“If you knew then what you know now you would do things (better, different, etc).”
Learning Amazon Web Services is fun. It is exciting to start learning new services and apply them to the solutions you are building. You can learn fast if you are focusing on the problem you are trying to solve.
This post is your proverbial “monkey wrench” in your learning wheel.
Stop for a second. Make sure you have set yourself up not only for more learning but for future scaling and security. Below is a collection of community-based best practices for your new AWS account. Take a break from writing all your exciting features and check whether you have done these.
1. Turn Multi Factor Authentication (MFA) On For Your Root Account
When you create your Amazon Web Services account you are creating a ‘root’ account. This root identity has all the power in your account. It can access all AWS services and resources.
Because this identity has so much power, it is best practice to lock it down, and the first step is to require MFA on it. AWS has offered virtual (authenticator app), hardware (physical key or token), and SMS text-message MFA. Any of them beats no MFA, but SMS is the weakest of the three: it depends on your carrier and is exposed to SIM-swap attacks, and AWS only ever offered it as a preview that has since been withdrawn. Pick a virtual or hardware device.
If you use a virtual MFA app on your phone, a compromise of that phone (or its backups) also hands over your second factor. If you use a hardware device, you have to keep it somewhere safe and not lose it; losing the root MFA device means going through AWS account recovery. Either way, AWS lets you register more than one MFA device on the same identity, so enroll a backup device and store it separately so one loss does not lock you out.
Whichever option you pick has a disadvantage, but MFA on the root account is a huge security win. Bonus points: it is a common question on AWS certification exams.
2. Great! Now Stop Using Your Root Account
Have you configured MFA for your root account? Now stop using it. Create a new IAM user and attach the AdministratorAccess managed policy plus the AWS managed Billing policy (arn:aws:iam::aws:policy/job-function/Billing). One catch: no IAM policy exposes billing data until the root user has turned on "IAM user and role access to billing information" in the account settings, so flip that switch while you are still signed in as root. Generate a unique password for the new user and enable MFA on it as well. Create CLI access keys for this user, then delete any access keys the root account has (aws iam list-access-keys, run with root credentials, shows them).
Once that is done, sign in as the IAM user and stop touching the root account altogether. Root credentials are for account recovery and the handful of tasks only root can perform, nothing else.
3. Set A Billing Alarm For What You Expect To Spend
You secured your root account and you now have a user that you can sign into your account with. Look at you improving things already.
The biggest thing I have seen folks new to AWS overlook is their billing setup. Most services are inexpensive during your learning. If your account is brand new you also have an entire year of “free tier” eligibility. But, if you become hooked on AWS you will pass the learning phase and burn through your free tier.
If you think this is likely going to be you, avoid the holy sh** AWS bill. Configure a billing alarm that emails you when estimated charges cross a threshold you cannot comfortably absorb, and remember that an alarm only notifies; it does not stop the spending. Two details trip people up: you must first enable "Receive Billing Alerts" in the Billing preferences page, and the billing metric (EstimatedCharges in the AWS/Billing namespace) is published only in the us-east-1 region, so the alarm has to live there. The AWS documentation for turning this on is here.
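As an added example (not the post's own code, and not a substitute for the linked documentation), here is a small boto3 script that creates the SNS topic, subscribes your email address, and puts the alarm. The threshold, topic and alarm names, and the email address are assumptions you would replace; the parts that are not negotiable are the region, the namespace and metric name, the Currency dimension, and the six-hour period, which matches how often AWS refreshes the estimate. It still assumes you have already ticked "Receive Billing Alerts" in the console, because there is no API for that preference.

```python
"""Create an "estimated charges" billing alarm that emails you.

Added example, not from the original post. Assumptions: the threshold,
alarm/topic names and email passed in by the caller, and that "Receive
Billing Alerts" is already enabled in Billing preferences (console only),
otherwise the AWS/Billing metric is never published and the alarm never fires.
"""
import sys

REGION = "us-east-1"        # billing metrics are only published in us-east-1
SIX_HOURS = 6 * 60 * 60     # EstimatedCharges is refreshed roughly every six hours


def billing_alarm_params(threshold_usd, topic_arn, alarm_name="monthly-spend-alarm"):
    """Keyword arguments for CloudWatch put_metric_alarm on the month-to-date estimate."""
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive dollar amount")
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": f"Estimated month-to-date charges exceed USD {threshold_usd}",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",          # the estimate only grows within a month
        "Period": SIX_HOURS,
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        # The metric is absent until billing alerts are enabled; do not alarm on that.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def create_billing_alarm(threshold_usd, email, topic_name="billing-alerts"):
    """Create the SNS topic, subscribe the email, and put the alarm.
    Needs boto3 and credentials for a user with cloudwatch:PutMetricAlarm,
    sns:CreateTopic and sns:Subscribe."""
    import boto3
    sns = boto3.client("sns", region_name=REGION)
    cw = boto3.client("cloudwatch", region_name=REGION)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    # AWS sends a confirmation email; nothing is delivered until you click it.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cw.put_metric_alarm(**billing_alarm_params(threshold_usd, topic_arn))
    return topic_arn


if __name__ == "__main__":
    # usage: python billing_alarm.py 50 you@example.com
    arn = create_billing_alarm(float(sys.argv[1]), sys.argv[2])
    print("alarm created; notifications go to", arn)
```

Check the confirmation email after running it, and then raise the threshold deliberately as your usage grows rather than muting the alarm when it starts firing.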
Conclusion
This is not a comprehensive list. These three things are what all accounts should do out of the gate. Consider these as well if you are looking to launch a product or service with this account.
- Create a non-default VPC with private and public subnets, and keep anything that does not need a public IP in the private ones.
- Create fine-grained security groups (one per role, such as web, app and database) that can be added to or removed from instances, rather than one permissive group that everything shares.
- Consider spinning up a bastion host that allows SSH/RDP access from your own IP range only and that you use to jump to instances in the private subnets.
- Turn on CloudTrail for the account (it is account-wide; there is no separate trail for the root user) and watch it for root activity: any record whose userIdentity.type is Root is access you should be able to explain.
- Create one multi-region trail rather than per-region trails, so regions you are not using are covered too. Even if you have no plans to search the logs right now, they are nice to have in the event you need them.
- Rotate IAM access keys on a regular cadence (the credential report shows the age of every key) and immediately whenever one may have leaked.
- Use CloudFormation for everything you can. Starting with templates is much easier out of the gate than retrofitting them later.
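To make the CloudTrail bullets concrete, here is an added example (not from the original post) of the detection logic you would run over a trail's log files: it flags any event made by the root identity, any successful console login without MFA, and failed console logins. The records below are constructed to look like CloudTrail entries (the field names userIdentity.type, eventName, responseElements.ConsoleLogin and additionalEventData.MFAUsed are the real ones; the account, users, IPs and times are made up), and the scenario they tell, root signing in without MFA and minting an access key, is exactly what you want to catch.

```python
"""Scan CloudTrail records for root-account use and console logins without MFA.

Added example, not the original post's code. A real trail delivers gzipped
JSON files, each a {"Records": [...]} document; the sample below is constructed
to look like one (fake account 123456789012, users, addresses and times).
"""
import gzip
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-02T07:30:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin", "userName": "admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-02T23:41:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-02T23:44:19Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "requestParameters": {"userName": "backdoor"}},
    {"eventTime": "2024-03-03T01:02:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/legacy-dev", "userName": "legacy-dev"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2024-03-03T04:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin", "userName": "admin"}},
]})


def load_records(text):
    """One CloudTrail log document (JSON text) -> list of event dicts."""
    return json.loads(text)["Records"]


def suspicious_events(records):
    """Return (severity, reason, event) for every record worth a human look."""
    hits = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        name = ident.get("userName") or ident.get("arn", "?")
        # Anything done as root after section 2 is, by definition, unexpected.
        if ident.get("type") == "Root":
            hits.append(("high", f"root account used: {ev['eventName']} from {ev.get('sourceIPAddress')}", ev))
        if ev.get("eventName") == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Success" and mfa != "Yes":
                hits.append(("high", f"console login without MFA: {name}", ev))
            elif outcome == "Failure":
                hits.append(("medium", f"failed console login: {name} from {ev.get('sourceIPAddress')}", ev))
    return hits


def scan_log_files(paths):
    """Run the same checks over gzipped trail files downloaded from the S3 bucket."""
    hits = []
    for path in paths:
        with gzip.open(path, "rt") as fh:
            hits.extend(suspicious_events(load_records(fh.read())))
    return hits


if __name__ == "__main__":
    import sys
    hits = scan_log_files(sys.argv[1:]) if len(sys.argv) > 1 else suspicious_events(load_records(SAMPLE_LOG))
    for severity, reason, ev in hits:
        print(f"[{severity}] {ev['eventTime']} {reason}")
```

Point it at the .json.gz files CloudTrail drops in your bucket, or run it bare to see the sample: the admin's MFA-backed login and S3 listing pass silently, while the root login without MFA, the root-created access key, and the failed login all surface. The same conditions translate directly into CloudWatch metric filters or EventBridge rules if you want alerts rather than a script.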