
Top 10 AWS Security Tips: #1 Using IAM To Protect Your Resources

  • Posted on:February 13, 2013
  • Posted in:Cloud
  • Posted by:
    Trend Micro

Over the next several weeks, we will be discussing best practices for securing your Amazon Web Services (AWS) environment. Before we dive into securing your instances, applications and data, we have to start from the top.

As part of the AWS shared responsibility security model, consumers of AWS play a significant role in securing their use of the service. Back in November 2012 at the AWS re:Invent conference, Max Ramsay mapped AWS to the CSIS 20 Critical Security Controls as a framework for further understanding this responsibility shared between AWS and the client (you). Critical Control #12 is the controlled use of administrative privileges, and the responsibility for protection is squarely on you as the user of AWS. Over the next weeks, we’ll be focusing on the critical controls that are your responsibility.

Before virtualization and cloud, administrative privileges typically meant your accounts on the operating system. Now you have a much more powerful set of credentials to manage: access to the AWS console and APIs.

Put Away Your AWS “root” Account and Use Identity and Access Management (IAM) to Enable Access

When you signed up for AWS you were given a username and password. This account has full access to all of your AWS resources and billing information. Don’t share this with anyone! A certain manager I know shared the account with his team and they quickly discovered they could order from Amazon.com on the manager’s credit card!

Keep that account safe and head over to the IAM tab on the console to start defining Groups and Users.

Generally you will need two types of users:

  • People with a username and password to access the AWS console
  • Programs using an Access Key Id and Secret Access Key to access the APIs

In both cases you want to assign the minimal privileges required for users via a Group. AWS helps by providing a number of policy templates. For instance you may want to give operations people “Power User Access” while giving development people “EC2 Full Access”.

For the users you create, you will be given a special URL called the IAM user sign-in link. Provide this URL to the users you create along with their username and password. They won’t be able to use the main sign-in link.

The principle of least privilege is also important for users you create to grant programs access to the AWS APIs. If you are developing an application that ships data from your datacenter to S3 you may want to only enable S3 “Put” operations in a custom policy using the policy generator tool. That way if that key is compromised your damage is very limited.
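An added example, not part of the original post: a small Python check that a policy attached to an upload-only access key really is limited to object uploads into one bucket. The bucket name, the choice of `s3:PutObject` as the only action the shipper needs, and the `audit` helper are assumptions made for illustration.

```python
import json

# Constructed sample policies; the bucket name is a placeholder.
UPLOAD_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-datacenter-uploads/*"
  }]
}""")

TOO_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:Put*", "s3:GetObject"],
    "Resource": "*"
  }]
}""")

ALLOWED_ACTIONS = {"s3:putobject"}  # assumption: the shipper only uploads objects
RESOURCE_PREFIX = "arn:aws:s3:::example-datacenter-uploads/"


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit(policy, allowed_actions=ALLOWED_ACTIONS, prefix=RESOURCE_PREFIX):
    """Return (statement index, reason) for every grant beyond the intended scope."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        for action in as_list(stmt.get("Action", [])):
            # Action names are case-insensitive; wildcards such as s3:Put* also
            # match bucket-level actions like s3:PutBucketPolicy, so reject them.
            if action.lower() not in allowed_actions:
                findings.append((i, f"action {action} is outside the allowed set"))
        for resource in as_list(stmt.get("Resource", [])):
            if not resource.startswith(prefix):
                findings.append((i, f"resource {resource} is outside the bucket"))
    return findings


if __name__ == "__main__":
    for name, doc in (("upload-only", UPLOAD_ONLY), ("too-broad", TOO_BROAD)):
        print(name, audit(doc) or "OK")
```

The prefix check requires the trailing `/` after the bucket name, so a resource such as `arn:aws:s3:::example-datacenter-uploads*`, which would also match other buckets sharing that name prefix, is reported.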

Creating specific users will help you control permissions for the people and programs accessing AWS, and allow you to individually revoke access when needed. For example, if you give an access key to a third-party program or service, it is much easier to revoke it when it is a properly named user account.

For more on using IAM, see AWS IAM Best Practices.

Proper control of access to AWS is the first step. Later we will discuss other aspects of controlled use of administrative privileges including adding Multi-Factor authentication, AWS Roles, and controlling administrative access to the Operating System.

Any tips for managing access in AWS – share them in the comments! And if you’re interested in securing your EC2 or VPC instances check out our new Deep Security as a Service for cloud servers, currently in free Beta.
