Setting up a new AWS account with out-of-the-box settings is an excellent start for your cloud journey. This guide identifies best practices when setting up a new AWS account or applying to an existing account.
Top 10 Best Practices:
- Use a distribution/group email address to register for the account.
The email used to create the AWS account has complete control of all AWS resources. Consider creating an account with a group/distribution email address with all the people who should have root access.
If you have already registered for an account with an individual email, you can update the root user name with a distribution list. - Enable Multi-Factor Authentication (MFA) on the Root Account
All root accounts should enable Multi-Factor Authentication (MFA) as a best practice. Configure using a virtual MFA device like Microsoft or Google Authenticator.
You can take a screenshot of the QR code and save it in a secure location or as an attachment in your password manager. - Create a password policy.
Customize your password policy that aligns with your organizational password policies. Ensure that
– Increase the password length to at least 14 characters
– Require at least one upper case alphabet, number, and a symbol
– Disallow password reuse and set the password reuse to 24. - Create IAM Users with Console Login
Avoid using the root account for day-to-day operations. Create IAM users with admin access for all administrative privileges. Assign users to groups rather than assigning permissions directly to the users.
Enable Multi-Factor authentication for all console users. - Activate IAM user access to billing information.
AWS billing information is available only to the root user. Activate billing information access to IAM users so that admins can access the billing dashboard.
– Sign in to the AWS Management Console with your root account credentials.
– In the top navigation bar, choose an account name, and then select My Account
– Click on Edit Next to IAM User and Role Access to Billing Information
– Select ‘Activate IAM Access’ and click ‘Update.’ - Monitoring Infrastructure Costs with AWS Billing Alarm and CloudWatch
AWS bills add up quickly if you do not keep a tab on the services you provisioned. AWS billing alerts leverage CloudWatch to provide proactive alerting and alarms on your total AWS charges. You can set the alarm if your bill exceeds a specific amount. - AWS Support Plan
Subscribe to get business or enterprise support plans for accounts running production workloads. You can run complete checks with a trusted advisor and 24/7 support over the phone, email, and chat access to AWS cloud engineers. - Review AWS Trusted Advisor Settings
The Trusted Advisor monitors your AWS environment and provides recommendations to align with the AWS well-architected framework. The trusted advisor offers guidance in the following five categories.
– Cost Optimization
– Performance
– Security
– Fault Tolerance
– Service Limits
It is recommended to have at least business support to leverage the full features of the trusted advisor. - Enable AWS Config
The first step to securing your environment is to create an asset inventory. AWS Config enables you to assess, audit, and evaluate configurations of the AWS services deployed in the account. AWS Config continuously monitors and records your AWS configurations. You can get a count of all the resources across the account. - Enable CloudTrail
CloudTrail creates an audit trail of all the actions performed on your account. The primary use of CloudTrail is Governance, Compliance, and Security controls, and CloudTrail logs all success and failure events of all requests from the AWS Console, CLI, and SDK.