An AWS account is a potent tool, but like all powerful things it must be treated with care. Performing a basic lockdown on an Amazon account is not rocket science, but it must be done.
The basic steps are as follows:
Use a strong password, and create a strong password policy.
As of November 2020, all new AWS accounts have a default password policy. One can view this policy as follows.
Sign in to the AWS console, then search for and select IAM.
Thence select Account Settings from the left-hand pane and note the Password policy settings:
Do note that in this case we have applied a custom policy with the following parameters:
- Minimum password length of 14 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one non-alphanumeric character
- 90-day expiration
- Self-service password rotation
- No password reuse for 24 rotations
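The console screenshot shows the policy for one account; when several accounts must be checked, the same comparison is easier to script. The following is an added example, not code from the original post: it compares a password policy against the custom baseline listed above, using the field names that boto3's `iam.get_account_password_policy()` returns and `iam.update_account_password_policy()` accepts. The two sample policies are constructed for the example, and `audit_account_policy` is a hypothetical wrapper that takes a boto3 IAM client.

```python
"""Compare an IAM account password policy against the baseline in the post.

Field names match boto3's get_account_password_policy()["PasswordPolicy"]
and the keyword arguments of update_account_password_policy(). The sample
policies below are constructed for this example, not fetched from an account.
"""

# Baseline from the custom policy described in the post, in boto3 field names.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
    "AllowUsersToChangePassword": True,
    "PasswordReusePrevention": 24,
}


def policy_gaps(policy):
    """Return human-readable findings where `policy` is weaker than BASELINE.

    An empty list means the policy meets or exceeds every baseline setting.
    Missing keys are treated as "not enforced"; IAM may omit MaxPasswordAge
    and PasswordReusePrevention entirely when they are not configured.
    """
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < BASELINE["MinimumPasswordLength"]:
        findings.append(
            f"minimum length {length} < {BASELINE['MinimumPasswordLength']}")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols",
                 "AllowUsersToChangePassword"):
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")
    # No expiry at all, or a longer expiry, is weaker than the 90-day baseline.
    max_age = policy.get("MaxPasswordAge")
    if max_age is None or max_age > BASELINE["MaxPasswordAge"]:
        findings.append(
            f"passwords expire after {max_age} days "
            f"(baseline {BASELINE['MaxPasswordAge']})")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < BASELINE["PasswordReusePrevention"]:
        findings.append(
            f"only {reuse} previous passwords remembered "
            f"(baseline {BASELINE['PasswordReusePrevention']})")
    return findings


def audit_account_policy(iam_client):
    """Hypothetical wrapper: fetch the live policy with a boto3 IAM client
    and check it. Kept separate so policy_gaps() can be tested offline."""
    current = iam_client.get_account_password_policy()["PasswordPolicy"]
    return policy_gaps(current)


# Constructed sample of a weak policy: short, no symbols, no expiry, no reuse limit.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

if __name__ == "__main__":
    for line in policy_gaps(WEAK_POLICY):
        print("FINDING:", line)
    print("gaps in the baseline itself:", policy_gaps(BASELINE))
```

Because BASELINE uses the update call's own field names, `iam.update_account_password_policy(**BASELINE)` applies the documented policy to an account whose check returns findings.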
Enable MFA for root account
As before, search for and open the IAM dashboard, and select the My access key link in the right-hand panel. Note any security alerts (in this case, no MFA).
In the Your Security Credentials panel, expand the MFA drop-down and select Activate MFA.
In the pop-up, select the MFA device you will use (I have selected Virtual MFA and will use an OTP application on my phone), then select Continue.
A list of compatible applications can be found here.
I have declined to expose my QR code and MFA sequence here, but the steps are: select Show QR code, scan it with your MFA app, enter two sequential codes and click Continue.
Note MFA enabled.
Delete any secret access keys for the root account.
While in the root user's Security Credentials panel, expand the Access Key drop-down.
If any access keys have Status Active, select Actions, Make Inactive and then Delete. (Note that the key displayed was created for this missive and will be removed.)
On deactivation, note the review pop-up and select Deactivate.
On the delete request, review the pop-up, re-enter the key and select Delete.
Note the confirmation of deletion.
Create IAM groups for day to day functions.
- One group may be for full administrators
  - This may have the AdministratorAccess policy attached
- Another group may be for developers
  - This may have limited access to specific services
- Another group may be for auditors
  - This group may have read-only access
Create user accounts for each user
Each user should have their own login to the account. Logins should NOT be shared; individual logins allow actions to be traced to a specific person and least privilege to be applied to the individual.
Enable MFA for each user
This is quite similar to the process for the root user, but one will need to work closely with the end user.
Remove any unneeded user access keys.
Access keys provide access to the AWS APIs and are quite necessary for programmatic (think automation) access. They should be created and documented for a specific business need. Once created, they should be audited for use and age.
Note that this user is part of a group, has no access keys, has a current password, is a current user, and has a virtual MFA.
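The screenshot above shows these properties for one user; the IAM credential report lists the same facts for every user and for the root account, which makes the root-key, MFA and key-age checks in this post scriptable. The following is an added example, not code from the original post: it parses a credential report in the CSV layout that `iam.get_credential_report()` returns (the root row is reported as `<root_account>`) and flags an active root access key, a root account or console user without MFA, and active access keys older than 90 days or idle for more than 90 days. The report, the users in it and the `AS_OF` timestamp are constructed for the example; `fetch_credential_report` is a hypothetical wrapper around the real boto3 calls.

```python
"""Audit an IAM credential report for the lockdown items in this post.

Columns are those of the report returned by iam.get_credential_report()
(the "Content" field, decoded). SAMPLE_REPORT and AS_OF are constructed
for this example, not taken from a real account.
"""
import csv
import io
import time
from datetime import datetime, timezone

# Placeholders the report uses in date columns when there is no date.
NON_DATES = {"N/A", "no_information", "not_supported", ""}

# Constructed sample report: root with an active key, one compliant user,
# one user lacking MFA with a stale key, and one keys-only service user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2021-03-01T08:00:00+00:00,not_supported,not_supported,true,true,2020-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-02-01T10:00:00+00:00,true,2021-03-02T12:00:00+00:00,2021-01-15T10:00:00+00:00,2021-04-15T10:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-02-01T10:00:00+00:00,true,2021-02-20T12:00:00+00:00,2020-11-01T10:00:00+00:00,2021-01-30T10:00:00+00:00,false,true,2020-06-01T10:00:00+00:00,2020-09-01T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-01-05T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-01-05T10:00:00+00:00,2021-03-03T10:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed "now" so the ages computed from SAMPLE_REPORT are stable.
AS_OF = datetime(2021, 3, 5, 12, tzinfo=timezone.utc)


def parse_time(value):
    """Aware datetime for an ISO-8601 report field, or None for a placeholder."""
    if value in NON_DATES:
        return None
    return datetime.fromisoformat(value)


def is_true(value):
    return value.lower() == "true"


def audit_credential_report(report_csv, now=None, max_age_days=90, max_idle_days=90):
    """Return a list of (user, finding) pairs for the checks in this post."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root: MFA must be on and there must be no access keys at all.
            if not is_true(row["mfa_active"]):
                findings.append((user, "root account has no MFA"))
            for n in (1, 2):
                if is_true(row[f"access_key_{n}_active"]):
                    findings.append((user, f"root account has an active access key "
                                           f"(key {n}); deactivate and delete it"))
            continue
        # Anyone with a console password needs MFA; keys-only users are exempt.
        if is_true(row["password_enabled"]) and not is_true(row["mfa_active"]):
            findings.append((user, "console password enabled but MFA is not active"))
        for n in (1, 2):
            if not is_true(row[f"access_key_{n}_active"]):
                continue
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_age_days:
                findings.append((user, f"access key {n} is {(now - rotated).days} "
                                       f"days old (limit {max_age_days})"))
            last_used = parse_time(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} has never been used"))
            elif (now - last_used).days > max_idle_days:
                findings.append((user, f"access key {n} last used "
                                       f"{(now - last_used).days} days ago "
                                       f"(limit {max_idle_days})"))
    return findings


def fetch_credential_report(iam_client):
    """Hypothetical wrapper: generate and download the live report with a
    boto3 IAM client. Generation is asynchronous, so poll until COMPLETE."""
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, now=AS_OF):
        print(f"{user}: {finding}")
```

Run against the sample, the audit flags only the root account (active key) and bob (no MFA, a 277-day-old key last used 185 days ago); alice and the keys-only service user pass. Dropping the `now=AS_OF` argument evaluates ages against the current time, which is what you want when feeding in a report from `fetch_credential_report`.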
Additional reading resources can be found at: