AWS offers a number of tools to help secure your account. Many of these measures are not active by default, and you must take direct action to implement them. Here are some best practices to consider to help secure your account and its resources:

Safeguard your passwords and access keys

The two main types of credentials used for accessing your account are passwords and access keys. Both types of credentials can be applied to the root account or to individual IAM users. You should safeguard passwords and access keys as you would any other confidential personal data, and never embed them in publicly accessible code (i.e. a public Git repository). For added security, frequently rotate or update all security credentials.

If you use GitHub for document or code versioning and sharing, consider using git-secrets, which can scan for AWS credentials and other sensitive information, helping you avoid committing code or documents that contain any sensitive information.

Set up a multi-factor authentication (MFA)

device to protect access keys that only have API access and fine-tune which API commands require an MFA token to proceed.

If you suspect that a password or access key pair has been exposed, immediately rotate and delete the exposed credentials, and see My AWS account may be compromised.

Limit root user access to your resources

Root account credentials (the root password or root access keys) grant unlimited access to your account and its resources, so it's a best practice to both secure and minimize root user access to your account.

Consider the following strategies to limit root user access to your account:

• Use IAM users for day-to-day access to your account, even if you're the only person accessing it.

Audit IAM users and their policies frequently

Consider the following best practices when working with IAM users:

• Ensure that IAM users are given the most restrictive policies possible, with only enough permissions to allow them to carry out their intended tasks (least privilege).
• Create different IAM users for each set of tasks.
• When associating multiple policies with the same IAM user, keep in mind that the least restrictive policy takes precedence.
• Frequently audit your IAM users and their permissions, and delete any unused IAM users or keys.
• If your IAM user needs access to the console, you can set up a password to allow console access while limiting the user's permissions.
• Set up individual MFA devices for each IAM user with access to the console.

You can use the AWS Policy Generator to help you define secure policies. For examples of common business use cases and the policies you might use to address them, see Business Use Cases.

Monitor your account and its resources

You can contact AWS Support with questions you might have about your account's activity. However, for privacy and security reasons, AWS doesn't actively monitor your usage and uses limited tools to investigate issues. It's best to actively monitor your account and its resources to detect any unusual activity or access to your account. Consider one or more of these solutions:

• Enable CloudWatch billing alerts to receive automated notification when your bill exceeds thresholds you define.
• Enable CloudTrail logging services to track what credentials were used to initiate particular API calls and when, to help you determine if the usage was accidental or unauthorized, and take the appropriate steps to mitigate the situation.
• Enable resource-level logging (for example, at the instance or OS level).

Note: If possible, as a best practice, enable logging for all regions, not just the ones you regularly use.