The AWS Web management console is the access – and the control panel – for all actions performed by administrators using Amazon’s infrastructure. If you have access to it, you have the keys to the data center kingdom and its resources. One company, Code Spaces, along with all of their customers, unfortunately found out just how painful that can be if the wrong person gets access to it. The company has suddenly closed up shop following someone obtaining unauthorized access to its Amazon Web Service account who subsequently deleted most of the customer data there. Read the full story.
There are a lot of innovative companies doing some very cool things because infrastructure is easily available and elastic. This incident is not going to slow down that innovation, but it should be viewed as a not–so-subtle reminder that security controls to monitor and manage privileged access need to be taken seriously. At a basic level it means limiting access to only those that need it, and further that the tasks admins can execute – things like Create, Copy, Start, Delete, Clone, etc – should be limited to just those they need to perform their given job function.
One approach to the access issue is implementing AWS guidance on multifactor authentication. By requiring admins to access the AWS console using something they know (their password) and something they have (their mobile device) you are going to increase security for the account and the resources being managed. It’s available today and it’s free when you use it in conjunction with your existing mobile device.
Now, what about the ongoing monitoring and privileged commands that can be executed by a given admin? This is something we’ve been working on for quite some time and are having several conversations with customers about. Some customers are interested in monitoring all console activity from developers and admins. This includes behavioral based monitoring for suspicious activity. Others need to be able to show who made changes, including changes to security settings. And, virtually all want to be able to implement some level of separation of duties by controlling the actions of what individual admins can do.
With great power comes great responsibility. The good news is with some planning and effort you can achieve both. You can secure admin access to appropriate individuals and enforce privilege management controls for your AWS console that is lightweight, and effective.