Pavel Ignatov - Fotolia

What are some AWS security best practices?

Our enterprise manages staff access through AWS Identity and Access Management. How can we fine-tune the service to make our public cloud less vulnerable?

AWS Identity and Access Management is all about security -- ensuring that only authorized users can access AWS resources. Securing the cloud in accordance with AWS security best practices helps to prevent data loss, workload disruptions and stolen services. Cloud administrators need to consider AWS security best practices and procedures to properly secure a public cloud.

IT teams should never use root access keys to request access through APIs or other common methods. Essentially, root access keys are the master keys for an AWS account; there is no way to curtail privileges for compromised root keys. Admins must protect AWS root account keys at all costs, and implement alternative login credentials, such as a user name and password or multifactor authentication, for AWS management and service access. This additional layer of authentication prevents hacked login credentials from launching remote attacks and protects critical workloads.

Every user, even the most privileged administrators, should be represented as an individual AWS Identity and Access Management (IAM) user. This allows admins to individually configure user privileges and change or remove those privileges at any time. When assigning privileges, use the principle of least privilege and regularly audit user rights to ensure appropriate levels for each end user's scope of responsibilities.

Amazon Web Services Security Quiz

Test your knowledge of Amazon Web Services security best practices with this 10 question security quiz.

If assigning individual rights is too time-consuming or cumbersome, admins can organize and assign user permissions according to groups. Alternatively, consider using IAM roles to provision privileges to external users or workloads that use Elastic Compute Cloud instances. Roles rely on temporary credentials, which often are safer than sharing the permanent credentials of an IAM user. When IAM users are allowed to change their own passwords, admins should ensure that the company's password policy demands strong passwords. Be sure that end users change or rotate passwords frequently.

In addition to these AWS security best practices, a solid security plan also requires regular monitoring, and AWS provides a variety of monitoring tools that can log end-user actions on resources as well as the effects of those actions. AWS CloudTrail, Amazon CloudWatch and AWS Config provide logging capabilities and Amazon Simple Storage Service logs requests to storage buckets. Admins can also produce a credential report that lists all IAM users in the AWS account along with credential details and activity. These AWS security best practices help admins identify and remove old users, further reducing possible points of attack.

Next Steps

Manage resource access with IAM permissions

Watch out for these common AWS security mistakes

AWS best practices rely on IT teams

Dig Deeper on AWS security