Tuesday, March 1, 2016

Getting Ready for AWS Securely (1/4) - Your Account

(Part 1 of 4)

Although Amazon Web Services (AWS) makes it really easy to jump in and get started, there are a few things worth thinking about before diving in head-first, especially with regard to the security of your account.

AWS accounts, at their core, are actually regular Amazon (shopping) accounts that, when associated with AWS, get some extra information (and, eventually, additional resources and expenses) attached.  As it turns out, you could very easily use your regular Amazon account to sign up with AWS.  (Alternatively, you could also do your online shopping under your AWS account!)

BUT, there's a very good reason to keep the two uses completely separate:  the potential ramifications of getting your AWS account hacked are much more serious than getting an Amazon store account hacked. With AWS, if you lose control of your account, you could discover that:
  • Very expensive compute resources were allocated.
  • Those resources were used for nefarious purposes.
  • Confidential information was shared with the world.
  • Irreplaceable information was simply erased.
Someone else getting control of your AWS account is a really big deal.

Because of this, the most important step you can take to safeguard your account is to give the root sign-in a super strong password, store it very securely, use it rarely, and enable multi-factor authentication (MFA) on it so that the password alone is not enough to get in.
Note:  when I talk here about signing in to your account (using the primary email and the primary password) I'm really talking about the "root user", the master sign-in that gives absolute, full control of your AWS account.  But, as you might expect, AWS also provides for the creation of less privileged users (known as "IAM" users) that can only access the aspects of your account that you explicitly authorize.  As I'll explain later on, after the initial set up, almost all access to your account, whether by you or by others you authorize, will actually be via IAM users, and the root user should only be needed for the handful of tasks that IAM users cannot perform.
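Since the root user is supposed to be used rarely, the practical check is to look for it in your account's activity log. The example below is added here and is not from the original post: it runs over a few constructed CloudTrail records (CloudTrail is the AWS service that logs console sign-ins and API calls; the account ID, user name and IP addresses are made up) and flags every root-user action, separating successful root logins, root logins made without MFA, failed root logins (someone trying the password) and ordinary API calls made as root instead of as an IAM user. The field names used (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are the ones CloudTrail actually emits; everything else is assumption for the sake of the example.

```python
"""Flag AWS root-user activity in CloudTrail records.

Added example, not code from the original post. The records in SAMPLE_EVENTS
are constructed to look like CloudTrail events; the account ID, user name and
IP addresses are placeholders, not real data.
"""
import json

# Constructed sample records (placeholders, not captured from a real account).
SAMPLE_EVENTS = [
    {   # root signs in to the console, without MFA
        "eventTime": "2016-03-01T09:12:44Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # root then launches instances: day-to-day work done as root
        "eventTime": "2016-03-01T09:20:01Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # an IAM user signing in with MFA: nothing to flag
        "eventTime": "2016-03-01T10:02:17Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # a failed root login from an unfamiliar address
        "eventTime": "2016-03-01T11:45:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "192.0.2.55",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "errorMessage": "Failed authentication",
    },
]


def is_root(event):
    """CloudTrail marks root-user actions with userIdentity.type == "Root"."""
    return event.get("userIdentity", {}).get("type") == "Root"


def classify(event):
    """Return the findings for one record (an empty list means nothing to flag)."""
    findings = []
    if not is_root(event):
        return findings
    if event.get("eventName") == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            findings.append("root-login-failure")        # someone trying the root password
        else:
            findings.append("root-login")                # root should almost never sign in
            if mfa != "Yes":
                findings.append("root-login-without-mfa")
    else:
        findings.append("root-api-call")                 # routine work belongs to IAM users
    return findings


def root_activity_report(events):
    """List (eventTime, eventName, sourceIPAddress, finding) for every flagged record."""
    report = []
    for ev in events:
        for finding in classify(ev):
            report.append((ev.get("eventTime"), ev.get("eventName"),
                           ev.get("sourceIPAddress"), finding))
    return report


def load_events(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


if __name__ == "__main__":
    for when, name, ip, finding in root_activity_report(SAMPLE_EVENTS):
        print(f"{when}  {finding:<24} {name} from {ip}")
```

Run against a real trail (load_events on the decompressed contents of a CloudTrail log file), anything other than an empty report deserves a look: a root login you did not make, or one without MFA, is exactly the takeover scenario described above.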
Because the root sign-in to your AWS account will be intentionally unwieldy, you almost certainly will not want to use that same account for shopping as well.  However, since all Amazon accounts are uniquely identified by email address, that raises the issue of having an additional email address, just for your AWS account.  Thankfully, there are quite a few free email providers out there - just make sure to use one that has a good track record for security, and protect it with a super strong password (and MFA, if the provider offers it), because that mailbox is the recovery channel for your AWS account: whoever controls it can request a password reset and take over the account.
Note - some email providers, like Gmail, let you have additional addresses that deliver to a common in-box, by adding text to an address after a "+" (plus sign) but before the "@" (at sign).  E.g., with a main address of "example.name@gmail.com", anything addressed to "example.name+bunch.of.extra-stuff@gmail.com" will still be delivered to the main address.  Keep in mind that such a "+" address is only an alias, not a separate account: it is protected by exactly the same password as the main in-box, and the text after the plus sign is easy to guess, so it buys convenience rather than security.  Some sites also reject a "+" in an email address, so check that the sign-up form accepts it.
(Jump to Part 2, Passwords)
