Securing a Cloud Account and the Importance of Budget Alerts
Introduction
How to secure a cloud account and how to save cost are two topics every cloud user should understand. This blog covers both. As part of securing the cloud account, we will look at the following topics:
· Safeguard the keys.
· MFA authentication.
· Password rule setup.
· Limit the root user's usage.
· Audit the account and resources.
Safeguard the keys
Many people have never changed their password since the account was created. Is it safe to generate a password once and use it for a lifetime? Absolutely not! We often don't realize this until we face the impact in our own life, or until friends describe what happened to them.
Securing the account also means storing the Access Key and Secret Key associated with the AWS account in a safe location.
Every organization has password rotation policies, and passwords are never hard-coded directly in code. Typically, passwords for the production service accounts are stored in tools like Safeguard/TPAM. As part of job execution, the password is retrieved from that tool and used to authenticate before the job proceeds to its business functionality. If the password is wrong, the job fails with an authentication error.
When an EC2 instance is created in AWS, we select a key pair. The resulting .pem file should not grant any permission to Group or Others; only the owning user should have read access. We usually set permissions of 400 on the .pem file, and then SSH to the instance's public IP address works. That is how AWS makes sure the key pair generated for your account stays protected; it should not be shared with anyone else.
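The two checks behind the advice above, as an added example (not code from the blog): verifying that a private key file is readable only by its owner, the same test ssh applies before refusing an unprotected key, and scanning source text for hard-coded AWS access key IDs, which is how the "never hard-code credentials" rule is enforced in practice. The sample source and the key ID in it are constructed; the key ID is AWS's documentation placeholder, not a real key.

```python
"""Key-safeguarding checks: owner-only permissions on a .pem file, and a
scan for access key IDs embedded in source code (added example)."""
import os
import re
import stat
import tempfile

# Long-term access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case letters or digits (20 characters in total).
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def key_file_is_private(path):
    """True if no permission bit is set for group or others."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def harden_key_file(path):
    """Apply the 400 permission the post recommends (owner read only)."""
    os.chmod(path, stat.S_IRUSR)
    return key_file_is_private(path)


def find_hardcoded_access_keys(source_text):
    """Return (line_number, key_id) for every access key ID found."""
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


# Constructed sample: a script that wrongly embeds credentials. The key ID
# is AWS's documentation placeholder, not a real key.
SAMPLE_SOURCE = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # hard-coded: should come from a vault
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''


def demo():
    """Simulate a freshly downloaded .pem with the default 644 mode,
    check it, harden it, and scan the sample source."""
    fd, pem_path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    os.chmod(pem_path, 0o644)
    before = key_file_is_private(pem_path)   # False: group/others can read
    after = harden_key_file(pem_path)        # True after chmod 400
    os.remove(pem_path)
    return before, after, find_hardcoded_access_keys(SAMPLE_SOURCE)


if __name__ == "__main__":
    print(demo())
```

The permission mask test is deliberately strict: any group or other bit, including execute, counts as a failure, which matches how ssh treats the file.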
MFA Authentication
What is meant by MFA? It is Multi-Factor Authentication. Nowadays all financial institutions mandate an OTP sent to your mobile for any critical activity, e.g. account login, money transfer, trading, etc. Fingerprint and Face ID verification are also very popular for authentication. In earlier days we had hard tokens which generated a PIN code to enter for validation.
An AWS account has resources like EC2, EBS, RDS and EMR which run the business day to day. Securing the AWS account and these resources with MFA authentication is also mandatory.
There are multiple apps available for MFA authentication; the popular ones are:
· Google Authenticator
· Microsoft Authenticator
You install one of these authenticators on your mobile and register it in your AWS account by scanning the QR code; AWS validates the registration with two consecutive authentication codes.
This auto-generated MFA code is then required after you log in with your regular password, to make sure only an authorized person is logging into the AWS account.
An organization can add a policy that makes MFA mandatory for its users to log in to AWS; otherwise the user won't be able to work in the account, which protects it. Since this requires each individual user to set up a virtual MFA device in their mobile app, it is handled by the individual users rather than by the Admin/Organization.
MFA authentication matters especially for compliance-related and personal information, where the business intends that only authorized users can view the resource.
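The policy an organization attaches to its users to enforce MFA, as an added example that is not from the blog, together with a small evaluator so its effect on different request contexts can be checked offline. The evaluator covers only the Deny / Bool / BoolIfExists subset of IAM policy evaluation that this policy needs and matches actions exactly or by "*"; it is a simulation, not AWS's evaluator. It goes one step beyond the text by showing why the condition must be BoolIfExists: calls signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, so a plain Bool condition would let them through.

```python
"""Enforce-MFA policy and a minimal evaluator for its Deny statement
(added example, simulation only)."""
import json

# Deny everything except MFA enrollment and self-inspection unless the
# request was made with MFA. BoolIfExists also denies requests where the
# key is absent, which is the case for long-term access key calls.
ENFORCE_MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllExceptWithMFA",
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:GetUser", "iam:ListMFADevices", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}""")


def _condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists conditions against the request context.
    Other operators raise so they are never silently ignored."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in pairs.items():
            if key not in context:
                # BoolIfExists treats a missing key as satisfied; plain
                # Bool cannot match a key that is not in the context.
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != expected.lower():
                return False
    return True


def _action_covered(statement, action):
    """Exact or '*' matching for Action, complement for NotAction."""
    if "Action" in statement:
        acts = statement["Action"]
        acts = [acts] if isinstance(acts, str) else acts
        return any(a == "*" or a == action for a in acts)
    excluded = statement["NotAction"]
    excluded = [excluded] if isinstance(excluded, str) else excluded
    return action not in excluded


def is_denied(policy, action, context):
    """True if any Deny statement applies to `action` under `context`.
    An explicit Deny always wins in IAM, so this shows whether the MFA
    gate bites regardless of what other Allow policies grant."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_covered(stmt, action):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def demo():
    """Constructed request contexts for the three cases that matter."""
    mfa_session = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa_session = {"aws:MultiFactorAuthPresent": "false"}
    access_key_call = {}   # long-term keys carry no MFA context key at all
    # Same policy with plain Bool instead of BoolIfExists, to show the gap.
    weaker = json.loads(json.dumps(ENFORCE_MFA_POLICY))
    weaker["Statement"][0]["Condition"] = {
        "Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return {
        "mfa_user_s3": is_denied(ENFORCE_MFA_POLICY, "s3:ListAllMyBuckets", mfa_session),
        "no_mfa_user_s3": is_denied(ENFORCE_MFA_POLICY, "s3:ListAllMyBuckets", no_mfa_session),
        "no_mfa_user_enroll": is_denied(ENFORCE_MFA_POLICY, "iam:EnableMFADevice", no_mfa_session),
        "access_key_s3": is_denied(ENFORCE_MFA_POLICY, "s3:ListAllMyBuckets", access_key_call),
        "access_key_s3_plain_bool": is_denied(weaker, "s3:ListAllMyBuckets", access_key_call),
    }


if __name__ == "__main__":
    for name, denied in demo().items():
        print(f"{name}: {'DENIED' if denied else 'allowed by this policy'}")
```

The NotAction list leaves the user able to enroll a device and inspect their own MFA state, which is what lets individual users complete the setup themselves as the post describes.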
Password Rule Setup
It is normal human tendency to forget passwords, so to make them easy to remember people use their name, date of birth or other weak passwords, not realizing how easy it is for hackers to guess such a password and get at their personal information and account details. Setting up a password rule at the account level enforces that all users in that account follow the rule, which makes the account more secure. AWS accounts provide multiple options to strengthen passwords and protect against misuse by others.
The password rule can be set under IAM -> Account Settings -> Edit Password Policy.
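What those options actually enforce, as an added example that is not from the blog: an account password policy written with the same field names IAM uses, and a local checker that reports which rules a candidate password breaks. The threshold values are an assumed example baseline, the sample passwords are constructed, and the checker is an illustration of the rules; IAM itself enforces the policy at password-change time.

```python
"""IAM-style account password policy and a local rule checker
(added example; values are assumptions)."""
import re

# Same field names as the IAM account password policy. The values are an
# example baseline, not a recommendation taken from the post.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,            # days before a change is forced
    "PasswordReusePrevention": 24,   # previous passwords remembered
}

# The ASCII characters IAM counts as symbols.
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def check_password(password, policy=PASSWORD_POLICY, history=()):
    """Return the names of the policy rules the password violates
    (empty list means it would be accepted). `history` holds the user's
    previous passwords, oldest first, for the reuse check."""
    failures = []
    if len(password) < policy["MinimumPasswordLength"]:
        failures.append("MinimumPasswordLength")
    if policy["RequireSymbols"] and not any(c in SYMBOLS for c in password):
        failures.append("RequireSymbols")
    if policy["RequireNumbers"] and not re.search(r"[0-9]", password):
        failures.append("RequireNumbers")
    if policy["RequireUppercaseCharacters"] and not re.search(r"[A-Z]", password):
        failures.append("RequireUppercaseCharacters")
    if policy["RequireLowercaseCharacters"] and not re.search(r"[a-z]", password):
        failures.append("RequireLowercaseCharacters")
    reuse_window = policy["PasswordReusePrevention"]
    remembered = tuple(history)[-reuse_window:] if reuse_window else ()
    if password in remembered:
        failures.append("PasswordReusePrevention")
    return failures


def days_until_rotation(password_age_days, policy=PASSWORD_POLICY):
    """Days left before MaxPasswordAge forces a change (negative = overdue)."""
    return policy["MaxPasswordAge"] - password_age_days


# Constructed samples: the name / date-of-birth style the post warns
# about, a slightly better one, and one that satisfies every rule.
SAMPLE_PASSWORDS = ["john1990", "Summer@2021", "Rain-Forest#Lamp42"]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("reuse:", check_password("Rain-Forest#Lamp42", history=("Rain-Forest#Lamp42",)))
    print("days until rotation at age 100:", days_until_rotation(100))
```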
Limit the root user’s usage
Why do we need to limit root user usage in the account for day-to-day activities? AWS recommends least-privilege access for every user: provide only the access required to do the job. Typically, roles and responsibilities are distributed among different teams. The Dev/testing team will not have production deployment access; only the production support team or release management team will. It makes sense for individual users to perform their own tasks with their own identities. Since the root user is a super user with full access to the account, using it for day-to-day operations carries the risk of accidentally deleting resources. Limiting root usage keeps the account more secure and the system stable to run the business as usual.
Audit the account and resources
In general, any permission-denied messages in the logs should be tracked, with notification to the administrator and management so they can take immediate action. The audit team performs routine checks that each application follows the standard and that passwords are rotated as per organization policy. An authorized account should hold only the intended resources, to avoid misuse or accidental damage to the system.
AWS provides many tools/services to track the cloud services in an AWS account.
CloudTrail – CloudTrail helps to track all the API calls that make changes to AWS services like EC2, S3, etc. It captures the source IP address and the API call details.
CloudWatch – This service is used for real-time monitoring of logs, identifying trends and troubleshooting issues for AWS resources.
AWS Config – It provides a complete picture of the AWS resources in the respective environment; it also records the relationships between resources and their configuration changes over time, so it can be used for audit/compliance purposes.
AWS IAM – IAM stands for Identity and Access Management; it records which access each user or role has to which resources. This helps the auditor check and make sure policy access is set up as intended.
AWS Inspector – This service scans EC2 instances to help identify security risks and vulnerabilities.
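The two sections above ask for root activity to be kept out of daily operations and for permission-denied events to be tracked and reported; CloudTrail is where both show up. As an added example that is not from the blog, the checks below run over a handful of CloudTrail records and flag root-user API activity, AccessDenied / UnauthorizedOperation errors, and successful console logins made without MFA. The records are constructed using the real CloudTrail field names; the account number, ARNs, user name and IP addresses are documentation placeholders.

```python
"""Audit checks over CloudTrail records: root activity, access denied,
console login without MFA (added example; records are constructed)."""
import json
from collections import Counter

SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2021-06-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2021-06-01T08:05:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
 {"eventTime": "2021-06-01T09:12:03Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "dev-tester"},
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::111122223333:user/dev-tester is not authorized to perform: s3:DeleteBucket"},
 {"eventTime": "2021-06-01T09:15:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "dev-tester"},
  "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2021-06-01T10:00:00Z", "eventSource": "rds.amazonaws.com",
  "eventName": "DescribeDBInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "dev-tester"}}
]}""")


def actor(record):
    """Best available name for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def audit_findings(records):
    """Return (rule, eventName, actor, sourceIPAddress) for each hit."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        who, ip = actor(r), r.get("sourceIPAddress")
        # Rule 1: the root user should not be doing day-to-day work at all.
        if ident.get("type") == "Root":
            findings.append(("root-activity", r["eventName"], who, ip))
        # Rule 2: permission-denied calls are tracked for admin notification.
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            findings.append(("access-denied", r["eventName"], who, ip))
        # Rule 3: a successful console login that did not use MFA.
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("login-without-mfa", r["eventName"], who, ip))
    return findings


def summarize(findings):
    """Count of findings per rule, the shape a notification would carry."""
    return dict(Counter(rule for rule, *_ in findings))


if __name__ == "__main__":
    found = audit_findings(SAMPLE_TRAIL["Records"])
    for f in found:
        print(f)
    print(summarize(found))
```

The root console login produces two findings (root activity and no MFA), which is exactly the combination an administrator would want paged on; the IAM user's AccessDenied on DeleteBucket is the permission-denied signal the post says should reach the administrator.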
Importance of Budget and Alerts
Setting up Budgets and Alerts is a very crucial part of cost savings. It helps to track project-level expense and notifies you through an alert mechanism before spend reaches the threshold amount, so you can make the necessary changes to AWS service usage based on the budget and alerts.
Budget alerts can be set from AWS Billing -> Budgets -> Create Budget.
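How a budget alert decides to fire, as an added example that is not from the blog: a monthly cost budget written with the field names AWS Budgets uses for the limit and for each notification (NotificationType ACTUAL or FORECASTED, a ComparisonOperator, and a percentage Threshold), and a local evaluator that works out which notifications a given month-to-date spend would trigger. The budget name and amounts are constructed, the grouping of notifications under one "Notifications" key is the example's own, and the forecast is a simple linear run-rate projection assumed for illustration; AWS computes its own forecast.

```python
"""Budget definition and local evaluation of ACTUAL / FORECASTED alerts
(added example; amounts and forecast method are assumptions)."""

# Assumed example: 1,000 USD per month with alerts at 50% and 80% of
# actual spend and at 100% of forecasted spend.
PROJECT_BUDGET = {
    "BudgetName": "analytics-project-monthly",   # constructed name
    "BudgetLimit": {"Amount": "1000", "Unit": "USD"},
    "TimeUnit": "MONTHLY",
    "BudgetType": "COST",
    "Notifications": [
        {"NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN",
         "Threshold": 50.0, "ThresholdType": "PERCENTAGE"},
        {"NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN",
         "Threshold": 80.0, "ThresholdType": "PERCENTAGE"},
        {"NotificationType": "FORECASTED", "ComparisonOperator": "GREATER_THAN",
         "Threshold": 100.0, "ThresholdType": "PERCENTAGE"},
    ],
}

COMPARE = {
    "GREATER_THAN": lambda value, threshold: value > threshold,
    "LESS_THAN": lambda value, threshold: value < threshold,
    "EQUAL_TO": lambda value, threshold: value == threshold,
}


def forecast_month_spend(spend_to_date, day_of_month, days_in_month):
    """Linear run-rate projection of end-of-month spend (assumed method)."""
    return spend_to_date / day_of_month * days_in_month


def triggered_alerts(budget, spend_to_date, day_of_month, days_in_month=30):
    """Return the notifications that would fire as (type, threshold) pairs,
    in the order they are defined in the budget."""
    limit = float(budget["BudgetLimit"]["Amount"])
    forecast = forecast_month_spend(spend_to_date, day_of_month, days_in_month)
    fired = []
    for n in budget["Notifications"]:
        value = spend_to_date if n["NotificationType"] == "ACTUAL" else forecast
        if n["ThresholdType"] == "PERCENTAGE":
            threshold_amount = limit * n["Threshold"] / 100.0
        else:  # ABSOLUTE_VALUE: threshold already in budget currency
            threshold_amount = float(n["Threshold"])
        if COMPARE[n["ComparisonOperator"]](value, threshold_amount):
            fired.append((n["NotificationType"], n["Threshold"]))
    return fired


if __name__ == "__main__":
    # Day 10: only 420 USD spent, yet the run rate points past the budget.
    print(triggered_alerts(PROJECT_BUDGET, 420.0, day_of_month=10))
    # Day 25: both actual thresholds crossed and the forecast still over.
    print(triggered_alerts(PROJECT_BUDGET, 850.0, day_of_month=25))
    # Day 10 at 300 USD: on track, nothing fires.
    print(triggered_alerts(PROJECT_BUDGET, 300.0, day_of_month=10))
```

The day-10 case is the reason the post stresses alerts: the actual-spend alerts stay silent at 420 USD, but the forecast alert fires because the run rate already projects 1,260 USD for the month, which is the early warning that leaves time to change service usage.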
Conclusion
We have seen different ways of protecting AWS accounts: safeguarding passwords and keys, MFA authentication as an additional layer of security for viewing sensitive and critical data, the importance of avoiding the root account for day-to-day usage, auditing the AWS resources, and setting up Budgets and Alerts before costs shoot up, which provides the opportunity to identify where optimization is required in the existing system.
“P.S. If you read it till the end, thank you!
Follow me for cloud and AWS content; I'll be back with another interesting topic about AWS.
If you have questions you can reach me on LinkedIn: Gnanaprakasam Venkatesan | LinkedIn
This article is part of the AWS Career Growth Program (AWS-CGP) by Pravin Mishra.
For more AWS related content please visit the website.”