"There is always someone waiting for you to make a mistake."
Security is a major challenge nowadays, so everyone should focus on it. Now, tell me: if you were a thief, whom would you rob? Obviously the richest one.
In our world, the richest person is the one who has the most rights. Yeah, you got it right: the root account.
What should you do with your root account?
Everyone knows that you can do anything with the root account in AWS, so you must be careful when using it. Here are some points you should follow to prevent misuse of your root account.
Experts say that you should only use the root account to create an admin account, that's it!
- As you know, every other task can be done with the admin account itself. So once you have an admin account, avoid using root.
Never ever create access keys for Root.
- Yeah, that's true, because it's too dangerous! If by mistake those access keys get leaked, the attacker can not only steal your data but also delete your AWS account!
Some other points:
- Rotate IAM user passwords and access keys regularly. (You can also automate it. ;) )
- Use a policy to alert when a user is not using MFA.
- Regularly check your IAM users. If you find an unknown user, there is a good chance that some of your credentials have leaked, so it's time to execute your incident response plan.
- Use repository scanning. I will explain this point further below.
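The three checks above (stale access keys, console users without MFA, and IAM users nobody recognises) can all be read off a single IAM credential report. The script below is an added example, not code from the post: it parses a constructed report in the column layout IAM uses (only the columns the checks need are included), and the `KNOWN_USERS` allowlist, the 90-day rotation limit and the fixed `NOW` timestamp are assumptions chosen so the run is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report, trimmed to
# the columns used below. "N/A" / "not_supported" appear in real reports for
# fields that do not apply to a row (the root row has no console password fields).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,true,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,true,true,2024-01-10T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,false,true,2022-05-01T00:00:00+00:00,false,N/A
mallory,arn:aws:iam::111122223333:user/mallory,2024-02-01T00:00:00+00:00,false,false,true,2024-02-01T00:00:00+00:00,false,N/A
"""

KNOWN_USERS = {"alice", "bob"}          # assumed allowlist of IAM users you expect to exist
MAX_KEY_AGE = timedelta(days=90)        # assumed rotation policy
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" so the output is reproducible


def parse_time(value):
    """Credential-report timestamps are ISO 8601; non-applicable fields become None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_report(report_csv, now=NOW, known_users=KNOWN_USERS, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for the root-key, MFA, unknown-user and key-age checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should never have access keys at all, and must have MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if user not in known_users:
            findings.append((user, "unknown IAM user"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {slot} older than {max_key_age.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report`, base64-decode the `Content` field and pass the resulting CSV text to `audit_report`. Treat an "unknown IAM user" finding as the trigger for the incident response plan the post mentions, not as something to quietly delete.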
A developer may sometimes commit code that has secrets (passwords, access keys, anything) hardcoded. You can perform checks that detect any secrets uploaded to your repository.
You should know that there are global scanners run by hackers, and even GitHub has some, that scan the code everyone uploads and check for any kind of secret.
Just try uploading your access key to a public repository and in some time you will receive a mail from GitHub ;). Also, if those keys are still active, in some time a hacker will create resources in your AWS account. Trust me, I have seen this scenario. But thanks to AWS for helping.
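A repository scan of the kind the post recommends can run on your own side before a commit ever reaches GitHub. The following is an added example, not code from the post: it looks for the two AWS credential shapes (20-character access key IDs starting with `AKIA` or `ASIA`, and 40-character secret keys next to a variable named like the secret key), scans a constructed in-memory repository, and, when run as a script, scans the files staged in git so it can serve as a pre-commit hook. The sample key values are the placeholders AWS uses in its own documentation, not live credentials; the file paths are made up.

```python
import re
import subprocess
import sys

# Credential shapes discussed in the post. The secret-key pattern is anchored to
# a variable name mentioning the secret key so that arbitrary 40-character
# strings (hashes, tokens of other services) are not reported.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY = re.compile(
    r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)

# Constructed sample repository contents (path -> text).
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = False\n"
    ),
    "README.md": "Export AWS_ACCESS_KEY_ID in your shell; never commit it.\n",
    "scripts/deploy.sh": "aws s3 sync ./build s3://example-bucket/\n",
}


def mask(value):
    """Keep only the ends of a match so the report itself never echoes a full secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return (path, line_number, kind, masked_value) for each credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((path, lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings


def scan_files(files):
    """Scan a mapping of path -> file contents."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def staged_files():
    """Paths added, copied or modified in the git index (what a commit is about to include)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


if __name__ == "__main__":
    # Pre-commit mode: block the commit (exit 1) if any staged file carries a credential.
    contents = {}
    for path in staged_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            contents[path] = fh.read()
    hits = scan_files(contents)
    for path, lineno, kind, value in hits:
        print(f"{path}:{lineno}: possible {kind} ({value})")
    sys.exit(1 if hits else 0)
```

Save it as `.git/hooks/pre-commit` (executable) and a commit containing the constructed `config/settings.py` above is refused with two masked findings. A local hook is a complement to GitHub's own scanning, not a replacement: if a key does reach a public repository, the only safe response is to deactivate and rotate it in IAM, since the pattern-matching bots the post describes will have already seen it.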
- You can use the AWS SSM Parameter Store to store configuration values if needed.
- Also, AWS KMS is one of the best solutions. You can even manage who can encrypt (only!) and who can decrypt using specified keys.
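The encrypt-only versus decrypt split is expressed in the KMS key policy. The block below is an added example, not the post's code: it builds a key policy in which one role may only call `kms:Encrypt`, another only `kms:Decrypt`, and the account root keeps key administration (the statement KMS needs so that IAM policies in the account can take effect). The account ID and role ARNs are placeholders. The small `actions_for` evaluator is a deliberately simplified check of what the policy's Allow statements grant; real KMS evaluation also considers Deny statements, conditions and the caller's IAM policies.

```python
import json

# Placeholder ARNs (assumed, not from the post); replace with your own principals.
ACCOUNT_ROOT = "arn:aws:iam::111122223333:root"
WRITER_ROLE = "arn:aws:iam::111122223333:role/app-writer"
READER_ROLE = "arn:aws:iam::111122223333:role/app-reader"


def build_key_policy(admin, encrypt_only, decrypt_only):
    """KMS key policy: admin manages the key, writers may only encrypt, readers only decrypt."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "EncryptOnly",
                "Effect": "Allow",
                "Principal": {"AWS": list(encrypt_only)},
                "Action": ["kms:Encrypt"],
                "Resource": "*",
            },
            {
                "Sid": "DecryptOnly",
                "Effect": "Allow",
                "Principal": {"AWS": list(decrypt_only)},
                "Action": ["kms:Decrypt"],
                "Resource": "*",
            },
        ],
    }


def actions_for(policy, principal):
    """Actions the key policy's Allow statements grant to one principal (simplified:
    no Deny handling, no conditions, no wildcard principals, no IAM-side policies)."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if principal not in principals:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        granted.update(actions)
    return granted


KEY_POLICY = build_key_policy(ACCOUNT_ROOT, [WRITER_ROLE], [READER_ROLE])

if __name__ == "__main__":
    # The JSON is what you pass to `aws kms create-key --policy` or `put-key-policy`.
    print(json.dumps(KEY_POLICY, indent=2))
```

Because the account root statement grants `kms:*`, any IAM user or role in the account whose own IAM policy allows `kms:Decrypt` would still be able to decrypt; the encrypt-only guarantee therefore depends on keeping that IAM-side permission off the writer role as well.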
So stay aware, stay safe.
We would love to receive your feedback. Let us know if you have other points and I will update the post with them.