This is a summary of the best practices listed on the AWS website, combined with personal experience and material from other sources.

- Lock away your AWS account (root) access keys.
- Create individual IAM users. Use the root account only rarely (or never after the initial setup).
- Use AWS-defined (managed) policies to assign permissions whenever possible.
- Use groups to assign permissions to IAM users.
  - Even if there is only one user, it is recommended to create a group.
- Grant least privilege.
- Configure a strong password policy for your users.
- Enable MFA for privileged users.
- Use roles for applications that run on Amazon EC2 instances; do not copy a user's access keys onto an EC2 instance.
- Delegate by using roles instead of by sharing credentials.
  - Delegation is granting permission to someone that allows access to resources that you control.
  - To delegate permission to access a resource, you create an IAM role that has two policies attached.
    - The permissions policy grants the user of the role the permissions needed to carry out the desired tasks on the resource.
    - The trust policy specifies which trusted accounts are allowed to grant their users permission to assume the role.
  - Read more at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html.
- Rotate credentials regularly.
- Remove unnecessary credentials.
- Use policy conditions for extra security.
- Monitor activity in your AWS account.
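As an added example (not from the original post or from AWS), here is a small checker that reviews the two policy documents a delegation role carries, the trust policy and the permissions policy, against the points above: no wildcard principal, an MFA condition on AssumeRole, and no wildcard actions or resources. The account ID, bucket name and policy contents are constructed sample values.

```python
import json

# Constructed sample: trust policy delegating to another account (fake account id),
# requiring MFA via a policy condition, plus a scoped permissions policy.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

def _as_list(value):
    # IAM allows a single string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]

def review_policy(doc, kind):
    """Return a list of findings; kind is 'trust' or 'permissions'."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        if kind == "trust":
            principal = st.get("Principal", {})
            aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
            if principal == "*" or "*" in aws:
                findings.append(f"statement {i}: trust policy allows any principal")
            if "aws:MultiFactorAuthPresent" not in json.dumps(st.get("Condition", {})):
                findings.append(f"statement {i}: no MFA condition on AssumeRole")
        else:
            actions = _as_list(st.get("Action", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"statement {i}: wildcard action violates least privilege")
            if "*" in _as_list(st.get("Resource", [])):
                findings.append(f"statement {i}: wildcard resource violates least privilege")
    return findings
```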