December 5, 2018

The Ultimate Guide to Hardening Your AWS Setup

Our canonical step-by-step guide to hardening your AWS setup. This walks you through the fundamentals, teaching you how to do it right, and why. Creating your Org, setting up IAM, correctly starting the auditing services - and closing off the dangerous parts.

AWS is powerful. But, as Spiderman says, with great power comes great responsibility.

Setting up AWS wrong exposes you to a wide range of issues. Your infra might get compromised, you might leak data, you might spend too much. It's scary.

But don't worry! It's possible to drastically reduce those risks by setting up your accounts right. This isn't even too hard.

Follow through the steps here and you'll be much better off.

This also applies if you already have AWS accounts. These changes can be made at any time. They might not fix the past but you'll be better off in the future.


Account-Wide Config

There are a bunch of settings or AWS products which take effect at the account level. We'll turn them on first.

Almost all of these add some extra cost. We've found the increase in the AWS bill to be less than 0.5%, but it's worth keeping that in mind if the budget is really tight. In each item we call out where small amounts of cost can be saved.

There are some dependencies between these steps, so it's probably easiest to do them in order. That's not crucial though.

Most of these individual steps only take a few minutes when done manually. Click through the links to see detailed walk-throughs.

  1. Set up the AWS account settings.
  2. Create an admin IAM user.
  3. Create an AWS Organization.
  4. Create the fundamental S3 Buckets for auditing.
  5. Turn on CloudTrail.
  6. Set up logging on the auditing S3 Buckets.
  7. Turn on the AWS billing reports.
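Steps 4 to 6 hinge on the audit bucket's policy: CloudTrail must be able to write, nothing else should be able to write or delete, and the bucket owner must keep control of every object. The following Python is an added example (not part of the original guide) that builds such a policy from the documented CloudTrail bucket-policy shape and then lints it for common weakenings; the bucket name, account ID and org ID are constructed placeholders, and the TLS-only Deny statement is an extra hardening of the author of this example, not an AWS requirement.

```python
import json

def cloudtrail_bucket_policy(bucket, account_id, org_id=None):
    """Policy for an audit bucket that receives CloudTrail logs.

    CloudTrail may check the bucket ACL and write only under AWSLogs/<account>/
    (plus AWSLogs/<org-id>/ for an Organization trail), and only when it hands
    the object to the bucket owner via bucket-owner-full-control.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefixes = [f"{bucket_arn}/AWSLogs/{account_id}/*"]
    if org_id:  # Organization trails also deliver under the org id
        prefixes.append(f"{bucket_arn}/AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject", "Resource": prefixes,
             "Condition": {"StringEquals":
                           {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            # Extra hardening (this example's choice): refuse plaintext access.
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }

def policy_findings(policy):
    """Return human-readable findings for Allow statements that weaken an audit bucket."""
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        sid = st.get("Sid", "<no Sid>")
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: grants access to any principal")
        if any(a in ("s3:*", "s3:DeleteObject", "s3:PutBucketPolicy") for a in actions):
            findings.append(f"{sid}: allows a destructive action on the audit trail")
        if "s3:PutObject" in actions and "Condition" not in st:
            findings.append(f"{sid}: PutObject without an ownership condition")
    return findings

if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("example-audit-logs", "123456789012", "o-exampleorgid")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

Run the linter against any existing audit-bucket policy pulled with `aws s3api get-bucket-policy` to spot public principals or unconditioned writes before turning on CloudTrail.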