should be a key part of your overall security strategy.

If you browse to the AWS IAM Console, on the dashboard you will see the Security Status dashboard. This dashboard provides a status of key checks against fundamental best practices. Anything with a warning exclamation point should be reviewed. We will be covering all of these topics in the following segments of this video.

Step 1: Remove Root Access Keys

When you create an AWS account, a root account is created which provides full access to all resources. Part of the registration process has you create a password. With this password, you are able to log in to the AWS Management Console. You are also able to create Access Keys, which are used to programmatically interact with AWS services, for example with one of our SDKs or our CLI tools. It is strongly recommended that Access Keys for the root account not be used, as you cannot restrict their usage via any IAM policies. If they do not exist, do not create them, and plan on using individual IAM Users for all of your AWS administration.
If they exist already, it is recommended that they be deleted.

Step 2: From the Security Status dashboard, expand the "Delete your root access keys" check and click on the Manage Security Credentials button. Select Continue to Security Credentials on the presented pop-up. Expand the Access Keys section. Here you will see listed the current Access Keys that you created for this root account. There may be up to two created and Active at one time.

Step 3: Prior to deleting the root account access keys, you should make any active keys inactive so that you can determine where these keys are being used.
For example, errors from existing application configurations may appear, or users may have access issues once you make them inactive. IAM Users should be used in each of these cases instead. Once you are confident that you have identified everywhere the access keys were being used and have provided replacement IAM credentials, you can then delete all of your root Access Keys. Going back to the IAM console, we can now see the Access Key check is green.

Step 3: Enable MFA on Root Account

To further restrict and protect access to the root AWS account, it is recommended that a Multi-Factor Authentication (MFA) device be activated and associated. This can be a virtual device (smartphone app) or a physical device from Gemalto.

Step 4: From the Security Status dashboard, expand the "Activate MFA on your root account" item. Click on Manage MFA. As previously mentioned, there are multiple MFA options available. Click on the AWS Multi-Factor Authentication link to get details on the supported options. Virtual options via the AWS MFA App or Google Authenticator can be used on any Android or iOS smartphone or tablet. Gemalto has two options available for a hardware-based MFA: a key fob or a credit-card form factor device. Any of these will work similarly; it is simply a matter of preference.

Step 5: In this example, I will be using the AWS MFA App, which is already installed on my phone. Go back to the IAM tab to continue the MFA wizard. Make sure "A virtual MFA device" is selected and click on Next Step. If you haven't already, install the virtual MFA application on your device and then select Next Step. You are now presented with a QR code which you can scan with your virtual MFA app. If this is the first time you have used this app, you may be prompted to install an additional barcode scanning tool.
If you do not have the ability to scan QR codes, or do not want to, click on "Show secret key for manual configuration" and enter that key manually into your virtual MFA app.

Step 6: After scanning the QR code with your app, it should display information about your root account on the app. Select the account on your screen and you should be presented with a One Time Code. Input this code into the Authentication Code 1 field.
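The virtual MFA app used in Steps 5 through 7 derives its one-time codes from the secret behind the QR code (the same value shown by "Show secret key for manual configuration") using RFC 6238 TOTP. The following added example, which is not part of the original guide, reproduces that computation so the two-codes-30-seconds-apart check in Steps 6 and 7 is easy to understand; the base32 secret is the RFC 6238 test vector, not a real AWS secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the "secret key for manual configuration": this is the
# base32 encoding of the RFC 4226/6238 test key b"12345678901234567890".
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """The manual-configuration key is base32; strip spaces and pad before decoding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP as virtual MFA apps compute it: HMAC-SHA1 over the 30-second counter,
    RFC 4226 dynamic truncation, then the last `digits` decimal digits."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def two_consecutive_codes(secret_b32, unix_time, step=30):
    """Steps 6 and 7 ask for codes from two consecutive 30-second windows.
    Returns (first code, code of the next window, seconds until that window starts);
    the second code is only available once the counter has advanced."""
    secret = decode_secret(secret_b32)
    first = totp(secret, unix_time, step)
    next_window = (int(unix_time) // step + 1) * step
    second = totp(secret, next_window, step)
    return first, second, next_window - int(unix_time)


def current_codes(secret_b32):
    """Codes for the current window and the one that follows, using the system clock."""
    return two_consecutive_codes(secret_b32, time.time())


if __name__ == "__main__":
    first, second, wait = two_consecutive_codes(EXAMPLE_SECRET_B32, 59)
    print(f"code now: {first}, code in {wait}s: {second}")
```

Because the code depends only on the secret and the clock, a wrong or repeated second code usually means the device clock has not yet crossed into the next 30-second window, which is why Step 7 says to wait a little longer.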
Step 7: After waiting 30 seconds, go back to your virtual MFA app. Select the root account again to display another One Time Code. Make sure it is different from the first one. If it is the same, wait a little bit longer before you try again. Input this code into the Authentication Code 2 field and click Next Step. You should be presented with a successfully associated message. Click Finish. Clicking refresh on the Security Status dashboard, you can now see the "Activate MFA on your root account" check is green.

Step 8: Let's test the MFA to verify it is working. Log out of your root account from the AWS Console. Input your existing credentials, the email address for the account and the password. These have not changed. You are now prompted for the Authentication Code, which you can retrieve from your virtual MFA app. As expected, we were able to successfully authenticate to the console.

Step 9: Create an IAM Group, Assign Privileges

Similar to how you lay out your own authorization groups, you should create IAM Groups which map to specific user job functions. Each IAM Group will then have the IAM permissions assigned to perform these specific tasks. The practice of assigning least privilege should be followed as well. In our example, we will create a group for our Administrators. From the IAM Console, select Groups from the left menu. Click on Create New Group at the top. Give the group an applicable name, Administrators in my example. Then click on "Next Step".

Step 10: Now you need to decide the AWS permissions you want to assign to this IAM Group.

o You can choose an existing Policy Template which has predefined permissions set to meet specific roles or services that need to be used.
o You can also use the Policy Generator to create an itemized policy for your specific groups of users.
o You can create both Allow and Deny statements for the AWS services and the respective Actions available for those services.
o If you have a custom policy already developed, you can reuse it. Give the policy a name and paste it into the Policy Document field.
o The last option is to assign no permissions. Perhaps you simply want to create a placeholder for the group and will circle back for the permissions at a later time.
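The Allow and Deny statements mentioned in Step 10 are combined by IAM so that an explicit Deny in any attached policy overrides every Allow, and anything not explicitly allowed is denied. The following added example (not part of the original guide, and a deliberately simplified model of IAM's evaluation logic) shows that behaviour using the AdministratorAccess template from Step 11 next to a constructed least-privilege group policy; the second policy document and its statement names are assumptions for illustration.

```python
import fnmatch
import json

# Policy document behind the AdministratorAccess template chosen in Step 11.
ADMINISTRATOR_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed example of a least-privilege group policy: read-only EC2, plus an
# explicit Deny so members can never terminate instances, whatever else is attached.
EC2_READONLY_NO_TERMINATE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:Get*"], "Resource": "*"},
   {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
""")


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    # Action names are case-insensitive; resource ARNs are compared as written.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource="*"):
    """Simplified identity-policy evaluation across every policy attached to a user
    or group: explicit Deny wins, then any Allow grants, otherwise deny by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny ends evaluation immediately
            allowed = True
    return allowed


if __name__ == "__main__":
    both = [ADMINISTRATOR_ACCESS, EC2_READONLY_NO_TERMINATE]
    print("admin can create users:", is_allowed([ADMINISTRATOR_ACCESS], "iam:CreateUser"))
    print("admin + deny can terminate:", is_allowed(both, "ec2:TerminateInstances"))
```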
Step 11: In our example, we will choose Administrator Access from the Policy Templates. You will then be given a view of the policy that will be assigned to the group we are creating. Select Next Step. A summary screen will be presented. Click "Create Group" to finalize. Create additional IAM Groups for all of your job roles.

Step 12: Create an IAM Password Policy

Those IAM users who need to use the AWS Management Console will require a password, versus the Access Keys which are used for programmatic access. Within the policy, you are able to specify requirements related to length, history, and expiration period, as well as minimum requirements for the use of letters, numbers, and non-alphanumeric characters. By default, there is no policy enforced regarding the strength of the passwords chosen. It is a best practice to create a password policy which is in line with your existing company and regulatory policies. From the Security Status dashboard, expand the "Apply an IAM password policy" item. Click on Manage Password Policy. Apply the password policy to have your changes take effect. You can edit the existing password policy to update it for any new requirements. Although not recommended, you can also delete the current password policy.

Step 13: Create an IAM User

Granting access to your AWS resources is a necessary step. Resources need to be created and run, which requires access to interact with these services. With every AWS account, there is a single root account which has unrestricted access to do anything. We have taken steps earlier in this series to restrict the accessibility of the root account credentials. What needs to be absolutely clear is that the root account should not be used unless absolutely necessary. Any user who needs to interact with your AWS services should have a unique IAM User created. User credentials should not be shared.
Instead, create IAM Groups for each job function and assign the necessary IAM permissions for that specific job function. Then create an IAM User and assign the applicable IAM Groups to each IAM User. In our example, we will create a user account who will be an Administrator, instead of using the root credentials for administrative tasks. From the IAM Console, click on Users. Click on "Create New Users". Input the username for the account you are creating. As you can see, you can create multiple IAM users at one time. In our example, we will create a single account for joeadmin. A checkbox is already enabled which states that Access Keys will be generated for each user. If the users you are creating only need access via the AWS Management Console, access keys are not required. Only the username and password, which we will set, are needed.
If the users need programmatic access, via an SDK or the CLI for example, then Access Keys are required. We will leave it checked for our admin user. Click Create.

Step 14: The Access Keys can be viewed and downloaded from this screen. Click on Download Credentials to receive a CSV file containing the Access Keys for each user that you have just created. These will need to be provided securely to the users so that they can use them with their programmatic toolsets. Click on Close to return to the IAM Console.

Step 15: By default, each IAM User that you create will not have any permissions set. You can either assign IAM permissions for specific AWS services directly to the individual IAM User or through an IAM Group. IAM Groups are the preferred method.

Step 16: Let's assign the Administrators group to the newly created account. Select the user and from the User Actions dropdown choose "Add User to Groups". Select the applicable IAM Groups for this user. In our example, we will assign the Administrators group we have already created. Check the Administrators group and click on Add to Groups. An IAM User can be a member of up to 10 IAM Groups at one time. Our new user now has administrative privileges. Any IAM user that needs access to the AWS Management Console will need to have a password created. A user can have both a password and Access Keys at the same time. The type of interaction they require will dictate the type of credentials created.

Step 17: Select the user to assign a password and choose Manage Password from the "User Actions" dropdown. You can either have a password auto-generated or choose a custom password. In our example, I will have one auto-generated. You can also require the user to create their own password, in accordance with the password policy that is in place, the first time they log into the AWS Management Console. This applies to both auto-generated and custom passwords.
In our example, I will check "Require user to create a new password at next sign-in". Click Apply. You can now download the credentials as well as view the current password that was created. Provide this password securely to the user so that they can test their access. Click Close to go back to the IAM Console.
Enabling an MFA for our root account is a best practice. For the users you create which will have elevated privileges (for example creating IAM resources, managing SSH key pairs, managing Security Groups), you may want to enable an MFA for those users as well. To enable an MFA for an IAM user, select a user from the IAM Console and from the User Actions dropdown select "Manage MFA Device". This is the same procedure we completed for the root account earlier; please refer to those instructions.

Conclusion

As you can see, we are now compliant with all of the Security Status dashboard checks. These are the fundamental steps that should be addressed. Additional material can be referenced in the IAM documentation, which showcases best practices related to that service. Also, please reference the AWS Security Best Practices whitepaper for a more holistic view in preparation for creating your organization's security profile.