Enable CloudTrail Logging and Monitoring
For proper management of your account, you must need AWS CloudTrail. I will briefly describe the steps:
Developers must open the CloudTrail console and determine if an existing trail is configured, and if it has been set, they would need to verify that the logs are being sent to the location they have access to.
They also need to make sure to turn on CloudTrail’s optional security features, including encryption at-rest and even file validation.
Some fundamental metric alerts are also needed to be set up by developers for critical security activity within the account. Some other AWS security solutions that might be helpful are:
- AWS Security Hub
- Amazon GuardDuty
- AWS Config
- Amazon Macie
- Amazon Inspector
- Amazon Detective
Cleanup IAM Entities
IAM entities must be cleaned up often because it is imperative to get a handle on IAM. Even a single user or access key with access permissions can compromise the entire AWS environment. Goals must be set to clean up users that have not been used in a while and delete access keys whenever possible. The following steps are essential for the cleanup of IAM entities:
Developers need to download the IAM Credential Report for the account, which contains several essential details for each IAM user.
Isolating the easiest users to delete is one of the best ways to clean up IAM entities. This is because, those who have no password, neither access keys, nor attached certificates, practically they do not have any value.
Once this user has been deleted, it is time to move on to ones that do not have a password but might have access keys or attached certificates. After handling such users, next comes the users who do not have access keys but do have passwords that were used long ago. These users also need to be dealt with.
To handle the remaining users, some specific methods are used. These include:
- Sleuthing for users
- Preparing Account Policies
- Modifying Password Policies
- Contacting Users
- Tracking Down Access Keys
Monitoring and Migrating
As a developer, you must set your goals to migrate or deprecate services in your brand new user account as quickly as possible with the eventual goal of full termination. This might be a multi-year effort, but for services that need to remain in the firm, monitoring will be your only key.
You will only be able to reduce the attack surface and help protect your data if you can shift the majority of users and services to new accounts.
This will help ensure that any unintended activity is quickly detected with the help of proper alerts set by CloudTrail.
Since you can never get your AWS account into a so-called ‘perfect’ state, there is no other way other than getting a brand new account that is provisioned from scratch to adhere to your organization’s security policies.