Security as an AWS administrator

An AWS administrator is in the position to decide the security structure of the account: they create users and roles, assign policies, and can use the other services AWS offers.

This position offers great freedom to implement secure processes, but it’s also easy to disregard best practices.

Do not reuse credentials

As we’ve seen in the “IAM users” section of the Principal lesson, users can have access keys for programmatic access to an account as well as a password for the Console. Admins who are new to AWS are especially tempted to send the password to multiple people or to embed the user’s access keys in multiple systems.

This defeats security logging: when we investigate an incident, we have no idea who actually used the IAM user. Also, secrets such as the password or the Secret Access Key should be known only to the end user, and sharing them increases the risk of disclosing them.

Instead, make sure an IAM user is used by only one person or one system. This makes it easy to see who can do what, and the logs will point to the person involved in an incident. It also makes it easy to remove the credentials, for example when a person leaves the company.
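The logging problem above is also detectable after the fact. The following is an added example (not part of this lesson) that scans CloudTrail-style records for a single IAM user access key used from several source IPs or user agents, which is a common sign that the key has been shared; the field names follow the CloudTrail record format, but the events themselves are constructed.

```python
"""Flag IAM access keys that look shared: one key, many source IPs / user agents."""
from collections import defaultdict

# Constructed CloudTrail-style records (field names follow CloudTrail; values are made up).
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventName": "PutObject", "sourceIPAddress": "192.0.2.44",
     "userAgent": "aws-sdk-java/1.12",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE0000002"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.9",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000003"}},
]


def shared_key_candidates(events, max_ips=1, max_agents=1):
    """Return {accessKeyId: {"userName", "ips", "agents"}} for IAM-user keys seen
    from more distinct source IPs or user agents than the thresholds allow."""
    seen = defaultdict(lambda: {"userName": None, "ips": set(), "agents": set()})
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId")
        # Only long-term IAM user keys are in scope; role sessions and root
        # activity are reported under other userIdentity types.
        if ident.get("type") != "IAMUser" or not key:
            continue
        rec = seen[key]
        rec["userName"] = ident.get("userName")
        rec["ips"].add(ev.get("sourceIPAddress"))
        rec["agents"].add(ev.get("userAgent"))
    return {k: v for k, v in seen.items()
            if len(v["ips"]) > max_ips or len(v["agents"]) > max_agents}
```

The thresholds are a heuristic: a single person behind a NAT or on a laptop that moves networks will show more than one IP, so tune `max_ips` and `max_agents` to the account's normal patterns before acting on a hit.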
