
5 Security Tips for your AWS Account

Mar 25, 2020

By AJ Yawn, CISSP

Amazon Web Services (AWS) is the industry-leading cloud service provider by any metric you can find with a quick Google search. The shared responsibility model is generally understood by individuals managing production workloads hosted on AWS, and *most* auditors understand how it impacts a SOC 2 or other compliance assessment (if your auditor asks you about the physical security of an AWS data center, close your laptop, leave the conference room and run away really fast!). AWS has developed several services and features to help manage the security of an organization's AWS account and resources. These services, when used effectively, can reduce evidence requirements, reduce or eliminate the risk of auditor findings, and most importantly secure your AWS account. These basic security configurations should be implemented for every organization hosted on AWS regardless of organizational maturity, industry or type. Following the recommendations below will also reduce the evidence and documentation required for your SOC 2 audit: auditors can leverage the reports, configuration screenshots, IAM policies, etc. to satisfy several controls, reducing the operational disruption to your organization and the time it takes to achieve compliance. The recommendations below will result in a more secure AWS account and resources, reduce the time (and hopefully cost) of your SOC 2 examination, and allow you to include some unique security controls in your SOC 2 report to differentiate yourself from your competitors.

The Basics
Secure your root account.

The root account on your AWS account has unlimited access to perform unlimited functions within your AWS account. There are very few functions that require you to use your root account; familiarize yourself with these tasks. Securing and minimizing the use of this account is vital to securing your AWS account and resources. Your auditor will (should) ask you to prove that you have secured that account. Here are a few recommendations to secure your root account:

  • If you haven’t already, create an IAM user with administrative access and stop using your root account.
  • Enable MFA on the AWS account root user
  • Delete the root account access keys
  • Change the password and store it in a password vault with limited access
  • Enable AWS CloudTrail and configure alerts to notify administrators when the root account is utilized
  • Add custom controls to your SOC 2 report to differentiate yourself from your competitors.

Utilize AWS Trusted Advisor
AWS Trusted Advisor provides real-time insight into your AWS account and resources to help ensure you are following AWS best practices. This insight includes many security checks that highlight critical security risks, and these checks should be monitored regularly.

  • Ensure AWS Trusted Advisor is enabled
  • Configure weekly updated results emails for Trusted Advisor checks
  • Review Trusted Advisor checks for accuracy and implement changes to correct any identified issues (e.g. Trusted Advisor checks whether MFA is enabled on your root account)
  • Provide Trusted Advisor security reports to your SOC 2 auditors to reduce evidence requirements by 25%
  • Add custom controls to your SOC 2 report to differentiate yourself from your competitors.

Identity & Access Management (IAM) Credential Report
The IAM credential report is a great resource for viewing the status of all users within your account, including the status of MFA configurations, passwords, and access key rotation. This report is a treasure trove of information for a SOC 2 auditor. The days of capturing an obscene number of screenshots of your IAM users are long gone.

  • Review the IAM credential report on a regular (at least quarterly) basis and document the results of your review
  • Provide the IAM Credential Report to your SOC 2 auditors to reduce evidence requirements by at least 10%
  • Implement changes to correct any identified issues (e.g. a user who has not rotated their access keys in 2 years)
  • Add custom controls to your SOC 2 report to differentiate yourself from your competitors.

Implement Force MFA
The theme of the annual RSA conference this year was Human Element. Humans will always be an integral aspect of a cybersecurity program, despite the advancements we have made in technology. However, humans oftentimes make mistakes. Configuring MFA on AWS is simple for each user; however, disabling MFA is also fairly simple for each user. This human aspect of removing MFA has caused significant findings in compliance assessments I have performed for some of the largest companies in the world. Implementing a “Force MFA” IAM policy will help eliminate this risk of humans being human. This IAM policy requires users to set up and maintain their own MFA devices and prevents them from accessing any AWS resources until they authenticate with MFA. Essentially, users can only enable MFA when their account is created and cannot access any other resources within AWS until MFA is enabled and utilized.

  • Configure the Force MFA policy according to AWS recommendations
  • Enable AWS CloudTrail and configure alerts to notify administrators when MFA is disabled for any user
  • Add custom controls to your SOC 2 report to differentiate yourself from your competitors.
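An added example of a “Force MFA” identity policy, modeled on the pattern AWS documents for letting users manage their own MFA device (this is not the post's own policy, and it deliberately goes one step beyond the AWS example by not granting users `iam:DeactivateMFADevice`, so only an administrator can remove a device). The final statement denies everything except the enrolment calls whenever the request carries no MFA context; `BoolIfExists` makes that deny also apply to long-term access key requests, where the `aws:MultiFactorAuthPresent` key is absent.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowEnrolOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptEnrolmentIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

Attach it as a customer managed policy to a group that every human IAM user belongs to; the other permissions those users hold stay in their own policies, and the explicit deny above overrides them until an MFA-authenticated session is in use.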

CloudTrail
AWS CloudTrail allows you to audit, continuously monitor, and assess account activity taken through the AWS Management Console, AWS SDKs, command-line tools, and other services. This tool is valuable for audits but also for ongoing event-driven security. Enabling AWS CloudTrail is a minimum security requirement but these additional recommendations should also be considered:
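As an added example (not code from the original post), the following Python implements the two CloudTrail alerts recommended above, root-account usage and MFA removal, as detection logic over a batch of CloudTrail records. The records are constructed for this example with placeholder account ids and user names, and the root check uses the same exclusions as the CIS AWS Foundations Benchmark metric filter so that service-invoked calls do not page anyone.

```python
from typing import Dict, List, Optional

# Constructed CloudTrail records for this example; account id and names are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2020-03-25T10:00:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2020-03-25T10:02:00Z", "eventType": "AwsApiCall",
     "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Service-initiated call on behalf of root: invokedBy is set, so it is not alerted.
    {"eventTime": "2020-03-25T10:03:00Z", "eventType": "AwsApiCall",
     "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventTime": "2020-03-25T10:07:00Z", "eventType": "AwsApiCall",
     "eventName": "DeactivateMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "serialNumber": "arn:aws:iam::123456789012:mfa/bob"}},
    {"eventTime": "2020-03-25T10:09:00Z", "eventType": "AwsApiCall",
     "eventName": "DeleteVirtualMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/bob"}},
]

MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


def classify(event: Dict) -> Optional[Dict]:
    """Return an alert record for a root-usage or MFA-removal event, else None."""
    ident = event.get("userIdentity", {})
    # Root usage, with the CIS Benchmark exclusions: ignore calls a service made
    # on root's behalf (invokedBy present) and AwsServiceEvent records.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent"):
        return {"rule": "root-account-used", "time": event["eventTime"],
                "user": "root", "event": event["eventName"]}
    if event.get("eventName") in MFA_REMOVAL_EVENTS:
        params = event.get("requestParameters", {})
        # DeleteVirtualMFADevice carries only the serial number; fall back to the caller.
        user = params.get("userName") or ident.get("userName", "unknown")
        return {"rule": "mfa-disabled", "time": event["eventTime"],
                "user": user, "event": event["eventName"]}
    return None


def detect_alerts(events: List[Dict]) -> List[Dict]:
    """Run classify() over a batch of records, e.g. one CloudTrail log file's Records list."""
    return [alert for alert in (classify(e) for e in events) if alert]
```

In production the same two rules map directly onto CloudWatch Logs metric filters or EventBridge rules on the CloudTrail log group, with an SNS topic as the notification target.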

Conclusion
The recommendations listed above describe how you can utilize native services within your AWS account to secure your resources and reduce audit fatigue during a SOC 2 examination. Leveraging these strategies is table stakes when operating a production environment on AWS. AWS makes it easy for administrators to implement these strategies and use them to give auditors less, but technically accurate, evidence that provides deeper assurance regarding the compliance of your account and resources.