1
00:00:06,809 --> 00:00:09,082
- Okay, so now let's review some best practices

2
00:00:09,082 --> 00:00:12,582
within AWS Identity and Access Management.

3
00:00:14,722 --> 00:00:18,300
It's really important that we leverage groups,

4
00:00:18,300 --> 00:00:20,798
especially when we have a large number of users.

5
00:00:20,798 --> 00:00:23,018
It just makes life easier when you go to

6
00:00:23,018 --> 00:00:26,203
assign permissions to different groups of people.

7
00:00:26,203 --> 00:00:28,690
Grant least privilege, meaning that you

8
00:00:28,690 --> 00:00:33,550
give a user enough permission to do what they need to do,

9
00:00:33,550 --> 00:00:36,213
but not so much that they can be dangerous.

10
00:00:36,213 --> 00:00:38,453
We need to implement strong password policies,

11
00:00:38,453 --> 00:00:40,584
including requiring them to be long.

12
00:00:40,584 --> 00:00:43,081
Make them use multiple types of characters,

13
00:00:43,081 --> 00:00:45,637
like numbers and special characters.

14
00:00:45,637 --> 00:00:49,264
Deny the last three passwords from being reused.

15
00:00:49,264 --> 00:00:52,251
In a larger environment, it's also really helpful,

16
00:00:52,251 --> 00:00:54,129
and it adds that extra layer of security,

17
00:00:54,129 --> 00:00:56,226
to leverage multiple accounts.

18
00:00:56,226 --> 00:00:59,548
So divide your organization into multiple accounts,

19
00:00:59,548 --> 00:01:01,976
whether it be development versus production,

20
00:01:01,976 --> 00:01:05,121
or one business unit and another business unit.

21
00:01:05,121 --> 00:01:07,360
It doesn't really matter, but leverage those

22
00:01:07,360 --> 00:01:09,557
multiple accounts, and leverage roles

23
00:01:09,557 --> 00:01:12,296
for cross-account access.
24
00:01:12,296 --> 00:01:15,689
If you want to add another layer of security,

25
00:01:15,689 --> 00:01:18,696
use deny statements, because again, as we've talked about,

26
00:01:18,696 --> 00:01:22,099
the way that the evaluation logic works,

27
00:01:22,099 --> 00:01:25,257
a deny statement cannot be overridden by an allow.

28
00:01:25,257 --> 00:01:28,922
So using deny statements just means that you have

29
00:01:28,922 --> 00:01:31,182
extra guardrails, so that no matter what,

30
00:01:31,182 --> 00:01:34,169
that user will never be allowed to do something

31
00:01:34,169 --> 00:01:38,062
unless you go in and remove that deny statement.

32
00:01:38,062 --> 00:01:40,281
Never share your credentials.

33
00:01:40,281 --> 00:01:43,826
When you create access keys, usernames and passwords,

34
00:01:43,826 --> 00:01:47,195
don't share them, don't email them, don't print them.

35
00:01:47,195 --> 00:01:50,794
Don't put them into your code repositories.

36
00:01:50,794 --> 00:01:54,060
And again, leverage those multiple accounts.

37
00:01:54,060 --> 00:01:56,545
Now, in regard to our master account,

38
00:01:56,545 --> 00:01:59,460
when you first create your AWS account,

39
00:01:59,460 --> 00:02:02,085
that initial email and password

40
00:02:02,085 --> 00:02:03,937
is going to be your master account.

41
00:02:03,937 --> 00:02:07,564
It's considered root, or if you're a Windows user,

42
00:02:07,564 --> 00:02:09,342
it's considered administrator.

43
00:02:09,342 --> 00:02:13,409
It has an implicit allow-all that cannot be changed.

44
00:02:13,409 --> 00:02:15,442
You have no control over the permissions

45
00:02:15,442 --> 00:02:16,432
of that root account.

46
00:02:16,432 --> 00:02:19,503
It's allowed to do anything on any resource

47
00:02:19,503 --> 00:02:21,932
at any time, from anywhere.
48
00:02:21,932 --> 00:02:25,371
So, that means that account is incredibly powerful,

49
00:02:25,371 --> 00:02:29,760
and incredibly dangerous if that account is compromised.

50
00:02:29,760 --> 00:02:32,649
So, we need to protect that master account

51
00:02:32,649 --> 00:02:35,838
at all costs, and I say that because companies

52
00:02:35,838 --> 00:02:38,948
literally have gone out of business by allowing

53
00:02:38,948 --> 00:02:41,297
their master account to be compromised.

54
00:02:41,297 --> 00:02:45,274
Hackers have gone in and hijacked those credentials.

55
00:02:45,274 --> 00:02:47,744
They've asked for ransom in some cases,

56
00:02:47,744 --> 00:02:49,638
and in other cases they have deleted

57
00:02:49,638 --> 00:02:52,562
production resources to a degree that caused

58
00:02:52,562 --> 00:02:55,316
that business to go completely insolvent.

59
00:02:55,316 --> 00:02:59,333
So, never use it for day-to-day work.

60
00:02:59,333 --> 00:03:03,183
The master account will come with default access keys.

61
00:03:03,183 --> 00:03:06,907
We want to delete those, so that they can't be compromised.

62
00:03:06,907 --> 00:03:10,193
We want to enable multi-factor authentication

63
00:03:10,193 --> 00:03:12,797
with a physical key fob, not a virtual one

64
00:03:12,797 --> 00:03:14,833
on your cell phone or your smartphone,

65
00:03:14,833 --> 00:03:18,762
but a physical key fob that you then lock in a safe.

66
00:03:18,762 --> 00:03:20,163
And I'm not kidding on that point.

67
00:03:20,163 --> 00:03:23,768
It's so incredibly important to protect

68
00:03:23,768 --> 00:03:26,275
that master account at all costs.

69
00:03:26,275 --> 00:03:29,060
I do that with my own business, and I've done that

70
00:03:29,060 --> 00:03:32,329
for clients of mine by enabling MFA

71
00:03:32,329 --> 00:03:34,281
and locking it in a safe.

72
00:03:34,281 --> 00:03:35,696
Another thing that you should do

73
00:03:35,696 --> 00:03:37,646
is go and read the security whitepaper.
74
00:03:37,646 --> 00:03:39,570
It's probably one of the most popular

75
00:03:39,570 --> 00:03:42,809
whitepapers available on the Amazon website,

76
00:03:42,809 --> 00:03:44,834
and you can see it here at the link.

77
00:03:44,834 --> 00:03:48,058
So again, protect that master account at all costs,

78
00:03:48,058 --> 00:03:51,662
and be sure to read the security whitepaper.
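The evaluation logic behind the deny-statement guardrail the lecture describes, as an added Python example (not part of the course or of any AWS code; the policies, bucket name and ARNs are constructed):

```python
# Added example (not from the course): a minimal model of the IAM policy
# evaluation order the lecture describes, showing why an explicit Deny acts as
# a guardrail that no Allow can override. The policies and requests are
# constructed; matching uses IAM's '*' and '?' wildcards (actions are
# case-insensitive, resource ARNs are case-sensitive).
import fnmatch


def _as_list(field):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return field if isinstance(field, list) else [field]


def _matches(patterns, value, case_sensitive):
    """True if any IAM-style wildcard pattern matches the value."""
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    # IAM order: a matching Deny wins outright regardless of policy order;
    # otherwise a matching Allow is required; no match is an implicit deny.
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(_as_list(stmt["Action"]), action, False)
                    and _matches(_as_list(stmt["Resource"]), resource, True)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # cannot be overridden by any Allow
            decision = "Allow"
    return decision


# Constructed policies: a broad Allow on the user, plus a Deny guardrail that
# blocks IAM changes and deletes in the production bucket no matter what.
ADMIN_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDRAIL_DENY = {"Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::prod-data*"},
]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::prod-data/report.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::prod-data/report.csv"),
                     ("iam:CreateUser", "*")]:
        print(f"{act:16} -> {evaluate([ADMIN_ALLOW, GUARDRAIL_DENY], act, res)}")
```

Swapping the order of the two policies does not change any result: the Deny is found and returned wherever it sits, which is exactly the "remove the deny statement or it never happens" behaviour the lecture relies on.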