momius - Fotolia

Avoid AWS access control mistakes to keep your cloud safe

If you get clumsy with AWS security, you can put your whole business at risk. Be wary of these common errors, and implement best practices to secure your workloads.

When you first start with AWS, you must understand how the cloud provider's shared responsibility model works and the security elements for which you are responsible. Amazon secures its global infrastructure and managed services, but you must manage AWS access control to protect your cloud data and workloads.

AWS offers a sandbox security environment for admins to design and control access to resources as they see fit. But organizations will still face stark consequences if they ignore security best practices. Many IT professionals, for example, fail to secure their accounts, even though it is of paramount importance.

Here are four common examples of AWS security mistakes that you should avoid.

Unnecessary permissions for users and resources

Administrators often grant unnecessary AWS user permissions. This approach is very risky, as someone with too many privileges can -- intentionally or unintentionally -- remove a crucial piece of infrastructure within an environment and potentially hurt your business.

Instead, admins should tailor AWS access control to meet the specific needs of each user or resource. Carefully create and manage roles for various resources so that, for example, you don't give -- or at least limit -- delete privileges for Lambda functions.

Lack of two-factor authentication

Most AWS accounts -- if not all of them -- should include two-factor authentication. This extra level of protection is especially crucial for roles with any kind of extra privileges, such as full access to Elastic Compute Cloud or permission to delete Simple Storage Service buckets.

In the case of a stolen password, two-factor authentication can be the difference between a slight inconvenience and a harmful situation.

Exposed AWS access keys

IT professionals often mistakenly upload AWS keys for programmatic access to Git. This happens so often that GitHub scans for these keys to prevent them from falling into anyone's hands. But, unfortunately, any GitHub user could scan for them as well. So, it's important to keep them safe.

When intruders possess these keys, they can access everything that the original keyholder could. If you don't have additional protections in place, such as regular key rotation, even two-factor authentication won't protect you.

Excessive use of the root account

The AWS root user has unlimited privileges within an account, and a compromised root can devastate your cloud environment and business.

You should only use the root account to create the initial admin users and then store it away. Also, don't have API keys for the root account, as this creates additional risk; if you have already generated or used these keys, delete them.

Dig Deeper on AWS management

App Architecture
Cloud Computing
Software Quality