AWS Security Best Practices

The document discusses security best practices for AWS infrastructure, including enforcing identity and access management security settings, rotating AWS access keys regularly, not committing AWS access keys or credentials to source code, and keeping security groups configured minimally.

Uploaded by Santiago Muñoz
© All Rights Reserved

AWS Security Best Practices

You use AWS. It's secure out of the box, but introducing security issues through misconfiguration is easy. This checklist will help guide you to potential security issues exposed by your AWS configuration, and will help you to tighten up the security of your AWS infrastructure.

The purpose of this article is to remind you of the most urgent security measures that should be taken on your AWS infrastructure. It is by no means exhaustive, and it should be adapted to your specific business use cases.

Enforce security settings for Identity and Access Management (IAM) accounts

The AWS IAM accounts are the most important part of your AWS setup, as they are where configuring the whole platform starts. Take these steps to secure them:

Use multi-factor authentication to protect your users against password theft.

Enable a strong password policy (the AWS IAM documentation is a good source of information on this). Here is our recommended account password policy:

    $ aws iam get-account-password-policy
    {
        "PasswordPolicy": {
            "RequireUppercaseCharacters": true,
            "MinimumPasswordLength": 10,
            "RequireSymbols": true,
            "RequireNumbers": true,
            "HardExpiry": false,
            "RequireLowercaseCharacters": true,
            "AllowUsersToChangePassword": true,
            "ExpirePasswords": false
        }
    }

The credential report can also provide you with additional access information related to each user. The report provides you with valuable information regarding your users, such as MFA status (also known as 2FA or two-factor authentication) and the last usage date of access keys. Two steps are necessary: first the report generation…

    $ aws iam generate-credential-report
    { "State": "COMPLETE" }

…then the report retrieval (base64 -D is the macOS flag; GNU coreutils uses base64 -d):

    $ aws iam get-credential-report | jq '.Content' -r | base64 -D
    user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
    <root_account>,arn:aws:iam::12345:root,2015-08-03T12:09:08+00:00,not_supported,2016-06-23T11:56:59+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A

Parsing this CSV file is easy using e.g. Google Sheets, Numbers, or Excel. You can as well use the "Credential Report" tool from IAM in order to download the same CSV report. This exhaustive list will allow you to warn non-conforming users with a strict deadline.

Rotate your AWS keys

In a typical production environment, AWS keys get spread across various services, which have various privilege needs. Many employees will have access to multiple keys — DevOps will have access to most keys, DBAs will have access to the database keys, the backend team to the log keys…

It is often necessary to renew these keys (e.g. when someone leaves a team). This procedure should be straightforward and risk-free, so that you can do it frequently, and more importantly, in urgent situations.

You can list the active access keys for a given user in this way:

    $ aws iam list-access-keys --user-name Elliot --query 'AccessKeyMetadata[?Status==`Active`]'
    {
        "AccessKeyMetadata": [
            {
                "CreateDate": "2015-10-12T16:52:19Z",
                "UserName": "Elliot",
                "Status": "Active",
                "AccessKeyId": "AKXXXXXXXXXXXX"
            },
            {
                "CreateDate": "2016-12-06T19:17:25Z",
                "UserName": "Elliot",
                "Status": "Active",
                "AccessKeyId": "AKZZZZZZZZZZZZZZZZ"
            }
        ]
    }
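The credential-report review described in the IAM section above, done offline in Python rather than in a spreadsheet, as an added example that is not part of the original guide. It reads the decoded CSV (the guide's header and root row, plus two constructed users, elliot and darlene, whose dates are made up) and flags the conditions the guide cares about: console users without MFA, active access keys not rotated within a chosen number of days, and any active root access key. The 90-day rotation threshold and the reference date SAMPLE_NOW are assumptions.

```python
"""Audit an IAM credential report (the CSV produced by
`aws iam get-credential-report`, once base64-decoded).
Added example for this guide; not Sqreen's code. Reads a string,
so it runs offline against the sample below or a saved report."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the guide's header and root row, plus two made-up users.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::12345:root,2015-08-03T12:09:08+00:00,not_supported,2016-06-23T11:56:59+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
elliot,arn:aws:iam::12345:user/elliot,2015-10-12T16:52:19+00:00,true,2017-06-14T09:00:00+00:00,2016-01-01T00:00:00+00:00,N/A,false,true,2015-10-12T16:52:19+00:00,2017-06-14T09:00:00+00:00,eu-west-1,ec2,true,2016-12-06T19:17:25+00:00,N/A,N/A,N/A,false,N/A,false,N/A
darlene,arn:aws:iam::12345:user/darlene,2017-05-01T08:00:00+00:00,true,2017-06-15T10:00:00+00:00,2017-05-01T08:00:00+00:00,N/A,true,true,2017-05-01T08:00:00+00:00,2017-06-15T10:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed "today" for the sample, so that key ages are deterministic.
SAMPLE_NOW = datetime(2017, 6, 16, tzinfo=timezone.utc)


def _parse_time(value):
    """Parse the report's ISO-8601 timestamps; placeholders become None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of (user, finding) tuples for non-conforming entries."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and no access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled but MFA is off"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```

Run against a real report by reading the decoded CSV into a string and passing datetime.now(timezone.utc) as now; the threshold is a policy choice, so it is a parameter rather than a constant.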
This will help you distinguish which keys are used, and which are not. Keeping your set of keys as reduced as possible will help you manage these critical secrets!

Do not commit AWS access keys or credentials

AWS access keys are meant to be used by your infrastructure and/or your code. Do not commit them into your source code. Doing so would make them available to a lot of third parties, such as contractors or continuous integration tools. It will also make them very difficult to change. A good way to approach this is to use environment variables. It would also allow you to easily run your code in a non-production environment. These ideas are described in The Twelve-Factor App.

You can use a script to list all of the access keys configured in your AWS account and look for them in your applications' code.

    $ aws iam list-access-keys --user-name Elliot --query 'AccessKeyMetadata[].AccessKeyId'
    [ "AKXXXXXXXXXXXX", "AKZZZZZZZZZZZZZZZZ" ]

You can save these key IDs for searching in your source code.

    $ aws iam list-access-keys --user-name Elliot --query 'AccessKeyMetadata[].AccessKeyId' | jq -r '.[]' > my-keys.txt
    $ grep -f my-keys.txt -r source_code1 source_code2 …

All found keys should rather be read from the environment. This requires updating your deploy process and maybe your infrastructure. Once the new deploy mechanism is working, make sure your source code does not keep any hard-coded keys. Then, all the keys need to be rotated: generate new ones, and replace the old with the new ones.

AWS offers Parameter Store for this purpose. Otherwise, systems to store secrets can vary from environment variables in your Jenkins, to dedicated servers such as Vault.

Keep your security groups minimal

By default, any AWS element has an empty security policy, meaning that nothing is allowed to access it. You should only give access to the IPs and ports that are really needed for the service, and block all the rest.

You can list the security groups that do not limit IP addresses connecting to them using this script:

    sgs=$(aws ec2 describe-security-groups --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].[GroupId,GroupName]" --output text)
    while read -r line; do
        sgid=$(echo "$line" | awk '{print $1;}')
        sgname=$(echo "$line" | awk '{print $2;}')
        c=$(aws ec2 describe-network-interfaces --filters "Name=group-id,Values=$sgid" --query "length(NetworkInterfaces)" --output text)
        echo "$sgid,$c,$sgname"
    done <<< "$sgs"

The result will look like this: group id, number of assignations, group name:

    sg-7xxxxx,11,https_everywhere
    sg-7xxxxx,2,http_everywhere
    sg-7xxxxx,0,demo

If the number of assignations is > 0, then this group is used. If its name does not explicitly state that it is meant to be public, you should check it: EC2 -> Network & Security -> Security Groups, and make sure this group is legitimate.

In this example, https_everywhere and http_everywhere are legitimate: they are operating load balancers.

Use a private VPC

AWS makes it very easy to configure the networks. To make the most of it, your VPC should be private, and all the instances in your VPC should have an internal IP address. It means your machines will have private IP addresses, preventing by default connections to the internet and from being accessible from the Internet.

If external internet access is required on your machines, they should use an AWS NAT gateway as their only way to access the Internet.

If you need to grant public access to these machines from the outside, use an Elastic Load Balancer, or an Application Load Balancer. They are the AWS dedicated elements that allow you to easily operate and scale public accesses.

For internal access (e.g. a microservice), it is better to create an internal Load Balancer (that will be restricted to your VPC) in order to decouple the network configuration of this specific machine from the configuration of its clients.

The following command will display the list of public IP addresses that are used amongst your EC2 instances. If your instances are using internal IP addresses, only your NAT gateway should appear here.

    $ aws ec2 describe-instances --query "Reservations[*].Instances[*].{ip:PublicIpAddress,id:InstanceId}"
    [
        [
            {
                "ip": "34.xx.xx.xx",
                "id": "i-yyyyyyyyyyy"
            }
        ]
    ]
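The security-group review from the "Keep your security groups minimal" section, re-done offline in Python as an added example (not part of the original guide). Instead of calling the CLI in a loop, it consumes JSON saved from aws ec2 describe-security-groups and aws ec2 describe-network-interfaces, and produces the same "group id, assignations, group name" rows, plus the ports each group opens to the world. It goes beyond the guide's script in two ways: it also catches IPv6 rules open to ::/0 (the guide's ip-permission.cidr filter only matches IPv4), and it marks for review any group that is unused or opens a port other than the ones a public load balancer is expected to serve. The group ids, names and interface ids in the sample are constructed, and the 80/443 expectation is an assumption.

```python
"""Offline check for security groups with an ingress rule open to the
whole internet, and how many network interfaces use each of them.
Added example for this guide; not Sqreen's code."""
import json

# Constructed sample output (shape follows the AWS CLI; all ids are made up).
SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-7aaaaaa", "GroupName": "https_everywhere",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-7bbbbbb", "GroupName": "demo",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-7ccccccc", "GroupName": "db_internal",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-7ddddddd", "GroupName": "ipv6_ssh",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})
SAMPLE_INTERFACES = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-7aaaaaa"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-7aaaaaa"}]},
    {"NetworkInterfaceId": "eni-3", "Groups": [{"GroupId": "sg-7ccccccc"}]},
    {"NetworkInterfaceId": "eni-4", "Groups": [{"GroupId": "sg-7ddddddd"},
                                                {"GroupId": "sg-7ccccccc"}]},
]})

WORLD = {"0.0.0.0/0", "::/0"}


def world_open_rules(group):
    """(protocol, from_port, to_port) for each ingress rule whose source is
    the whole internet, over IPv4 or IPv6."""
    rules = []
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & WORLD:
            # Protocol "-1" means all protocols; the CLI then omits the ports.
            rules.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return rules


def attachment_counts(interfaces_json):
    """Map group id -> number of network interfaces referencing it
    (the per-group describe-network-interfaces count from the guide)."""
    counts = {}
    for eni in json.loads(interfaces_json)["NetworkInterfaces"]:
        for g in eni.get("Groups", []):
            counts[g["GroupId"]] = counts.get(g["GroupId"], 0) + 1
    return counts


def report_world_open_groups(groups_json, interfaces_json, expected_ports=(80, 443)):
    """One row per world-open group, in the guide's order (id, assignations,
    name), plus the open ports and a review flag for an unused group or a
    port other than the expected public ones (assumed 80 and 443)."""
    counts = attachment_counts(interfaces_json)
    rows = []
    for group in json.loads(groups_json)["SecurityGroups"]:
        rules = world_open_rules(group)
        if not rules:
            continue
        count = counts.get(group["GroupId"], 0)
        # None (all ports) sorts first and always counts as unexpected.
        ports = sorted({r[1] for r in rules}, key=lambda p: -1 if p is None else p)
        review = count == 0 or any(p not in expected_ports for p in ports)
        rows.append({"group_id": group["GroupId"], "assignations": count,
                     "group_name": group["GroupName"], "ports": ports,
                     "review": review})
    return rows


if __name__ == "__main__":
    for row in report_world_open_groups(SAMPLE_SECURITY_GROUPS, SAMPLE_INTERFACES):
        flag = "  <- review" if row["review"] else ""
        print(f'{row["group_id"]},{row["assignations"]},{row["group_name"]} '
              f'ports={row["ports"]}{flag}')
```

For a real account, save the two CLI outputs to files (aws ec2 describe-security-groups > sgs.json, aws ec2 describe-network-interfaces > enis.json) and pass their contents in; an attachment count of 0 on a world-open group is the "demo" case from the guide, which should simply be deleted.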
You can now restrict this list to only display public IP addresses, along with the associated EC2 instance ID:

    $ aws ec2 describe-instances --query "Reservations[*].Instances[*].{ip:PublicIpAddress,id:InstanceId}" | jq -c '.[]|.[]|select(.ip)'
    {"ip":"1.2.3.4","id":"i-xxxxx"}
    {"ip":"2.3.4.5","id":"i-yyyyy"}

All of the displayed machines will have a public IP address. If you do not publicly expose these machines (but rather rely e.g. on a load balancer), there is no reason to have this. If one machine is only publicly accessed by a load balancer, then this machine should be on a private VPC, and the load balancer should access it through this VPC.

Use Trusted Advisor

AWS Trusted Advisor is a great way to retrieve many details about the security of your AWS setup. It also allows you to monitor billing or performance.

The free version of Trusted Advisor will only tell you about the security groups with unrestricted ports, though the paying version has much more information available. The paid version will tell you about logging, your SSL certificates, exposed IAM keys and key rotation… The price is high, up to 10% of your infrastructure price. Only 4 checks are available by default, then you need to purchase Business support (100$ / month) to access all of them.

Enable CloudTrail

AWS CloudTrail is a logger that will record all the calls performed to AWS APIs with credentials that you own. All this information can be stored to S3 for further analysis (allowing low-cost retention). It is not a prevention against security incidents, though it is a way to be able to analyze what happened on your infrastructure in case of an incident, and examine which services were accessed.

In order to check the trails configured in your infrastructure, list the trails available:

    $ aws cloudtrail describe-trails
    {
        "trailList": [
            {
                "Name": "my-trail",
                "LogFileValidationEnabled": true,
                "IsMultiRegionTrail": true,
                "IncludeGlobalServiceEvents": true,
                "TrailARN": "arn:aws:cloudtrail:eu-west-1:0000000000:trail/my-trail",
                "HasCustomEventSelectors": false,
                "S3BucketName": "mytrail",
                "HomeRegion": "eu-west-1"
            }
        ]
    }

And check their status:

    $ aws cloudtrail get-trail-status --name my-trail
    {
        "LatestNotificationAttemptSucceeded": "",
        "TimeLoggingStarted": "2015-03-07T22:58:34Z",
        "LatestDigestDeliveryTime": 1497546412.316,
        "TimeLoggingStopped": "",
        "LatestDeliveryAttemptTime": "2017-06-15T17:04:32Z",
        "LatestNotificationAttemptTime": "",
        "IsLogging": true,
        "StartLoggingTime": 1283019477,
        "LatestDeliveryAttemptSucceeded": "2017-06-15T17:04:32Z",
        "LatestDeliveryTime": 1497546272.808
    }

You can see the last time an event was logged with this trail. The same is available from the AWS console: Access AWS CloudTrail now.

Update your Amazon Machine Images (AMI)

Just like any other piece of software, the OS needs to be upgraded to prevent security issues. Some of them should be corrected as soon as possible — even though some previous steps, such as reducing network exposure, can mitigate some of the issues created by an out-of-date OS.

In AWS, the OS is managed with the AMIs. You should ensure your AMIs are kept up to date.

When an AMI starts, it will by default download and apply the latest security patches. AWS keeps a very up-to-date list of the security issues corrected in the AWS instances.

AMIs can be displayed in the AWS Web console. Pay attention when choosing the region where your EC2 instances are placed.

Choose your rights carefully

Just like your network, the other AWS services start with a zero-rights policy (nothing is allowed by default). So allowing certain entities to use this service is part of the service configuration. This configuration needs to be tight, and must not contain any unnecessary privileges.

Some tools that are part of AWS IAM can help perform simulations of the rights you are building. The "Access Advisor" in IAM will help you fine-tune the rights associated to the roles you create.
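A health check for the trail settings and status shown in the "Enable CloudTrail" section, as an added example that is not part of the original guide. It takes the trail entry from describe-trails and the object from get-trail-status (the guide's sample output, embedded inline so it runs offline) and reports what a defender wants to know: whether the trail is still logging, whether the latest S3 delivery succeeded and is recent, and whether log file validation, multi-region coverage and global service events are turned on. BROKEN_STATUS, the 24-hour delivery threshold and the reference date SAMPLE_NOW are constructed assumptions used to show the failing case.

```python
"""Health check for a CloudTrail trail from the JSON returned by
`aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`.
Added example for this guide; not Sqreen's code."""
import json
from datetime import datetime, timedelta, timezone

# The trail and status from the guide's sample output.
SAMPLE_TRAIL = json.loads("""{
  "Name": "my-trail",
  "LogFileValidationEnabled": true,
  "IsMultiRegionTrail": true,
  "IncludeGlobalServiceEvents": true,
  "TrailARN": "arn:aws:cloudtrail:eu-west-1:0000000000:trail/my-trail",
  "HasCustomEventSelectors": false,
  "S3BucketName": "mytrail",
  "HomeRegion": "eu-west-1"
}""")
SAMPLE_STATUS = json.loads("""{
  "LatestNotificationAttemptSucceeded": "",
  "TimeLoggingStarted": "2015-03-07T22:58:34Z",
  "LatestDigestDeliveryTime": 1497546412.316,
  "TimeLoggingStopped": "",
  "LatestDeliveryAttemptTime": "2017-06-15T17:04:32Z",
  "LatestNotificationAttemptTime": "",
  "IsLogging": true,
  "StartLoggingTime": 1283019477,
  "LatestDeliveryAttemptSucceeded": "2017-06-15T17:04:32Z",
  "LatestDeliveryTime": 1497546272.808
}""")
# Constructed status for a trail that was stopped and whose bucket rejects writes.
BROKEN_STATUS = dict(SAMPLE_STATUS, IsLogging=False,
                     LatestDeliveryError="AccessDenied",
                     LatestDeliveryTime=1497200000.0)
# Assumed "now": the day after the sample's last delivery.
SAMPLE_NOW = datetime(2017, 6, 16, 0, 0, tzinfo=timezone.utc)


def trail_findings(trail, status, now, max_delivery_age=timedelta(hours=24)):
    """Return human-readable findings; an empty list means the trail looks healthy."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if status.get("LatestDeliveryError"):
        findings.append(f"last S3 delivery failed: {status['LatestDeliveryError']}")
    delivered = status.get("LatestDeliveryTime")
    if delivered is None:
        findings.append("no log file has ever been delivered")
    else:
        # LatestDeliveryTime is a Unix timestamp (seconds).
        age = now - datetime.fromtimestamp(delivered, tz=timezone.utc)
        if age > max_delivery_age:
            findings.append(f"last delivery is {age.days} days old")
    # Settings that make the trail tamper-evident and complete.
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation (digest files) is off")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail only covers its home region")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS) are not recorded")
    return findings


if __name__ == "__main__":
    for label, status in (("my-trail", SAMPLE_STATUS), ("my-trail (broken)", BROKEN_STATUS)):
        problems = trail_findings(SAMPLE_TRAIL, status, SAMPLE_NOW)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The delivery-age check is the one that catches a trail someone silently stopped or pointed at a bucket it can no longer write to; on a real account, feed it the describe-trails entry and the get-trail-status output for each trail, with datetime.now(timezone.utc) as now.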
Monitor billing

Billing is not directly security related, though it can be an excellent indicator that something went wrong, or that your credentials have been used by a third party. It is not rare to see companies with dozens of new machines started to relay traffic or even mine cryptocurrencies (such as Bitcoin).

Billing information can be accessed from the AWS dashboard. Billing alarms can also be created in order to monitor this.

Going further

These AWS-authored articles will help you review what you have done in your organization and how you should improve your infrastructure:

AWS Auditing Security Checklist

AWS Security Best Practices

Don't forget, your infrastructure is only one piece of your company's security!

Check out Sqreen to learn how we can help you protect your apps deployed on AWS. Integrate continuous security in your infra. Monitor and protect your apps.

Application Security for AWS hosted apps. Start your 14-day free trial today! Get protected in minutes or request your demo.
web www.sqreen.io
twitter @sqreenIO

© SQREEN 2017
www.sqreen.io AWS Security Best Practices