Securing your account

Controls and recommendations in this section help keep your AWS account secure. It emphasizes using AWS Identity and Access Management (IAM) users, user groups, and roles (also known as principals) for both human and machine access, restricting the use of the root user, and requiring multi-factor authentication. In this section, you confirm that AWS has the contact information necessary to reach you regarding your account activity and status. You also set up monitoring services, such as AWS Trusted Advisor, Amazon GuardDuty, and AWS Budgets, so that you are notified of activity in your account and can respond quickly if the activity is unauthorized or unexpected.

This section contains the following topics:

• ACCT.01 – Set account-level contacts to valid email distribution lists
• ACCT.02 – Restrict use of the root user
• ACCT.03 – Configure console access for each user
• ACCT.04 – Assign permissions
• ACCT.05 – Require multi-factor authentication (MFA) to log in
• ACCT.06 – Enforce a password policy
• ACCT.07 – Deliver CloudTrail logs to a protected S3 bucket
• ACCT.08 – Prevent public access to private S3 buckets
• ACCT.09 – Delete unused VPCs, subnets, and security groups
• ACCT.10 – Configure AWS Budgets to monitor your spending
• ACCT.11 – Enable and respond to GuardDuty notifications
• ACCT.12 – Monitor for and resolve high-risk issues by using Trusted Advisor