Tuesday, March 22, 2016

Scary false positive, or a story about best practice to secure your root AWS account



What is the best practice for securing the AWS root account? Not using it at all!

Let's clean it up first:


  1. Remove any API keys associated with the root account.
  2. Reset the root password and change the email address associated with it.
  3. Enable MFA on the root account (or deactivate the previous device and create a new one).


Start using IAM:


  1. Copy/bookmark/save the IAM sign-in URL.
  2. Create the required users, including one with the AdministratorAccess policy attached.
  3. Enable MFA on all users created.


Secure root account:

  1. Print your root account credentials.
  2. Log in using the printed credentials to ensure they work.
  3. Put them in a tamper-evident envelope.
  4. Add some signatures, stamps or voodoo to the envelope.
  5. Hide it in a safe box.
  6. Use it only in case of emergency :-)

Now let's add some monitoring just in case:

  1. Enable and configure CloudTrail, plus an S3 bucket for the logs.
  2. Configure CloudWatch Logs to process the CloudTrail logs.
  3. Add metric filters to detect root-user related events.
  4. Set up alarms and notifications (SNS) for the metrics.


For root users, the CloudWatch Logs metric filter looks like:

Filter Name:
Security-CloudWarchAlarms-RootAccessMetricFilte
Filter Pattern:
{$.userIdentity.type = "Root"}



I did everything mentioned above and was, let's say, "surprised" to get, months later, a notification saying "Root log-in detected". Checked CloudTrail looking for the root user - nothing... Hmm... Started looking into the CloudTrail log contents for the detailed raw events and found this:

{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "Root",
    "principalId": "577343344455",
    "arn": "arn:aws:iam::577343344455:root",
    "accountId": "5577343344455",
    "userName": "my_company",
    "invokedBy": "support.amazonaws.com"
  },
  "eventTime": "2016-03-22T19:22:23Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "GetAccountSummary",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "support.amazonaws.com",
  "userAgent": "support.amazonaws.com",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "675d-fxx3-1x5-9xxd-4768xxx17",
  "eventID": "b9xxxxfcaf-3xx7-4xxd-a220-exxxx8",
  "eventType": "AwsApiCall",
  "recipientAccountId": "577343344455"
}

Dear AWS support - you got me :-))
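To show why the filter above fired on a call that AWS Support made on the account's behalf, here is an added Python example (not from the post) that applies the post's pattern and a refined pattern (the form used by the CIS AWS Foundations Benchmark, which skips records carrying an invokedBy service and service events) to constructed CloudTrail records; the account id and IP address are placeholders.

```python
# Filter pattern from the post: fires on every record where the caller is root.
POST_FILTER_PATTERN = '{$.userIdentity.type = "Root"}'

# Refined CloudWatch Logs pattern: also require that no AWS service acted on
# the account's behalf ("invokedBy" absent) and that it is not a service event.
REFINED_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def matches_post_filter(record):
    """Python equivalent of the post's metric filter."""
    return record.get("userIdentity", {}).get("type") == "Root"


def matches_refined_filter(record):
    """Python equivalent of the refined metric filter."""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


# Constructed sample records (placeholder ids). The first mirrors the
# support-initiated GetAccountSummary call shown in the post.
SAMPLE_RECORDS = [
    {"userIdentity": {"type": "Root", "principalId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root",
                      "invokedBy": "support.amazonaws.com"},
     "eventSource": "iam.amazonaws.com", "eventName": "GetAccountSummary",
     "sourceIPAddress": "support.amazonaws.com", "eventType": "AwsApiCall"},
    {"userIdentity": {"type": "Root", "principalId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "eventType": "AwsConsoleSignIn"},
    {"userIdentity": {"type": "IAMUser", "userName": "admin"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7", "eventType": "AwsApiCall"},
]


def triage(records, matcher):
    """Return the eventName of every record the given filter would alert on."""
    return [r["eventName"] for r in records if matcher(r)]


if __name__ == "__main__":
    print("post filter   :", triage(SAMPLE_RECORDS, matches_post_filter))
    print("refined filter:", triage(SAMPLE_RECORDS, matches_refined_filter))
```

The post's pattern alerts on both root records, including the support-invoked one; the refined pattern alerts only on the interactive root console login.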

2 comments:

  1. You can also add:
    - Consult the credentials_access_report periodically. Really interesting info in it regarding user access. It can lead you to clean up and enforce your policy regarding passwords and access keys.
    - A Lambda function can be used to notify on suspect events and automate a few things.
