AWS Security Best Practices: Checklist

Amazon Web Services ensures data security in compliance with the so-called Shared Responsibility model. It is based on the following assumption: AWS performs operations such as decommissioning old storage devices in accordance with the latest industry standards and controls physical access to data centers, while the user takes care of securing root credentials, assigns security groups, edits access control list policies and performs identity management. Therefore, the user takes full responsibility for any security breach on his/her side.

Use this checklist to find out whether your account complies with AWS security best practices, so that you protect crucial data and keep your resources running reliably.

Check the Security of Your AWS Account

According to AWS, the user should fulfill the following requirements to ensure data security.

You’re not using root credentials. The Shared Responsibility model assumes that AWS users won’t provide root credentials to other users. If they are shared and something happens to your data, you won’t be able to track down the issue and identify the user who deleted or edited your files or configurations. Moreover, a user with the root account has full authority to create new users, who may also harm business privacy and data security.

You assign users via Identity and Access Management (IAM). This service lets you create users, user groups and roles (e.g. for servers and services) under your root account, each with unique credentials. By assigning users through IAM you can set individual permissions for each user to decrease the risk of data loss. You can also make IAM easier to manage by assigning users to groups. Learn how to manage Amazon IAM service.

You utilize IAM roles. AWS services, like Amazon EC2 instances, can also get specific permissions in accordance with the IAM role policy. As with IAM users, using IAM roles eliminates the need to use or store root credentials for each required service. IAM roles are fully compatible with the AWS Command Line Interface and SDK, and let you easily disconnect any service by changing the role.

Amazon S3 Bucket Logging and AWS CloudTrail are enabled. Amazon S3 logging lets you verify that only trusted users edit or delete objects in the bucket. Even if you gave root account credentials to somebody, you will be able to monitor records of his/her activity (IP, performed operations, errors etc.) for an exact period of time. CloudTrail, in turn, records AWS API calls in an Amazon S3 bucket and also lets you monitor users’ behavior. Learn how to enable and read Amazon S3 bucket logs and how to get started with AWS CloudTrail.

Password policy is configured. A password policy is a setting that describes the conditions of password rotation for active users and the deletion policy for old or inactive users. Companies usually stick to their current offline password policy and set the password strength and the timeframe for password expiration in AWS accordingly. To protect the data, you should regularly rotate users’ credentials, or delete them and set a new key pair.

Multi-Factor Authentication (MFA) is enabled. Enabling MFA for privileged users helps to ensure that nobody can use their credentials to access your data without the owner’s knowledge. The method is based on using an authentication tool in addition to the username (or email) and password. There are two types of MFA:

  • Virtual
  • Hardware

Both methods provide users with a one-time code during authentication, which confirms ownership. Virtual MFA uses a tablet or a smartphone of any type, provided it can run an application that supports the open TOTP standard. Hardware authentication requires a special device (Hardware Key Fob, Hardware Display Card or SMS MFA Device), which costs $12.99 or $19.99 depending on the type. Find more details on enabling Amazon MFA here.
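The root-credential, password-rotation and MFA items above can be checked in one pass over an IAM credential report (the per-user CSV that IAM can generate, which this article does not mention). The script below is an added example, not part of the original article or of any CloudBerry tool; the sample rows are constructed, and the 90-day and 30-day thresholds and the finding texts are assumptions to replace with your own policy values.

```python
import csv
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV layout (subset of its columns).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,2024-05-28T09:12:00+00:00,not_supported,false,true,2021-03-01T10:00:00+00:00,false,N/A
alice,true,2024-05-30T08:00:00+00:00,2024-04-15T08:00:00+00:00,true,true,2024-04-20T08:00:00+00:00,false,N/A
bob,true,2024-05-29T08:00:00+00:00,2023-01-10T08:00:00+00:00,false,true,2023-01-10T08:00:00+00:00,false,N/A
ci-deploy,false,N/A,N/A,false,true,2024-05-01T08:00:00+00:00,false,N/A
"""
MAX_AGE_DAYS = 90    # assumed rotation window; take the real value from your password policy
ROOT_IDLE_DAYS = 30  # assumed: a root sign-in more recent than this is reported

def age_days(stamp, now):
    """Whole days since an ISO 8601 timestamp; None for N/A, not_supported, no_information."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None

def audit(report_csv, now):
    """Return (user, finding) pairs for the root, MFA and rotation items of the checklist."""
    findings = []
    for row in csv.DictReader(report_csv.splitlines()):
        user, is_root = row["user"], row["user"] == "<root_account>"
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        used = age_days(row["password_last_used"], now)
        if is_root and used is not None and used <= ROOT_IDLE_DAYS:
            findings.append((user, "root signed in recently"))
        changed = age_days(row["password_last_changed"], now)
        if row["password_enabled"] == "true" and changed is not None and changed > MAX_AGE_DAYS:
            findings.append((user, "password not rotated"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = age_days(row[f"access_key_{n}_last_rotated"], now)
            if is_root:  # root should hold no access keys at all, whatever their age
                findings.append((user, f"root access key {n} is active"))
            elif rotated is not None and rotated > MAX_AGE_DAYS:
                findings.append((user, f"access key {n} not rotated"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

Service accounts without a console password, such as the constructed `ci-deploy` row, are deliberately exempt from the MFA check and are judged only on access key age.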


Use this checklist to ensure you’re in compliance with the AWS Shared Responsibility model and to limit access to your data, while AWS takes care of physical security. You can use the Security Assessment report in CloudBerry Explorer for early detection of security issues in your Amazon S3 bucket configurations.