Securing AWS Access

Saurabh Rayakwar
3 min read · Sep 29, 2018


There are various reasons you would want to secure access to your AWS account. The following are steps that require some extra effort from the admin side to keep the AWS account safe and avoid disaster, especially when the technology stack is vendor-specific (here, AWS).

There are two ways to access an AWS account: with access keys (through the terminal, SDK or API) and through the browser. What follows is a checklist for both; each of these measures adds an extra layer of security to the stack.

  1. When using access keys
  • Tail CloudTrail logs for unusual activity. Amazon CloudWatch Logs is a feature of CloudWatch that you can use specifically to monitor log data. Integration with CloudWatch Logs enables CloudTrail to send events containing API activity in your AWS account to a CloudWatch Logs log group. CloudTrail events that are sent to CloudWatch Logs can trigger alarms according to the metric filters you define. You can optionally configure CloudWatch alarms to send notifications or make changes to the resources that you are monitoring based on log stream events that your metric filters extract. Using CloudWatch Logs, you can also track CloudTrail events alongside events from the operating system, applications, or other AWS services that are sent to CloudWatch Logs.
  • AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication response from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources. There are different ways in which this can be implemented. In the free version, you can use any application that supports the TOTP standard, e.g. Google Authenticator.
  • You can configure your Jenkins build to pull config files from S3 instead of storing them in the codebase. Ideally, .gitignore lists the config files, including the local configuration. Also make sure the files on S3 are readable only by the IAM role that fetches them.
  • Encrypt config keys with crypto (Node.js) before storing them in config files that live in the codebase, and decrypt them before use.
  • One of the best ways to protect your account is to not have an access key for your AWS account root user. Unless you must have a root user access key (which is very rare), it is best not to generate one.
  • Temporary security credentials consist of an access key ID and a secret access key, but they also include a security token that indicates when the credentials expire. You can generate these for AWS IAM roles. Long-term access keys, such as those associated with IAM users and AWS account root users, remain valid until you manually revoke them. However, temporary security credentials obtained through IAM roles and other features of the AWS Security Token Service expire after a short period of time. Use temporary security credentials to help reduce your risk in case credentials are accidentally exposed.

2. When using the browser

  • You have a mobile app. Do not embed an access key with the app, even in encrypted storage. Instead, use Amazon Cognito to manage user identity in your app. This service lets you authenticate users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity provider. You can then use the Amazon Cognito credentials provider to manage credentials that your app uses to make requests to AWS.
  • If users can authenticate inside your organization, you can write an application that issues them temporary security credentials for access to AWS resources. This is called federating into AWS; it applies when your organization has an on-premises identity store.
  • Use an IAM role to establish trust between accounts, and then grant users in one account limited permissions to access the trusted account.

✌️✌️

