• Lock Away Your AWS Account (Root) Access Keys
  • Create Individual IAM Users
  • Use AWS Defined Policies to Assign Permissions Whenever Possible
  • Use Groups to Assign Permissions to IAM Users
  • Grant Least Privilege
  • Use Access Levels to Review IAM Permissions
  • Configure a Strong Password Policy for Your Users
  • Enable MFA (multi-factor authentication) for Privileged Users
For extra security, enable multi-factor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs).
With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) 
Eg. g. Use Google Authenticator app on iPhone which will generate OTps for you.
You can enable MFA - Go user in IAM console, Security Credentials tab and Assign MFA device, download google app, scan code..

  • Use Roles for Applications That Run on Amazon EC2 Instances
  • Delegate by Using Roles Instead of by Sharing Credentials
  • Rotate Credentials Regularly
  • Remove Unnecessary Credentials
    Determine when a password or access key was last used by using these IAM APIs:

    ListUsers (AWS CLI command: aws iam list-users)
    GetUser (AWS CLI command: aws iam get-user)
    GetAccessKeyLastUsed (AWS CLI command: aws iam get-access-key-last-used)

 

  • Use Policy Conditions for Extra Security
  • Monitor Activity in Your AWS Account

Logging features are available in the following AWS services:

Amazon CloudFront – Logs user requests that CloudFront receives.

 AWS CloudTrail – Logs AWS API calls and related events made by or on behalf of an AWS account.

Amazon CloudWatch – Monitors your AWS cloud resources and the applications you run on AWS. You can set alarms in CloudWatch based on metrics that you define.

AWS Config – Provides detailed historical information about the configuration of your AWS resources, including your IAM users, groups, roles, and policies. For example, you can use AWS Config to determine the permissions that
belonged to a user or group at a specific time.

Amazon Simple Storage Service (Amazon S3) – Logs access requests to your Amazon S3 buckets.

Basically do the following 5 Steps.

aws-iam1.PNG

Source :-

http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html