Security as an AWS administrator

Learn how to secure an AWS account from the administrator's perspective.

We'll cover the following

Do not reuse credentials
Minimize the number of policies
Use separate accounts via organizations
Implement least privilege
Minimize transitive permissions
Use monitoring and logging

An AWS administrator is in the position to decide the security structure of the account. They create users, roles, assign policies, and can use other services AWS offers.

This position offers great freedom to implement secure processes, but it’s also easy to disregard best practices.

Do not reuse credentials

As we’ve seen in the “IAM users” of the Principal lesson, users can have access keys for programmatic access to an account as well as a password to use the Console. Especially admins who are new to AWS are tempted to send the password to multiple people or embed its keys into multiple systems.

This defeats security logging as we have no idea who used the IAM user when we investigate an incident. Also, secrets, such as the password, or the Secret Access Key should be known only by the end-user, and sharing them increases the risk of disclosing them.

Instead, make sure an IAM user is only used by one person or one system. This makes it easy to see who can do what and the logs will point to the person involved in an incident. Also, it makes it easy to remove the credentials, such as when a person leaves the company.

Get hands-on with 1200+ tech skills courses.

Introduction

Access Control Basics

User Management using IAM

IAM Policies

Request Evaluation Flow and Examples

Role Management Using Identity and Access Management (IAM)

How to Secure an AWS Account

Conclusion

Appendix

Security as an AWS administrator

Do not reuse credentials