
Avoid AWS access control mistakes to keep your cloud safe

If you get clumsy with AWS security, you can put your whole business at risk. Be wary of these common errors, and implement best practices to secure your workloads.

When you first start with AWS, you must understand how the cloud provider's shared responsibility model works and the security elements for which you are responsible. Amazon secures its global infrastructure and managed services, but you must manage AWS access control to protect your cloud data and workloads.

AWS offers a sandbox security environment for admins to design and control access to resources as they see fit. But organizations will still face stark consequences if they ignore security best practices. Many IT professionals, for example, fail to secure their accounts, even though it is of paramount importance.

Here are four common examples of AWS security mistakes that you should avoid.

Unnecessary permissions for users and resources

Administrators often grant unnecessary AWS user permissions. This approach is very risky, as someone with too many privileges can -- intentionally or unintentionally -- remove a crucial piece of infrastructure within an environment and potentially hurt your business.

Instead, admins should tailor AWS access control to the specific needs of each user or resource. Carefully create and manage roles for the various resources so that, for example, you withhold -- or at least tightly limit -- the ability to delete Lambda functions.

Lack of two-factor authentication

Most AWS accounts -- if not all of them -- should include two-factor authentication. This extra level of protection is especially crucial for roles with any kind of extra privileges, such as full access to Elastic Compute Cloud or permission to delete Simple Storage Service buckets.

In the case of a stolen password, two-factor authentication can be the difference between a slight inconvenience and a harmful situation.

Exposed AWS access keys

IT professionals often mistakenly commit AWS access keys for programmatic access to Git repositories. This happens so often that GitHub scans for these keys to prevent them from falling into anyone's hands. But, unfortunately, any GitHub user could scan for them as well. So, it's important to keep them out of source control and otherwise safe.

When intruders possess these keys, they can access everything that the original keyholder could. Additional protections, such as regular key rotation, are essential here; two-factor authentication alone won't protect you against a leaked key.

Excessive use of the root account

The AWS root user has unlimited privileges within an account, and a compromised root can devastate your cloud environment and business.

You should only use the root account to create the initial admin users and then lock it away. Also, don't create API access keys for the root account, as this creates additional risk; if you have already generated or used such keys, delete them.
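The last three mistakes (missing two-factor authentication, stale or exposed access keys, and root-account keys) can all be spotted in the IAM credential report. The following audit script is an added example, not code from the article; it assumes the report's real column layout, and the CSV embedded in it is a constructed sample rather than a report from any actual account.

```python
# Added audit example: flag the mistakes the article lists by parsing an IAM
# credential report. SAMPLE_REPORT is a constructed sample in the real report's
# column layout; a live report comes from
# `aws iam generate-credential-report` followed by `aws iam get-credential-report`.
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T12:00:00+00:00,true,2018-01-05T09:00:00+00:00,not_supported,not_supported,false,true,2017-01-10T12:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T08:00:00+00:00,true,2018-02-01T08:00:00+00:00,2017-03-01T08:00:00+00:00,N/A,true,true,2018-01-15T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-03-01T08:00:00+00:00,true,2018-02-01T08:00:00+00:00,2017-03-01T08:00:00+00:00,N/A,false,true,2017-03-01T08:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2017-06-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-06-01T08:00:00+00:00,true,2018-02-10T08:00:00+00:00
"""

# Fixed "current time" so the constructed sample audits deterministically.
EXAMPLE_NOW = datetime(2018, 2, 20, tzinfo=timezone.utc)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of (user, finding) tuples for every problem in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should hold no programmatic keys at all, and must have MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        # Anyone with a console password needs a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # A leaked key stays valid until it is rotated, so flag stale ones.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
                if now - rotated > timedelta(days=max_key_age_days):
                    findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, EXAMPLE_NOW):
        print(f"{user}: {finding}")
```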

This was last published in February 2018
