AWS Security deep dive
Comprehensive security guidelines for AWS resources, with best practices. Every resource and service is presented as a step-by-step tutorial.
Creating a non-root user
AWS best practice is not to use the root user for everyday tasks, even administrative ones. Use the root user only to create your first IAM user, groups and roles. Then lock the root user credentials away securely and use them only for the few account and service management tasks that require root.
Following AWS best practice, the steps below harden the root user and the account itself.
Generate and Review the AWS Account Credential Report
AWS recommends reviewing the security configuration of your accounts regularly. Audit it in the following situations:
- On a periodic basis. You should perform the steps described here at regular intervals as a best practice for security.
- If there are changes in your organization, such as staff leaving.
- If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
- If you’ve added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.
- If you ever suspect that an unauthorized person might have accessed your account.
As you review your account’s security configuration, follow these guidelines:
- Be thorough. Look at all aspects of your security configuration, including those you might not consider on a regular basis.
- Don’t assume. Don’t overlook areas which could potentially lead to a security breach. If you are unfamiliar with some aspect of your security configuration (for example, the reasoning behind a particular policy or the existence of a role), investigate the business need until you are satisfied.
- Keep things simple. To make auditing (and management) easier, use IAM groups (segmenting IAM users by department, functional or business unit, or whatever structure your organization has), consistent naming schemes (tagging is recommended to keep the account orderly), and straightforward policies.
You can use the AWS Management Console to download a credential report as a comma-separated values (CSV) file. To download a credential report using the AWS Management Console:
Notes: A new report is generated at most once every four hours, so changes made since the last report may not appear in it yet
Under your account drop-down menu, select My Security Credentials
Under the IAM dashboard, choose Credential report
After clicking Download Report, a .csv file is generated and downloaded, as shown below
Enable a Virtual MFA Device for Your AWS Account Root User
You can use IAM in the AWS Management Console to configure and enable a virtual MFA device for your root user. To manage MFA devices for the AWS account, you must be signed in to AWS using your root user credentials. You cannot manage MFA devices for the root user using other credentials.
If your MFA device is lost, stolen, or not working, you can still sign in using alternative factors of authentication: you verify your identity using the email address and phone number registered with the account. Before you enable MFA for your root user, review your account settings and contact information to make sure that you have access to both. To learn about signing in using alternative factors of authentication, see What If an MFA Device Is Lost or Stops Working?. To disable this fallback, contact AWS Support.
Locate my security credentials under the drop-down of your account
Expand your MFA section
Choose to set up Virtual MFA device and continue
Configure your MFA device
Now install Google Authenticator (or another supported virtual MFA app) on your smartphone, as shown below.
After entering two consecutive MFA codes in the console, the virtual device is registered successfully, as shown below.
Notes: Under Manage you can remove or resync the MFA device
Configure Account Security Challenge Questions
Configure account security challenge questions because they are used to verify that you own an AWS account.
Under your account drop-down, click my account
Under my account, scroll down and find configure security challenge questions
Edit and update security questions
Configure Account Alternate Contacts
Alternate contacts enable AWS to contact another person about issues with the account, even if you are unavailable.
Under your account drop-down, click my account
Scroll down to the alternate contacts section
Tick the box to enable the contact information section
Update contact information
Remove Your AWS Account Root User Access Keys
You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account root user access key. The access key for your AWS account gives full access to all your resources for all AWS services, including your billing information. You cannot restrict the permissions associated with your AWS account access key.
- Check the credential report; if you don’t already have an access key for your root user, don’t create one unless you absolutely need to. Instead, use your account email address and password to sign in to the AWS Management Console and create an IAM user for yourself that has administrative privileges. This is explained in a later section.
- If you do have an access key for your AWS account, delete it unless you have a specific requirement. To delete or rotate your AWS account access keys, go to the Security Credentials page in the AWS Management Console and sign in with your account’s email address and password. You can manage your access keys in the Access keys section.
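The checks in this section and in the credential report section above are easy to automate. The following Python script is added here as an example; it is not part of the original lab. It parses a credential report CSV, flags an active root access key, a root user without MFA, console users without MFA, and access keys that are stale or never used. The sample rows are constructed (made-up account ID, names and timestamps), and the 90-day rotation threshold is an assumption. Pass the .csv downloaded from the console as the first argument to run it against a real account.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report.
# Account ID, user names and timestamps are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2020-05-01T08:15:00+00:00,not_supported,not_supported,false,true,2019-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
adminuser,arn:aws:iam::123456789012:user/adminuser,2020-04-01T10:00:00+00:00,true,2020-05-02T12:00:00+00:00,2020-04-01T10:05:00+00:00,2020-06-30T10:05:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2019-06-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T10:01:00+00:00,2020-05-02T01:00:00+00:00,us-west-2,s3,true,2019-06-01T10:02:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# "Now" is pinned so the sample gives the same answer every run.
SAMPLE_NOW = datetime(2020, 5, 3, tzinfo=timezone.utc)


def parse_time(value):
    """ISO-8601 cell -> aware datetime; N/A, not_supported and no_information -> None."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=SAMPLE_NOW, max_key_age_days=90):
    """Return a list of (user, finding) tuples for the checks described in the text."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root:
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root access key active: delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA device"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated in {max_key_age_days} days"))
            if parse_time(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # a real report downloaded from the console
        text, now = open(sys.argv[1]).read(), datetime.now(timezone.utc)
    else:
        text, now = SAMPLE_REPORT, SAMPLE_NOW
    for user, finding in audit_credential_report(text, now):
        print(f"{user}: {finding}")
```

On the constructed sample the root row produces four findings (active key, no MFA, key older than 90 days, key never used), adminuser produces none, and the ci-deploy service user produces three for its two old keys, one of which has never been used.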
Periodically Change the AWS Account Root User Password
You must be signed in as the AWS account root user in order to change the password. To learn how to reset a forgotten root user password, see Resetting Your Lost or Forgotten Passwords or Access Keys.
Notes: If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, click Sign-in using root account credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.
Locate my security credentials under the drop-down of your account
Notes: Here you are required to sign in with your credential and MFA, then you will be directed to the page below
You may edit your password as shown below
Enter your current password, then enter and confirm the new password
Successfully generated new password
Notes: Choose a strong password. Although you can set an account password policy for IAM users, that policy does not apply to your AWS account root user.
AWS requires that your password meet these conditions:
- have a minimum of 8 characters and a maximum of 128 characters
- include at least three of the following character types: uppercase letters, lowercase letters, numbers, and the symbols ! @ # $ % ^ & * ( ) < > [ ] { } | _ + - =
- not be identical to your AWS account name or email address
Notes: AWS is rolling out improvements to the sign-in process. One of those improvements is to enforce a more secure password policy for your account. If your account has been upgraded, you are required to meet the password policy above. If your account has not yet been upgraded, then AWS does not enforce this policy, but highly recommends that you follow its guidelines for a more secure password.
To protect your password, follow these best practices as a rule of thumb:
- Change your password periodically and keep your password private, since anyone who knows your password can access your account.
- Use a different password on AWS than you use on other sites.
- Avoid passwords that are easy to guess. These include passwords such as secret, password, amazon, or 123456. They also include things like a dictionary word, your name, email address, or other personal information that can easily be obtained.
Configure a Strong Password Policy for Your Users
You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users’ passwords. The IAM password policy does not apply to the AWS root account password.
Under the IAM service, find the Password policy section
Click set password policy
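The two rule sets above (root password rules, IAM user password policy) can be expressed in code. The following Python is an added example, not part of the original lab: check_root_password implements exactly the root rules listed above, IAM_PASSWORD_POLICY holds an assumed baseline policy (stricter than the console defaults; the values are my choice, not the page's) in the keyword form that boto3's iam.update_account_password_policy() accepts, and check_iam_password tests a candidate against it. No AWS call is made unless you invoke apply_iam_password_policy with a real client.

```python
SYMBOLS = set("!@#$%^&*()<>[]{}|_+-=")  # the symbol set listed for the root password


def check_root_password(password, account_name, email):
    """Return the root-password rules listed above that `password` violates."""
    problems = []
    if not 8 <= len(password) <= 128:
        problems.append("length must be between 8 and 128 characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    ])
    if classes < 3:
        problems.append("needs at least three of: uppercase, lowercase, number, symbol")
    if password.lower() in (account_name.lower(), email.lower()):
        problems.append("must not be identical to the account name or email")
    return problems


# IAM password policy for IAM users (it never applies to root). The keys are the
# parameters of iam.update_account_password_policy(); the values are an assumed
# baseline for this example, stricter than the console defaults.
IAM_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days before rotation is forced
    "PasswordReusePrevention": 24,  # previous passwords remembered
    "HardExpiry": False,            # True locks users out after expiry until an admin resets
}


def check_iam_password(password, policy=IAM_PASSWORD_POLICY):
    """Check a candidate IAM user password against the policy dictionary."""
    problems = []
    if len(password) < policy["MinimumPasswordLength"]:
        problems.append(f"shorter than {policy['MinimumPasswordLength']} characters")
    required = [
        ("RequireUppercaseCharacters", str.isupper, "uppercase letter"),
        ("RequireLowercaseCharacters", str.islower, "lowercase letter"),
        ("RequireNumbers", str.isdigit, "number"),
        ("RequireSymbols", lambda c: not c.isalnum(), "symbol"),
    ]
    for key, test, label in required:
        if policy.get(key) and not any(test(c) for c in password):
            problems.append(f"missing {label}")
    return problems


def apply_iam_password_policy(iam, policy=IAM_PASSWORD_POLICY):
    """Push the policy to the account. `iam` is boto3.client("iam")."""
    return iam.update_account_password_policy(**policy)


if __name__ == "__main__":
    print(check_root_password("password", "alice", "alice@example.com"))
    print(check_iam_password("Correct-Horse-Battery-9"))
```

Applying the policy from a shell is the same call through the CLI: aws iam update-account-password-policy with the matching --minimum-password-length, --require-symbols and related flags.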
Tear down this lab
Please note that the changes you made to the account and root user should remain in place, and have no charges associated with them.
Here are some tips for the potential costs if services are not terminated or stopped.
Notes: When you finish this project, delete the objects in your S3 buckets, release Elastic IP addresses you no longer need (an EIP is billed even when nothing uses it), stop or terminate EC2 instances, and delete volumes that are no longer needed. Leaving resources running cost me about 10 dollars on this project, so check what is still billing before you walk away.
Basic Identity and Access Management User, Group, Role
AWS Identity & Access Management
As a best practice, do not use the AWS account root user for any task where it’s not required. Instead, create a new IAM user for each person that requires administrator access. Then make those users administrators (only if they absolutely need full access to everything) by placing the users into an “Administrators” group to which you attach the AdministratorAccess managed policy.
The following image shows what you will do in the next section, Create Administrator IAM User and Group.
Create Administrator IAM User and Group
Under service drop-down, type in iam
Under IAM service, click users
Click Add user, choose AWS Management Console access and tick User must create a new password at next sign-in (the user is forced to set their own password at first login, so the initial password you hand over is short-lived, which follows AWS security best practice)
Next, create a group and choose AdministratorAccess as policy
With group created, click next tags
Leave tags blank in this case, but tag is a very useful function to help manage users for companies
Review page to check the user you are about to create
Successfully created the user and you may download .csv file
Notes: For security reasons, this is the only time the generated credentials can be downloaded; store the .csv safely and delete it once the user has signed in
Create Administrator IAM Role
Now we’ll move on to IAM role. To create an administrator role for yourself (and other administrators) to be used with the administrator user and group you just created:
Under IAM, choose role
Choose Another AWS account, enter your own account ID and tick Require MFA (this adds an aws:MultiFactorAuthPresent condition to the role’s trust policy, so the role can only be assumed from a session that authenticated with MFA)
Next, select AdministratorAccess as policy
Without tags, move to review page
Type in role name and create role
Role created as shown
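Ticking Require MFA produces a trust policy with a Bool condition on aws:MultiFactorAuthPresent. The following Python is an added example, not the lab's own code: admin_role_trust_policy builds that document (the account ID is a placeholder; the optional aws:MultiFactorAuthAge tightening is my addition and not on the page), and assume_role_allowed is a deliberately small evaluator covering only the operators this policy uses, so you can see why a non-MFA session is refused. It ignores explicit denies, SCPs and the caller's own identity policy, which the real IAM evaluation also consults.

```python
import json


def admin_role_trust_policy(trusted_account_id, require_mfa=True, max_mfa_age_seconds=None):
    """Trust policy the console writes for 'Another AWS account' with 'Require MFA' ticked.

    The account-root principal means any identity in that account may attempt
    sts:AssumeRole, provided its own IAM policy also allows the call."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # The key is absent (not "false") for sessions without MFA; Bool on an absent key fails.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        if max_mfa_age_seconds is not None:
            # Optional tightening not used on the page: reject stale MFA sessions.
            statement["Condition"]["NumericLessThan"] = {
                "aws:MultiFactorAuthAge": str(max_mfa_age_seconds)
            }
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(trust_policy, caller_account_id, request_context):
    """Toy evaluator for this policy shape only: Allow statements with an account-root
    principal and the Bool / NumericLessThan operators. Real IAM also applies explicit
    denies, SCPs and the caller's identity policy."""
    principal = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != principal:
            continue
        condition = stmt.get("Condition", {})
        matched = True
        for key, wanted in condition.get("Bool", {}).items():
            if request_context.get(key, "false").lower() != wanted:
                matched = False
        for key, limit in condition.get("NumericLessThan", {}).items():
            if key not in request_context or not float(request_context[key]) < float(limit):
                matched = False
        if matched:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(admin_role_trust_policy("123456789012"), indent=2))
```

Because the principal is the whole account, the role is only as tight as the identity side: an IAM user with AdministratorAccess already holds sts:AssumeRole, while a restricted CLI user needs an explicit allow for this role's ARN.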
Assume Administrator Role from an IAM user
We will assume the role from the IAM user we created earlier, in the web console. Because that user already has full access, it should not be given access keys for assuming the role on the CLI; for CLI use, create a restricted IAM user (typically allowed nothing beyond sts:AssumeRole on this role) so that the role’s MFA condition is what gates administrative access.
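The CLI path described above is an STS AssumeRole call that carries the MFA device serial and the current code. The following Python is an added example, not the lab's own code: assume_role_with_mfa makes that call with the parameters STS expects and emits the JSON shape that the AWS CLI and SDKs accept from a credential_process. FakeStsClient is a constructed offline stand-in so the example runs without an account; with boto3 installed and the restricted user's keys configured, the __main__ block performs the real call. Role and MFA ARNs are placeholders.

```python
import json
from datetime import datetime, timezone


def assume_role_with_mfa(sts, role_arn, mfa_serial, token_code,
                         session_name="admin-session", duration_seconds=3600):
    """Call STS AssumeRole with the MFA device serial and the current code.

    `sts` is boto3.client("sts") built from the restricted user's access keys.
    Returns the JSON shape the AWS CLI/SDK accept from a credential_process."""
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,      # arn:aws:iam::<account>:mfa/<user> for a virtual device
        TokenCode=token_code,         # the 6-digit code currently shown by the app
        DurationSeconds=duration_seconds,
    )
    creds = response["Credentials"]
    expiration = creds["Expiration"]
    if isinstance(expiration, datetime):
        expiration = expiration.isoformat()
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": expiration,
    }


class FakeStsClient:
    """Constructed offline stand-in with the call shape of boto3's STS client.
    It rejects obviously malformed inputs so the failure path can be exercised."""

    def assume_role(self, **kwargs):
        code = kwargs.get("TokenCode", "")
        if not (code.isdigit() and len(code) == 6):
            raise ValueError("MultiFactorAuthentication failed with invalid TokenCode")
        if not kwargs.get("SerialNumber", "").startswith("arn:aws:iam::"):
            raise ValueError("SerialNumber must be the MFA device ARN")
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEKEYID",
                "SecretAccessKey": "example-secret",
                "SessionToken": "example-session-token",
                "Expiration": datetime(2020, 5, 3, 1, 0, tzinfo=timezone.utc),
            }
        }


if __name__ == "__main__":
    import sys
    import boto3  # real run: the restricted user's keys come from the environment or a profile
    role_arn, mfa_serial, token_code = sys.argv[1:4]
    print(json.dumps(assume_role_with_mfa(boto3.client("sts"), role_arn, mfa_serial, token_code)))
```

The AWS CLI can do the same without a script: a profile in ~/.aws/config with role_arn, source_profile (the restricted user) and mfa_serial makes the CLI prompt for the code and cache the temporary credentials itself.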
Use Administrator Role in Web Console
A role specifies a set of permissions that you can use to access AWS resources that you need. In that sense, it is similar to a user in AWS Identity and Access Management (IAM). A benefit of roles is they allow you to enforce the use of an MFA token to help protect your credentials. When you sign in as a user, you get a specific set of permissions. However, you don’t sign in to a role, but once signed in (as a user) you can switch to a role. This temporarily sets aside your original user permissions and instead gives you the permissions assigned to the role. The role can be in your own account or any other AWS account. By default, your AWS Management Console session lasts for one hour.
Notes: The permissions of your IAM user and any roles that you switch to are not cumulative. Only one set of permissions is active at a time. When you switch to a role, you temporarily give up your user permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.
Logging in as adminuser
Locate switch role under drop-down of this account
Enter the account ID (or alias) and the role name, then choose Switch Role
Notes: The last several roles that you used appear on the menu. The next time you need to switch to one of those roles, you can simply click the role you want. You only need to type the account and role information manually if the role is not displayed on the Identity menu.
To stop using a role, in the IAM console, click your role’s Display Name on the right side of the navigation bar. Click Back to UserName. The role and its permissions are deactivated, and the permissions associated with your IAM user and groups are automatically restored.
Tear down this lab
Please note that the changes you made to the users, groups, and roles have no charges associated with them.
Also, make sure you stop or terminate services as needed; otherwise you may get an unexpected bill from AWS. Tips were given above.
CloudFront with WAF Protection
Launch Instance
Search and find EC2 under service
Under EC2 dashboard, click launch instance
Choose instance type — t2.micro and choose configure instance details
Notes: This is only a lab, so we use a free-tier instance. Outside the lab, choose the instance type according to your workload’s requirements.
Under IAM role, choose Create new IAM role; a new window pops up as shown below
Click create a role and under AWS service, please choose EC2 and choose next permissions
In search bar, please type in S3 and select AmazonS3ReadOnlyAccess as the policy.
Notes: The policy depends entirely on what the role needs to do. Following AWS security best practice, attach no unnecessary policies to a role: users and roles get the minimum permissions needed to operate (least privilege).
No tags provided and proceed with review
Under review page, please provide role name and create role
Confirmation of role created
Go back to the instance creation page and refresh the IAM role list so the new role appears, then select it. Next, under Advanced Details, paste the following script into User data (it runs as root once at first boot; it is written for Amazon Linux with SysV-style service/chkconfig commands, on systemd-based images use systemctl enable --now httpd instead):
#!/bin/bash
# Runs as root at first boot via EC2 user data (Amazon Linux, SysV-style init)
yum update -y
yum install -y httpd
service httpd start
chkconfig httpd on
# Let ec2-user publish content without root: a shared group "www" owns /var/www
groupadd www
usermod -a -G www ec2-user
chown -R root:www /var/www
# setgid (the leading 2) makes new files inherit the www group; dirs 2775, files 0664
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} +
find /var/www -type f -exec chmod 0664 {} +
Under add storage page, keep the default settings, then click add tags
Proceed to configure security group without adding tags
Configure the security group with SSH (port 22) allowed only from My IP and HTTP (port 80) allowed from Anywhere, as shown below. Never open SSH to Anywhere; if your address changes, update the rule instead.
Review instance launch
Launch new instance with a new key pair
Notes: This is the only time the private key can be downloaded, so download it now and keep it in a safe place; it is needed to SSH to the instance.
Confirmation of EC2 being launched
Wait for the instance to go from pending to running; this may take a few minutes
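The security group step above is the one most often got wrong (SSH from Anywhere). The following Python is an added example, not part of the lab: world_open_ports takes a security group in the shape returned by ec2.describe_security_groups() and reports administrative ports reachable from 0.0.0.0/0 or ::/0, handling port ranges and the all-traffic (-1) protocol. Both sample groups are constructed; 203.0.113.7 stands in for My IP and the group IDs are made up. Point it at real output of aws ec2 describe-security-groups to audit an account.

```python
# Constructed security groups in the shape of ec2.describe_security_groups()["SecurityGroups"][i].
# 203.0.113.7 stands in for "My IP"; IDs and names are made up.
LAB_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "lab-web-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# The same group as it would look if "Anywhere" had been picked for SSH, plus an
# all-traffic IPv6 rule: both are findings.
BAD_SECURITY_GROUP = {
    "GroupId": "sg-0fedcba9876543210",
    "GroupName": "oops-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

WORLD = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = (22, 3389)


def world_open_ports(security_group, ports=ADMIN_PORTS):
    """Return (port, cidr) pairs for ingress rules exposing `ports` to the whole internet."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "All traffic": no port fields present
            low, high = 0, 65535
        elif proto in ("tcp", "udp", "6", "17"):
            low, high = perm["FromPort"], perm["ToPort"]
        else:                                  # icmp and others carry no TCP/UDP port
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if cidr not in WORLD:
                continue
            for port in ports:
                if low <= port <= high:
                    findings.append((port, cidr))
    return findings


if __name__ == "__main__":
    for sg in (LAB_SECURITY_GROUP, BAD_SECURITY_GROUP):
        print(sg["GroupName"], world_open_ports(sg) or "ok")
```

Note that HTTP from Anywhere is intentional for this lab, but it also means the origin can be reached without going through CloudFront; that matters in the WAF section later.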
Configure AWS WAF
Now let’s move on to WAF. Using AWS CloudFormation, we are going to deploy a basic example AWS WAF configuration for use with CloudFront.
Type in CloudFormation in search bar under service drop-down
Create stack under CloudFormation page
Configure the stack by choosing Template is ready and Amazon S3 URL. Paste in the URL shown below:
https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Security/Code/waf-global.yaml
Under specify stack details page, provide stack name and leave the rest of options as default. Then go to the bottom of the page to proceed
Under configure stack options, tags are not required and leave the rest of options default. Then go to the bottom of the page and proceed to the next step
Create stack
The stack is being created; it may take more than 5 minutes before the WAF stack is complete
Successfully created CloudFormation as shown by CREATE_COMPLETE on the left side of the page
Configure Amazon CloudFront
After creating WAF using CloudFormation, we now start to configure our CloudFront
In the search bar under the service drop-down, type CloudFront
Under CloudFront dashboard, click create distribution
Under the creation page, choose Web distribution (RTMP distributions served Flash media streaming and are rarely used)
Provide the Origin Domain Name (where to find it is shown in the next step)
Copy the instance’s Public DNS from the EC2 dashboard (highlighted)
Under distribution settings, choose Web ACL we previously created using CloudFormation
CloudFront distributions in progress
It may take up to 10 minutes before CloudFront is deployed
After deployment, open the distribution’s domain name (shown in the CloudFront console, ending in .cloudfront.net) in a browser; the Apache test page should appear as below. Do not test with the origin’s EC2 public DNS name: requests sent there bypass CloudFront and therefore the Web ACL. Because the instance’s security group allows HTTP from anywhere, the origin stays reachable directly; restricting it (for example to CloudFront’s published IP ranges, or to requests carrying a secret custom origin header) is what makes the WAF protection hard to bypass.
Tear down this lab
The following instructions will remove the resources that have a cost for running them. Please note that Security Groups and SSH key will exist. You may remove these also or leave for future use.
Delete the CloudFront distribution:
Choose the distribution we created previously and disable it
Around 15 minutes later, you may see the disabled state is deployed
Now, you may select the distribution and delete it
Below is the confirmation of the distribution deletion
Delete the AWS WAF stack:
Delete CloudFormation WAF that we created previously
The CloudFormation deletion is in progress
After around another 15 minutes, the stack reaches DELETE_COMPLETE status
Automated Deployment of Detective Controls
AWS CloudFormation to configure AWS CloudTrail, AWS Config, and Amazon GuardDuty
Download the latest version of the CloudFormation template here: cloudtrail-config-guardduty.yaml
Under service drop-down, search CloudFormation in search bar
Create a CloudFormation stack
Create stack with Template is ready and Upload a template file, please upload .yaml file provided
File uploaded
Fill in the following parameters:
CloudTrailBucketName: name of the S3 bucket that will receive the CloudTrail logs
ConfigBucketName: name of the S3 bucket that will receive the AWS Config delivery (configuration history and snapshots)
Both bucket names must be globally unique across all of S3
GuardDutyEmailAddress: an email address you can read; it receives a subscription confirmation for the SNS topic that delivers GuardDuty findings, and the findings themselves afterwards
Next
Acknowledge at the bottom of the page that CloudFormation may create IAM resources, then create the stack
After a few minutes, the CloudFormation creation is complete
Upon stack completion, you receive an email from Amazon SNS for the GuardDuty notification topic
Click Confirm subscription in that email; without it the GuardDuty findings are still generated but never delivered to you
Tear down
The following instructions will remove the resources that have a cost for running them.
First, delete the two S3 buckets and their contents, because CloudFormation cannot delete a bucket that still contains objects.
Notes: If you delete the stack before emptying the buckets, the deletion fails at the bucket resources and the stack ends up in DELETE_FAILED; empty the buckets and retry the delete
Delete contents in S3 bucket cloudtrailbucketname
Delete S3 bucket cloudtrailbucketname
Delete contents in S3 bucket configbucketname
Delete S3 bucket configbucketname
Delete CloudFormation in progress
Upon completion, the stack disappears from the CloudFormation list
Conclusion
This project covers four areas of AWS security:
1. New AWS Account Setup and Securing the Root User
2. Basic Identity and Access Management: User, Group, Role
3. CloudFront with WAF Protection
4. Automated Deployment of Detective Controls
First of all, the root user should not be used for day-to-day operation, so an adminuser with AdministratorAccess is created and used instead. Root access keys should never be created. Access keys for other users may be created, but must be downloaded and kept in a safe place at creation, because the secret is shown only once.
Secondly, IAM manages users, groups and roles. Users give individual people or applications an identity; groups let us assign permissions to sets of users; roles are preferred wherever possible because they grant temporary credentials and can require MFA, which follows AWS security best practice.
Thirdly, to demonstrate WAF protection we first launch an instance. The instance is given only the permissions it needs (least privilege). When creating the key pair, download and save the private key at creation, since it cannot be retrieved afterwards.
Lastly, the cloudtrail-config-guardduty.yaml template creates a CloudFormation stack that configures AWS CloudTrail, AWS Config and Amazon GuardDuty. Both CloudTrailBucketName and ConfigBucketName must be supplied and must be globally unique S3 bucket names. GuardDutyEmailAddress receives the finding notifications.
One more thing to add: you are charged for a variety of resources in AWS, such as S3 storage, running EC2 instances and Elastic IP addresses. A CloudFormation stack is free in itself, but the resources it creates, like a CloudFront distribution, keep incurring charges until they are deleted.