{"id":83748,"date":"2020-10-07T13:00:11","date_gmt":"2020-10-07T10:00:11","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-lock-down-your-aws-resources-cloudsavvy-it\/"},"modified":"2020-10-07T13:00:11","modified_gmt":"2020-10-07T10:00:11","slug":"how-to-lock-down-your-aws-resources-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-lock-down-your-aws-resources-cloudsavvy-it\/","title":{"rendered":"#How to Lock Down Your AWS Resources \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Lock Down Your AWS Resources \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-458 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/4288c9530b45501bba1164fdd520710b\/p\/uploads\/2019\/06\/1037b3fa.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>AWS is a very secure ecosystem, but they can\u2019t guarantee that what you do\u00a0<em>in<\/em> the cloud is going to be secure. That responsibility is left up to you, although AWS will try to nudge you in the right direction.<\/p>\n<p>This guide covers what you should do from the AWS Console to make your network and account more secure. 
In addition to everything here, you\u2019ll need to make sure your own applications running on your EC2 servers (or otherwise) are themselves secure. For example, enable HTTPS on a web server, and keep your dependencies and programs up to date.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Use_Two_Factor_Authentication_For_Your_AWS_Account\"><\/span>Use Two Factor Authentication For Your AWS Account<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Your main AWS account controls all your AWS resources; if someone were to gain access to it, they\u2019d have complete control over your resources, and could\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.infoworld.com\/article\/2608076\/murder-in-the-amazon-cloud.html?tag=reviewgeek-20\">delete everything<\/a>. You\u2019ll want to make sure your login method isn\u2019t just a simple password that could be stolen.<\/p>\n<p>AWS offers a few <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/iam\/details\/mfa\/?tag=reviewgeek-20\">multi-factor authentication<\/a> methods. The easiest to use is a virtual MFA device, which uses apps like Google Authenticator and Authy to turn your phone into a virtual key fob. AWS also supports hardware keys from YubiKey and Gemalto, but those cost money. 
Alternatively, you can use SMS, but only for administrative users you add, not your root account.<\/p>\n<p>Click on your account name in the top menu bar, and select \u201cMy Security Credentials.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-437 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/b038e9d6d71ed7ff77f7cd432649fb11\/p\/uploads\/2019\/06\/ac37771a.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Under \u201cMulti-factor Authentication,\u201d click \u201cActivate MFA.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-438 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/37a708832d6a76b8c140abd97b9f7b44\/p\/uploads\/2019\/06\/277b1aca.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Select \u201cVirtual MFA Device,\u201d and open your authenticator app on your phone.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-439 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/f2ac691335150aba51dc231f9bafc14b\/p\/uploads\/2019\/06\/cb42aca9.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>AWS will show you a QR code that you should scan with your authenticator app to link the two together. Then you can begin entering codes; AWS will ask for two consecutive codes, so you\u2019ll have to wait 30 seconds between them. 
Click \u201cAssign MFA\u201d when you\u2019re done.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-440 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/208bd16a918cf4b527839e6ebf15879f\/p\/uploads\/2019\/06\/1a02c53b.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Now when you sign out, you\u2019ll be asked for a code from your phone when you log back in.<\/p>\n<p>If you\u2019re setting up a physical key fob, you\u2019ll just have to plug it in to link it, and then plug it in every time you want to sign in.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Close_Your_Firewalls\"><\/span>Close Your Firewalls<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Whenever you create a new EC2 instance, you\u2019ll be asked to choose a security group or make a new one. This security group is a firewall, and defines which ports will be open. 
By default, AWS opens port 22 (for SSH) for all IPs coming in, and allows all traffic going out.<\/p>\n<p>This means anyone can attempt to authenticate over SSH, which isn\u2019t a huge issue (since AWS uses SSH keys by default), but it\u2019s good practice to limit most traffic to your IP unless it has a reason to be open to the world.<\/p>\n<p>Click on \u201cSecurity Groups\u201d in the sidebar of the EC2 Management Console, select the group your instance uses, select \u201cInbound,\u201d and click \u201cEdit.\u201d Alternatively, you can access this security group from the Instances panel by clicking on it under the \u201cSecurity groups\u201d property.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-443 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/01c22e6faadbca9b779eaa3b79d5cfba\/p\/uploads\/2019\/06\/e3372587-2.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>From here, you can edit the rules for this security group. Outbound is usually fine to leave open, but inbound should be left as closed as possible. 
Click on the SSH rule and switch the source from \u201cAnywhere\u201d to \u201cMy IP,\u201d which should close it off.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-445 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/bddd814b9a4840e8248a2aaf9d0adb30\/p\/uploads\/2019\/06\/1ee4e619.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You don\u2019t have to worry about your IP changing and locking you out, since you can always reset it from the AWS console.<\/p>\n<p>If you have multiple instances talking to each other, such as a database server that connects to an API server, you should lock down the connection between them by only allowing traffic between those two instances. Nobody else should be able to talk to the database except the API server, with the exception of your IP address for management purposes.<\/p>\n<p>You don\u2019t have to specify individual IP addresses manually, since AWS will let you allow traffic to all devices assigned a specific security group. If you have multiple database servers, you could give them all the \u201cdatabase\u201d security group, and allow your API server to talk to anything with that security group. 
You can also allow everything in a specific <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/VPC_Subnets.html?tag=reviewgeek-20\">subnet<\/a>, which requires you to use <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/vpc\/?tag=reviewgeek-20\">AWS\u2019s VPC<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Set_Up_IAM_Users\"><\/span>Set Up IAM Users<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>AWS Identity and Access Management (IAM) users are a way to allow access to your account without giving out full permissions. If you have multiple people accessing your AWS resources, you should give them access through an <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fdocs.aws.amazon.com%2FIAM%2Flatest%2FUserGuide%2Fid_users.html&amp;key=204a528a336ede4177fff0d84a044482\">IAM user<\/a>. You should never give out access to your root account.<\/p>\n<p>IAM users aren\u2019t just for other people though; if you have code that needs to access your AWS account, you should allow access through an IAM user. Some AWS services will make use of IAM users to act on resources in your account.<\/p>\n<p>AWS also recommends using an IAM user with administrator permission for all of your normal tasks. This way, you can lock away your root account credentials and only use it when it\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/docs.aws.amazon.com\/general\/latest\/gr\/aws_tasks-that-require-root.html?tag=reviewgeek-20\">absolutely necessary<\/a>, mostly for account maintenance.<\/p>\n<p>IAM users can be assigned very specific permissions, so you can be sure that in the event one of them is compromised, it won\u2019t affect your entire infrastructure. 
You can also assign these permissions to role groups, and assign roles to users.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-451 imgchk9\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/0b12e795372103ece3a483677140f8a5\/p\/uploads\/2019\/06\/277b1aca-1.png\" alt=\"\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You can create new IAM users through the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/console.aws.amazon.com\/iam\/home#\/home?tag=reviewgeek-20\">IAM Management Console<\/a>. They\u2019ll be given a randomly generated password, which they\u2019ll be forced to change on first login. You should apply an <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/console.aws.amazon.com\/iam\/home#\/account_settings?tag=reviewgeek-20\">IAM Password Policy<\/a> to make sure these passwords are secure.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Perform_Regular_Security_Audits\"><\/span>Perform Regular Security Audits<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You should periodically review your security to make sure there\u2019s nothing you missed. AWS provides a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/docs.aws.amazon.com\/general\/latest\/gr\/aws-security-audit-guide.html?tag=reviewgeek-20\">very thorough checklist<\/a> for this exact purpose.<\/p>\n<p>This checklist has you delete old resources that are not in use anymore and review your security policies for different services. The main sources of insecurity are changes in how you use AWS, like if you\u2019ve started using a new service, stopped using an old one, or have had people leave. 
In each case, you should review your access policies.<\/p>\n<p>If you\u2019re not using AWS for an organizational account, it\u2019s probably not necessary to go down this entire checklist, but you should still make a good habit of looking over your security policies every once in a while.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/436\/how-to-lock-down-your-aws-resources\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Lock Down Your AWS Resources \u2013 CloudSavvy IT&#8221; AWS is a very secure ecosystem, but they can\u2019t guarantee that what you do\u00a0in the cloud is going to be secure. That responsibility is left up to you, although AWS will try to nudge you in the right direction. 
This guide covers what you should&#8230;<\/p>\n","protected":false},"author":1,"featured_media":83749,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/06\/1037b3fa.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-83748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/83748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=83748"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/83748\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/83749"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=83748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=83748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=83748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}