Security awareness in AWS: Considerations (Part I)

December 1, 2014 | AWS, Security

Today we will not speak about a Rocket-Steam product: this is the first of a series of 3 articles providing information on how to secure your AWS infrastructure, although many of the ideas in these articles can easily be applied to other IaaS providers, or even to your own home-based systems.

As a CIO or CTO, you may have considered, or been forced to consider, moving part of your IT workload to the cloud. Certainly, the offerings from the different providers change the way we’ve been looking at systems provisioning during the last 30 years and transform the whole process into something that can be considered as easy to deploy as a small piece of software.

However, this change of perspective may lead to some distortion in the perception of what is important, dangerous or even suicidal.

Just for reference, the latest report from Imperva, called “Web Application Attack Report” (http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf) stated some interesting facts:

  • 20% of all CVE exploit attempts come from AWS servers
  • 10% of all SQL injection attempts come from AWS servers

Obviously these attacks don’t come from hackers who legally pay their accounts at the end of each month; they come from accounts that have been hacked and compromised.

Protecting your AWS root account from being hacked is possible, and requires some steps that can easily be done either at the moment you sign up for AWS or afterwards.

Your AWS root account should be protected and used only to configure billing and payment relations with other AWS accounts (if needed). All other functions should be done through IAM accounts with proper permissions. After all, the AWS root account is the new main door to your datacenter and a free pass to your credit card limit.

The following steps will guide you through the process of securing your root account:

1. Use an email alias to create your AWS root account.

Do not use this alias for anything public, only for AWS registration. This way an attacker won’t know which email has been used for registration. Don’t use an address like aws@yourdomain.com, as it is too obvious.

2. Create a strong password

Use any tool of your choice to create a long (more than 12 characters), random, alphanumerical password. Store it in a proper, safe way. This password will be used only for changing the paying credit card. The rest of the operations can be performed through IAM accounts with proper permissions.

Another option is to generate a very long and difficult password, forget about it, and use the “Recover password” option the few times you need to use the root account. If you go this path, remember that each time you finish using your root account you have to create another password.

3. Associate an MFA device

Multi-Factor Authentication forces you to provide two passwords: one is fixed and set up by you (in step one), and the second is generated by a third party and changes every few seconds. In the old days an MFA device was expensive, and only big companies had access to them. Nowadays services like Google Authenticator provide you with free MFA solutions, and AWS can use them.

Follow the instructions at
http://docs.aws.amazon.com/IAM/latest/UserGuide/GenerateMFAConfigAccount.html to set up your MFA device for your root account.

4. Delete your root account AWS API keys

Your AWS root account should not have, under any circumstances, AWS keys for the API. If those keys are stolen, found or acquired in any way, your account is lost. Follow the next steps to delete your root account API keys:

a. Access https://console.aws.amazon.com/iam/home?#security_credential through your root account and unfold “Access Keys”:


b. Hit “Delete” and confirm; the keys then appear as deleted.


5. Set up a CloudWatch alarm for costs

The AWS CloudWatch service lets you create an alert that notifies you when the current billing cycle costs more than a certain amount of money, so it’s a good practice to set up this alert for the amount you expect to spend each month.

Obviously the CloudWatch alarm may be one of the first things deleted if the root account gets hacked, but it’s still a good practice and does not take more than 5 minutes to set up.

To create the alert follow the steps detailed at:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/monitor_estimated_charges_with_cloudwatch.html

6. Enable CloudTrail and implement a monitoring solution for root account and IAM administrator access

CloudTrail records every single bit of activity done on the AWS environment. The logs it provides are very detailed and hard to read, but in the next article we will show you how we’ve solved this at Rocket-Steam.

To enable CloudTrail follow the steps at:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_started_top_level.html
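
As an added illustration of steps 3, 4 and 6 (not code from the original article or from Rocket-Steam), the following Python check reads the root row of an IAM credential report for missing MFA and active API keys, and lists every root-initiated record in a CloudTrail log. The CSV and JSON samples are constructed and trimmed to the fields used, and the function names `audit_root` and `root_activity` are hypothetical.

```python
import csv
import json

# Constructed sample of an IAM credential report, trimmed to the columns used here.
CREDENTIAL_REPORT = """user,arn,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2014-11-28T09:12:44+00:00,false,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,N/A,false,true,false
"""

# Constructed sample of CloudTrail records, reduced to the fields used here.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-28T09:12:44Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-11-28T09:15:02Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser"}},
    {"eventTime": "2014-11-28T09:20:31Z", "eventName": "DeleteAlarms",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"}},
]})


def audit_root(report_csv):
    """Findings for the root row of a credential report (steps 3 and 4)."""
    findings = []
    for row in csv.DictReader(report_csv.splitlines()):
        if row["user"] != "<root_account>":  # the report's name for the root row
            continue
        if row["mfa_active"] != "true":
            findings.append("root has no MFA device")
        for key in ("access_key_1_active", "access_key_2_active"):
            if row[key] == "true":
                findings.append("root has an active API key (%s)" % key)
    return findings


def root_activity(cloudtrail_json):
    """(time, event, source IP, MFA flag) for each root-initiated record (step 6)."""
    hits = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("userIdentity", {}).get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "n/a")
            hits.append((rec["eventTime"], rec["eventName"], rec["sourceIPAddress"], mfa))
    return hits


if __name__ == "__main__":
    for finding in audit_root(CREDENTIAL_REPORT):
        print("FINDING:", finding)
    for hit in root_activity(CLOUDTRAIL_LOG):
        print("ROOT ACTIVITY:", *hit)
```

With the root account used only for billing, any line of root activity is worth an alert, and a root `DeleteAlarms` record is the case the cost-alarm step warns about.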

Hope you found this information useful; let us know if you had any trouble implementing any of the recommendations, we can help!

 

About Jordi Molina