Focal Points for Managing Access to your AWS Management Console

Published on 9 March 2016 / Last Updated on 9 March 2016

A secure AWS Management Console means secure data and applications. In this article we will consider a few fundamental areas which will assist in ensuring your management console is better secured.

Introduction 

Amazon publishes large amounts of support material that everyone can access easily online. The documentation is by no means lacking; if anything, it can be challenging for some, especially new users, to get their heads around. A good place to begin is to aim for a general understanding of the functioning and best practices, and then to filter carefully through to the details and fundamentals that need to be applied. Focusing on one area at a time and making sure you understand the fundamental points should help to simplify the AWS journey.

The AWS Management Console is the door to all aspects of your AWS account. Access to the Console allows access to all your AWS resources, as the Console interfaces with all these resources. It is scary to think of the damage that could be done if it fell into the wrong hands. The simplicity of use and the functionality as a central point for management of your accounts and resources are great; however, if the Console is not governed in the correct manner, it is like leaving your front door open for all to come in, with potentially unfavourable consequences.

Through the Console the user can manage their cloud computing, cloud storage and all resources running on the AWS infrastructure. The user can also manage accounts (setting up users, for example), control expenditure, and manage security credentials as well as the applications running on the infrastructure; everything is accessible through here.

Amazon's approach to security is a shared security responsibility model (we have detailed this in a previous article), whereby both Amazon and the user share the responsibility for security. One of the areas that you need to make sure you have proper control over is the access to your apps and data via the Management Console. It is the user's responsibility to ensure that they properly manage access to the AWS resources. Properly managing and securing the Management Console is therefore the first step to securing your resources, data and applications running on the AWS infrastructure.

 Fundamentals for managing access to your AWS Management Console 

The importance of securing your AWS Management Console cannot be emphasised enough. This is one aspect that must be done correctly. A few fundamental areas stand out and should be carefully considered and applied correctly to assist in securing the AWS Management Console.

Identify who has access rights 

This is very important. The access rights might vary occasionally or even more frequently depending on how you function within your organisation; however, it is essential that you are able to identify who has access rights at any given time. The degree of access should also be specifically known. Previously authorised access rights that are not needed should be cancelled immediately.

Only admins that require access should be given it, and this should be strictly regulated. Employees change, new people are employed and people leave, and external people (contractors, partners etc.) may be given temporary access. All of this should be documented and regulated so that you know who has access and whose access should be revoked. Otherwise you may find yourself in the unfortunate predicament where individuals, internal or external to the company, have access but shouldn't, and you are none the wiser. This is a potentially dangerous situation to be in.

Sometimes people exploit access with malicious intent, but a lot of the time harm is caused unintentionally through needless access privileges; both must be prevented at all costs. With proper control of access rights, access to your resources, data and applications running on the AWS infrastructure is more easily distinguishable and security is improved.

Accurate Management of Access

Access should be managed at the user and the device level. We are in a computing age where it is commonplace to use mobile devices for business functions, be it a business-owned device or part of a BYOD scheme. These devices will be used to connect to and work with AWS resources. Security must be such that this type of activity is protected appropriately. Security policies should accommodate implementation at various levels (user, device and department). These policies must be enforced; it is of no use setting security policies to manage actions if they are not actually being enforced.

The importance of the Management Console security settings 

There is plenty of material and best practice recommendations published by Amazon on how to go about configuring the Management Console so that it is most secure. Someone not knowledgeable about the configurations may find it all quite intimidating at first sight. It is important to get the Console configured correctly, as this is your responsibility as the user. Applying the required settings correctly is essential not only to achieving a secure Management Console but also to complying with security standards and regulations (ISO, HIPAA, PCI DSS etc.). Be sure that you are knowledgeable about this particular area and about how the configurations you choose to apply or not apply affect your organisational security and/or compliance responsibilities, so that everything aligns as it should.

Utilise Two-factor authentication 

Two-factor authentication is a best practice worth taking note of. It is very important that your credentials remain secure to avoid any form of security breach, and enforcing the use of two-factor authentication can help to achieve this. Two-factor authentication is another way to better secure the credentials, and thus the AWS Management Console, and to control access to it.
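The two checks described under "Identify who has access rights" and "Utilise Two-factor authentication" can be run against the IAM credential report, the CSV that IAM generates listing every user in the account. The following is an added example, not code from the original article; the report rows are constructed and the 90-day idle threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report
# (only the columns used here are included).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2016-03-01T09:12:00+00:00,false
alice,arn:aws:iam::111122223333:user/alice,true,2016-03-08T14:30:00+00:00,true
bob,arn:aws:iam::111122223333:user/bob,true,2016-02-20T08:00:00+00:00,false
contractor1,arn:aws:iam::111122223333:user/contractor1,true,2015-10-02T11:45:00+00:00,true
newhire,arn:aws:iam::111122223333:user/newhire,true,no_information,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false
"""

STALE_AFTER_DAYS = 90  # assumed review threshold, not an AWS default


def audit_console_access(report_csv, now):
    """Return {user: [findings]} for identities that can sign in to the Console."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        # The root user always has a password; its column reads "not_supported".
        if not is_root and row["password_enabled"] != "true":
            continue  # no console password, so no Console sign-in
        issues = []
        if row["mfa_active"] != "true":
            issues.append("no MFA")
        last_used = row["password_last_used"]
        if last_used in ("no_information", "N/A"):
            issues.append("password never used")
        else:
            idle = (now - datetime.fromisoformat(last_used)).days
            if idle > STALE_AFTER_DAYS:
                issues.append(f"idle {idle} days")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2016, 3, 9, tzinfo=timezone.utc)
    for user, issues in audit_console_access(SAMPLE_REPORT, now).items():
        print(f"{user}: {', '.join(issues)}")
```

Users with a console password but no MFA are candidates for enforcement; idle or never-used passwords are candidates for revocation.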

Monitor and manage configuration changes well 

Changes to the configurations of the Console should be properly monitored. AWS admins exercise pronounced control, and thus this is an essential area to carefully consider. Changes in Console configurations, like security changes, should not be made on a whim, and when they are undertaken the outlined and pre-determined procedure should be followed as a precautionary measure.

It is a good idea to test the security of your AWS instances on a periodic basis and independently to ensure that the integrity of the solution has not been compromised.

Real-time notification of changes and alerting is important, and a log of changes should also be retained for audit and compliance purposes. Individual responsibilities should be demarcated clearly so that only certain individuals have the ability to make such changes, which makes this area easier to manage. Not everyone should be given the power to make these changes.
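One way to combine the change log, the alerting and the demarcation of responsibilities described above is to review CloudTrail records for access-related API calls and Console sign-ins. This is an added example, not code from the original article; the records are constructed and trimmed, and the approved-admin list and the choice of sensitive calls are assumptions.

```python
ACCT = "arn:aws:iam::111122223333:user/"  # constructed account

# Assumed for this example: the identities allowed to change access settings.
APPROVED_CHANGE_ADMINS = {ACCT + "alice"}

# API calls that alter who can reach the Console, or that disable the audit log.
SENSITIVE_CALLS = {
    "iam.amazonaws.com": {"CreateUser", "CreateLoginProfile", "AttachUserPolicy",
                          "DeactivateMFADevice", "UpdateAccountPasswordPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
}


def ev(time, source, name, user, **extra):
    """Build a constructed CloudTrail-style record with only the fields used here."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": ACCT + user}, **extra}


SAMPLE_EVENTS = [
    ev("2016-03-09T08:00:00Z", "iam.amazonaws.com", "AttachUserPolicy", "alice"),
    ev("2016-03-09T08:05:00Z", "iam.amazonaws.com", "CreateLoginProfile", "bob"),
    ev("2016-03-09T08:06:00Z", "signin.amazonaws.com", "ConsoleLogin", "bob",
       responseElements={"ConsoleLogin": "Success"},
       additionalEventData={"MFAUsed": "No"}),
    ev("2016-03-09T08:07:00Z", "signin.amazonaws.com", "ConsoleLogin", "alice",
       responseElements={"ConsoleLogin": "Success"},
       additionalEventData={"MFAUsed": "Yes"}),
    ev("2016-03-09T08:09:00Z", "cloudtrail.amazonaws.com", "StopLogging", "bob"),
    ev("2016-03-09T08:10:00Z", "ec2.amazonaws.com", "DescribeInstances", "alice"),
]


def review(events):
    """Return (audit_log, alerts): every sensitive change, and what needs attention."""
    audit_log, alerts = [], []
    for e in events:
        actor = e["userIdentity"].get("arn", "unknown")
        name, source = e["eventName"], e["eventSource"]
        if name in SENSITIVE_CALLS.get(source, ()):
            audit_log.append((e["eventTime"], actor, name))  # retained for audit
            if actor not in APPROVED_CHANGE_ADMINS:
                alerts.append(f"{name} by unapproved identity {actor}")
        elif source == "signin.amazonaws.com" and name == "ConsoleLogin":
            ok = (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (e.get("additionalEventData") or {}).get("MFAUsed")
            if ok and mfa != "Yes":
                alerts.append(f"ConsoleLogin without MFA by {actor}")
    return audit_log, alerts
```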

Conclusion 

The AWS Management Console is the gateway to all your AWS resources, your data and your applications. It allows for simplified management and use of the resources that you rely on. It is essential that you properly manage the access to your AWS Management Console to ensure you can better secure your resources running on the AWS infrastructure. Keep the door securely locked and allow access with caution.

Often people rely on technology to keep them safe, but reliance on the user, configuration, updating, patching, and policies and procedures is still required to ensure that the systems are being used as they should and that gaps don't creep in and cause a possible compromise.

There are many best practices to follow, support documents to study and multiple ways to manage this securely. Focusing on the fundamentals and applying them correctly can ensure that you are off to a good start.

Always keep in mind that Amazon utilises a shared responsibility model regarding security. Know your responsibilities and make sure you do your part, as relying solely on AWS security will not suffice.

The Author — Ricky M. & Monique L. Magalhaes

Ricky M Magalhaes is an international information security architect, working with a myriad of high-profile organizations. Monique is an international security researcher; she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.