Set up AWS account security - Amazon Nimble Studio

This guide shows how to set up your AWS account to receive notifications when your resources are compromised, and to allow specific AWS account users to access it. To secure your AWS account and track your resources, complete the following steps.

Delete your account’s access keys

You can allow programmatic access to your AWS resources from the AWS Command Line Interface (AWS CLI) or with AWS APIs. However, AWS recommends that you don’t create or use the access keys associated with your root account for programmatic access.

If you still have access keys for the root account, we recommend that you delete them and create a user instead. Then grant that user only the permissions needed for the APIs that you plan to call, and use that user to issue access keys.

For more information, see Managing Access Keys for Your AWS account in the AWS General Reference guide.

Enable multi-factor authentication

Multi-factor authentication (MFA) is a security capability that provides a layer of authentication in addition to your user name and password.

MFA works like this: After you sign in with your user name and password, you must also provide an additional piece of information that only you have physical access to. This information can come from a dedicated MFA hardware device, or from an app on a phone.

You must select the type of MFA device that you want to use from the list of supported MFA devices. For a hardware device, keep the MFA device in a secure location.

If you use a virtual MFA device (like a phone app), think about what might happen if your phone is lost or damaged. One approach is to keep the virtual MFA device that you use in a safe place. Another option is to activate more than one device at the same time, or use a virtual MFA option for device key recovery.

To learn more about MFA, see Enabling a Virtual Multi-Factor Authentication (MFA) Device.

Enable CloudTrail in all AWS Regions

You can track all activity in your AWS resources by using AWS CloudTrail. We recommend that you turn on CloudTrail now. Having the logs in place can help AWS Support and your AWS solutions architect troubleshoot a security or configuration issue later.

To enable CloudTrail logging in all AWS Regions, see AWS CloudTrail Update – Turn On in All Regions and Use Multiple Trails.

To learn more about CloudTrail, see Turn On CloudTrail: Log API Activity in Your AWS account. To learn how CloudTrail monitors Nimble Studio, see Logging Nimble Studio calls using AWS CloudTrail.
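As an added check (not part of this guide), the following Python function audits the three recommendations above against the IAM GetAccountSummary and CloudTrail DescribeTrails responses. The sample responses below are constructed; in a live run they would come from boto3's iam.get_account_summary() and cloudtrail.describe_trails().

```python
from typing import Any, Dict, List


def audit_account(summary: Dict[str, Any], trails: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass.

    summary: IAM GetAccountSummary response (SummaryMap counters).
    trails:  CloudTrail DescribeTrails response (trailList).
    """
    findings: List[str] = []
    smap = summary.get("SummaryMap", {})

    # Delete your account's access keys: the root user should have none.
    if smap.get("AccountAccessKeysPresent", 0) > 0:
        findings.append("root account has active access keys; delete them")

    # Enable multi-factor authentication: the root user must have MFA enabled.
    if smap.get("AccountMFAEnabled", 0) != 1:
        findings.append("root account has no MFA device enabled")

    # Enable CloudTrail in all Regions: at least one trail must be multi-Region.
    # (Whether it is currently logging is a separate GetTrailStatus call.)
    multi_region = [t for t in trails.get("trailList", []) if t.get("IsMultiRegionTrail")]
    if not multi_region:
        findings.append("no multi-Region CloudTrail trail is configured")

    return findings


# Constructed sample responses: root MFA is on, but root keys still exist
# and the only trail covers a single Region.
SAMPLE_SUMMARY = {
    "SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1, "Users": 3}
}
SAMPLE_TRAILS = {
    "trailList": [
        {"Name": "single-region-trail", "IsMultiRegionTrail": False, "HomeRegion": "us-west-2"}
    ]
}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_SUMMARY, SAMPLE_TRAILS):
        print("FAIL:", finding)
```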

Set up Amazon GuardDuty and notifications

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources:

  • Amazon VPC Flow Logs

  • AWS CloudTrail management event logs

  • CloudTrail S3 data event logs

  • DNS logs

Amazon GuardDuty identifies unexpected and potentially unauthorized and malicious activity within your AWS environment. Malicious activity can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses or domains. To identify these activities, GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning. For example, GuardDuty can detect compromised Amazon EC2 instances serving malware or mining bitcoin.

GuardDuty also monitors AWS account access behavior for signs of compromise. This includes unauthorized infrastructure deployments, like instances deployed in an AWS Region that has never been used. It also includes unusual API calls, like a password policy change to reduce password strength.

GuardDuty informs you of the status of your AWS environment by producing security findings. You can view these findings in the GuardDuty console or through Amazon CloudWatch events.

Set up an Amazon SNS topic and endpoint

Follow the instructions in the Setup an Amazon SNS topic and endpoint tutorial.

Set up an EventBridge event for GuardDuty findings

Create a rule for EventBridge to send events for all findings that GuardDuty generates.

To create an EventBridge event for GuardDuty findings
  1. Sign in to the Amazon EventBridge console: https://console.aws.amazon.com/events/

  2. In the navigation pane, choose Rules. Then choose Create rule.

  3. Enter a Name and Description for the new rule. Then choose Next.

  4. Leave AWS events or EventBridge partner events selected for Event source.

  5. In Event pattern, choose AWS services for the Event source. Then choose GuardDuty for the AWS service, and GuardDuty Finding for the Event type.

  6. Choose Next.

  7. For Target 1, select AWS service. Choose SNS topic in the Select a target dropdown. Then choose your GuardDuty_to_Email topic. This is the topic that you created in Set up an Amazon SNS topic and endpoint.

  8. In the Additional settings section, use the Configure target input dropdown to choose Input transformer. Then select Configure input transformer.

  9. Enter the following code into the Input path field in the Target input transformer section.

    {
      "severity": "$.detail.severity",
      "Account_ID": "$.detail.accountId",
      "Finding_ID": "$.detail.id",
      "Finding_Type": "$.detail.type",
      "region": "$.region",
      "Finding_description": "$.detail.description"
    }

  10. To format the email, enter the following code into the Template field.

    "AWS <Account_ID> has a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
    "Finding Description:"
    "<Finding_description>. "
    "For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id=<Finding_ID>"

  11. Choose Create. Then choose Next.

  12. (Optional) Add tags if you're using tags to track your AWS resources.

  13. Choose Next.

  14. Review your rule. Then choose Create rule.
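As an added example that is not from this guide, the following Python simulates the rule locally: the event pattern that the step 5 choices produce (source aws.guardduty, detail-type GuardDuty Finding), the input path from step 9, and the template from step 10 joined into one line, applied to a constructed finding event so you can check the substituted placeholders before deploying. The same INPUT_PATHS and TEMPLATE values are what a boto3 events.put_targets InputTransformer takes as InputPathsMap and InputTemplate.

```python
from typing import Any, Dict, List

# Event pattern equivalent to the console selections in step 5.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Input path (step 9) and template (step 10, joined into a single line).
INPUT_PATHS = {
    "severity": "$.detail.severity",
    "Account_ID": "$.detail.accountId",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}
TEMPLATE = (
    "AWS <Account_ID> has a severity <severity> GuardDuty finding type "
    "<Finding_Type> in the <region> region. Finding Description: "
    "<Finding_description>. For more details open the GuardDuty console at "
    "https://console.aws.amazon.com/guardduty/home?region=<region>"
    "#/findings?search=id=<Finding_ID>"
)


def matches(event: Dict[str, Any], pattern: Dict[str, List[str]]) -> bool:
    """Top-level EventBridge matching: every pattern key must be present in the
    event and its value must be one of the allowed values."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def resolve(event: Dict[str, Any], path: str) -> Any:
    """Resolve a simple '$.a.b' JSONPath (the only form the input path uses)."""
    node = event
    for key in path.lstrip("$.").split("."):
        node = node[key]
    return node


def render(event: Dict[str, Any]) -> str:
    """Apply the input transformer: extract each path, substitute its <name>."""
    message = TEMPLATE
    for name, path in INPUT_PATHS.items():
        message = message.replace(f"<{name}>", str(resolve(event, path)))
    return message


# Constructed sample GuardDuty finding event (account and finding ids are placeholders).
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "us-west-2",
    "detail": {"severity": 8, "accountId": "111122223333", "id": "finding-id-placeholder",
               "type": "UnauthorizedAccess:EC2/TorIPCaller",
               "description": "EC2 instance is communicating with a Tor exit node."},
}

if __name__ == "__main__":
    if matches(SAMPLE_EVENT, EVENT_PATTERN):
        print(render(SAMPLE_EVENT))
```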

Now that you've set up your AWS account security, you can grant access to specific users and receive notifications when your resources are compromised.