Thursday, June 9, 2016

Amazon AWS Account level security checklist and how-to

Disclaimer :-):
There are a bunch of Amazon AWS security checklists and recommendations online. Definitely the best one is 
I'm not trying to reinvent the wheel, but to integrate and summarize lessons I learned and advice given to me by other AWS experts.

This checklist starts from the moment when you begin AWS account creation.

  1. Create a dedicated email address for AWS account registration. This email will become your root account login name, so please do not use your daily-use email or one that is published online.
  2. Enable MFA (Multi-Factor Authentication) on the root account. Details:
  3. Remove, or DO NOT create, any API key associated with the root account. API keys have no MFA: anyone who has root API keys gets full access to your account. Unintentional leaking of an API key is quite a common security incident.
  4. Copy/bookmark/save the IAM sign-in URL. You will need it to access your AWS web GUI.
  5. Create an IAM user with the AdministratorAccess policy attached. It will be your new "root"-like account.
  6. Create the other IAM users required. Minimize their permissions using built-in AWS managed policies like PowerUserAccess, ReadOnlyAccess, AmazonEC2FullAccess, etc.
  7. Enable MFA on all users created. Details:
  8. Enforce a strict password policy. Details:
  9. Generate API keys for users who need them. For "high-power" users make these keys inactive. They will activate the keys through the MFA-protected AWS web GUI only when needed.
  10. Do not use API keys in applications running inside AWS. Use IAM roles instead. Details:
  11. Enable and configure CloudTrail for all regions + an S3 bucket for the CloudTrail logs. Details:
  12. Send CloudTrail events to CloudWatch Logs. Details:
  13. Configure monitoring of the CloudTrail log files using Amazon CloudWatch Logs metric filters and alarms. Details:
  14. Configure near-real-time log data processing using subscriptions and/or a Lambda function. Details:
  15. Using #13 and #14, configure notifications for suspicious events.
  16. Enable the AWS Config service to get AWS configuration snapshots and change notifications. Details:
  17. Enable and configure AWS VPC Flow Logs to get visibility at the network level. Details:
  18. Enforce server-side encryption on your S3 buckets. Details:
  19. Enable encryption on your EBS volumes. Details:

Almost all of the steps above can and must be automated. I have already published, and will publish more, automation examples on this blog.
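As an added example (not code from this post), here is one way to check items 2, 3 and 7 of the list against an account: it parses the IAM credential report, which boto3 can download with get_credential_report() once generate_credential_report() has produced it. The CSV below is a constructed sample with only a subset of the report's real columns and a made-up account id.

```python
import csv
import io

# Constructed sample in the IAM credential report format (subset of columns,
# made-up account id). In a real account, use fetch_live_report() instead.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,2016-06-01T10:00:00+00:00,not_supported,false,true,false
admin,arn:aws:iam::111111111111:user/admin,2016-06-01T10:05:00+00:00,true,true,false,false
deploy,arn:aws:iam::111111111111:user/deploy,2016-06-01T10:10:00+00:00,true,false,true,false
ci-bot,arn:aws:iam::111111111111:user/ci-bot,2016-06-01T10:15:00+00:00,false,false,true,false
"""


def audit_credential_report(report_csv):
    """Return a list of findings for checklist items 2, 3 and 7.

    Item 2: root has MFA.  Item 3: root has no active access keys.
    Item 7: every user with a console password has MFA.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys_active = [k for k in ("access_key_1_active", "access_key_2_active")
                       if row.get(k) == "true"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled (item 2)")
            if keys_active:
                findings.append("root: active access key(s) present (item 3)")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA (item 7)")
    return findings


def fetch_live_report():
    """Download the real report with boto3 (needs IAM read permissions).

    Call iam.generate_credential_report() first and retry until its state
    is COMPLETE; that wait loop is left out here.
    """
    import boto3  # imported lazily so the audit itself runs offline
    iam = boto3.client("iam")
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

Run it against the live report periodically; an empty list means items 2, 3 and 7 hold for every IAM user in the account.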

Check your resulting account security status:
And do this periodically.

Checklists and Best Practices:

AWS CIS Foundations Benchmark (must read document)

AWS Auditing Security Checklist

PS. I would like to thank Liem aka Pimpon for advice in preparing this checklist.

Wednesday, June 8, 2016

AWS "one-liners": Configure AWS password policy in one shot

"As soon as you have passwords you need a password policy" - © captain obvious

AWS allows you to have only one password policy for the whole AWS account.

You can configure it using the web GUI or, if you prefer to have all your infrastructure and security as code, using boto3 and Python:


import boto3
import pprint

iam = boto3.resource('iam')  # the original snippet used 'iam' without creating it
account_password_policy = iam.AccountPasswordPolicy()
response = account_password_policy.update(  # example values, adjust to your requirements
    MinimumPasswordLength=14, RequireSymbols=True, RequireNumbers=True,
    RequireUppercaseCharacters=True, RequireLowercaseCharacters=True,
    AllowUsersToChangePassword=True, MaxPasswordAge=90, PasswordReusePrevention=24)
pprint.pprint(response)


You can find more details about particular password policy parameters here: