In 2016 hackers compromised my personal AWS setup. Within a matter of hours I received an AWS bill for $3000 😱😱😱😱
When you're a Cloud Native Engineer, one of the best ways to learn is by experimenting directly on cloud platforms like AWS. But doing so can be fraught with difficulties if you're not careful when you set up and use your cloud account. An incorrectly set up account is vulnerable to hackers, and you could even end up with a massive bill!
By the end of this article you'll know all the steps to take before accessing your AWS cloud account, so that you can experiment and learn about AWS.
Why setting up your cloud account is so important
The best way to show you how important it is to set up your cloud account is by telling you the aforementioned tale of the $3000 AWS bill.
It was 2016 and I was getting charged for having too many private repositories on GitHub.
To try and cut back I decided to switch a handful of my private repositories back to public access.
But, in haste, I forgot that a repository I made public had my private AWS credentials exposed.
I was feeling rather smug that I was saving an extra $7 a month. But within a few days I got a strange-looking email that caught my eye…
Holy shit!
Up until this point I'd been paying only a couple of pounds a month. And to make matters worse, the enormous bill was accrued in a matter of hours. So with every hour that went by I was getting charged hundreds of pounds. Time was of the essence… I logged into my account and furiously started closing down resources. Some resources I'd never even heard of!
By now you might be wondering: how exactly did my account get hacked?
Let me explain…
There are automated tools that scan the web for leaked credentials. When such a tool finds your credentials, it uses them to make programmatic API calls that launch as many resources as possible. My AWS account was now part of an extremely large, and very illegal, botnet.
At the time I didn't even know such a thing was possible. And if you're not careful you could be at risk, too.
But don't worry, it's not all doom and gloom! There are ways that you can protect yourself from these types of hackers, and that's what we're going to talk about today.
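A pre-publish check in the spirit of this story, added here as an example (it is not code from the original post): it scans a working tree for AWS access key IDs and for secret-key assignments, so a repository can be checked before it is flipped from private to public. The `AKIA`/`ASIA` prefixes and the key lengths are AWS's; the sample credentials file is constructed and its values are fake.

```python
import re
from pathlib import Path

# Long-term access key IDs start with AKIA and temporary (STS) ones with
# ASIA, followed by 16 upper-case letters or digits. The lookarounds stop
# the pattern matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-style characters. On its own that is too
# generic, so only report it when it sits in an aws_secret_access_key
# assignment, the form found in ~/.aws/credentials and most config files.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def scan_text(text):
    """Return (line_number, kind) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((lineno, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((lineno, "secret_access_key"))
    return findings

def scan_tree(root, skip_dirs=(".git", "node_modules")):
    """Scan every regular file below root; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or any(p in skip_dirs for p in path.parts):
            continue
        found = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if found:
            results[str(path)] = found
    return results

# Constructed sample: a credentials file of the kind that leaked in the
# story. The values are fake but have the real prefix and lengths.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAEXAMPLE0000000AB
aws_secret_access_key = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
region = eu-west-1
"""

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: possible {kind}")
```

Run `scan_tree(".")` from the repository root before changing its visibility; a non-empty result means something needs to be removed (and the key rotated) first.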
I'm going to walk you through four simple steps that you should take before you start experimenting on your AWS account.
First up…
1) Don't use your root credentials
The root credentials are the username and password that you signed up to AWS with. You should only use your root account credentials in emergencies.
Our root account has full access to all resources and all permissions on AWS, which is what gave the hacker full rights to spin up as many resources as they wanted. So the first thing you want to do when you've got an AWS account is *stop using your root credentials.*
So when you've signed up to AWS and have your account handy, follow the upcoming steps and then store your root password away somewhere safe, and don't use it unless it's an emergency. But if I'm telling you not to use the root account, how should you access and use your AWS account?
Let's cover this now!
2) Create an admin user
In the next two steps we'll be creating two users. But for now, let's focus on the first: our admin user.
I imagine right about now you're thinking: but why do we need a new user if it's only one person accessing our account? Isn't this overkill?
Because the notion of a user gives us granularity when assigning permissions, even if all the users are used by the same person. And with users we can ensure that the account we're using day-to-day has as few permissions as possible.
The concept of restricted user access is known as the principle of least privilege. The reason the hacker who compromised my account was able to cause so much damage was that I used my root account, which has full access. By creating new users we can limit the damage that could be caused if one of our credentials is compromised.
To create users we'll use the IAM service. AWS IAM (Identity and Access Management) is how AWS users and permissions are created and delegated. Don't worry about the service too much at this stage. Follow along and you'll be able to experiment once you're set up properly.
Okay, so let's look at the actual steps we need to perform to set up that first user:
- Add your user by going to: Services > IAM > Users > Add User and call this user admin.
- Create a group by going to: Services > IAM > Groups > Create New Group. Call this group admins and assign the policy AdministratorAccess.
- Assign your admin user to your new group.
3) Create a developer user
Awesome, that's one user created!
Next, let's create our developer user.
We'll use our developer user for everyday work, and it will be assigned only the permissions it needs.
- Add your developer user by going to: Services > IAM > Users > Add User and call this user developer.
- Create a group by going to: Services > IAM > Groups > Create New Group. Call this group developers and assign the policy AmazonEC2FullAccess.
- Assign your developer user to your new group.
These steps might seem heavy-handed, but using this process we're going to restrict the access that our developer credentials have.
If someone compromises your admin user's password, the attacker will still need your MFA device to log in. But if someone compromises your developer user, the damage the attacker can do will be limited by the permissions you've assigned. So where possible keep these restrictions tight. If you need to, you can always remove permissions again after you've performed any kind of account-creation activity.
So, to summarise our new user setup and workflow, you'll have…
- A root account with a hidden password, for use only in emergencies.
- An admin user for logging into the console and delegating permissions to other users.
- A developer user for use with the AWS SDK via token access, which we grant only the permissions we need.
4) Enable MFA
Previously I mentioned that our admin account would have MFA enabled. MFA stands for multi-factor authentication. Essentially, when we enable MFA, anyone using our account needs both the password and another piece of information in order to log in. MFA is useful because if our password is lost, a would-be attacker still cannot gain access to our account.
So let's go ahead and enable MFA for all three accounts: the root account and the admin and developer users we just created.
You can do so by going to *Services > IAM > Your User > Security Credentials > Manage MFA > Apply* and choosing an MFA method that makes sense for you. I'm currently using the authenticator app on my phone: all I need to do is scan a QR code and voilà! I'm up and running.
I should probably mention here that if you lose the MFA device you'll be able to recover your access using your root account email or phone number. So make sure these are correct in case you lose your device!
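As an added example (not from the original post), the following Python checks an IAM credential report against steps 1 and 4 above: the root account holds no access keys, and every identity that can sign in with a password has MFA. The report's column names and its `<root_account>` row are AWS's (`aws iam get-credential-report` returns the CSV base64-encoded); the sample rows are constructed.

```python
import csv
import io

# The account's root user appears under this name in the credential report.
ROOT_USER = "<root_account>"

def audit_credential_report(report_csv):
    """Return human-readable findings; an empty list means the report passes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_on = row.get("mfa_active") == "true"
        password_on = row.get("password_enabled") == "true"
        active_keys = [n for n in ("1", "2")
                       if row.get(f"access_key_{n}_active") == "true"]
        if user == ROOT_USER:
            # Step 1: root is for emergencies only, so it should never hold
            # programmatic keys (exactly the kind of credential that leaked).
            if active_keys:
                findings.append("root has active access key(s): "
                                + ", ".join(active_keys))
            # Step 4: the post enables MFA on root as well as the IAM users.
            if not mfa_on:
                findings.append("root has no MFA device")
            continue
        # Step 4: anyone who can sign in to the console needs a second factor.
        if password_on and not mfa_on:
            findings.append(f"user {user} can sign in with a password but has no MFA")
    return findings

# Constructed sample in the credential report's column layout (only the
# columns the checks read are kept). The account ID is made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
admin,arn:aws:iam::111122223333:user/admin,true,true,false,false
developer,arn:aws:iam::111122223333:user/developer,true,false,true,false
"""

if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT) or ["no findings"]:
        print(finding)
```

In the sample the developer user mirrors the 2016 setup (a password but no second factor) and the root account still carries an access key, so both are reported.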
Now you're safe for experimentation
And that's it, your own personal AWS setup. In the next few days I'll be putting up another post that explains how you can set up your keys on your local machine for ease of use and simplicity. So make sure you're signed up to the newsletter and you'll get the post in your inbox soon! Follow these simple steps when setting up and using your AWS account. Avoid horrific AWS charges and experiment with AWS services with peace of mind!
Do you have a horror story from getting an account hacked? Let me know about it in the comments below!
The post Your personal AWS setup (and how to not get hacked) appeared first on The Dev Coach.