In my free time I regularly browse online communities like Reddit and Stack Overflow. They're a good source to learn what problems people face and what solutions the community offers. Of course I try to put in my 2 cents as well.
Unfortunately, and you'll know this if you're a regular at one of these communities, many threads fall under the same category: "Help, my AWS account is hacked" or "My AWS bill is $34,534 and I'm ruined".
Without fail, these people have been hit by one of the many ways you can open your AWS account to malicious actors. In this article I'll go over the avenues of attack and how you can secure your AWS account against them.
In general, there are 3 ways to access an AWS account: the root user, an IAM user and an IAM role. Each has its own story. In this 4 part series we'll cover each of these access methods, as well as some other ideas to turn security all the way up to 11.
Part 1 - The root user
When you created your AWS account, you had to choose an email address and a password. These are used to create the root user for your AWS account. I'm going to start off with the golden rule: don't use the root user for anything. There are some exceptions, but they are few, so the rule stands except where the AWS docs say a task requires the root user.
Since the root user has all permissions in your AWS account and its permissions cannot be limited in any way*, it's best never to use it at all. After all, if you leak your password, a pair of access keys or access to your mailbox, a malicious actor has your whole AWS account, and can even lock you out by changing your credentials.
We'll start by going through the motions of securing the root AWS user and preventing account takeover, and close this first part by setting up an alert.
*Exception: Service Control Policies, which will be covered in part 4.
Step 1: Use a strong password and enable MFA
First, reset the root user password by going to the account settings page, pressing edit at Account Settings, then edit again next to password. I suggest using a password manager like 1Password or LastPass to generate a strong, unique password.
Second, go to My Security Credentials and expand Multi-factor authentication (MFA). Follow the steps there to configure MFA. If you're using a password manager as mentioned above, it probably supports virtual MFA (TOTP codes), which is a pretty good option; just be aware that storing the TOTP seed in the same vault as the password means whoever gets into the vault has both factors. Other virtual authenticators include Google Authenticator and Microsoft Authenticator. Hardware MFA like a YubiKey is supported as well and adds a layer of physical security, which can be preferable.
Step 2: Delete all IAM Access Keys and X.509 certificates.
Many tutorials teach bad practice and tell you to create access keys, and you can't really blame them: tutorials need to focus on the content they're teaching, and IAM access keys, especially the root user's, are a robust and well known way to reach AWS services. We will delete them and, more importantly, never create them again.
Access the My Security Credentials page again and expand Access keys (access key ID and secret access key). If there are any access keys there, delete them. If a script or tool still depends on one of them, that script needs an IAM identity of its own (part 2 and 3), not the root key.
In the same screen, expand the X.509 signing certificates pane and delete any certificates listed. X.509 certificates were used for legacy authentication methods (signing SOAP requests); I've yet to spot them in the wild.
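A way to verify steps 1 and 2 from the API instead of eyeballing the console. This is an added example, not code from the original post or from AWS: it reads the account-level counters that IAM returns from GetAccountSummary (the real keys are AccountMFAEnabled, AccountAccessKeysPresent and AccountSigningCertificatesPresent) and reports anything that contradicts the steps above. Fetching the summary needs credentials with iam:GetAccountSummary, which is why you run it as an IAM user, never as root; evaluating the summary needs nothing, so the checker is separated from the API call and exercised on a constructed SummaryMap.

```python
"""Check root-user hygiene (steps 1 and 2) against IAM GetAccountSummary.

Added example, not code from the original post. The SummaryMap keys below are
the ones IAM returns; the two sample maps at the bottom are constructed for
this example and are not real account data.
"""

# SummaryMap key -> (value we expect after the steps above, finding if not)
ROOT_CHECKS = {
    "AccountMFAEnabled": (1, "root user has no MFA device (step 1)"),
    "AccountAccessKeysPresent": (0, "root user still has access keys (step 2)"),
    "AccountSigningCertificatesPresent": (
        0,
        "root user still has X.509 signing certificates (step 2)",
    ),
}


def root_findings(summary_map: dict) -> list[str]:
    """Return a list of findings; an empty list means steps 1 and 2 are done."""
    findings = []
    for key, (expected, message) in ROOT_CHECKS.items():
        if key not in summary_map:
            # Be loud rather than silently pass when the API response changes.
            findings.append(f"{key} missing from SummaryMap; cannot verify: {message}")
        elif summary_map[key] != expected:
            findings.append(message)
    return findings


def fetch_summary_map() -> dict:
    """Live call: needs boto3 and credentials allowed iam:GetAccountSummary."""
    import boto3  # imported lazily so root_findings() runs without boto3 installed

    return boto3.client("iam").get_account_summary()["SummaryMap"]


# Constructed samples: an account before and after following steps 1 and 2.
CONSTRUCTED_SUMMARY_BEFORE = {
    "AccountMFAEnabled": 0,
    "AccountAccessKeysPresent": 1,
    "AccountSigningCertificatesPresent": 0,
    "Users": 3,
}
CONSTRUCTED_SUMMARY_AFTER = {
    "AccountMFAEnabled": 1,
    "AccountAccessKeysPresent": 0,
    "AccountSigningCertificatesPresent": 0,
    "Users": 3,
}


if __name__ == "__main__":
    import sys

    findings = root_findings(fetch_summary_map())
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("OK: root user has MFA and no access keys or signing certificates")
    sys.exit(1 if findings else 0)
```

The same three facts are visible in the IAM credential report (`aws iam get-credential-report`) on the `<root_account>` row, if you would rather check them alongside the rest of your users; the summary call is just the cheapest way to get only the root facts.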
Step 3: Configure your contact information and secure your mailbox.
People lose their passwords and MFA devices, so AWS has a process in place to reset them. That process relies on the contact information AWS has on file, so it's very important to keep this information up to date.
Browse to the account settings page and enter your contact information on both the Contact information and Alternate Contacts panes (the latter has separate billing, operations and security contacts).
Additionally, you can set up the Configure Security Challenge Questions method as well, so that AWS asks some personal or hard-to-guess questions in those scenarios.
The last part of this step is simple: access to your mailbox means access to your AWS account. Since AWS has a password/MFA reset method that relies on your email address, make sure your mailbox also requires MFA. All modern mail platforms support this nowadays, and it's good practice even if you don't use AWS.
Step 4: Red Alert!
Since using the root user is the exception, you want to be alerted when it does happen. AWS publishes example code that you can set up as a basic alert: a CloudWatch Events (now EventBridge) rule that matches CloudTrail events where the identity type is Root and sends them to an SNS topic. Two things to keep in mind: the rule only sees API calls if CloudTrail is enabled in the account, and IAM and console sign-in are global services whose events are logged in us-east-1, so that is the region to create the rule in. Since at this point in the tutorial you're probably still using the root user, now is a good time to test the alert. Once the alert is active, find part 2 of this series to set up your IAM user for use in your daily tasks.
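What the alert is actually matching on, as an added example that is not the AWS sample code or code from the original post. It implements the root-activity condition from the CloudWatch Logs metric filter the CIS AWS Foundations Benchmark recommends (`$.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent"`), states the same condition as an EventBridge event pattern, and runs both over constructed CloudTrail records. The records, account ID and IP addresses are made up for the example; the pattern matcher covers only the constructs this pattern uses and is not a full EventBridge implementation.

```python
"""Detect root-user activity in CloudTrail records (added example).

Mirrors the CIS-recommended metric filter for root usage and the equivalent
EventBridge event pattern. Sample records below are constructed, not real.
"""

# EventBridge pattern for a rule whose target is your alerting channel (e.g. an
# SNS topic). `exists: false` on invokedBy drops actions that an AWS service
# performs on your behalf under the root identity, which are not credential use.
ROOT_ACTIVITY_EVENT_PATTERN = {
    "detail-type": [
        "AWS API Call via CloudTrail",
        "AWS Console Sign In via CloudTrail",
    ],
    "detail": {
        "userIdentity": {
            "type": ["Root"],
            "invokedBy": [{"exists": False}],
        }
    },
}


def is_root_activity(record: dict) -> bool:
    """True for a record produced with root credentials by a person (or a
    thief); False for service-initiated root events and for non-root."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "Root":
        return False
    # Service-initiated records carry userIdentity.invokedBy and/or
    # eventType AwsServiceEvent; alerting on those would only be noise.
    if "invokedBy" in identity or record.get("eventType") == "AwsServiceEvent":
        return False
    return True


def find_root_activity(records: list[dict]) -> list[tuple[str, str, str]]:
    """(eventTime, eventName, sourceIPAddress) for every record worth an alert."""
    return [
        (r["eventTime"], r["eventName"], r.get("sourceIPAddress", "-"))
        for r in records
        if is_root_activity(r)
    ]


def to_eventbridge_event(record: dict) -> dict:
    """Wrap a CloudTrail record in the envelope EventBridge delivers it in."""
    console = record.get("eventType") == "AwsConsoleSignIn"
    return {
        "detail-type": (
            "AWS Console Sign In via CloudTrail" if console else "AWS API Call via CloudTrail"
        ),
        "source": "aws." + record["eventSource"].split(".")[0],
        "detail": record,
    }


def _leaf_matches(present: bool, value, alternatives: list) -> bool:
    # A leaf matches if any alternative does: a literal equal to the value, or
    # an {"exists": bool} that agrees with whether the key is present.
    for alt in alternatives:
        if isinstance(alt, dict) and "exists" in alt:
            if alt["exists"] == present:
                return True
        elif present and value == alt:
            return True
    return False


def matches_event_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matcher: literal lists, nested objects, `exists`."""
    for key, expected in pattern.items():
        present = key in event
        value = event.get(key)
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not matches_event_pattern(value, expected):
                return False
        elif not _leaf_matches(present, value, expected):
            return False
    return True


# Constructed sample: root console login, root creating a new access key (a
# classic back door), a service-initiated root event, an ordinary IAM user call.
_ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T08:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "sourceIPAddress": "203.0.113.5", "userIdentity": dict(_ROOT)},
    {"eventTime": "2024-03-01T08:16:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
     "sourceIPAddress": "203.0.113.5", "userIdentity": dict(_ROOT)},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventType": "AwsServiceEvent",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {**_ROOT, "invokedBy": "AWS Internal"}},
    {"eventTime": "2024-03-01T09:30:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"}},
]

if __name__ == "__main__":
    for when, what, where in find_root_activity(SAMPLE_RECORDS):
        print(f"ROOT ACTIVITY {when} {what} from {where}")
```

The two paths are equivalent on purpose: if you later move from the EventBridge sample to a CloudWatch Logs metric filter on a CloudTrail log group, or to scanning trail files in S3 with a script, the condition to keep is the same three-part one. The CreateAccessKey record is the one to pay attention to in the sample: a root user that has just been compromised typically creates keys or users first, which is exactly the kind of back door part 2 goes looking for.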
The end, don't log off yet!
I hope these 4 steps have helped you secure the AWS root user and understand why it's so important to do so.
There are many ways to leak credentials, and anybody with a good understanding of the inner workings of IAM can use root user credentials to do whatever they want in your AWS account. It is also trivial for an attacker to set up "back doors" that survive you eventually securing the root user credentials after your AWS bill has skyrocketed. We'll go through the methods of finding these back doors in the next part of this series.