This blog post was written by Dileep Dasari.
When you move applications to the cloud, the attack surface changes while the vulnerabilities at application, database, and network level persist. To address these issues, securing the cloud perimeter, preventing unauthorized access, and protecting data is crucial.
The first step is to reduce the attack surface. Run a port scan specific to an instance IP and lock down all the unnecessary open ports. Also be sure to lock down your meta and user data. In a recent post, we shared detailed instructions to perform these security measures in Amazon Web Services (AWS).
Let’s dig a little deeper into preventing unauthorized access to your cloud servers, in particular, in AWS. Using Identity and Access Management (IAM), you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
Here are five best practices for setting up secure IAM in AWS:
- Never use the root account.
- Manage access keys.
- Grant permissions using IAM roles.
- Enable multifactor authentication.
- Enforce a strong password policies.
Never use the root account: The root account is used when signing up with AWS. It’s similar to a super user account and has unimpeded access to all the AWS services and resources. Therefore, never share the root account credentials with anyone else. Instead, create an admin group to add users who need to have an admin-level privileges for day-to-day activities.
Manage access keys: To access the AWS application programming interface and make a successful request, users require two sets of keys. These keys determine whether the requested resources are allowed, and who is making a request. Moreover, these are used for signing the requests. We recommend not using access keys for the root account.
Use a username and a password to log in to the AWS console with multifactor authentication enabled. Ensure the access keys for the root account get disabled or deleted. If there is a business requirement to use root-account access keys, maintain a regular key rotation.
It is quite common to hardcode keys to the code and push them to public repositories. This step allows anyone to access accounts and to spawn more EC2 instances. Attackers usually scan public repositories like GitHub and SourceForge to steal sensitive information. To avoid exposing keys, follow these steps:
- Do not hardcode access keys directly into the code. Place the keys in specific locations (such as the AWS credential file) that are being accessed by AWS software development kits or the AWS command line.
- Set up environment variables that can be accessed by development kits or the command line.
- Use separate access keys for different applications. This will isolate the permissions used by an application and can be revoked without affecting other applications in case of the key compromise.
- Rotate access keys periodically, about every three to six months.
- Automate the removal of keys that are unused for 90 or more days.
Grant permissions using IAM roles: The IAM roles are different than IAM users and groups. The users and groups are managed in the same account, whereas roles can provide delegated access to resources. The roles provide tight control over identities and key rotation. Access to resources from mobile applications should always be done via IAM roles. This step helps implement the principle of least privilege.
Enable multifactor authentication: Multifactor authentication (MFA) is the process of verifying a user’s identity by more than one independent method. AWS supports MFA and we strongly recommend enabling MFA for all the AWS accounts.
Hardware MFA should be enabled for the root account, to reduce the attack surface compared with a virtual MFA. In general, virtual or SMS-based MFA introduces an attack surface to any mobile or tablet on which a virtual MFA resides. Follow the steps below to enable MFA for AWS accounts:
- Log in to the IAM console.
- Choose Activate MFA on the account under Dashboard > Security Status.
- Click on the Manage MFA button and select either a virtual MFA or hardware MFA (as shown in the following image) upon verifying AWS MFA-compatible applications.
- Proceed to the next step to activate the MFA device selected in the previous step.
Enforce a strong password policy: IAM user accounts should enforce strong password policies similar to traditional applications. The password policy should include the following, from the CIS AWS benchmark:
- Minimum password length of 14 characters.
- Passwords should expire within 90 days.
- Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
- The number of passwords to remember should be set to restrict password reuse.
Also configure challenge questions for AWS accounts. This is helpful for identification purposes when contacting customer service. To configure security questions, follow these steps after login:
Account Name (top right) > My Account > Configure Security Challenge Questions
The credential report provides a quick snapshot of all the users’ account details, such as Amazon resource name, account last used, password last changed, next rotation date, etc. These reports are useful for auditing and compliance purposes. This is also helpful for deleting unused accounts.
By implementing a few safeguards—such as never sharing keys or credentials, implementing least-privileged-access roles, and enforcing MFA—you will help secure access to your data in the cloud.