Best Practices
Account Isolation
Warden should run in its own, isolated AWS account. Keep the number of people with access to that account very small (think five or fewer). Your security team should have no more than viewer permissions: they should not be able to read API keys, read DynamoDB table contents, or decrypt SSM parameters. Realistically, they should never need to access the account at all. Warden publishes events to EventBridge, which can be piped into your company's SIEM for the security team to act on.
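The "viewer permissions" boundary above is easiest to enforce with an explicit Deny policy attached alongside whatever read-only policy the security team's role already has. The following IAM policy is an added example for this page, not part of Warden or its documentation. It denies item-level DynamoDB reads, SSM parameter reads, KMS decryption (which also blocks decrypting SecureString parameters), and, as an assumption about where API keys might live, Secrets Manager secret values and API Gateway API keys; adjust those last two to wherever your deployment actually stores them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDynamoDBItemReads",
      "Effect": "Deny",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:PartiQLSelect",
        "dynamodb:ExportTableToPointInTime"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenySSMParameterReads",
      "Effect": "Deny",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:GetParameterHistory"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDecryptAndSecretReads",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyApiGatewayApiKeyReads",
      "Effect": "Deny",
      "Action": "apigateway:GET",
      "Resource": "arn:aws:apigateway:*::/apikeys*"
    }
  ]
}
```

An explicit Deny always wins over any Allow, so this policy can sit next to a broad read-only managed policy such as `arn:aws:iam::aws:policy/ReadOnlyAccess` without weakening it; that matters because ReadOnlyAccess still grants item-level DynamoDB reads and `ssm:Get*`, so the Deny is what actually keeps table contents and parameters out of reach. The team keeps table and parameter metadata (names, ARNs, tags, CloudWatch metrics) for troubleshooting, while the data itself stays inside the account. Review the policy with the IAM policy simulator after any change to Warden's storage layout.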
Hardware MFA
Protect the Warden account with a hardware MFA token or security key, and keep that token in a safe at all times.