Creating an AWS Account: Beyond the Basics

Transcription

1 Creating an AWS Account: Beyond the Basics Best practices to build a strong foundation for enterprise cloud adoption Updated August 2016 Aaron Wilson

2 Table of Contents Introduction... 3 Before You Begin Have a Strategy... 3 Create an AWS Account Begin Account Creation Use an Distribution List Complete Login Credentials Set Contact Info Configure Payment Method Validate Your Identity Choose a Support Plan Sign In to the Console Choose an IAM Alias Configure Alternate contacts Configure Security Questions and Answers (optional) Enable IAM User Access to Billing Add Multi-factor Authentication (MFA) Switch to IAM Navigate to the IAM console Create New Users Create a Group Next Steps Leverage Automation Switch to IAM Keep Your Root Credentials Safe Conclusion ScaleSec. All rights reserved. Page 2 of 20

3 Introduction Amazon Web Services (AWS) offers a simple, five-step process for creating an AWS account that lets you create and manage resources in the cloud, along with a short video to explain this process. These low-friction guides are great for new users who want to get started quickly and are appropriate for learning and experimenting with AWS, or for single-account environments. Organizations migrating production workloads to AWS or looking to take advantage of the full breadth of AWS services usually need more than one account, and will benefit from a more thorough guide. Working with customers over the past few years as a cloud security architect, I've found that organizations using a well-documented, consistent account creation process from the outset are more likely to avoid problems in the future. They are also better positioned to scale their operation across multiple AWS accounts, simplifying governance, cross-account access, billing, and support. This guide is the culmination of documented AWS best practices and practical guidance from field experience suitable to help organizations scale to support any size of infrastructure. The steps below will explain the process of creating an AWS account, explain how to avoid common pitfalls, and will include references to documentation for further reading. Before You Begin 1. Have a Strategy Before diving in, you should spend time planning your strategy for adopting AWS, including the design, hierarchy, and ownership of AWS accounts. You should understand how many accounts you will have and the objectives you are meeting by creating another separate account. While the AWS account boundary provides a strong level of resource segregation, other solutions 1 exist that may be suitable for your organization's needs. AWS has published some guidance on selecting methods to segregate your environments. Also, in a large enterprise, it is not uncommon to discover that one or more teams are already using AWS. Before you create your own account(s), coordinate your efforts with your team and others. In most organizations, endeavors of substantial size usually run smoother with high-level sponsorship. At a minimum, you may avoid work duplication by adopting existing standards. 1 For team-level resource segregation, consider AWS Service Catalog ScaleSec. All rights reserved. Page 3 of 20

4 Create an AWS Account 2. Begin Account Creation Once you've got the green light, it's time to create an AWS account. Browse to the AWS website: and click "Create an AWS account" or "Create a Free Account" -- either of these links will lead you to the same next step. Note: If you have already accessed an AWS account with the computer you're using, you may see "Sign In to the Console", as shown in the screenshot on the right. Figure 1: Sign-In for New Users Figure 2: Sign-In for Returning Users 3. Use an Distribution List Choose "I am a new user". When providing an address, be sure to use a corporate distribution list instead of an individual's address. This practice avoids complications when an individual goes on vacation or leaves the company. Root Account Credentials 2016 ScaleSec. All rights reserved. Page 4 of 20

5 In these first few steps, you are creating the "root account credentials" that will be associated with the account. This login has full access to everything in the AWS account. This access is complete, and cannot be limited. After using these credentials to set up and configure the account, they must be carefully protected and restricted to only a small group of trusted administrators. In the physical world, you could think of root account credentials as a physical key to a lock. 4. Complete Login Credentials a. Re-Enter the Distribution List Retype the distribution list address you used on the previous screen. b. Name the Account For the "My name is:" field, use a name that describes the purpose of the account rather than your own name. The value for this field can contain spaces. This value is shown at the top of the AWS Management Console, and is also useful later to recognize the account in the Consolidated Billing console, as shown below: c. Choose a Strong Password Password strength is a hotly contested topic, but most experts concur that complex characters makes for a sufficiently strong password 2. Amazon requires at least 6 characters, but complexity is not enforced. Make sure the password you are using meets or exceeds the requirements of your organization's password policy. 2 In a few steps, we'll also be adding multi-factor authentication to protect our account ScaleSec. All rights reserved. Page 5 of 20

6 5. Set Contact Info Complete the required Contact Information. You should use a team name and address here, and it doesn't need to be the same address associated with the credit card you're about to use in the next step. a. Complete Security Check Enter the dynamically created characters to prove you are a human. This is a fraud prevention measure. b. Review the Agreement You also need to read and accept the AWS Customer Agreement to continue. 6. Configure Payment Method On the next screen you need to enter your credit card information. You are able to reuse the address you entered on the previous screen, or specify a new address ScaleSec. All rights reserved. Page 6 of 20

7 7. Validate Your Identity On the next screen, the system will call you to verify your information. Follow the instructions to enter the PIN provided on this screen. If you have trouble completing this step, some other options will be presented to you (like providing a different phone number). If those steps don't work, AWS Support can help. 8. Choose a Support Plan The next screen allows you to choose a support plan. Business or Enterprise support is recommended, especially for security conscious organizations, as these plans allow for better coordination and communication during attacks against your AWS environment 3. 3 AWS Best Practices for DDoS Resiliency, p ScaleSec. All rights reserved. Page 7 of 20

8 9. Sign In to the Console The initial setup is now complete. You have now created the root account credentials, configured billing for your account, and verified your identity. You can now sign into the AWS Management Console. Click "Sign In to the Console" and enter the username and password you created during the registration process. After entering your root account credentials, you will be signed in to the AWS Management Console. Note that the name we specified during Step 3 of the registration process is shown in the top right-hand corner of the browser ScaleSec. All rights reserved. Page 8 of 20

9 Some might argue that the very next step should be to add a multi-factor authentication (MFA) device to the root account credentials. I agree that this is an important step to secure the account, but in practice you should first set an IAM Alias. It's also a good idea to set up secret questions/answers to make sure you can regain access to your account should something go wrong. 10. Choose an IAM Alias When your account was created, it was assigned a unique, automatically generated 12-digit account number. You can also create a friendly alias for your account, which simplifies operations like: Logging in as an IAM User Switching roles in the console Identifying virtual multi-factor authentication tokens. I'll explain this scenario shortly. In the AWS Management Console, choose Services -> IAM. You'll see the dashboard, which includes the IAM users sign-in link, as shown below. Click "Customize", and enter an alias you'd like to use. This field can contain only digits, lowercase letters, and hyphens, but cannot begin or end with a hyphen. This alias becomes part of the URL your users need to log into the AWS Management Console as IAM users. You can change the account alias, but remember that this alias is used to construct a unique URL that you distribute to your cloud team so that they can log in using their IAM credentials (e.g. This means that if you modify the alias, you'll also need to notify your users that the URL has changed ScaleSec. All rights reserved. Page 9 of 20

10 About the IAM Alias and Virtual MFAs As the AWS website indicates, hardware multi-factor authentication (MFA) devices have a higher level of security than virtual MFA devices. Virtual MFAs are usually installed on a phone or tablet. These more complicated multi-purpose devices have a variety of attack vectors and a history of vulnerabilities, which means they have a larger attack surface than a dedicated hardware token. But they are very convenient when compared to a bag of hardware tokens. Contact your security and/or risk management team to help make the right choice for your situation. If you're using a virtual MFA, make sure to specify an IAM alias for account prior to attaching the MFA because the account number is used to identify the virtual MFA. If you end up having more than a few accounts, it will be easier to identify them by name instead of memorizing account numbers. Below is an example illustrating the difference using the Google Authenticator app. When you have dozens, hundreds, or thousands of accounts, you'll appreciate the time you spent developing an intuitive naming convention. vs. 11. Configure Alternate contacts From the top right-hand dropdown, choose "My Account" to configure settings. Scroll down to Alternate Contacts. Keeping these contacts up to date is important when AWS teams need to reach your team. For example, the AWS Abuse team (the ones who watch over the cloud) may need to inform you of suspicious or anomalous behavior associated with your AWS resources. In this case, you must have the right recipients specified for the Security contact. Again, use distribution lists here to avoid problems with vacations or departures ScaleSec. All rights reserved. Page 10 of 20

11 12. Configure Security Questions and Answers On this same page, we'll configure security challenge questions. AWS Support uses security challenge questions to prove your identity, which is useful in the event that you are unable to access your account ScaleSec. All rights reserved. Page 11 of 20

12 The customized (.e.g "Security Challenge Response n") questions are ideal because: Using questions & answers that are publicly or even semi-publicly discoverable, such as your childhood phone number, weakens your security posture. In an enterprise, an AWS account is used by a team or the whole company, so specifying an individual's information would not be useful to others as a recovery mechanism. Keep Q&A Info Separate from Credentials I decided to use a password generator to create the answers to my secret questions. If I lose access to my AWS account, the most likely scenario is some problem related to my password manager. As these are to be used only for recovery, I will print the answers on a piece of paper, insert them in an envelope labeled with the AWS account number, seal the envelope, and place it in the company safe. It might seem like a lot of work, but you'll likely (hopefully) only need to do this one time per account. 13. (optional) Enable IAM User Access to Billing Before you leave the account settings page, consider enabling IAM Users the ability to access billing pages for this account including Account Settings, Payment Methods, and Report pages. As stated in the text in this section of the page, you can then apply more granular access policies with AWS IAM to restrict access as needed ScaleSec. All rights reserved. Page 12 of 20

13 14. Add Multi-factor Authentication (MFA) Now we will add MFA to the root credentials. In the top right-hand menu, choose your account name, and then choose "Security Credentials". Expand the "Multi-Factor Authentication (MFA)" dialog box, and then choose "Activate MFA". Hardware MFA tokens may be purchased at Until you receive your hardware token, you should activate a virtual MFA to protect your new account 4. On the next screen, you'll be presented with a screen with a QR code similar to the one shown below. 4 Choose from the Virtual MFA apps listed at: ScaleSec. All rights reserved. Page 13 of 20

14 You can scan this QR code, or click "Show secret key " and manually enter this key into your Virtual MFA app. Before you proceed any further, copy that secret key to store in a safe place 5. You'll need this code in the event that something happens to your Virtual MFA app. Sometimes phones go swimming or get laundered and they don't come back. Once you have copied the secret key, provide two sequential authentication codes and click "Continue". Switch to IAM Now it's time to create one or more IAM users with administrator permissions. Best practice dictates that you keep this to a small number of users, perhaps two or three. In a large enterprise it is common to then have several groups for administration of specific aspects of the accounts, such as network administrators (VPC), DevOps teams (EC2, S3, RDS, etc.), as this practice helps enforce segregation of duties - a core security tenant. AWS IAM AWS Identity and Access Management (IAM) is a service that provides administrators the ability to create users and groups with limited access to specific resources, similar to many role-based access control systems. Admins can create groups with permissions, and place users into those groups to provide least privilege access to groups of resources like EC2 instances, S3 buckets and objects, and so on. In this way, IAM shares some functional similarities with popular directory services like Microsoft Active Directory or SAMBA. In the physical world, the functionality of IAM credentials is comparable to that of an employee badge that might be issued for access to certain buildings in a corporate campus. 5 Don't store the MFA secret key with your login credentials. If your storage method is compromised, an adversary will have everything they need to take over your account ScaleSec. All rights reserved. Page 14 of 20

15 15. Navigate to the IAM console From the AWS Dashboard, select "Identity & Access Management". 16. Create New Users Click "Users", then "Create New Users". a. Create IAM Users with API Keys Notice that you can create all of your administrators at once. Enter a few usernames to have them created. Make sure to also check the box for "Generate an access key for each user", and then click "Create" ScaleSec. All rights reserved. Page 15 of 20

16 b. Securely Capture and Distribute Credentials Now you will be given the option to either display the API keys, or download them into a CSV file. Use your organization's approved method of securely capturing, storing, and distributing these API keys to the users. About AWS API Keys API keys are used to manage AWS resources programmatically, such as through the AWS Command Line Interface (CLI) or one of the many available AWS software development kits (SDKs). API keys can be created and assigned to long-term or short-term IAM credentials. API keys consist of an access key ID (AKID) and a secret access key. API keys should be protected like credentials because they are usually associated with one or more access policies that permit you to control AWS resources. They can be rotated, but you don't want them falling into the wrong hands. Follow AWS best practices to keep them safe. 17. Create a Group Next, we'll create a new group that will be used to assign permissions to these users. This is recommended over assigning access policies to individual users, as it enables you to easily make permission changes in one place. In the navigation menu, choose "Groups", and then click "Create New Group". This begins the group creation wizard ScaleSec. All rights reserved. Page 16 of 20

17 a. Name the Group Name this group "FullAdmin", or similar, then click "Next Step". b. Assign Permissions AWS conveniently provides a managed policy named "AdministratorAccess" that provides full access to the account. If this policy doesn't suit your organization's requirements, you can select from other managed policies or create your own. Once you have chosen a policy, click "Next Step". a. Review and Create 2016 ScaleSec. All rights reserved. Page 17 of 20

18 Take a look at the Review screen and make sure yours is similar to the screenshot below. When you're satisfied, click "Create Group". b. Add Users to the Group Now that the group is created, we need to add the users we created. Select the group and click "Add Users to Group". Select the users we created earlier, then click "Add Users" to add them to the group ScaleSec. All rights reserved. Page 18 of 20

19 Next Steps You have completed the manual configuration of your AWS account. From here, you should continue configuring the account to meet your organization's baseline. 18. Leverage Automation These remaining account setup tasks should be completed using automation to ensure that they are done consistently and efficiently. There are many tools to accomplish this objective including AWS CloudFormation, the AWS Command Line Interface (CLI), and AWS SDKs. If you're not sure where to start, here are some recommendations: Enable and configure AWS CloudTrail, in every region 6 Create CloudWatch alarms for CloudTrail logs Configure an IAM password policy Allow IAM users to rotate their own credentials Grant IAM users to AWS Support access Configure identity federation Set up logging and aggregation for AWS services (e.g. S3 access logs) 19. Switch to IAM From this point forward, lock your root account credentials (and MFA, if applicable) in a safe, and use IAM or federated access for daily operations. Allows you to attach access policies to IAM users, groups, and roles, thereby supporting the standard security principle of least privilege Provides nonrepudiation which prevents plausible deniability Prevents credential sharing Facilitates easy de-provisioning when employees leave Additionally, some features only work with IAM users, such as password policy, group membership, and the ability to use cross-account roles. 6 Even the regions you don't use. See ScaleSec. All rights reserved. Page 19 of 20

20 20. Keep Your Root Credentials Safe Remember to keep your root account credentials safe in case you need to: Coordinate a vulnerability scan or penetration test 7 Change root account credentials (and ) Modify the AWS account name 8 Manage IAM User access to billing information Create/modify Amazon CloudFront key pairs View the AWS Account Canonical User ID 9 Change your AWS Support plan Close the account Conclusion Setting up AWS accounts with a standardized approach will help your team scale to support very large IT infrastructures while minimizing frustrations. The very first steps of creating and configuring an AWS account must be done manually, which is why this paper was written. This guide includes steps to continue account configuration and use using automation. This foundation will enable you to scale by iterating across multiple accounts for tasks like resource management, billing, inventory, auditing, access control, and more. Even you did not set up your account(s) for team-wide use and growth over time, you should be able to reconfigure them to support both of these goals - so long as you still have access to the root credentials and MFA. Cloud Security Solutions ScaleSec is a security-first Amazon Web Services consulting partner that helps enterprise organizations create or enhance security and compliance cloud programs by offering hands-on architecture, implementation, automation, integration, and proof-of-concept services. Headquartered in Southern California, ScaleSec offers certified, qualified AWS expertise for the most complex and difficult cloud security challenges. Find out more at ScaleSec. All rights reserved. ScaleSec is a trademark in the U.S. and other countries. THE INFORMATION HEREIN IS PROVIDED ON AN "AS IS" BASIS, WITHOUT ANY WARRANTIES OR REPRESENTATIONS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION, WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE Remember, this is not the same as the IAM account alias. 9 Used for S3 access control list (ACL). See ScaleSec. All rights reserved. Page 20 of 20