While supporting our customers with hosting issues such as deploying a new site to their host or configuring a database on the cloud, we see that the most popular cloud service is Amazon, which is also the service I have been using for my work for four years. We have no problems with Amazon's services, but most of our clients do; the most critical issue is that they are careless with their accounts, for example:
- Weak passwords, and passwords that are shared freely among a group of users. In almost every case, the shared account has administrator rights.
- API keys in the application have overly broad permissions. For instance, the application only needs an API key to access the S3 service, but that key can also add/remove EC2 instances and do a lot more.
- Server instances are out of date. The server administrator has not installed the new software versions, or has not even accessed the server for a long time, just letting the developers upload new source code and do the deployment. Older software may have security vulnerabilities, such as leaks in older SSL implementations.
- Their instances can be accessed from anywhere.
Prevention is better than cure
We should fix any security vulnerability early, before it becomes a real problem. I have seen a customer's bill increase from 200 USD/month to more than 3000 USD/month; fortunately, I proved to the Amazon agent that this was not intentional, and they were kind enough not to charge this amount for a first-time mistake. In all cases, you should spend the effort to keep your site secure; the cost of doing so is much smaller than the cost of resolving an incident. Below are some tips that a non-technical site admin can follow to manage an Amazon account better.
Require all users to have strong passwords
Passwords such as 123456, or your name + birthday, etc. are weak. Even famous people's accounts have been hacked, like Jack Dorsey's or Mark Zuckerberg's; a hacker may steal your account as well. I usually use the Strong Password service to generate a random password and keep all my passwords safe somewhere. It helps keep my account safer, and you should require all users in your organization to do the same, at least for their work accounts.
Create individual users and assign specific roles to them
When there is a problem, you must know where the problem came from. Did Alice perform a wrong action? Or did a hacker use Brian's account? Giving each user their own specific permissions makes them more active in keeping their account safe, and does not give them more permissions than they need.
A common issue is that the site administrator does not update the user list and permissions when employees leave the company. They remove the users from the employee table, but they do not remove them from the Amazon user database; this is a security hole as well.
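As an added example (not code from the original post), here is a small Python audit that flags IAM policy actions outside the service an application actually needs, using the S3-only API key from the list above as the case; the policy documents, Sids and bucket name are constructed samples.

```python
"""Audit an IAM policy document for Allow actions broader than the
service the application actually needs (constructed sample policies)."""
import json

# Constructed example: a key that only needs S3 but was also granted
# the ability to add/remove EC2 instances and manage IAM.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Sid": "TooMuch", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "iam:*"],
         "Resource": "*"},
    ],
})

# Constructed example: the same key scoped down to what the app uses.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
    ],
})


def overbroad_actions(policy_json, allowed_services):
    """Return (Sid, action) pairs from Allow statements whose action is
    outside allowed_services or uses a wildcard ("*" or "service:*")."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a bare string
            actions = [actions]
        for action in actions:
            service, _, verb = action.partition(":")
            if service == "*" or verb == "*" or service not in allowed_services:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings
```

Run `overbroad_actions(OVERBROAD_POLICY, {"s3"})` to see the three offending actions; the scoped policy returns an empty list.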
Limit resource access
If your offices are located in Germany and all of your employees are in Germany, then you should not let anyone from elsewhere access your Amazon Cloud resources. To prevent unexpected access to my Amazon server instances, we configure the permission groups (AWS security groups) so that only the IPs of my office can use SSH to access the server remotely.
This approach ensures that no one can access your server resources from outside the networks you allow.
Update to new software versions and check your site security
Software vendors always recommend that site administrators upgrade their software regularly. If you are using Windows, you can update the system after logging in to the server. The update process in Unix/Linux is easy too; just run the command
sudo yum update
or
sudo apt-get update && sudo apt-get upgrade
(on apt-based systems the first command only refreshes the package lists; the second installs the new versions). Some administrators avoid updating software versions because they are afraid that version incompatibilities may break the running applications, but they must resolve the compatibility issue rather than leave the system out of date.
Updating the software is not enough! You should also update the software configuration to remove obsolete protocols and apply the new best practices. For example, that is what we do after upgrading the Nginx server: we reconfigure Nginx to remove the obsolete SSL protocols (SSLv1, 2 and 3).
All of the above actions will keep your Amazon Cloud account safer, and they apply to all other cloud services as well. Try to make the life of black-hat hackers more difficult, and hopefully they will give up attacking your sites 🙂