AWS Security: 5 Things You Need to Check Right Now

It might be unrealistic to expect your AWS security to be bullet-proof, but there is still a great deal you can do to make things a whole lot better.

AWS Security and more AWS security. We all know it’s important, but if you’re like me, there always seems to be a nagging doubt in the back of your mind that somewhere, there’s a nasty hole in your infrastructure, and that some hacker is prodding and probing away trying to find it. It sometimes seems that keeping everything 100% secure is a losing battle.
However, I do believe there are a few things that can be easily plugged that can make a big difference.

1. AWS security: delete Root Account Keys

This is something about which AWS is constantly trying to remind us – even I’ve written about AWS best practices before. It’s probably the easiest and most important security move you can make.

What you need to check

Login to your AWS console root account and click on Identity and Access Management. If you see a nice green tick next to the “Delete your root access keys” box…
AWS security - delete root access keys
…Then everything is OK and you don’t need to do anything.
However, if you see this:
AWS Security security status
Do the following:

What you need to do

  1. Click on ‘Manage Security Credentials’.
  2. Click on ‘Access Keys (Access Key ID and Secret Access Key)’.
  3. Delete any Access keys that are still Active like the one below.

AWS Security access key IDs - screen 1
AWS Security access key IDs - screen 2

2. Name everything

I originally left this until the end of the article. However, I realized that it makes a lot more sense having it right here before we remove our unused Security Groups in the next step. This is because having everything correctly named will be easier to actually see which Security Groups should, in fact, be removed.

What you need to check

Go through all your resources and check to see that everything – EC2 Instances, Security Groups, Network Interfaces, Volumes, Snapshots – has a name. Why? Because it will make keeping track of your resources so much easier and make it more likely that you will quickly spot anything being misused.

What you need to do

Give everything a name. More importantly, the name should be related to what the resource’s specific function is. Make sure you do this for all your resources in all regions.

Note: If you want to be even more thorough, then TAG everything. So instead of being restricted to just a name, you can add your own key-value pairs.  

3. Remove unused Security Groups

Now, with everything nicely named or tagged, it’s time to get rid of any unused security groups. Cleaning out your security groups eliminates the risk that a forgotten security group policy will be used to accidentally open an attack surface.

What you need to check

Open your EC2 Console and click on ‘Security Groups.’ You should see a list of all your Security Groups

What you need to do

Go through them carefully and delete any that you are certain aren’t being used or don’t belong to a default security group. If you try to delete a group that is being used, you should see a warning pop-up telling you. In any case, review the policies of all groups to make sure there are no unnecessary holes.

4. Restrict SSH access to your IP only

If you are the only one who connects to your instances via SSH, you should restrict access to sessions originating from your IP only.

What you need to check

  1. Open your EC2 Console and click on ‘Security Groups.’
  2. Click on a Security Group and then select ‘Inbound’ in the bottom window.
  3. If you see any SSH connections with a source of 0.0.0.0/0 like this:

AWS security SSH connections with a source of 0.0.0.0/0
…Do the following:

What you need to do

Click on ‘edit’ and then select the Source for SSH as MY IP, then save it as follows:
AWS Security policy SSH
Repeat for all Security Groups in all regions.

5.  Create individual IAM users (especially for yourself)

Avoid using your AWS root account credentials (ie: your original AWS login) to access AWS.

What you need to check

  1. Open the Identity and Access Management console.
  2. Click on Users.
  3. If you have a user for yourself with administrative privileges, then use that to login to AWS from now on (unless you have a really, really good reason not to).
  4. If you don’t have a user for yourself with administrative privileges, then follow these steps:

What you need to do

  1. Create an IAM user for yourself with administrative privileges, and use that IAM user for all your work.
  2. Follow this guide: Create individual IAM users.

Conclusion

AWS Security can be a little overwhelming at times, but if you make sure you get the easy stuff right from the beginning, then you should find yourself ahead of the game.

Avatar

Written by

Michael Sheehy

I have been UNIX/Linux System Administrator for the past 15 years and am slowly moving those skills into the AWS Cloud arena. I am passionate about AWS and Cloud Technologies and the exciting future that it promises to bring.


Related Posts

Amanda Cross
Amanda Cross
— April 9, 2021

New Content: Platforms, Programming, and DevOps – Something for Everyone

This month our team of expert certification specialists released three new or updated learning paths, 16 courses, 13 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon....

Read more
  • alibaba
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • programming
  • Security
Luca Casartelli
Luca Casartelli
— March 31, 2021

Mastering AWS Organizations Service Control Policies

Service Control Policies (SCPs) are IAM-like policies to manage permissions in AWS Organizations. SCPs restrict the actions allowed for accounts within the organization making each one of them compliant with your guidelines. SCPs are not meant to grant permissions; you should consider ...

Read more
  • AWS
  • Organizations
  • SCP
Amanda Cross
Amanda Cross
— March 12, 2021

New Content: Focus on DevOps and Programming Content this Month

This month our team of expert certification specialists released 12 new or updated learning paths, 15 courses, 25 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon. Ja...

Read more
  • alibaba
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • programming
Amanda Cross
Amanda Cross
— February 12, 2021

New Content: Get Ready for the CISM Cert Exam & Learn About Alibaba, Plus All the AWS, GCP, and Azure Courses You Know You Can Count On

This month our team of intrepid certification specialists released five learning paths, seven courses, 19 hands-on labs, and three lab challenges!  One particularly interesting new learning path is Certified Information Security Manager (CISM) Foundations. After completing this learn...

Read more
  • alibaba
  • AWS
  • Azure
  • cism
  • DevOps
  • Google Cloud Platform
  • programming
Avatar
Cloud Academy Team
— January 31, 2021

Which Certifications Should I Get?

The old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and companies. With all that in mind, the s...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Avatar
Andrew Larkin
— January 31, 2021

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Avatar
Stuart Scott
— January 29, 2021

AWS Certified Solutions Architect Associate: A Study Guide

Want to take a really impactful step in your technical career? Explore the AWS Solutions Architect Associate certificate. Its new version (SAA-C02) was released on March 23, 2020. The AWS Solutions Architect - Associate Certification (or Sol Arch Associate for short) offers some ...

Read more
  • AWS
  • AWS Certifications
  • AWS Certified Solutions Architect Associate
Amanda Cross
Amanda Cross
— January 7, 2021

New Content: AWS Terraform, Java Programming Lab Challenges, Azure DP-900 & DP-300 Certification Exam Prep, Plus Plenty More Amazon, Google, Microsoft, and Big Data Courses

This month our Content Team continues building the catalog of courses for everyone learning about AWS, GCP, and Microsoft Azure. In addition, this month’s updates include several Java programming lab challenges and a couple of courses on big data. In total, we released five new learning...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Avatar
Stuart Scott
— December 17, 2020

Where Should You Be Focusing Your AWS Security Efforts?

Another day, another re:Invent session! This time I listened to Stephen Schmidt’s session, “AWS Security: Where we've been, where we're going.” Amongst covering the highlights of AWS security during 2020, a number of newly added AWS features/services were discussed, including: AWS Audit...

Read more
  • AWS
  • AWS re:Invent
  • cloud security
Joe Nemer
Joe Nemer
— December 4, 2020

AWS re:Invent: 2020 Keynote Top Highlights and More

We’ve gotten through the first five days of the special all-virtual 2020 edition of AWS re:Invent. It’s always a really exciting time for practitioners in the field to see what features and services AWS has cooked up for the year ahead.  This year’s conference is a marathon and not a...

Read more
  • AWS
  • AWS Glue Elastic Views
  • AWS re:Invent
Bryony Harrower
Bryony Harrower
— November 6, 2020

WARNING: Great Cloud Content Ahead

At Cloud Academy, content is at the heart of what we do. We work with the world’s leading cloud and operations teams to develop video courses and learning paths that accelerate teams and drive digital transformation. First and foremost, we listen to our customers’ needs and we stay ahea...

Read more
  • AWS
  • Azure
  • content roadmap
  • GCP
Joe Nemer
Joe Nemer
— October 25, 2020

Excelling in AWS, Azure, and Beyond – How Danut Prisacaru Prepares for the Future

Meet Danut Prisacaru. Danut has been a Software Architect for the past 10 years and has been involved in Software Engineering for 30 years. He’s passionate about software and learning, and jokes that coding is basically the only thing he can do well (!). We think his enthusiasm shines t...

Read more
  • AWS
  • careers
  • champions
  • upskilling