Thursday, June 9, 2016

Amazon AWS Account level security checklist and how-to

Disclaimer :-):
There are a bunch of Amazon AWS security checklists and recommendations online. Definitely the best one is
I'm not trying to reinvent the wheel, but to integrate and summarize the lessons I learned and the advice given to me by other AWS experts.

This checklist starts from the moment you begin AWS account creation.

  1. Create a dedicated email address for AWS account registration. This email becomes your root account login name, so please do not use your everyday or publicly published email address.
  2. Enable MFA (Multi-Factor Authentication) on the root account. Details:
  3. Remove, or DO NOT create, any API key associated with the root account. Access keys are not protected by MFA: anyone who has the root API keys gets full access to your account, and unintentional leaking of API keys is quite a common security incident.
  4. Copy/bookmark/save the IAM sign-in URL. You will need it to access the AWS web console.
  5. Create an IAM user with the AdministratorAccess policy attached. It will be your new "root"-like account.
  6. Create the other IAM users required. Minimize their permissions using built-in AWS managed policies such as PowerUserAccess, ReadOnlyAccess, AmazonEC2FullAccess, etc.
  7. Enable MFA on all users created. Details:
  8. Enforce a strict password policy. Details:
  9. Generate API keys only for users who need them. For "high-power" users, keep these keys inactive; they activate the keys through the MFA-protected AWS web console only when needed.
  10. Do not embed API keys in applications running inside AWS. Use IAM roles instead. Details:
  11. Enable and configure CloudTrail for all regions, plus an S3 bucket for the CloudTrail logs. Details:
  12. Send CloudTrail events to CloudWatch Logs. Details:
  13. Configure monitoring of the CloudTrail log files using CloudWatch Logs metric filters and alarms. Details:
  14. Configure near-real-time log data processing using subscriptions and/or a Lambda function. Details:
  15. Using #13 and #14, configure notifications for suspicious events.
  16. Enable the AWS Config service to get AWS configuration snapshots and change notifications. Details:
  17. Enable and configure VPC Flow Logs to get visibility at the network level. Details:
  18. Enforce server-side encryption on your S3 buckets. Details:
  19. Enable encryption on your EBS volumes. Details:
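Steps 12 to 15 come down to matching CloudTrail records against conditions that a CloudWatch Logs metric filter can express. The script below is an added example and is not code from the original post: it pairs the filter patterns used for the CIS Foundations Benchmark alarms (root account usage, console sign-in without MFA, unauthorized API calls, IAM policy changes, CloudTrail configuration changes) with equivalent Python predicates and runs them over a constructed sample log file, so a rule can be checked offline before it is installed in CloudWatch. The detector names, function names and sample records are assumptions made up for this example.

```python
import json

# Each detector pairs the CloudWatch Logs metric-filter pattern (the form
# used by the CIS AWS Foundations Benchmark alarms for steps 13-15) with an
# equivalent Python predicate, so a rule can be checked offline against
# sample records before it is installed with
#   aws logs put-metric-filter --filter-pattern '<pattern>' ...
# Detector and function names are assumptions made for this example.

def _is_root_activity(r):
    ui = r.get("userIdentity", {})
    return (ui.get("type") == "Root" and "invokedBy" not in ui
            and r.get("eventType") != "AwsServiceEvent")

def _is_console_login_without_mfa(r):
    # "!= Yes" also catches records where MFAUsed is missing entirely.
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def _is_unauthorized_call(r):
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}

def _is_iam_policy_change(r):
    return (r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName") in IAM_POLICY_EVENTS)

CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                     "StartLogging", "StopLogging"}

def _is_cloudtrail_change(r):
    return r.get("eventName") in CLOUDTRAIL_EVENTS

def _any_event_of(names):
    # Builds the "{ ($.eventName = X) || ($.eventName = Y) }" filter syntax.
    return "{ " + " || ".join(f"($.eventName = {n})" for n in sorted(names)) + " }"

DETECTORS = [
    ("RootAccountUsage",
     '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
     '&& $.eventType != "AwsServiceEvent" }', _is_root_activity),
    ("ConsoleLoginWithoutMFA",
     '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
     _is_console_login_without_mfa),
    ("UnauthorizedAPICall",
     '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
     _is_unauthorized_call),
    ("IAMPolicyChange", _any_event_of(IAM_POLICY_EVENTS), _is_iam_policy_change),
    ("CloudTrailConfigChange", _any_event_of(CLOUDTRAIL_EVENTS), _is_cloudtrail_change),
]

def alerts_for(record):
    """Names of every detector that fires on a single CloudTrail record."""
    return [name for name, _pattern, pred in DETECTORS if pred(record)]

def scan(records):
    """Detector name -> eventIDs that fired; each key is one alarm to raise."""
    hits = {}
    for r in records:
        for name in alerts_for(r):
            hits.setdefault(name, []).append(r["eventID"])
    return hits

def load_records(log_text):
    """CloudTrail files delivered to S3 are shaped {"Records": [event, ...]}."""
    return json.loads(log_text)["Records"]

# Constructed sample log file; not data from any real account.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventType": "AwsApiCall", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventID": "e6", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "erin"}},
]})

SAMPLE_RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    for name, pattern, _ in DETECTORS:
        print(f"{name}: {pattern}")
    for name, ids in scan(SAMPLE_RECORDS).items():
        print(f"ALARM {name}: {ids}")
```

Running it prints each filter pattern (ready to paste into `aws logs put-metric-filter`) and then one alarm line per detector that fired. Two caveats: the `{"Records": [...]}` wrapper is the S3 file format, while CloudTrail delivers each event to CloudWatch Logs as its own log event, so the patterns apply to the individual records; and a root sign-in fires the root-usage alarm even when MFA was used (record e1), which is intended, because after step 5 the root account should not be used at all.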

Almost all of the steps above can and should be automated. I have already published, and will publish more, automation examples on this blog.

Check your resulting account security status:
And do this periodically.

Checklists and Best Practices:

AWS CIS Foundations Benchmark (must read document)

AWS Auditing Security Checklist

PS. I would like to thank Liem aka Pimpon for his advice in preparing this checklist.


  1. Very good blog post, Ihor! I have written a tool to check all CIS recommendations (prowler) in case you want to take a look in detail:
