AWS Account Management Guidance

Introduction

Security is a top priority at AWS. Every service that is offered is tightly controlled and adheres to a strict security standard. This is evident in the security and compliance accreditations that AWS has obtained, which can be reviewed on the AWS Compliance website. Simply by using AWS, you directly benefit from the controls that are already in place. However, AWS operates under a Shared Responsibility model: AWS is responsible for securing the physical infrastructure through the hypervisor, and for some managed services such as RDS. You, the customer, are responsible for managing the security profile of your environment, which may include the operating systems, the applications, and the access granted to users. The following guidance will assist you in developing an AWS Account Management strategy, which should be a key part of your overall security strategy.

If you browse to the AWS IAM Console, the dashboard shows a Security Status panel. This panel reports the status of key checks against fundamental best practices. Anything flagged with a warning exclamation point should be reviewed. We will cover each of these checks in the following segments of this video.

Step 1: Remove Root Access Keys

When you create an AWS account, a root account is created which provides full access to all resources. Part of the registration process has you create a password; with this password you can log in to the AWS Management Console. You can also create Access Keys, which are used to interact programmatically with AWS services, for example through one of our SDKs or the CLI tools. It is strongly recommended that Access Keys for the root account not be used, because their usage cannot be restricted by any IAM policy. If they do not exist, do not create them, and plan on using individual IAM Users for all of your AWS administration.
If they already exist, it is recommended that they be deleted.

Step 2: From the Security Status dashboard, expand the "Delete your root access keys" check and click the Manage Security Credentials button. Select Continue to Security Credentials on the pop-up that appears. Expand the Access Keys section. Here you will see the Access Keys currently created for the root account. There may be up to two keys created and active at one time.

Step 3: Prior to deleting the root account access keys, make any active keys inactive so that you can determine where these keys are being used.

For example, errors may appear in existing application configurations, or users may lose access, once you make the keys inactive. In each of these cases, IAM Users should be used instead. Once you are confident that you have identified everywhere the access keys were being used and have provided replacement IAM credentials, you can delete all of your root Access Keys. Going back to the IAM console, we can now see that the Access Key check is green.

Enable MFA on Root Account

To further restrict and protect access to the root AWS account, it is recommended that a Multi-Factor Authentication (MFA) device be activated and associated with it. This can be a virtual device (a smartphone app) or a physical device from Gemalto.

Step 4: From the Security Status dashboard, expand the "Activate MFA on your root account" item and click Manage MFA. As previously mentioned, there are multiple MFA options available; click the AWS Multi-Factor Authentication link for details on the supported options. Virtual options, via the AWS MFA app or Google Authenticator, can be used on any Android or iOS smartphone or tablet. Gemalto offers two hardware MFA options: a key fob or a credit-card form factor device. All of these work similarly; it is simply a matter of preference.

Step 5: In this example, I will be using the AWS MFA app, which is already installed on my phone. Go back to the IAM tab to continue the MFA wizard. Make sure "A virtual MFA device" is selected and click Next Step. If you haven't already, install the virtual MFA application on your device, then select Next Step. You are now presented with a QR code which you can scan with your virtual MFA app. If this is the first time you have used the app, you may be prompted to install an additional barcode scanning tool.
If you do not have the ability to scan QR codes, or do not want to, click "Show secret key for manual configuration" and enter that key manually into your virtual MFA app. Treat that secret like a password: it is the seed from which every future code is derived, so anyone who copies it can generate valid codes, and it should not be stored next to the account password.

Step 6: After scanning the QR code with your app, the app should display an entry for your root account. Select that account and you will be presented with a one-time code. Input this code into the Authentication Code 1 field.
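The root-key audit in Steps 1 through 3 and the MFA check above can be repeated from the command line instead of by clicking through the console. The script below is an added example, not code from the original guide: it reads the CSV that `aws iam get-credential-report` returns (the `Content` field, base64-decoded) and the map that `aws iam get-account-summary` returns, both embedded here as constructed sample data so it runs offline, and reports whether root access keys exist, where each active one was last used (the information Step 3 has you gather before deleting), and whether root MFA is active. The 90-day staleness window is an assumption.

```python
"""Root credential audit from the IAM credential report.

Added example, not from the original guide. Runs offline on constructed
sample data; see the comments for the real commands that produce each input.
"""
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the CSV behind `aws iam get-credential-report`.
# Real reports carry more columns; only the ones used here are present.
# The root user appears as <root_account>.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,false,true,2015-06-01T14:02:00+00:00,us-east-1,s3,false,N/A,N/A,N/A
joeadmin,arn:aws:iam::123456789012:user/joeadmin,true,true,2015-06-10T09:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A
"""

# Constructed sample of `aws iam get-account-summary`; 1 = present/enabled.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountAccessKeysPresent": 1,
                                 "AccountMFAEnabled": 0}}


def parse_credential_report(content):
    """Parse report CSV text, or the base64 `Content` field, into row dicts."""
    if not content.lstrip().startswith("user,"):
        content = base64.b64decode(content).decode("utf-8")
    return list(csv.DictReader(io.StringIO(content)))


def audit_root(report_rows, summary, now=None, stale_after=timedelta(days=90)):
    """Return finding strings for the root user; an empty list means clean.

    Each active root key is reported with where it was last used, which is
    what you need to collect before deactivating and deleting it.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    root = next((r for r in report_rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["root user row missing from credential report"]

    for slot in ("1", "2"):
        k = f"access_key_{slot}_"
        if root[k + "active"] != "true":
            continue
        last_used = root[k + "last_used_date"]
        if last_used == "N/A":
            findings.append(f"root access key {slot} is active and has never been used; delete it")
            continue
        age = "stale" if now - datetime.fromisoformat(last_used) > stale_after else "recent"
        where = f"{root[k + 'last_used_service']} in {root[k + 'last_used_region']}"
        findings.append(f"root access key {slot} is active; last used {last_used} ({age}) by {where}; "
                        "deactivate it, move that caller to an IAM user, then delete it")

    if root["mfa_active"] != "true":
        findings.append("root MFA is not active")

    # Cross-check the summary map. AccountAccessKeysPresent also counts keys
    # that were only deactivated, which the dashboard check still flags.
    smap = summary["SummaryMap"]
    active_in_report = any(f.startswith("root access key") for f in findings)
    if smap.get("AccountAccessKeysPresent") and not active_in_report:
        findings.append("root still has an inactive access key on file; deactivating is not enough, delete it")
    if not smap.get("AccountAccessKeysPresent") and active_in_report:
        findings.append("account summary reports no root keys but the report shows an active one; regenerate the report")
    if bool(smap.get("AccountMFAEnabled")) != (root["mfa_active"] == "true"):
        findings.append("account summary and credential report disagree on root MFA; regenerate the report")
    return findings


if __name__ == "__main__":
    for finding in audit_root(parse_credential_report(SAMPLE_REPORT), SAMPLE_SUMMARY):
        print("FINDING:", finding)
```

To run it against a real account, replace the samples with the output of `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text` (the base64 form the parser also accepts) and `aws iam get-account-summary`; the report is generated asynchronously, so re-run the second command until it returns.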

Step 7: After waiting 30 seconds, go back to your virtual MFA app and select the root account again to display another one-time code. Make sure it is different from the first one; if it is the same, wait a little longer before trying again. Input this code into the Authentication Code 2 field and click Next Step. You should see a "successfully associated" message. Click Finish. After clicking refresh on the Security Status dashboard, you can now see that "Activate MFA on your root account" is green.

Step 8: Let's test the MFA to verify it is working. Log out of your root account from the AWS Console. Input your existing credentials: the email address for the account and the password. These have not changed. You are now prompted for the Authentication Code, which you retrieve from your virtual MFA app. As expected, we were able to authenticate to the console successfully.

Step 9: Create an IAM Group, Assign Privileges

Similar to how you lay out your own authorization groups, you should create IAM Groups that map to specific user job functions. Each IAM Group then has the IAM permissions assigned that are needed to perform those specific tasks, and the principle of least privilege should be followed. In our example, we will create a group for our Administrators. From the IAM Console, select Groups from the left menu and click Create New Group at the top. Give the group an applicable name, Administrators in my example, then click Next Step.

Step 10: Now you need to decide which AWS permissions to assign to this IAM Group.
o You can choose an existing Policy Template, which has predefined permissions for specific roles or services.
o You can use the Policy Generator to create an itemized policy for your specific group of users.
o You can create both Allow and Deny statements for AWS services and the respective Actions available for those services. An explicit Deny always overrides an Allow, whichever policy it comes from.
o If you have a custom policy already developed, you can reuse it: give the policy a name and paste it into the Policy Document field.
o The last option is to assign no permissions, for example if you simply want to create a placeholder for the group and will circle back to the permissions later.
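The options in Step 10 all come down to Allow and Deny statements over actions and resources. As an added example, not code from the original guide, here is a custom least-privilege policy for a hypothetical EC2Operators group next to a deliberately small evaluator that applies the IAM decision order: an explicit Deny in any attached policy wins, then an explicit Allow, and anything else is implicitly denied. The group name, account ID and instance ARNs are made up; Condition, NotAction and NotResource are not modelled, and the evaluator refuses statements that use them rather than guessing.

```python
"""Allow/Deny evaluation for a job-function policy.

Added example, not from the original guide. The policy is a constructed
least-privilege document for a hypothetical EC2Operators group; the
evaluator is a deliberately small model of how IAM decides a request.
"""
import fnmatch
import json

EC2_OPERATORS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyEverywhere",
     "Effect": "Allow",
     "Action": ["ec2:Describe*"],
     "Resource": "*"},
    {"Sid": "StartStopInOneRegion",
     "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
    {"Sid": "NeverTerminateOrTouchIam",
     "Effect": "Deny",
     "Action": ["ec2:TerminateInstances", "iam:*"],
     "Resource": "*"}
  ]
}
""")

# A second constructed policy, standing in for some broader policy that
# might also be attached to the same user or group.
ALLOW_ALL_IAM = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    """IAM wildcard match: `*` and `?`; action names are case-insensitive."""
    v = value.lower() if ignore_case else value
    return any(fnmatch.fnmatchcase(v, p.lower() if ignore_case else p)
               for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return "Allow" or "Deny" for one request against the attached policies.

    Decision order as in IAM: an explicit Deny in any policy wins, then an
    explicit Allow, otherwise the request is implicitly denied. Condition,
    NotAction and NotResource are not modelled; rather than silently get
    them wrong, the evaluator refuses statements that use them.
    """
    decision = "Deny"  # implicit deny until an Allow matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise NotImplementedError(f"statement {stmt.get('Sid', '?')} uses an unsupported element")
            if not _matches(stmt["Action"], action, ignore_case=True):
                continue
            if not _matches(stmt["Resource"], resource, ignore_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny is final, whatever else is attached
            decision = "Allow"
    return decision


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for policies, action, resource in [
        ([EC2_OPERATORS_POLICY], "ec2:DescribeInstances", "*"),
        ([EC2_OPERATORS_POLICY], "ec2:StopInstances", instance),
        ([EC2_OPERATORS_POLICY], "ec2:StopInstances", instance.replace("us-east-1", "eu-west-1")),
        ([EC2_OPERATORS_POLICY], "ec2:TerminateInstances", instance),
        ([EC2_OPERATORS_POLICY, ALLOW_ALL_IAM], "iam:CreateUser", "*"),
    ]:
        print(f"{action:24s} {resource:60s} -> {evaluate(policies, action, resource)}")
```

The last request in the demonstration is the one worth noticing: even with a second policy that allows `iam:*`, the Deny statement in the group policy still wins, which is why a Deny on sensitive actions is a cheap safeguard against an over-broad policy attached later.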

Step 11: In our example, we will choose Administrator Access from the Policy Templates. You will then be shown the policy that will be assigned to the group we are creating. Select Next Step. A summary screen is presented; click "Create Group" to finalize. Create additional IAM Groups for all of your job roles.

Step 12: Create an IAM Password Policy

IAM users who need to use the AWS Management Console require a password, as opposed to the Access Keys used for programmatic access. Within the password policy, you can specify requirements for length, history (reuse prevention), and expiration period, as well as minimum requirements for uppercase and lowercase letters, numbers, and non-alphanumeric characters. By default, no policy is enforced regarding the strength of the passwords chosen. It is a best practice to create a Password Policy that is in line with your existing company and regulatory policies. From the Security Status dashboard, expand the "Apply an IAM password policy" item and click Manage Password Policy. Set the requirements and apply the password policy to have your changes take effect. You can edit the existing password policy later to add new requirements. Although not recommended, you can also delete the current password policy. Note that the policy is only enforced when a password is set or changed: existing passwords that do not meet the new requirements are not rejected until the user next changes them, or until they expire if you set an expiration period.

Step 13: Create an IAM User

Granting access to your AWS resources is a necessary step: resources need to be created and run, and that requires access to interact with these services. Every AWS account has a single root account with unrestricted access to do anything. We have taken steps earlier in this series to restrict the accessibility of the root account credentials. What needs to be absolutely clear is that the root account should not be used unless absolutely necessary. Any user who needs to interact with your AWS services should have a unique IAM User created; user credentials should not be shared.
Instead, create IAM Groups for each job function and assign the necessary IAM permissions to that group. Then create an IAM User and add each user to the applicable IAM Groups. In our example, we will create a user who will be an Administrator, instead of using the root credentials for administrative tasks. From the IAM Console, click Users, then click "Create New Users". Input the username for the account you are creating; as you can see, you can create multiple IAM Users at one time. In our example, we will create a single account for joeadmin. A checkbox is already enabled which states that Access Keys will be generated for each user. If the users you are creating only need access via the AWS Management Console, access keys are not required; only the username and the password, which we will set shortly, are needed.

If the users need programmatic access, via an SDK or the CLI for example, then Access Keys are required. We will leave it checked for our admin user. Click Create.

Step 14: The Access Keys can be viewed and downloaded from this screen. Click Download Credentials to receive a CSV file containing the access keys for each user you have just created. This is the only time the secret access key is shown, so the file must be provided securely to the users for use with their programmatic toolsets, and it should not be left lying around afterwards. Click Close to return to the IAM Console.

Step 15: By default, an IAM User that you create has no permissions. You can assign IAM permissions for specific AWS services either to the individual IAM User or via an IAM Group. IAM Groups are the preferred method.

Step 16: Let's assign the Administrators group to the newly created account. Select the user and, from the User Actions dropdown, choose "Add User to Groups". Select the applicable IAM Groups for this user; in our example, we will assign the Administrators group we already created. Check the group and click Add to Groups. An IAM User can be a member of up to 10 IAM Groups at one time. Our new user now has administrative privileges. Any IAM User that needs to access the AWS Management Console will need a password created. A user can have both a password and Access Keys at the same time; the type of interaction they require dictates the type of credentials created.

Step 17: Select the user to assign a password and choose Manage Password from the "User Actions" dropdown. You can either have a password auto-generated or choose a custom password. In our example, I will have one auto-generated. You can also require the user to create their own password, in accordance with the password policy in place, the first time they log into the AWS Management Console; this applies to both auto-generated and custom passwords.
In our example, I will check "Require user to create a new password at next sign-in". Click Apply. You can now download the credentials as well as view the password that was created. Provide this password securely to the user so that they can test their access. Click Close to go back to the IAM Console.
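Step 12 leaves the actual password requirements to you, and "require a new password at next sign-in" in Step 17 only works if the policy lets users change their own passwords. The following script is an added example, not code from the original guide: it compares the response of `aws iam get-account-password-policy` with a baseline and builds the single `aws iam update-account-password-policy` command that applies it. The weak sample policy is constructed, and the baseline numbers are an assumption to be replaced with your own company or regulatory requirements.

```python
"""Compare the account password policy with a baseline and emit the fix.

Added example, not from the original guide. Works offline on a constructed
response of the shape `aws iam get-account-password-policy` returns.
"""

# Assumed baseline; replace with your own company or regulatory requirements.
# Each entry is (API field, required value, update-account-password-policy option).
BASELINE = [
    ("MinimumPasswordLength", 14, "--minimum-password-length"),
    ("RequireUppercaseCharacters", True, "--require-uppercase-characters"),
    ("RequireLowercaseCharacters", True, "--require-lowercase-characters"),
    ("RequireNumbers", True, "--require-numbers"),
    ("RequireSymbols", True, "--require-symbols"),
    ("AllowUsersToChangePassword", True, "--allow-users-to-change-password"),
    ("MaxPasswordAge", 90, "--max-password-age"),            # days
    ("PasswordReusePrevention", 24, "--password-reuse-prevention"),
]

# Constructed weak policy, as the API returns it. Note that MaxPasswordAge is
# simply absent when ExpirePasswords is false, and PasswordReusePrevention is
# absent when no password history is kept.
SAMPLE_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False,
    "ExpirePasswords": False,
    "HardExpiry": False,
}}


def password_policy_gaps(response):
    """Return {field: (actual, required)} for every baseline field not met.

    Pass None when get-account-password-policy raised NoSuchEntity, which is
    what you get on an account that has never had a policy applied.
    """
    policy = (response or {}).get("PasswordPolicy", {})
    gaps = {}
    for field, required, _ in BASELINE:
        actual = policy.get(field)
        if field == "MaxPasswordAge":
            # "no expiry" and "expires later than allowed" are both gaps
            actual = policy.get(field, 0) if policy.get("ExpirePasswords") else 0
            ok = actual != 0 and actual <= required
        elif isinstance(required, bool):
            ok = bool(actual) == required
        else:
            ok = (actual or 0) >= required
        if not ok:
            gaps[field] = (actual, required)
    return gaps


def update_command():
    """The single CLI call that applies BASELINE.

    The API does not support partial updates: any option left out reverts to
    its default (false / no limit), so every option is passed every time.
    """
    parts = ["aws iam update-account-password-policy"]
    for _, value, option in BASELINE:
        parts.append(option if value is True else f"{option} {value}")
    return " ".join(parts)


if __name__ == "__main__":
    for field, (have, want) in password_policy_gaps(SAMPLE_POLICY).items():
        print(f"{field}: have {have!r}, need {want!r}")
    print("fix with:", update_command())
```

Because the update call replaces the whole policy, run the generated command as-is rather than only passing the options that showed up as gaps; otherwise the settings you omit silently fall back to their defaults.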

Enabling MFA for the root account is a best practice. For the users you create who will have elevated privileges (for example creating IAM resources, managing SSH key pairs, or managing Security Groups), you may want to enable MFA for those users as well. To enable MFA for an IAM User, select the user from the IAM Console and, from the User Actions dropdown, select "Manage MFA Device". This is the same procedure we completed for the root account earlier; please refer to those instructions. Note that an MFA device on an IAM User protects console sign-in; API calls made with that user's access keys are not challenged for MFA unless the permissions policy requires it with an aws:MultiFactorAuthPresent condition.

Conclusion

As you can see, we are now compliant with all of the Security Status dashboard checks. These are the fundamental steps that should be addressed. Additional material can be found in the IAM documentation, which showcases best practices related to that service. Also, please reference the AWS Security Best Practices whitepaper for a more holistic view in preparation for creating your organization's security profile.
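Whether the user-creation rules in Steps 13 through 17 and the MFA recommendation for privileged users were actually followed can be checked from the credential report that `aws iam get-credential-report` returns. The script below is an added example, not code from the original guide: it runs offline on constructed report rows (real reports carry more columns) and flags console users without an MFA device, users who were given access keys they never use (typically console-only users created with the "generate access keys" box left checked), keys older than an assumed 90-day rotation window, and users with no usable credential at all. The user names and dates are made up.

```python
"""Audit IAM users against the provisioning rules in Steps 13-17 and the
MFA recommendation for privileged users.

Added example, not from the original guide. Runs offline on constructed
credential-report rows of the shape `aws iam get-credential-report` returns
(real reports carry more columns; the 90-day rotation window is an assumption).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
joeadmin,arn:aws:iam::123456789012:user/joeadmin,true,false,true,2015-06-10T09:00:00+00:00,N/A,false,N/A,N/A
deploybot,arn:aws:iam::123456789012:user/deploybot,false,false,true,2014-12-01T00:00:00+00:00,2015-06-28T03:11:00+00:00,false,N/A,N/A
jane,arn:aws:iam::123456789012:user/jane,true,true,false,N/A,N/A,false,N/A,N/A
"""


def _date(value):
    """Credential-report timestamps are ISO 8601; N/A and friends mean 'none'."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_users(report_csv, now=None, rotate_after=timedelta(days=90)):
    """Return {user: [finding, ...]} for IAM users; root is skipped here.

    `now` may be an ISO 8601 string (handy for reproducible runs) or a
    timezone-aware datetime; it defaults to the current UTC time.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        notes = []
        has_password = row["password_enabled"] == "true"
        active_keys = [s for s in ("1", "2") if row[f"access_key_{s}_active"] == "true"]
        # Console users without a second factor: the root procedure applies to them too.
        if has_password and row["mfa_active"] != "true":
            notes.append("console password enabled but no MFA device")
        for s in active_keys:
            # A key that has never been used usually belongs to a console-only
            # user who was provisioned with the "generate access keys" box checked.
            if _date(row[f"access_key_{s}_last_used_date"]) is None:
                notes.append(f"access key {s} active but never used; delete it")
            rotated = _date(row[f"access_key_{s}_last_rotated"])
            if rotated and now - rotated > rotate_after:
                notes.append(f"access key {s} is {(now - rotated).days} days old; rotate it")
        if not has_password and not active_keys:
            notes.append("no password and no active keys; remove the user or finish provisioning")
        if notes:
            findings[row["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_users(SAMPLE_REPORT, now="2015-07-01T00:00:00+00:00").items():
        print(f"{user}: " + "; ".join(notes))
```

In the sample, joeadmin is exactly the user created in Steps 13 through 17 before MFA was added: a console password, no MFA device yet, and an access key that was generated by default and never used.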