When you first start with AWS, you must understand how the cloud provider's shared responsibility model works and...
the security elements for which you are responsible. Amazon secures its global infrastructure and managed services, but you must manage AWS access control to protect your cloud data and workloads.
AWS offers a sandbox security environment for admins to design and control access to resources as they see fit. But organizations will still face stark consequences if they ignore security best practices. Many IT professionals, for example, fail to secure their accounts, even though it is of paramount importance.
Here are four common examples of AWS security mistakes that you should avoid.
Unnecessary permissions for users and resources
Administrators often grant unnecessary AWS user permissions. This approach is very risky, as someone with too many privileges can -- intentionally or unintentionally -- remove a crucial piece of infrastructure within an environment and potentially hurt your business.
Instead, admins should tailor AWS access control to meet the specific needs of each user or resource. Carefully create and manage roles for various resources so that, for example, you don't give -- or at least limit -- delete privileges for Lambda functions.
Lack of two-factor authentication
Most AWS accounts -- if not all of them -- should include two-factor authentication. This extra level of protection is especially crucial for roles with any kind of extra privileges, such as full access to Elastic Compute Cloud or permission to delete Simple Storage Service buckets.
In the case of a stolen password, two-factor authentication can be the difference between a slight inconvenience and a harmful situation.
Exposed AWS access keys
IT professionals often mistakenly upload AWS keys for programmatic access to Git. This happens so often that GitHub scans for these keys to prevent them from falling into anyone's hands. But, unfortunately, any GitHub user could scan for them as well. So, it's important to keep them safe.
When intruders possess these keys, they can access everything that the original keyholder could. If you don't have additional protections in place, such as regular key rotation, even two-factor authentication won't protect you.
Excessive use of the root account
The AWS root user has unlimited privileges within an account, and a compromised root can devastate your cloud environment and business.
You should only use the root account to create the initial admin users and then store it away. Also, don't have API keys for the root account, as this creates additional risk; if you have already generated or used these keys, delete them.
Dig Deeper on AWS compliance, governance, privacy and regulations
Related Q&A from Ofir Nachmani
Get a cloud expert's take on the technical factors involved in the Capital One data breach that exposed sensitive data of millions of the bank's ... Continue Reading
While Amazon CloudFront can make traffic spikes more manageable, IT teams still need to carefully prepare their environment for these increases in ... Continue Reading
Some AWS users should consider a third-party tool to find better visibility into their network infrastructure and traffic patterns instead of relying... Continue Reading