The 6 Best AWS Security Practices
Being safe on AWS is critical. This post will cover the best practices to follow with your team and infrastructure. Cyber attacks happen more often every year, so it's best to get ahead.

I have worked with hundreds of companies to improve their FinOps. It was more often than you would expect that…
a former employee gained access to the AWS account with malicious intent
a bounty hunter found some private data while trying to find your APIs and wants money
a cyber criminal gained access to an AWS account and began running applications to mine Bitcoin
Securing your AWS accounts and infrastructure is one of the most important duties of an engineering team. In today's world, there are many bad actors trying to cause harm to your business in order to PROFIT from you. In this post, we will go over the best practices your engineering team should follow. Think of this as a checklist of the bare minimum you should be doing to keep your infra secure.
6 Best AWS Security Practices
#1: Enable Multi-Factor Authentication: Sounds simple, and it is easy. MFA requires users to present a second authentication factor in addition to their user name and password sign-in credentials. You can enable MFA for the root user and for the IAM users you have created in your account.
To enable Multi-Factor Authentication (MFA) on AWS, first navigate to the IAM console, select the user, go to the "Security credentials" tab, and click "Manage" under "Assigned MFA device" to set up a virtual (like using the Google Authenticator App) or hardware MFA device.
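Enabling MFA per user is the first step; the second is knowing who still lacks it. The following added example (not from the original post) parses an IAM credential report, the CSV that `aws iam get-credential-report` returns base64-encoded, and lists every console user, root included, without an active MFA device. The report contents are constructed sample data; only the columns the check uses are shown.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report. The real
# report has more columns (key rotation dates, etc.) than shown here.
# Root appears as "<root_account>" and its password_enabled is "not_supported".
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true
"""

ROOT = "<root_account>"


def users_without_mfa(report_csv: str) -> list:
    """Return users who can sign in to the console but have no MFA device.

    Root is always treated as a console user: its password is always usable,
    even though the report marks password_enabled as "not_supported".
    Users with no console password (API-only users like ci-deploy) are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_user = row["user"] == ROOT or row["password_enabled"] == "true"
        if console_user and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def root_has_access_keys(report_csv: str) -> bool:
    """Root should never carry long-lived access keys; flag if either key is active."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT:
            return (row.get("access_key_1_active") == "true"
                    or row.get("access_key_2_active") == "true")
    return False


if __name__ == "__main__":
    print("no MFA:", users_without_mfa(SAMPLE_REPORT))
    print("root has access keys:", root_has_access_keys(SAMPLE_REPORT))
```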

#2: Monitor Root User Activity through CloudTrail: Monitoring root user activity is critical for cloud security, because this superuser account has unrestricted access to all resources in the account. That makes it a prime target for attackers. Unauthorized access to the root user can lead to data breaches, system compromise, or downtime, costing organizations millions of dollars.
As the root user of an AWS account, you can generally do almost anything you can think of. Regular monitoring helps detect suspicious behavior early, preventing potential threats and ensuring the integrity of your AWS environment. Prioritizing root user activity tracking is also a foundational step in safeguarding sensitive data and maintaining compliance with industry standards like GDPR and HIPAA.
What to do? Leverage AWS CloudTrail for Effective Root User Logging and Tracking.
AWS CloudTrail is a powerful tool for logging and tracking root user activity, providing a detailed audit trail of all API calls and changes in your AWS environment. CloudTrail captures who used the root user, what actions were taken, and when, enabling transparency and accountability. This service is essential for identifying unauthorized changes, conducting forensic analysis after incidents, and meeting compliance requirements. By integrating CloudTrail into your security strategy, you build a robust defense against root user misuse in your cloud infrastructure.
Here’s a helpful video that goes over CloudTrail.
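The following added example (not from the original post) shows the detection logic behind the root-usage alarm from the CIS AWS Foundations Benchmark applied to CloudTrail records: flag events where `userIdentity.type` is `Root`, `invokedBy` is absent (so it is a person or their credentials, not an AWS service acting on root's behalf), and `eventType` is not `AwsServiceEvent`. The records are constructed and abridged to the fields the check reads.

```python
import json

# Constructed CloudTrail log file, abridged to the fields the check uses.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateUser",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # An AWS service acting on root's behalf: not a human using root.
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "CreateLogStream",
     "eventType": "AwsApiCall", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
]})

# The equivalent CloudWatch Logs metric filter pattern used by the CIS
# benchmark control "usage of root account"; attach an alarm to it.
ROOT_USAGE_FILTER = ('{ $.userIdentity.type = "Root" '
                     '&& $.userIdentity.invokedBy NOT EXISTS '
                     '&& $.eventType != "AwsServiceEvent" }')


def root_activity(trail_json: str) -> list:
    """Return (eventTime, eventName, sourceIPAddress) for each direct root action."""
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if (ident.get("type") == "Root"
                and "invokedBy" not in ident
                and rec.get("eventType") != "AwsServiceEvent"):
            hits.append((rec["eventTime"], rec["eventName"], rec["sourceIPAddress"]))
    return hits


if __name__ == "__main__":
    for when, action, ip in root_activity(SAMPLE_TRAIL):
        print(f"ROOT USED: {when} {action} from {ip}")
```

In a real account, the same filter runs as a CloudWatch metric filter on the trail's log group, and the alarm should page someone because legitimate root use should be rare and planned.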
#3: Use Identity and Access Management (IAM): Identity and Access Management (IAM) lets you choose who in your organization gets access to which permissions and resources, and when. You wouldn't [usually] want to give a business intern root access to your entire production account, would you? IAM is like a clever lock system, sorting out who can unlock what, whether it's for people, devices, or apps. With features like single sign-on (one login for all), it keeps your digital space safe and easy to use.
It’s a straightforward way to block cyber threats while keeping work running smoothly. IAM also adds a bit of calm to your tech world. It keeps a record of who’s been where with audit logs, great for meeting rules like SOC 2, GDPR, or HIPAA. With remote work and personal devices popping up everywhere, IAM ensures everyone has just the access they need for their tasks, nothing more.
IAM Users vs. IAM Roles
IAM User: has permanent, long-term credentials (password and/or access keys) and is used to interact directly with AWS services
IAM Role: has no long-term credentials of its own; it is assumed by a user, service, or application to obtain temporary credentials
#4: Enforce encryption at rest and in transit: Enforcing encryption at rest and in transit is critical for protecting sensitive data and strengthening cybersecurity in an era of escalating digital threats. It always feels like data breaches are making the headlines, so to keep data safe and customer trust strong, use robust encryption. This ensures the information stays secure whether it's stored (at rest) or moving across networks (in transit).
Encryption at rest safeguards files, databases, and backups from unauthorized access, while encryption in transit prevents hackers from intercepting data during transmission. This dual approach not only builds customer trust but also meets compliance standards like SOC 2, GDPR, and HIPAA, giving brands an edge by highlighting reliability.
To implement this effectively, follow these steps:
1) Assess your data to identify what needs encryption—think customer info, financial records, or intellectual property
2) Use strong encryption standards like AES-256 for data at rest and TLS 1.3 for data in transit
3) Leverage tools like AWS KMS or Azure Key Vault for key management
4) Regularly update encryption protocols to counter evolving threats
5) Test your setup with penetration testing to spot vulnerabilities. Resources like the OWASP Encryption Cheat Sheet or NIST’s SP 800-53 guidelines offer actionable insights.
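One way to enforce both halves of this on S3, as an added example that is not from the original post: a bucket policy that denies any request made without TLS (`aws:SecureTransport` is false) and denies uploads that do not ask for SSE-KMS, plus a small audit function that checks whether an existing policy carries both guards. The bucket name, account id, and weak policy are constructed; the audit assumes condition values are plain strings, not lists.

```python
import json


def encryption_bucket_policy(bucket: str) -> dict:
    """Bucket policy denying plaintext transport and unencrypted uploads.

    Uploads must send the x-amz-server-side-encryption: aws:kms header;
    a request without it is denied even if the bucket has default encryption.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def audit_bucket_policy(policy: dict) -> dict:
    """Report whether a policy contains the TLS-only and KMS-only Deny guards."""
    tls = kms = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls = True
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse == "aws:kms":
            kms = True
    return {"tls_enforced": tls, "kms_required": kms}


# Constructed weak policy: grants a read but enforces neither guard.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}


if __name__ == "__main__":
    print(json.dumps(encryption_bucket_policy("example-bucket"), indent=2))
    print(audit_bucket_policy(WEAK_POLICY))
```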
#5: Perform regular penetration testing: Regular penetration testing is a must to keep systems secure, vulnerabilities in check, and attackers at bay, especially if you're constantly updating your web app and APIs.
Tips for Getting the Most Out of Penetration Testing:
1) Hire the Right Team: Look for certified professionals (e.g., CEH, OSCP, or CREST credentials) with experience in your industry. A good tester combines technical skill with creative problem-solving. Or work with a company like Assetnote, Wiz, or Orca.
2) Test Realistically: Simulate actual attack scenarios your organization might face. If you're an e-commerce site, focus on payment systems and customer data. Or find someone on Upwork to test and pay a bug bounty for every bug or any data they can find. Or do all three types of testing at the same time:
a) have your team test realistically
b) create a bug bounty program
c) use a service like Assetnote to do testing for you
3) Involve Your Team: Share findings with your engineering and IT teams to foster a security-first culture. Training employees on phishing awareness can also amplify your defenses.
4) Don’t Just Check Boxes: Compliance is great, but the real goal is resilience. Use pen test results to drive meaningful improvements, not just to satisfy auditors.
#6: Secure your APIs: To protect them, start by implementing strong authentication, like OAuth 2.0, to ensure only authorized users gain access. Use encryption, such as TLS, to safeguard data in transit. Rate limiting and input validation can thwart abuse, like DDoS attacks or injection exploits. Regularly audit your APIs for vulnerabilities and keep them updated.
AWS Cost Explorer is a tool that empowers you to see where your AWS costs are coming from. You can filter by accounts, regions, usage type, resources, charge type, and a lot more.
Hopefully this helps you understand how you can work to increase security within your AWS infrastructure! If you have any questions, please do reach out to us at [email protected], and have a wonderful day!
Yaddle Out.