
20/08/2019

AWS Free-Tier Subscription - First 4 Things You Need To Do

As an AWS Free-Tier user you are entitled to a lot of free compute power.
This is AWS's way of saying "Please experiment and learn".

But experiments sometimes go wrong, and in this case they can go really badly if you are not careful.

Here are the 4 things you need to do first after signing up for an AWS Free-Tier subscription.

#1. Set a billing alert.
#2. Enable MFA.
#3. Delete the root account access keys.
#4. Bring the IAM dashboard's "Security Status" to all green, 5/5.

OK, I will take you through each change and explain why.


Change 1: SET BILLING ALERT

As I said earlier, as a Free-Tier subscriber you are entitled to a lot of free stuff, like:
           a. EC2 instances with free-tier eligible AMIs.
           b. 750 hours of compute time on your EC2 instances.
           c. Lambda functions, with 1 million calls per month for free.
           d. S3 buckets with 5 GB of data in them, 2,000 PUT and 20,000 GET requests per month.
           e. 30 GB of EBS volume.
           The list continues.

But as a free-tier user, you are not restricted in any way from using more than what you get for free.
This means you can use services beyond your free limits, provided you spend your own money.
So there is a high chance you may end up spending actual money without doing or learning anything.

For example:
You may create a couple of EC2 instances and forget to turn them off.
With at least 2 instances running, you may use up all the free time in just 15 days. The rest you are going to pay from your own pocket.

You may create an S3 bucket whose security (VPC) is open to the public.
Some hackers may find it and use it beyond its permissible free quota. Worst of all, they may use it for illegal activities. Now you are held responsible for the bill and possibly for some prosecution.

So you need to set up a billing alert, so that when things go wrong you are informed instantly and can control the damage.

Step 1:
Let's start with SNS. Go to AWS Management Console => Services => SNS (Simple Notification Service).
Click on "Topics" in the left pane and click the "Create Topic" button.
Enter a Name and Display Name, leave the remaining settings as they are, and finish creating the topic.


Now you will be taken to a screen where you can see the details of the topic and, below it, a subscription list. It will be empty as of now. Click the "Create Subscription" button. In the Protocol dropdown you can choose Email or SMS; give the relevant value and finish the subscription process.

Step 2:
Now go to Services => Billing => Billing Preferences.
Select the "Receive Billing Alerts" checkbox. Save preferences.

Step 3:
Now we will be creating a CloudWatch alarm.
Services => CloudWatch => click "Alarms" in the left pane => click the "Create Alarm" button.

Select "Metric" => choose the "Billing" metric => choose "Estimated Charges" => check USD.

On the next screen, leave everything else the same; under Conditions you specify at what amount you get the alarm. As I am a Free-Tier user, I put it at 10 USD.
This doesn't mean that you are ready to spend 10 dollars: even when you spend 1 dollar, the estimated charges will rise to 10 dollars, since the estimate grows exponentially.
On the next screen, you get to choose which SNS topic the alarm sends its message to. Choose the one we created in Step 1.

On the next screen, name the alarm and give it a meaningful description, and on the final screen review and finish creating the alarm.

So now you will be notified instantly to check up on your account even when you spend 1 dollar.
There are so many people who paid unnecessary expenses by not configuring such alerts.

Change 2: ENABLE MFA

This is an additional layer of security to protect yourself from unauthorized use of AWS resources under your account/tenant.

Go to AWS Console => Services => IAM.
On your IAM dashboard, under Security Settings expand "Activate MFA on your root account", and click the "Manage MFA" button.


On the next screen choose the "Virtual MFA Device" option and continue. This will enable your phone as an MFA authenticator for root account access.

Now you will see a screen where a QR code is presented to you. You can use your smartphone with any kind of MFA tool installed. I use Microsoft Authenticator on my smartphone.

Open the Authenticator app on your mobile => Add account => choose the "Other account (Google, Facebook, etc.)" option.
Scan the QR code presented => Finish.
Now the app will show the AWS root account with an auto-generated MFA code.
Enter two consecutive MFA codes on the screen above and click the "Assign MFA" button. DONE!

Log out now and try logging in with your root credentials. This time, after giving your root credentials, it will wait for MFA code confirmation from your mobile.

You need to do the same for your ADMIN user as well. I will talk more about the ADMIN user in the next change.

Change 3:  Delete root account access keys

We know the importance of the root account and the potential dangers of unauthorized access to it. We enable MFA and think we are secure. NOPE.

There are other ways of exploiting your AWS subscription using the root account.
AWS services can be created/modified not only from the console, but also from the AWS CLI and AWS SDKs.

From my earlier post AWS Lambda Basics, we know how to use an Access Key and Secret Key to interact with AWS using the CLI or SDKs. Remember one thing:

ROOT ACCOUNT ACCESS CANNOT BE RESTRICTED, NOT EVEN AMAZON CAN.

So even after adhering to all the MFA security cautions, you are still exposed to danger if you keep on using your root account access keys in your development experiments.

Want to know how?
You are a beginner, and you started using root access keys in your code. The code file might be hosted in an S3 bucket. As a beginner we might not have configured the VPC properly, so it is exposed to the public; now hackers can get into the S3 bucket and do a recursive file read, and boom, they have the root access keys and the destruction continues.

So the best practice is to delete the access keys for the root account. Never use root account keys for any programming.

Let me show you how.
Step 1:
Go to the AWS Console as the root account, click on your root account at the top right and go to "My Security Credentials". Now expand the Access Keys section and delete the keys as shown below.


Make sure you never generate access keys for the root account in future.

You may ask the question "If we delete the root admin account's keys, how do we manage all the administrative tasks from the API?"
Answer: Using IAM Groups, IAM Users and IAM Policies.

Since we deleted the access keys for the root admin account, we need to create an admin IAM user for any admin activities, like logging into the console or automating some infrastructure-level tasks.

Step 2:
Let's create an IAM Admin group first.
AWS Management Console => Services => IAM
Click on Groups => Create Group => name it Admin => on the next page search for "AdministratorAccess" => attach the Admin policy to the group => finish creating the group.
Step 3:
Let's create the Admin user. Give it a proper username and credentials, as you will use this for the rest of your time with AWS management tasks like creating/modifying stuff from the AWS Management Console.

Click "Users" in the left pane => Create User => enter the username and mark the checkboxes for programmatic access keys and for a password for console login. Go to the next page.

On the next screen select adding the user to an existing group and pick the Admin group we created in Step 2.

Finish creating the admin user. Done.
Please do not forget to enable MFA for this ADMIN user, following the same steps shown in Change 2.

You may ask "What is the point of deleting the access keys for the root admin account and then creating a new admin account with a password and access keys for programmatic access?"

Firstly, anyone who can google AWS knows where to log in: console.aws.amazon.com. If that anyone is a hacker who got hold of your IAM user credentials, they can do anything. But once you delete the root access keys and enable the admin user, you will see a sign-in URL which is unique to your tenant. It is not so easy to guess that sign-in page URL.

Secondly, let's say I log in to the AWS console using my IAM Admin user and go to the Billing section. Look what I see.
So the AWS admin cannot perform certain critical tasks like changing your support plan, or even terminating your account/tenant.
You can even control any kind of access by updating the AdministratorAccess policy assigned to the Admin group. You can set a universal policy that no one can delete major resources like S3 buckets and EC2 instances.
So it is more secure to use the IAM admin user credentials than the root admin credentials.
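The reason a "no one can delete S3 buckets or EC2 instances" policy works for the Admin group but could never work for root is how IAM evaluates identity policies: an explicit Deny in any attached policy overrides the Allow on "*" that AdministratorAccess grants, anything no statement allows is implicitly denied, and the root user is not evaluated against identity policies at all, which is what "root account access cannot be restricted" means in practice. The following is an added example, not the post's or AWS's code: a simplified evaluator (Effect, Action and Resource only, with IAM's * and ? wildcards; no NotAction, NotResource or Condition) run over the managed AdministratorAccess shape plus a constructed guardrail policy whose name and contents are hypothetical.

```python
import fnmatch

# Shape of the AWS managed AdministratorAccess policy attached to the Admin group.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail policy (hypothetical name and content): an explicit Deny on the
# destructive actions the post mentions, attached to the Admin group next to AdministratorAccess.
ADMIN_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "NoDeletingMajorResources",
        "Effect": "Deny",
        "Action": ["s3:DeleteBucket", "ec2:TerminateInstances"],
        "Resource": "*",
    }],
}

# Constructed read-only policy to show wildcard matching and the implicit deny.
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and accept the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # Resource ARNs are matched case-sensitively, with the same wildcards.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policies, action, resource, is_root=False):
    """Simplified identity-policy evaluation for one request.

    Root is not subject to identity policies, so the answer for root is always Allow.
    For an IAM user: an explicit Deny in any matching statement wins over every Allow;
    with no matching Allow at all the request is implicitly denied.
    """
    if is_root:
        return "Allow"
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    admin_group = [ADMINISTRATOR_ACCESS, ADMIN_GUARDRAIL]
    bucket = "arn:aws:s3:::logs"  # constructed ARN
    for who, root in (("IAM admin", False), ("root", True)):
        print(who, "s3:DeleteBucket ->", evaluate(admin_group, "s3:DeleteBucket", bucket, is_root=root))
```

Because Deny is checked as soon as a statement matches, the guardrail holds no matter how many other Allow statements the Admin group accumulates; the same evaluation order is why the post's advice to work as an IAM admin rather than as root actually buys you something.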


Change 4: Bring the IAM dashboard's "Security Status" to all green, 5/5

Go to AWS Management Console => Services => IAM
On the IAM Dashboard, under the Security Status section, you see 5 things strongly recommended as best practices for better security in AWS.


By performing Change 2 and Change 3 we have addressed the top 3 concerns.
Now set strong password standards for your IAM user creation.
AWS Console => Services => IAM => Account Settings in the left pane.
There you see password restrictions where you can set rules for your passwords to keep them strong.


Lastly, the fifth recommendation: "Rotate your access keys". We all know we do not use User1 or User2 for programmatic access in production scenarios. Usually the accounts used will be service accounts used for communication between different modules or services.

Now let's say you suspect there is some unauthorized access to one of the services; you can delete the access keys and regenerate them for all the compromised accounts. Actually, it is a better standard to make this a regular practice: rotate the keys to avoid security leaks.
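The dashboard shows these five items once; the IAM credential report lets you re-check the same things for every user on a schedule, which matters most for the service accounts that own the long-lived keys. The following is an added example, not the post's or AWS's code: it parses a constructed report that uses a subset of the real credential report's column names (the real report has more columns, which the reader ignores) and flags console sign-ins without MFA, any root access key, and access keys older than a rotation limit, covering Changes 2, 3 and 4 in one pass. The account id, user names and timestamps are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column naming of the IAM credential report; only the columns
# this audit reads are included. The real report names the root user "<root_account>".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-08-01T10:00:00+00:00,not_supported,false,true,2019-08-01T10:05:00+00:00,false,N/A
admin,arn:aws:iam::123456789012:user/admin,2019-08-02T09:00:00+00:00,true,true,true,2019-08-02T09:10:00+00:00,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2019-01-15T12:00:00+00:00,false,false,true,2019-01-15T12:00:00+00:00,false,N/A
"""

ROOT_USER = "<root_account>"
# Constructed "now" so the sample produces stable ages.
AUDIT_TIME = datetime(2019, 8, 20, 12, 0, tzinfo=timezone.utc)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return findings (user, issue, detail) for MFA, root keys and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        # Root always has a console password; IAM users only if password_enabled is true.
        has_console_login = is_root or row["password_enabled"] == "true"
        if has_console_login and row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "no_mfa",
                             "detail": "console sign-in without MFA"})
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Change 3: root must not have access keys at all, whatever their age.
                findings.append({"user": user, "issue": "root_access_key",
                                 "detail": f"root access key {slot} exists; delete it"})
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age_days = (now - rotated).days
            if age_days > max_key_age_days:
                findings.append({"user": user, "issue": "stale_key",
                                 "detail": f"access key {slot} last rotated {age_days} days ago"})
    return findings


def users_with_issue(findings, issue):
    return sorted({f["user"] for f in findings if f["issue"] == issue})


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: {f['issue']} - {f['detail']}")
```

Note that svc-deploy has no console password, so the missing MFA is not reported for it; what is reported is its seven-month-old key, which is exactly the case the rotation recommendation is about. Point the function at a real report (the CSV that `aws iam get-credential-report` returns, base64-decoded) and the extra columns are simply ignored.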

That's it. These are the first 4 things you need to do not only with your Free-Tier, but also when you sign up for an actual AWS PROD account/tenant.
