I can’t stress enough how important it is to take the time to safeguard your AWS environment. Here are five quick things that anyone can do right now to improve their AWS security.
1. Update the security email address on your accounts.
Often, the default address is set to whoever built the initial account. Change it to your organization’s Network Operations Center (or anyone who will pay attention and respond).
2. Use CloudTrail, a service that enables governance, compliance, operational logging, and risk auditing of your AWS account.
Turn it on globally. It doesn’t cost much (no more than the S3 storage that the log files will use), and it will save your bacon if anything goes awry.
Tip: Point the log to an S3 bucket under a different account with highly limited permissions. Very few people should have access to this separate account. Make sure to enable versioning and multi-factor authentication (MFA) for deletes on this bucket.
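As an added example (not code from the original post), here is a small Python script that does two things the tip asks for: it builds the bucket policy the separate log-archive account needs so CloudTrail can deliver logs from your other accounts, and it checks the dicts that boto3's `get_bucket_versioning` returns for the versioning and MFA Delete settings. The bucket name and account IDs are placeholders, and the API responses are constructed inline so the script runs offline.

```python
import json

# Constructed placeholders: the log bucket lives in a separate, tightly
# restricted "log archive" account; these are the accounts that send logs.
LOG_BUCKET = "example-org-cloudtrail-logs"          # placeholder bucket name
SOURCE_ACCOUNTS = ["111111111111", "222222222222"]   # placeholder account IDs


def cloudtrail_bucket_policy(bucket, source_accounts):
    """Build the S3 bucket policy CloudTrail needs to deliver logs from other
    accounts. The two statements follow AWS's documented template: the service
    must be able to read the bucket ACL, and may only write under
    AWSLogs/<account>/ with bucket-owner-full-control, so the log account (not
    the sending account) owns every object it receives."""
    write_targets = [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in source_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": write_targets,
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def log_bucket_findings(versioning):
    """Check the log bucket's protective settings, given the dict that
    boto3's get_bucket_versioning returns. A bucket where versioning was
    never configured has no 'Status' or 'MFADelete' key at all.
    Returns a list of readable gaps; an empty list means the bucket is hardened."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled: deleted or overwritten logs cannot be recovered")
    if versioning.get("MFADelete") != "Enabled":
        # MFA Delete can only be switched on by the bucket owner's root
        # credentials plus an MFA code (put-bucket-versioning --mfa), which is
        # exactly why it is a good fit for a rarely used log-archive account.
        findings.append("MFA Delete is not enabled: one compromised credential can purge log history")
    return findings


if __name__ == "__main__":
    print(json.dumps(cloudtrail_bucket_policy(LOG_BUCKET, SOURCE_ACCOUNTS), indent=2))
    # Constructed response for a bucket created with default settings.
    default_bucket_versioning = {}
    for finding in log_bucket_findings(default_bucket_versioning):
        print("FINDING:", finding)
```

Apply the generated policy to the log bucket with `put-bucket-policy`, then confirm `log_bucket_findings` returns an empty list against the real `get_bucket_versioning` response before pointing any trail at it.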
3. Turn on GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
GuardDuty is free for the first thirty days. See how much information it gathers for you during the trial to determine if it’s worth paying for.
4. Enable S3 Block Public Access, but be careful.
If some process inside your environment is accessing S3 through public means, turning this on will cause issues. Move any content that is required to be publicly accessible under an isolated account FIRST — and thoroughly test everything out before enabling it.
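The failure mode above is easy to hit blind, so here is an added example (mine, not the post's) of the preflight check a practitioner would run first: it walks an inventory of buckets and reports which ones currently rely on a public ACL or a public bucket policy, i.e. the ones that must be moved to the isolated account before Block Public Access is switched on. The bucket names and contents are constructed; the dict shapes mirror what boto3's `get_bucket_acl`, `get_bucket_policy` (a JSON string under `Policy`) and `get_public_access_block` return. The "is this policy public" test is a deliberately simplified assumption of this example, not AWS's own algorithm.

```python
import json

# S3's predefined groups; a grant to either makes the bucket effectively public
# (AuthenticatedUsers means any AWS account in the world, not just yours).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_is_public(acl):
    """True if the ACL (get_bucket_acl shape) grants anything to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            return True
    return False


def policy_is_public(policy_json):
    """Simplified check (an assumption of this example): an Allow statement with a
    wildcard principal and no Condition. S3's real determination also treats some
    conditioned wildcard statements as public, so a clean result here is not proof."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


def bpa_fully_enabled(config):
    """True only when all four Block Public Access flags are on. None models the
    NoSuchPublicAccessBlockConfiguration error boto3 raises when nothing is set."""
    cfg = (config or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag, False) for flag in BPA_FLAGS)


def preflight(buckets):
    """Map bucket name -> reasons, for every bucket that would lose public
    access once Block Public Access is enabled account-wide."""
    affected = {}
    for b in buckets:
        reasons = []
        if acl_is_public(b.get("acl", {})):
            reasons.append("public ACL")
        if policy_is_public(b.get("policy")):
            reasons.append("public bucket policy")
        # If the bucket already has all four flags on, its public grants are
        # already being ignored, so enabling the block changes nothing for it.
        if reasons and not bpa_fully_enabled(b.get("public_access_block")):
            affected[b["name"]] = reasons
    return affected


# Constructed inventory of three buckets.
SAMPLE_BUCKETS = [
    {   # static site served straight from S3: depends on a public policy
        "name": "example-marketing-site",
        "acl": {"Grants": []},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-marketing-site/*"}]}),
        "public_access_block": None,
    },
    {   # legacy bucket with a public-read ACL
        "name": "example-legacy-uploads",
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "policy": None,
        "public_access_block": None,
    },
    {   # private bucket, already hardened
        "name": "example-internal-data",
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-id"},
                            "Permission": "FULL_CONTROL"}]},
        "policy": None,
        "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}},
    },
]

if __name__ == "__main__":
    for name, why in preflight(SAMPLE_BUCKETS).items():
        print(f"{name}: relocate before enabling Block Public Access ({', '.join(why)})")
```

Run the same functions over real `get_bucket_acl` / `get_bucket_policy` output for every bucket in the account; anything in the returned map is a candidate to move to the isolated public-content account, and an empty map is the point at which turning the block on is safe to test.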
5. Use MFA on the root account.
Ideally, you should use MFA on any account with elevated privileges.
Tip: If you don’t have an MFA token, check out YubiKey. It’s a great option for MFA security.
None of these steps are very difficult, nor do they cost much to enable.
As AWS CISO Stephen Schmidt stressed at AWS re:Inforce, “Security is job zero.” Please reach out if you have questions.