Secure your account
- Estimate bills
- 3rd-party Alternatives
- Define organizations
- Root account lockdown
- Account ID to sign in
- In the AWS Console
- Apply an IAM password policy
- MFA (Multi-Factor Authentication)
- Access keys (access key ID and secret access key)
- Use groups to assign permissions
- Create IAM Users
- API Keys
- SSH Keys
- Roles for federated access
- More security
- TCO Calculator
- Inspector service
- Trusted Advisor
- Well-Architected Review
- Social Media
- More on Amazon
- More on DevOps
This tutorial describes how you can secure your account and avoid others making you pay runaway bills for mining their Bitcoin. Also included are notes about security relevant to passing AWS certification exams.
The “shared responsibility model” means AWS secures what’s of the cloud, while you secure what’s in the cloud. See this song and music video by Kate Turchin, a Cloud Security Advocate: “We must all do our part… so MFA your IAM and rotate all your keys…”
This section is addressed to account administrators who set up root accounts linked to credit cards.
PROTIP: Before you dive in, calculate your potential bills by providing usage estimates to the AWS calculator:
It has a different sheet for each service. Parameters for EC2 include the number of EC2 instances, hosts, EBS volumes, IPs, data transfer, app and network load balancing.
PROTIP: Remember that there is an additional surcharge for support as a percentage of the whole bill. Rates vary depending on the level of support chosen.
NOTE: Comparison-shop alternatives to services AWS offers:
PROTIP: Pricing for Developer support is the Greater of $29 or 3% of monthly AWS usage, so you may end up paying more if you spend more than $966.67.
Use AWS Organizations (previously __) to group several accounts for consolidated billing.
There is a limit of 20 linked accounts for consolidated billing.
Root account lockdown
Create an AWS account with a credit card and an email.
The account which controls billing is called the root account, which has unlimited access to AWS resources and unlimited ability to rack up charges. By resources I mean: users, groups, roles, IAM Access Policies, API keys, etc., globally for all regions.
PROTIP: When providing answers to Security Challenge Questions, you should not specify the real answer, which someone can figure out by social engineering. Instead, answer with some nonsense and write down the questions and answers in a safe place (such as within 1Password).
Also write down the Account Id number (12 digits).
Account ID to sign in
When signing in under IAM, the Account Id number needs to be provided.
To identify your Account ID:
Click on your name on the upper black menu at the top of the page, then select “My Account”.
In the AWS Console
Sign in to the AWS Console.
- Click to view all Services at the upper-left black menu band.
Scroll to the category “Security, Identity, and Compliance” for the ever-growing list of services:
- WAF (Web Application Firewall) protects against application-level attacks such as SQL injection and cross-site scripting.
- Shield protects against DDoS (Distributed Denial of Service) attacks.
- Click “Artifact” (at the bottom of the list) to read documents associated with security certifications.
- Cognito provides an API to federate authentication with various social identity providers (Facebook, Twitter, etc.)
- Amazon Macie
- AWS Single Sign-On
- Certificate Manager manages security certificates
- Cloud HSM provides
- Directory Service
What’s not listed is the AWS Best Practices which this tutorial addresses.
- CloudTrail audits usage
Click IAM (Identity and Access Management) for the Security Status list.
To get back to this later, click “Dashboard” on the IAM menu on the left.
The FAQ to this is at https://aws.amazon.com/iam/faqs/
Click on “Delete your root access key”.
Check “Don’t show me this message again” and Continue to Security Credentials.
PROTIP: Use 1Password to store your passwords so that you can use a “strong” password of so many characters that it would take hackers too much time to crack it. Because you only have to remember one master password, you are free to change the various passwords as often as you want with no fear of forgetting them.
Apply an IAM password policy
- Click “Manage Password Policy” so AWS will ensure that “strong” passwords are used (and not easy to guess ones). AWS defaults are terrible:
Over time, as hackers gain access to more powerful computers that can guess passwords faster, longer passwords become necessary to make them harder to crack.
PROTIP: The largest Minimum password length AWS allows is 128 characters. But 1Password can generate up to only 64 characters. Practically, 22 characters is a reasonable minimum. Require at least one number and one non-alphanumeric character.
Scroll down to “Security Token Service Regions” and deactivate regions your organization will never use.
PROTIP: The region is where most of your users are located. New services are usually restricted to one region, such as N. Virginia or N. California where AWS does development work.
MFA (Multi-Factor Authentication)
Have AWS text or call your smartphone (a virtual device) to make sure that it’s really you logging in.
- Click Activate MFA
- Click “A virtual MFA device”.
Click Next Steps.
- On your iPhone or Android, open the Store app and get the Google Authenticator app installed.
Open up your QR code app and align the code visually.
PROTIP: Don’t have a QR scanner app? My favorite QR app is Norton Snap, which blocks out malicious URLs the image represents. Snap automatically visits the website represented by the picture of dots.
Your QR app may just copy to the invisible Clipboard. Then you would have to switch to a web browser and click on the URL field to paste from Clipboard.
- The Google Authenticator app opens.
- The Google Authenticator app displays a new code every minute.
- Type the code displayed into the AWS Console website, then wait for the second code and type that in as well.
Click “Activate virtual MFA”.
Access keys (access key ID and secret access key)
See that “AWS recommends that you rotate your access keys every 90 days”? Some find it easier to remember by doing it on the first day of each month. Why? There are thousands of big computers around the world literally staying up at night trying different combinations.
PROTIP: Make an appointment on your Calendar with a recurring schedule.
PROTIP: Rotation applies to the access keys of IAM user accounts, not the root account.
You don’t want programmatic access to your root account, so you don’t need no stinkin’ keys.
- Click Delete next to the key. Write down the date it was Created.
Don’t create a new Access Key.
Use groups to assign permissions
PROTIP: For a user to do something usually requires several AWS resources, so several permissions need to be granted to a user. To simplify assignments, we define Groups of permissions which we can then assign to each user.
In other words, an IAM group is a management convenience for applying the same set of permissions to a set of IAM users.
Click Manage Groups then Create New Group.
PROTIP: Groups are usually associated with a particular job: admin, sales, HR, front-end developer, back-end developer, etc.
A user can belong to multiple groups. More complex organizations manage differences in permissions for company, division, project, location, job level, etc., so 128 characters may not be enough if long words are used. Thus, abbreviate and use acronyms.
PROTIP: Put abbreviations and acronyms in a wiki publicly available to avoid duplicate usage.
- “aws_iot_buttons” is the group name I use as an example.
PROTIP: Use underlines or dashes. Space characters are not allowed.
The policies listed are “AWS Managed”.
Click on Policy Type to select Job function.
PROTIP: Instead of scrolling down the massive list in Attach Policy (Alexa, Amazon, AWS, etc.), type the first few letters (such as “IoT”) in the Filter field and the list gets smaller. Notice that the filter matches not just names beginning with what you typed, but also characters inside names.
- Click to select.
Click “Create Group”.
Note different policies have different levels of access, with admin having more capabilities than “read only” ones.
- The list of names shown on the screen is called a “Policy Summary”.
Click “JSON” to see the file that AWS reads to assign policies. Here you see what Actions the policy allows.
Click “Access Advisor” to see users who have been assigned to use the policy.
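To show what AWS reads from that JSON tab, here is an added example (not code from the original tutorial, and not an AWS managed policy): a constructed IoT read-only policy with one explicit Deny, a Policy-Summary style listing of its Allow actions, and a simplified version of IAM’s evaluation rule (default deny, explicit Deny beats Allow). Conditions, NotAction/NotResource and case-sensitive ARN segments are deliberately not modeled.

```python
import fnmatch
import json

# Constructed policy in the JSON layout shown under the "JSON" tab.
# The bucket name "iot-logs" is invented for this example.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Describe*", "iot:Get*", "iot:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::iot-logs/*"},
    {"Effect": "Deny", "Action": "iot:GetPolicy", "Resource": "*"}
  ]
}""")

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    # Lower-casing the resource too is a simplification (ARN paths can be case-sensitive).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def allowed_actions(policy):
    """Policy-Summary style view: every Allow action pattern, sorted."""
    return sorted({a for s in policy["Statement"] if s["Effect"] == "Allow"
                   for a in _as_list(s["Action"])})

def wildcard_allows(policy):
    """Allow patterns of '*' or 'service:*' mark admin-level rather than read-only access."""
    return [a for a in allowed_actions(policy) if a == "*" or a.endswith(":*")]

def is_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation: nothing is allowed unless a statement allows it,
    and any matching Deny statement wins over every Allow."""
    decision = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt or not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```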
Create IAM Users
- Click Users on the left menu.
- Click Add User.
Specify User Name. For example: firstname.lastname@example.org
PROTIP: Use underscores to separate words in IAM User Names rather than spaces.
- Check “Programmatic Access”.
- Uncheck “User must create a new password at next sign-in”.
- Click “Next: Permissions”.
Click “Attach existing policies directly” for the first user.
PROTIP: The policy attached depends on what the user will be allowed to do.
- Send each user the Account ID and User Name using a different mode of communication than the one used for the password.
- User signs in using the credentials Account Id, the UserName, and password
Click “Send email”
PROTIP: Send credentials to your alternate email rather than to a cloud drive (Amazon, Google, Box, etc.). Use an email account that you set up with a fake birthdate and other fake personal information, and never give it out to anyone.
API Keys are assigned to developers using the AWS CLI (Command Line Interface) for programmatic access (by a program) rather than manual clicking and typing on a keyboard.
API keys make use of pairs of public (access) key and private (secret) key which stand in for real users typing in passwords.
SSH keys are used only with AWS CodeCommit to access their repositories.
Roles for federated access
An analogy is a private ball where royal guests arrive wearing formal attire and present an invitation card to enter. The fancy outfits with sashes and medals are kinda like group permissions that confer permissions on someone. The invitation card is kinda like IAM roles, which are only for specific times.
The host of the party is kinda like AWS’s STS (Security Token Service) identity broker, which grants access tokens enabling services to “assume” a role to act on AWS services.
IAM roles are used by computer programs reaching through Enterprise identity federation into Microsoft Active Directory using SAML (Security Assertion Markup Language) or through Web identity federation into Google, Facebook, Amazon, etc.
IAM roles issue keys that are valid only for short durations, making them a more secure way to grant access.
An IAM user needs to be granted two distinct permissions to launch EC2 instances with roles:
- Permission to launch EC2 instances.
- Permission to associate an IAM role with EC2 instances.
The temporary credentials STS issues for an assumed role consist of:
- A Security Token
- An Access Key ID
- A Secret Access Key
More security
Other measures to consider:
- egress rules on your Security Groups (after all, there’s no reason ever that your database should be connecting to IP addresses in Russia),
- vulnerability scanning,
- Host-Based Intrusion Detection (HIDS) systems
The Total Cost of Ownership calculator is basically a sales tool to calculate savings moving to AWS from on-premises servers:
Toggle Basic/Advanced for more fields.
The instance type is automatically selected based on the memory selected.
https://aws.amazon.com/inspector automates security assessment to help improve the security and compliance of applications deployed on AWS.
The first 250 agent-assessments are free during your first 90 days. After that it’s $0.30 per agent per assessment (agent-assessment) per month.
Trusted Advisor
Trusted Advisor scans the environment to identify tips for usage and security.
Enterprise subscribers ($15,000/month) have AWS Solution Architects conduct a Well-Architected Review in addition to a designated Technical Account Manager (TAM) for proactive guidance.
Free video training and books (in pdf and Kindle) on the Well-Architected Framework
After signing up at https://www.aws.training, take the 15-minute course “Authentication and Authorization with AWS Identity and Access Management”.
SWF (Simple Workflow Service) sequences manual work.
AppStream streams desktop apps (like Citrix).
Elastic Transcoder converts videos into various sizes and formats (ogg, mp4, etc.)
Orion Papers on Lucidchart
https://cloudonaut.io/aws-security-primer/ includes a thorough mind-map of concepts related to IAM.
More on Amazon
This is one of a series on Amazon:
- AWS On-boarding
- AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
- AWS Lambda
- API Management by Amazon
- AWS server deployment options
- Build load-balanced servers in AWS EC2
More on DevOps
This is one of a series on DevOps:
- ci-cd (Continuous Integration and Continuous Delivery)
- Git and GitHub vs File Archival
- Git Commands and Statuses
- Git Commit, Tag, Push
- Git Utilities
- Data Security GitHub
- GitHub API
- Choices for DevOps Technologies
- Java DevOps Workflow
- AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
- Cloud regions
- AWS Virtual Private Cloud
- Azure Cloud Onramp
- Azure Cloud
- Azure Cloud Powershell
- Digital Ocean
- Packer automation to build Vagrant images
- Terraform multi-cloud provisioning automation
- Powershell Ecosystem
- Powershell on MacOS
- Jenkins Server Setup
- Jenkins Plug-ins
- Jenkins Freestyle jobs
- Dockerize apps
- Docker Setup
- API Management Microsoft
- Scenarios for load