AWS Security Best Practices #1: Disable Root Account API Access Key

Today, we kick off a series on the top 10 security best practices we’ve come across based on our own experiences. As AWS and Security practitioners on large-scale AWS deployments, we’ve about seen it all. Most of these are very easy to implement and will go a very long way to ensuring your success on AWS.

In AWS parlance, a “root” user is the login credential you used to create your AWS account with. This user used to be required for some very important aspects of your access to AWS services. Today, it is not really necessary for the operation of your AWS infrastructure.

We recommend disabling, or better yet deleting, the AWS root API access keys. Sign in as the root user, go to the Security Credentials page, and remove or disable any access keys you find there.

The AWS Console warns you when you go to the Credentials page

But first, you’ll have to do a few things to prepare.

1. Create at least 2, but no more than 3, IAM users with administrative policies

But be careful, you don’t want to make every IAM user an admin user! Evident Security Platform (ESP) has security signatures to check for these conditions, and will alert you if you have too few admins, or too many admins in your AWS accounts.

ESP will alert showing too many IAM administrative users

2. Use IAM Roles for EC2 instances if instances need to access other AWS services

Common use cases are storing and retrieving objects from an S3 bucket, and accessing SQS, SNS and other services. More info here. We'll have a more detailed blog post in this series about Roles for EC2.

3. Enable Billing and Recovery related capabilities in your account

While still logged in as the root user, go to My Account and fill in the following sections: Alternate Contacts; Security Challenge Questions; and IAM User Access to Billing Information.

A new AWS account needs to have these sections filled out completely before removing root account credentials and API access keys

First, you’ll be able to alert internal email distribution lists for support, billing and security related announcements from AWS separately from the email address you used to sign up to AWS with.

Second, and most importantly, you will be able to recover your account if you happen to lose your root account credentials or worse, if there’s been a compromise of your root account or IAM credentials.

Finally, you'll also be able to set up and access the billing analytics data via IAM users, which will allow you to work with third-party cost management platforms like Cloudability.
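The three preparation steps above can be checked before you touch the root keys. The following Python is an added example, not code from this post or from Evident; it runs on constructed sample data embedded inline. In practice you would feed it the real credential report (`aws iam get-credential-report --query Content --output text | base64 -d`) and the per-user output of `aws iam list-attached-user-policies`. The account id, user names and policy attachments below are made up; the column names and the `<root_account>` row name are the ones the real report uses.

```python
"""Pre-flight audit for the three preparation steps (added example)."""
import csv
import io
import json

# Constructed IAM credential report, trimmed to the columns used here.
# The root user always appears as <root_account>.
CREDENTIAL_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,true,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,true,true
"""

# Constructed map of IAM user -> attached managed-policy ARNs.
ATTACHED_POLICIES = {
    "alice": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "bob": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "deploy-bot": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}

# Constructed trust policy for an EC2 instance role (step 2).
EC2_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
MIN_ADMINS, MAX_ADMINS = 2, 3  # the range recommended in step 1


def root_active_access_keys(report_csv: str) -> list:
    """Return the root access-key slots that are still active (empty list = good)."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return [slot for slot in ("access_key_1", "access_key_2")
                    if row[f"{slot}_active"].strip().lower() == "true"]
    raise ValueError("credential report has no <root_account> row")


def admin_users(attached: dict) -> list:
    """Users with the AdministratorAccess managed policy attached directly."""
    return sorted(user for user, arns in attached.items() if ADMIN_POLICY_ARN in arns)


def admin_count_finding(count: int) -> str:
    """Classify the admin head-count against the 2..3 recommendation."""
    if count < MIN_ADMINS:
        return "too_few"
    if count > MAX_ADMINS:
        return "too_many"
    return "ok"


def trusts_ec2_service(trust_policy_json: str) -> bool:
    """True if some Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    doc = json.loads(trust_policy_json)
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        services = stmt.get("Principal", {}).get("Service", [])
        actions = [actions] if isinstance(actions, str) else actions
        services = [services] if isinstance(services, str) else services
        if "sts:AssumeRole" in actions and "ec2.amazonaws.com" in services:
            return True
    return False


def audit(report_csv: str = CREDENTIAL_REPORT,
          attached: dict = ATTACHED_POLICIES,
          trust_policy: str = EC2_TRUST_POLICY) -> dict:
    """Combine the checks into one findings dict; safe_to_remove_root_keys
    is True only once the admin users and the EC2 role are in place."""
    admins = admin_users(attached)
    finding = admin_count_finding(len(admins))
    return {
        "root_access_keys": root_active_access_keys(report_csv),
        "admin_users": admins,
        "admin_count": finding,
        "ec2_role_trust_ok": trusts_ec2_service(trust_policy),
        "safe_to_remove_root_keys": finding == "ok" and trusts_ec2_service(trust_policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

With the sample data the audit reports one still-active root key (`access_key_1`), two admins (within range) and a usable EC2 trust policy, so the only remaining action is the key removal itself. The admin count only looks at directly attached managed policies; group memberships and inline policies that grant `*` would need the same treatment to match what a platform like ESP checks.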

A quick recap of our past AWS Best Practice posts:

  1. Disable Root API Access Key and Secret Key
  2. Enable MFA Tokens Everywhere
  3. Reduce Number of IAM Users with Admin Rights
  4. Use Roles for EC2
  5. Least Privilege: Limit what IAM Entities Can Do with Strong Policies
  6. Rotate all the Keys Regularly
  7. Use IAM Roles with STS AssumeRole Where Possible
  8. Use AutoScaling to Dampen DDoS Effects
  9. Do Not Allow Unless You Mean It
  10. Watch World-Readable and Listable S3 Bucket Policies