Top 5 Common Mistakes in AWS Cloud Account
In Botmetric, we have analysed thousands of AWS accounts for best practices audit and recommendations. What we have discovered during the process was that certain mistakes are common in over 90% of the accounts. We didn’t halt, we have also come up with appropriate recommendations that can help avoid these common mistake.
In this blog post, we have shared the top 5 common mistakes in AWS cloud account along with recommendations.
- Lack of MFA Protection
Most customers don’t enable MFA protection for root user account and IAM users. We strongly recommend you to enable multi factor authentication(MFA) for enhanced security as user name and password compromise shouldn’t cause single point of failure for your account access.
- No CloudTrail Logging
While CloudTrail is a relatively new feature, it is one of the critical requirements for any company to audit and review their AWS account usage from API, third-party applications and IAM users etc.
It is recommended to enable CloudTrail logs even in regions that don’t have instances so that you can know about the unauthorized access in those regions as well.
We highly recommend you to enable CloudTrail logging as it takes less than 2 minutes to setup. Follow this step-by-step guide to set it up.
- Using Root Account Access Keys
Many users in AWS accounts which are created prior to 2014 have a tendency to use root account access keys in the applications. We recommend you to remove all access keys under root account and use IAM roles with temporary access keys for any usage. Any compromise of root account access keys would expose your cloud infrastructure to malicious users.
- Unused EBS/AMI Resources
Many accounts have unused resources related to EBS, AMIs that are accumulated over a period of time. These unused resources have a direct impact on your monthly spend so we recommend periodic review for clean up of unused resources.
- Many EBS/RDS Snapshots
Most customers have a scripts for taking EBS/RDS snapshots but too many old snapshots are not deleted. It is better to have a policy based automation for EBS snapshots like the one provided in Botmetric to keep last 3 months or 30 days snapshots on rotation basis.
If you are using AWS then we recommend validation of your account for the above top 5 common AWS mistakes and many other best practices using a free trial of Botmetric.