Updated: Jul 23, 2021
Lock away your AWS account root user access keys: Do not use your AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information. You cannot reduce the permissions associated with your AWS account root user access key. Therefore, protect your root user access keys as a sensitive secret. Rotate root account credentials at regular interval & enable MFA on your root user account.
Create Individual IAM Users: Create individual IAM users for anyone who needs access to your AWS account.
Grant Least Privilege: Grant only the permissions required to perform a task. Grant additional permissions as necessary. It is easier to relax than to tighten up. Also it gives more granular control.
Use Access Levels to Review IAM Permissions: To improve the security of your AWS account, you should regularly review and monitor each of your IAM policies. Make sure that your policies grant the least privilege that is needed to perform only the necessary actions.
Enable MFA for privileged users such as root user, administrator, etc for extra security.
Rotate Credentials Regularly so that, even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources.
Remove Unnecessary Credentials: Remove IAM user credentials (that is, passwords and access keys) that are not needed.
Use Policy Conditions for Extra Security: Define conditions under which your IAM policies allow access to a resource. Example 1 - You can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL or MFA (multi-factor authentication). Example 2 - You can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.
Monitor Activity in Your AWS Account: You can use logging features in AWS to determine the actions users have taken in your account and the resources that were used. The log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.
Use Roles for Applications That Run on Amazon EC2 Instances: Applications that run on an EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles.
Delegate by Using Roles Instead of by Sharing Credentials: You might need to allow users from another AWS account to access resources in your AWS account. If so, don't share security credentials, such as access keys, between accounts. Instead, use IAM roles.
For your convenience this article is also available in video format at:
For AWS certification / AWS trainings needs contact us.