Best Practices for Preventing Hackers from Hijacking Your AWS Account
Question
Your CTO is very worried about the security of your AWS account.
Which of the following options is the most appropriate to prevent hackers from completely hijacking your account?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - C.
Multi-factor authentication can add one more layer of security to your AWS account.
Even when you go to your Security Credentials dashboard, one of the items is to enable MFA on your root account.
Option A is incorrect because you need to have a good password policy.
Option B is incorrect because there is no IAM Geo-Lock feature.
Option D is incorrect because you should delete the root access keys rather than the root account password.
For more information on MFA, please visit the below URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Option C, which is to use MFA on all users and accounts, especially on the root account, is the most appropriate to prevent hackers from completely hijacking your AWS account.
MFA (Multi-Factor Authentication) adds an extra layer of security to the authentication process, requiring users to provide two or more forms of authentication before they can access the AWS resources. This ensures that even if an attacker has obtained a user's password, they cannot access the account without the additional authentication factor.
In the case of the root account, MFA is especially important as it has unrestricted access to all resources in the account. By enabling MFA on the root account, even if an attacker gains access to the root account password, they will not be able to access the account without the additional authentication factor.
Option A, which suggests using a short but complex password on the root account and any administrators, is not the best option as it still relies solely on a password for authentication. A complex password can make it more difficult for an attacker to guess or crack the password, but it is not foolproof.
Option B, which suggests using AWS IAM Geo-Lock and disallowing anyone from logging in except for in your city, is also not the best option as it can be easily circumvented by attackers using VPNs or other methods to make it appear as if they are logging in from an allowed location.
Option D, which suggests deleting the root account password, is not a viable option as it will prevent any legitimate users from accessing the account. While IAM roles and policies can be used to restrict access to resources, the root account is still necessary for certain account-level tasks, such as billing and managing IAM users and roles.