I work as a Senior Cloud Analyst on Mission’s Cloud Optimization team. I frequently talk with customers about ensuring the integrity of the root user of their AWS accounts and unfortunately, the basics aren’t always known or understood. There are 3 things that we focus on: the root user email address, multi-factor authentication and API access. Let’s start at the top. I can’t stress enough how important it is to ensure that the root user email address is in a company owned domain name. AWS recognizes the owner of an account by the root user email address. In other words, when one of your developers first signed up for that original AWS account and used their personal GMail account, that email address has unrestricted access to the account. The good news is that it can be changed. That said, it needs to be changed before it’s too late. If the user who owns that email address leaves your company for some reason, they can do whatever they want to that account and you’ll have virtually no recourse for it. Recovering the root email account after the fact can be done, but it requires a sworn affidavit and can take 6 weeks or longer to complete. This process is done directly with AWS and even as a Premier Partner, Mission can’t help to speed this up. I can assure you that when you need this, you certainly don’t want to wait that long to get access to it. Mission strongly encourages you to to create a unique distribution group to be used for the root account email address of each account. As AWS issues service disruption notifications, retirement notices and other critical messaging, they typically only go to the root email address. If that address belongs to an individual user, only one person is going to get that notification. By using a distribution group, you eliminate that single point of failure and make sure that those notifications are distributed to a team.  Second on the list is to make sure that multi-factor authentication (MFA) is enabled on the root account. This is one of those things that has become commonplace in the world of technology, but adoption is much slower than it should be. Multi-factor authentication is a lot easier than people think, especially given the tools available to maintain those MFA tokens. The most commonly used MFA device/tool that we see is Google Authenticator but that certainly has some limitations. First of all, it’s going to restrict you to a single device being able to be used, which can be problematic in the event your mobile phone that holds that token is lost, stolen, or broken The alternative here is to use a password management application that can also hold your MFA tokens for you. This would allow you to share them with a select group of people in your organization and protect you in the event that someone leaves the company. Finally, we get to the API keys on the root user account. As the root user has unrestricted access to your account, it’s possible to terminate anything inside the account, up to and including the account itself. If the API keys for the root user were to get into the wrong hands, the resources in your account can be programmatically deleted in a very short period of time. If you currently have API keys in use on the root user, I can’t urge you enough to determine who is using them and move that functionality over to an IAM user or IAM role with permissions restricted to only allow the tasks needed to be completed. In summary, we strongly recommend that you do the following:
And if you’re feeling extra adventurous, don’t forget to set the account security questions inside your AWS account so that you can have an easier time recovering the account in the event that something goes wrong! Make sure that you’re not using the root user on a daily basis, but rather an IAM user account with the appropriate permission set applied. Supporting Documentation: https://aws.amazon.com/blogs/security/getting-started-follow-security-best-practices-as-you-configure-your-aws-resources/ https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html Learn how to navigate the AWS Shared Responsibility Model in order to build on the cloud with the utmost confidence, clarity, flexibility and control. Keeping your Amazon account secure is a major concern for every AWS user and admin. Here are the top five AWS root user account best practices every organization should follow:
Let’s break these down one by one. Credentials for the AWS root account should be shared only with a select group of individuals on the IT team. Don’t share the AWS root account with the CEO, or with an auditor or compliance officer. Only as small number of individuals should know where the root credentials are stored. Create rules about how to access that credential, and what steps to follow when the root account password is updated. If you must assign elevated rights to a user temporarily, create a time-boxed role for that individual. But never share AWS root account credentials. Another AWS root account best practice is to delete any programmatic access keys associated with the root user. If a PEM file or DER certificate exists for the root account, that doubles the root account’s attack surface. Delete those keys immediately. In rare instances, an administrator might perform an administrative function as a root user. There are no reasons why a piece of software should programmatically log in as root with user’s access keys. By default, AWS accounts are only protected by a username and password. The best practice here is to enable MFA. With a password, you prove who you are with a piece of information that only you know. MFA ups the ante by requiring not only what you know but also what you have. In addition to a password the user must also provide a token or code, generated on a device that is not the device on which the user is attempting to log in as the AWS root. Many Gmail or Facebook users are familiar with using SMS messages with MFA. AWS is much stricter — an SMS message to a mobile device is not a valid MFA option. For AWS, the only valid MFA options are:
Securing access to the root AWS account is a crucial best practice. If your organization uses any of the devices listed above, include them in an MFA routine.
MFA is a commonly accepted best practice for root AWS account security. There is no default password rotation for the AWS root account. Once the AWS root password is set, there are no rules that require regular password updates. However, admins can easily create a setup to regularly rotate passwords by updating the password policy attached to the account. A general AWS root user best practice is to set the password rotation period to at least 90 days. For even more security, set it to 60 days. For day-to-day administration of the AWS console, create an administrative group and add trusted users who need elevated rights. The root AWS account can never be deleted, and the rights associated with the root account cannot be revoked. Admins can, however, remove a user from the administrative group or suspend a user’s account altogether. Furthermore, with administrative access provisioned on a per-account basis, admins can monitor the actions of a specific user to identify any peculiar activity that warrant investigation. If the root account is shared by multiple users, there is no way to identify which user performed which administrative tasks. A core tenet of server-side security is to respect the principle of least privilege.
An AWS root account best practice is to always respect the principle of least privilege. An admin should assign to users only the minimal rights to perform their required tasks. Furthermore, don’t add users to the administrative group every time they perform a one-off administrative function — use AWS roles instead. Also, regularly monitor exactly who is included in your account’s administrative group. If a user moves on to a non-administrative role, do not allow that user to perform management functions in AWS. Follow these AWS root account best practices, and you’ll ensure that nefarious cyber-criminals never gain access to your cloud-computing credentials. |
Which of the following are recommended security best practices for the AWS account root user?
Postagens relacionadas
direito autoral © 2024 estudarpara Inc.
