How to Secure AWS Account: Best Practices and Steps
To secure your AWS account, enable Multi-Factor Authentication (MFA) on the root user, use IAM roles and policies with least privilege, and monitor activity with AWS CloudTrail. Regularly rotate credentials and avoid using root credentials for daily tasks.
Syntax
Here are key AWS security configurations and their usage:
- MFA Setup: Adds a second verification step to your root or IAM user login.
- IAM Roles and Policies: Define permissions for users and services with least privilege.
- CloudTrail: Tracks and logs all API calls for auditing.
- Credential Rotation: Regularly change access keys and passwords.
```bash
# Create a virtual MFA device and save its QR code (--bootstrap-method is required by the CLI)
aws iam create-virtual-mfa-device --virtual-mfa-device-name MyMFADevice \
    --outfile QRCode.png --bootstrap-method QRCodePNG
# Activate the device for IAM user Alice using two consecutive codes from the authenticator app
aws iam enable-mfa-device --user-name Alice \
    --serial-number arn:aws:iam::123456789012:mfa/MyMFADevice \
    --authentication-code1 123456 --authentication-code2 789012
# Create a least-privilege customer managed policy (read-only access to S3 objects)
aws iam create-policy --policy-name ReadOnlyPolicy \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:Get*","Resource":"*"}]}'
# Create a trail that delivers logs to an existing S3 bucket, then start logging
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-trail-bucket
aws cloudtrail start-logging --name MyTrail
```
Output
Virtual MFA device created and QR code saved as QRCode.png
MFA device enabled for user Alice
Policy ReadOnlyPolicy created
Trail MyTrail created and logging started
Example
This example shows how to enable MFA for the root user, create a read-only IAM policy, and start CloudTrail logging using AWS CLI commands.
```bash
# Create the virtual MFA device and save its QR code (--bootstrap-method is required by the CLI)
aws iam create-virtual-mfa-device --virtual-mfa-device-name RootMFA \
    --outfile root-mfa.png --bootstrap-method QRCodePNG
# Note: the root user is not an IAM user, so its MFA device is enrolled from the IAM console
# (Security credentials page); for an IAM user, substitute that user's name for "root" below.
aws iam enable-mfa-device --user-name root \
    --serial-number arn:aws:iam::123456789012:mfa/RootMFA \
    --authentication-code1 123456 --authentication-code2 789012
# Create a read-only customer managed policy for S3
aws iam create-policy --policy-name ReadOnlyAccess \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:Get*","Resource":"*"}]}'
# Create the account trail and start logging
aws cloudtrail create-trail --name AccountTrail --s3-bucket-name my-account-trail-bucket
aws cloudtrail start-logging --name AccountTrail
```
Output
Virtual MFA device created and QR code saved as root-mfa.png
MFA device enabled for root user
Policy ReadOnlyAccess created
Trail AccountTrail created and logging started
Common Pitfalls
Common mistakes when securing AWS accounts include:
- Not enabling MFA on the root account, leaving it vulnerable.
- Using root credentials for daily tasks instead of IAM users.
- Granting overly broad permissions instead of least privilege.
- Not monitoring account activity with CloudTrail.
- Failing to rotate access keys regularly.
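The first three pitfalls can be checked mechanically. The script below is an added example (not part of the original page) that audits constructed CloudTrail records for root-user activity and console logins without MFA, and inspects a policy document for wildcard grants; the sample records, the `BROAD_POLICY` document and all function names are assumptions made for this example.

```python
import json

# Constructed sample CloudTrail records (not real log data); field names follow
# CloudTrail's record schema, the values are made up for this example.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}},
]

# Constructed policy with the overly broad grant the pitfalls list warns about.
BROAD_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
# The read-only policy from the page's own example, for comparison.
READONLY_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:Get*","Resource":"*"}]}'


def audit_records(records):
    """Flag root-user API activity and console logins made without MFA."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", who, rec["eventName"]))
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec.get("eventName") == "ConsoleLogin" and mfa == "No":
            findings.append(("LOGIN_WITHOUT_MFA", who, rec["eventName"]))
    return findings


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings
    return [value] if isinstance(value, str) else list(value or [])


def overly_broad_statements(policy_document):
    """Return Allow statements pairing a full or service-wide wildcard action with Resource "*"."""
    doc = json.loads(policy_document)
    stmts = doc["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    broad = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            broad.append(stmt)
    return broad
```

Run it on the gzip-decompressed `Records` array of a real trail delivery to get the same findings for your own account.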
```bash
# Wrong: running day-to-day commands with root credentials
aws s3 ls

# Right: configure an IAM user with limited permissions and use it instead
# (keys shown as placeholders; never paste real keys into scripts or shell history)
aws configure set aws_access_key_id <IAM_ACCESS_KEY>
aws configure set aws_secret_access_key <IAM_SECRET_KEY>
aws s3 ls
```
Quick Reference
- Enable MFA: Protect root and IAM users with MFA.
- Use IAM Roles: Assign least privilege permissions.
- Monitor with CloudTrail: Track all API activity.
- Rotate Credentials: Change keys and passwords regularly.
- Limit Root Usage: Avoid using root account for daily operations.
Key Takeaways
- Always enable Multi-Factor Authentication (MFA) on your AWS root and IAM users.
- Use IAM roles and policies with least privilege to control access.
- Monitor all account activity using AWS CloudTrail for auditing.
- Avoid using root credentials for everyday tasks; create IAM users instead.
- Regularly rotate access keys and passwords to reduce risk.