Wednesday, March 2, 2016

Getting Ready for AWS Securely (2/4) - Passwords

(Part 2 of 4 - see previous post if you missed it)

The overall security of your AWS account rests on a very strong root password. (When considering password strength, the short answer is that "longer is better": adding length does far more for you than sprinkling in special characters.)

Your AWS root password must also be guarded very carefully.  If you write it down, ensure the piece of paper is stored in a secure location away from prying eyes.

If your root password is saved in your web browser, make sure it is encrypted on the file system (otherwise saved passwords can easily be extracted if your laptop or backup drive is stolen): if your browser provides it, use the Master Password feature; or use a reliable password manager to store the password; or, if you're truly paranoid, enable Full Disk Encryption.

Note - in each of the above cases, your AWS root password is being protected by some other piece of software that has its own "master password". It should go without saying that, to be effective, that master password must be at least as strong as the secrets it is protecting.

Also ensure that your email account and its password are carefully guarded, since that is another route into your AWS account (via Amazon's "Forgot your password" function). Of course, all the above precautions about password strength and encryption apply to your email password as well (far more so than for a "casual" email account).
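The two points above (length beats character variety, and a master password must be at least as strong as what it guards) in numbers. This is an added example, not code from the original post; it uses the classic upper-bound model length × log2(alphabet size), and the sample passwords are constructed, not real credentials.

```python
"""Added example: a back-of-the-envelope password strength estimate.

The model is the classic upper bound length * log2(alphabet size).
Dictionary words and patterns make real passwords weaker than this,
so treat the result as a ceiling, not a guarantee.
"""
import math
import string

# Standard character classes and their sizes (printable ASCII model).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard classes covering the password.
    Characters outside those classes (space, non-ASCII) add one extra symbol."""
    chars = set(password)
    size = sum(n for cls, n in CLASSES if chars & cls)
    covered = set().union(*(cls for cls, _ in CLASSES))
    if chars - covered:
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on the guess space in bits: length * log2(alphabet size)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def master_is_adequate(master: str, secrets: list[str]) -> bool:
    """A master password must score at least as high as every secret it guards."""
    return entropy_bits(master) >= max((entropy_bits(s) for s in secrets), default=0.0)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    short_complex = "P@ssw0rd!"            # 9 chars, all four classes
    long_simple = "quiet harbor lantern"   # 20 chars, lowercase plus space
    for pw in (short_complex, long_simple):
        print(f"{pw!r:24} alphabet={alphabet_size(pw):3d} bits={entropy_bits(pw):6.1f}")
    # A short complex master password is not adequate for a long simple secret.
    print("master ok:", master_is_adequate(short_complex, [long_simple]))
```

The short, "complex" password scores about 59 bits while the longer lowercase phrase scores about 95, which is the gap the "longer is better" advice is about.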

If you access that email account on a mobile device, make sure you use a password on your lock screen, and use the longest password your device will allow. Modern, well-behaved apps will take advantage of it to make sure the email passwords are stored in encrypted form (e.g., with the KeyChain API on Android); otherwise a stolen phone could mean a stolen AWS account.

One more thing about all these passwords: they must be completely unrelated to each other and to the things they guard. Any patterns or similarities will be exploited by malicious people who hack AWS accounts for fun and profit. Lest you think all of this might be overkill for "just a password", keep in mind that some even advocate the extreme measure of throwing away your AWS root password, to make it plainly impossible to expose it by accident. (Although, even in that case, the throw-away password still absolutely has to be very strong.)

(Jump to Part 3, Multiple Factor Authentication)
