Change These 7 Security Settings After Creating a New AWS Account

If you’ve just created your Amazon Web Services (AWS) account and are worried about AWS data security, you’re not alone.

Unknown organization-wide settings or simple misconfigurations could put your data at risk. Fortunately, you can take several immediate actions to enhance your security posture significantly. 

AWS account overview 

Amazon provides tools and services to help secure your environment, but ultimately, you are responsible for configuring these services correctly and routinely monitoring for gaps or issues. AWS uses Identity and Access Management (IAM) for access control, and policy-based granting of access. Their model is similar to role-based access control. By default, services and users (bar the root user) have no access, access must be granted using IAM. The most important steps you need to take to improve AWS security relate to user and policy management. 

Replacing the root user with an IAM user with administrator access should always be your first step. Once that's done, you’ll need to create users with access reflecting the minimum permissions required to do their job. Next, secure those users' access by defining password policies. 

As the organization begins to scale and you use more services, you may require more fine-tuned configuration options. Some high-level services, however, will continue to ensure proper security, no matter how big or fast the organization grows. You can use AWS services like CloudTrail and Security Hub to monitor and alert users to security issues from day one. 

Now, let’s look at seven settings to change after creating a new AWS account for better data security.

1. Create an admin account.

The principle of least privilege is a well-known security concept that limits users' access to only what is required to perform their jobs. For example, providing a user with both read and write access to an S3 bucket when only read access is needed would violate the principle of least privilege. 

Root user credentials offer unlimited access to an account and its resources, which is a significant risk if they are not protected. Root access is rarely required, usually only for changing account settings. Instead, you should use identity and access management (IAM) admin users to grant access. It is best practice to remove all access keys for the root account, add MFA, and lock the credentials down either physically or digitally. 

Another option is to create a single administrator user role for day-to-day account administration, to be assumed only when those tasks are necessary. AWS created a role (with a subset of root access controls) specifically for this purpose. Like all AWS roles, it is temporary and/or time-based, which further improves the state of least privilege for your environment.

How to add the first account administrator: 

1. Log in to your AWS account using your root user credentials.
2. Navigate to the AWS IAM service using the console search bar.
3. Select “Add user.”
4. Set “admin” or “administrator” as the username.
5. Select the access types desired for AWS Management Console and Programmatic access (if required).
6. Enter a strong password containing uppercase and lowercase letters, digits, and special characters. Use a password manager to generate a strong password or select an autogenerated password if needed.
7. Uncheck “Require password reset.”
8. Select “Next: Permissions.”
9. Choose “Attach existing policies directly” and select the AdministratorAccess policy.
10. Select “Next” again to complete the user creation. If programmatic access was selected, store the provided access keys somewhere secure.

Tip: Similar to creating the administrator user to prevent root access, you should generate more users as needed to avoid using the administrator user when not required. All further users and roles should strictly follow the principle of least privilege. 

Why is this important? 

AWS root accounts have access to every resource and service in the account and cannot be restricted. You should only use the root account to update billing details, enable the AWS marketplace or AWS support, or cancel the AWS account. 

2. Update root user access.

After creating an admin user, it's time to restrict root user activity to top-level account administration duties. Never generate access keys for a root user. Instead, use a strong password and immediately enable multifactor authentication (MFA) to prevent misuse — accidental or otherwise. 

How to update root user access: 

1. Log in to the account using root user credentials.
2. Once logged in, click on the username and select “Security credentials” from the dropdown menu.
3. Select “Activate MFA” and choose your desired MFA approach following the on-screen instructions.

Tip: MFA is not a replacement for strong passwords. Use a randomized password with letters, digits, and special characters. If you are worried about misplacing or forgetting the password, use a password manager. 

Why is this important? 

The root user can access all services and resources and perform administrative actions, including canceling your AWS account. Given the extensive permissions granted to the root user, it’s crucial to implement an additional layer of security through MFA. 

3. Create your AWS users.

Now that you’ve created an administrator user, the next step is to create your day-to-day AWS users and define their access; using the administrator role should be limited to only when necessary.

The easiest way to create your AWS users is through groups. This will allow you to easily change multiple users' access at once. This is helpful if a certain group suddenly needs access to a new service or no longer needs access to another. It’s important to note that users should not share the same login, as this will affect traceability and accountability. 

How to add daily AWS users: 

1. Sign in to AWS and open the IAM service.
2. Choose “Users” and then choose “Add users.”
3. Type a username for the new user (use the “Add Additional User” option to bulk-create users). The username will be their AWS sign-in name.
4. Select how the user(s) will access AWS. If the users require API access, select Programmatic access; if they are allowed to log into AWS, select AWS Management Console access. You can select both but consider the use cases and avoid providing unnecessary access.
5. Select “Require password reset” to ensure users change their password the first time they sign in.
6. Select how you want to assign permissions on the next page.
7. The easiest way to assign permissions is by using groups. For now, choose “Create group.” The next time you want to add a user to this group, that option will appear on this page. Type in the group name and select the policies you wish to apply. Remember to follow least privilege principles to limit users' access to only the required services and resources to complete their jobs.
8. The next screen is related to tags; just click “Next” for now.
9. Review your configured options and click “Create User” to access the users' credentials. Distribute these carefully — selecting the “send email option” will provide the user with their username and console URL (if required). However, it’s up to the administrator to provide the password or access keys via phone call or email.

Tip: It may be difficult to select a policy that matches your exact requirements at first glance. In this case, choose the most suitable option and later create a custom policy to add to that group. 

Why is this important? 

Minimizing access and keeping a record of who has access to what is critical for securing your AWS account, especially for orgs seeking compliance with standards such as ISO and SOC 2. 

4. Secure access using MFA.

Now that you’ve created users and groups, it's time to secure their access via MFA. 

How to manage MFA: 

1. Sign in to AWS and open the IAM service.
2. Choose “Users” from the “Access management” menu, and in the users list, select the user's name with console access.
3. Choose the “Security credentials” tab, and next to “Assigned MFA device,” select “Manage.”
4. In the “Manage MFA Device” wizard, choose your desired MFA approach and follow the on-screen instructions.
5. Repeat these steps for all users with console access.

Tip: If you’re using a virtual device for MFA, such as Google Authenticator, submit your codes immediately after generating them to ensure the MFA device is in sync. 

Why is this important? 

A user’s access is only as secure as their password. Whereas access keys are inherently complex, a bad actor may be able to guess your password. MFA reduces this risk. 

5. Set standard password policies.

Use strong password policies to ensure passwords meet company and, if applicable, regulatory standards. 

How to set password policies: 

1. Sign in to AWS and open the IAM service.
2. Choose “Account” settings.
3. Choose “Change Password Policy” in the “Password Policy” section.
4. Select the options to apply to your password policy and save your changes.

Tip: Choose a balance between secure and maintainable policies. For example, expiring users' passwords every day could become a logistical nightmare. 

Why is this important? 

While it’s vital to maintain a secure password policy, multifactor authentication becomes less secure if one of the factors is negligible. A strong password ensures that even if an MFA token is compromised, password brute-force attacks will fail. 

6. Define custom policies.

You may have noticed that AWS provides an extensive library of prepackaged policies when assigning policies to groups. These policies will cover many standard use cases, but it's essential to define your own policies if the out-of-the-box policies still give your users too much access.

For most companies, this is an ongoing, iterative process, and it's an important practice to start early, as these policies are the foundation of a secure AWS architecture. 

How to create your policies: 

1. Sign in to the console and open the IAM service.
2. Choose “Policies” and then choose “Create Policy” or “Get Started” if no policies have been created yet.
3. Choose “Create Your Own Policy” and add a descriptive name in the policy name field.
4. Use a policy generator such as the one provided by AWS to craft a policy document; the screenshot below shows a generated policy that limits the user to a specific set of actions against a specific set of services and resources. Copy the provided policy into the “Policy Document” field and click “Create policy.”

Tip: Always refer to the principle of least privilege when writing policies. Limit the policy to allow only required actions against required resources to reduce potential attack vectors.

Why is this important? 

Limiting a user to a predefined set of actions and services or resources prevents misuse of AWS services, accidental or otherwise. 

7. Secure EC2 use.

Once you have your policies and procedures in place and your console users are ready to start using AWS, you can look at locking down individual services at the service level.

One example is AWS’s popular compute service, Elastic Compute Cloud (EC2). EC2 allows users to spin up compute instances with their choice of processors, storage types, and operating systems. This is undoubtedly a tremendous help to developers; however, it’s also a dangerous service to enable if it’s not secured.

One of the simplest steps to secure EC2 use is restricting users to pre-approved tagged Amazon Machine Images (AMI), a supported and maintained image provided by AWS.

How to secure EC2: 

1. Have the development or security teams create an AMI that meets company security requirements and then review and tag it.
2. Use your policy knowledge to create a tag condition restricting users' permissions to launch only instances that use the tagged AMI.
3. Attach this policy to the user group.

Tip: See this link for a detailed breakdown. 

Why is this important? 

Using an insecure EC2 instance can expose your organization to sophisticated attacks. If attackers gain access to that instance, they can assume its role and access all the same resources. 

Additional AWS security tips to keep in mind 

Now that you’ve fully set up your new AWS account, it's time to start future-proofing your AWS security. 

Use infrastructure as code via CloudFormation. 

The CloudFormation service lets you define your entire infrastructure as code (IaC). This allows you to version-control your infrastructure using tools such as Git and makes it easy to subject your architecture to peer review and automated validation. You can easily configure, update, and redeploy services and policies across accounts and regions without fear of human error. 

Centrally manage multiple accounts using AWS Organizations. 

An AWS account, unlike a user account, is a secure container for AWS resources, user identities, and billing. An AWS account provides an administrative boundary that separates the contents of the account from the rest of the environment, providing isolated management and governance. AWS Organizations is a service that enables you to manage multiple AWS accounts from one central hub. This means you can audit and apply policies to multiple accounts and simplify your billing all in one place. 

AWS Organizations combined with IaC using CloudFormation allows you to create and monitor development, staging, and production accounts quickly and efficiently, giving you confidence that your production environment remains stable. You can also have separate accounts for auditing and monitoring, making breaking down AWS bills easy. 

CloudTrail increases activity visibility. 

Once you’ve set up multiple accounts, monitoring each account's activity is important for auditing. CloudTrail logs show every user's actions and allow you to quickly identify if anyone performs actions they shouldn’t, or if any users need resources they cannot access. CloudTrail logs show what the user performed (or attempted to perform), what action was taken against which resource, and when. 

To ensure CloudTrail reflects your account's activity, confirm it’s configured to send all logs to a central bucket only the CSO can access. This prevents users from carrying out actions and removing any traces of their activity from CloudTrail. 

Automate security with Security Hub. 

As your organization scales, manual processes can become increasingly difficult. AWS offers a range of services to tackle security issues. However, even with those tools, managing the findings of the services can be overwhelming. 

Security Hub reduces the effort required to collect and prioritize security findings across accounts and services. It automatically handles data in different formats and normalizes it to highlight and correlate findings across multiple services. Security Hub can identify activity patterns and help provide insight into what's happening in your account. 

This service uses industry best practices and standards to provide overall health status. Service Hub even integrates with EventBridge, allowing you to automate the remediation of specific findings. 

How Varonis can help 

IAM is crucial to securing AWS as your organization scales, and role-based access control is at the heart of AWS security. Learn more about IAM before configuring your new AWS account.

When it comes to planning your security and gaining insights into your security posture, Varonis can help. Our AWS coverage discovers and classifies sensitive data across your AWS resources and workloads, fix misconfigurations, enforce least privilege, and detect threats with Varonis. 

Schedule a demo to see Varonis for AWS in action today.