Most developers and system admins start with the AWS one-year free tier account.
There have been many hacking incidents involving such accounts that ended up in huge monthly bills (e.g., attackers running Bitcoin miners). This happens for many reasons.
For example, if you accidentally commit your code to a public repository with your AWS access key and secret key in it, an attacker may gain access to your account and launch high-capacity instances for their own computing needs.
This would result in a huge monthly usage bill. However, you can avoid having your account hacked by applying a few security policies and following the AWS security best practices.
This article explains 18 best practices you can follow to use the AWS cloud and build applications on it securely.
18 Ways To Secure your AWS Account
#1: Create an IAM user with only the privileges you require, even if you have root access. Do not use your root account except for billing purposes. Also, make use of AWS ARNs to restrict permissions at a granular level.
#2: Use a strong password of more than 10 characters for your root account.
#3: Enable a strong password policy with password expiration for IAM users.
#4: Enable MFA (Multi-Factor Authentication) for your root account and all IAM user accounts.
#5: Do not create AWS access keys unless needed, and make existing keys inactive when they are not in use.
#6: Never hard-code your access keys in your code, which could end up being committed to a public repository.
#7: Never store your access key and secret key on EC2 instances or in any other cloud storage. If you need to access AWS resources from an EC2 instance, use IAM roles for EC2.
#8: Never allow all ports in the security groups for your instances. Allow only the ports your applications require. While doing POCs, you can use your own public IP as the source rather than 0.0.0.0/0; if you choose "My IP", the console detects your public IP automatically.
#9: While launching instances for testing or POCs, always go through all the configuration settings and don't accept the defaults, especially for security groups.
#10: Make use of VPC NACLs (network ACLs) to provide an additional security layer.
#11: Never send your AWS credentials over email. If you do, change the password as soon as possible.
#12: If you plan to host your website on a Windows server, install a good antivirus.
#13: If you have many instances in a VPC, use a jump server (bastion host) to connect to those machines, or use a virtual VPN appliance such as OpenVPN.
#14: Do not launch instances in the public subnet unless required.
#15: Use NAT instances to patch your private instances rather than attaching an internet gateway to the private subnet.
#16: Set up billing alerts and resource monitoring using CloudWatch and SNS.
#17: Enable the CloudTrail service, which logs all activity in your AWS account, including API requests. You can use CloudWatch in conjunction with CloudTrail to get notified of any suspicious activity (for example, a data transfer of more than 10 GB).
#18: Make use of the AWS Well-Architected Tool, which describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
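To show what "suspicious activity" in #17 can look like in practice, here is the kind of detection logic you could run over CloudTrail records before wiring alerts to CloudWatch and SNS; it flags root logins (#1), logins without MFA (#4), security groups opened to 0.0.0.0/0 (#8) and launches of high-capacity instance types. This is an added example, not the article's own code: the records are constructed samples that follow the CloudTrail event layout, and the "expensive" instance-type prefixes are an assumption you should tune to your own usage.

```python
# Constructed sample CloudTrail records (not real account data); the field layout
# follows the CloudTrail event schema for these event names.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"instanceType": "p3.16xlarge",
                           "instancesSet": {"items": [{"minCount": 8, "maxCount": 8}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "requestParameters": {}},
]
# Instance-type prefixes a free-tier account normally never launches (assumption: tune to your usage).
EXPENSIVE_PREFIXES = ("p", "g", "x", "i3", "r")

def check_event(ev):
    """Return a list of finding strings for one CloudTrail record (empty if benign)."""
    findings = []
    who = ev.get("userIdentity", {})
    actor = who.get("userName") or who.get("type")
    if ev["eventName"] == "ConsoleLogin":
        if who.get("type") == "Root":  # #1: root should only be used for billing
            findings.append(f"root console login from {ev.get('sourceIPAddress')}")
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":  # #4: MFA everywhere
            findings.append(f"console login without MFA by {actor}")
    elif ev["eventName"] == "AuthorizeSecurityGroupIngress":  # #8: no world-open ports
        params = ev.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    findings.append(f"{params.get('groupId')} opened {perm.get('ipProtocol')}/"
                                    f"{perm.get('fromPort')}-{perm.get('toPort')} to 0.0.0.0/0 by {actor}")
    elif ev["eventName"] == "RunInstances":  # #17: sudden high-capacity launches drive the bill
        itype = ev.get("requestParameters", {}).get("instanceType", "")
        if itype.startswith(EXPENSIVE_PREFIXES):
            findings.append(f"{actor} launched expensive instance type {itype}")
    return findings
def scan(events):
    """Run every check over a list of records and collect the findings."""
    return [f for ev in events for f in check_event(ev)]
if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

In a real deployment the same checks would run on records delivered from CloudTrail to CloudWatch Logs, with each finding published to an SNS topic.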
I have listed the preliminary security measures you should take to secure your AWS account.
If you are going to use your AWS account for any production workloads, you should go through all the AWS security whitepapers and follow the AWS Well-Architected Framework.
Let me know in the comments section if there is anything I have missed that would add to the security of your AWS account.