Amazon Web Services (AWS) Identity and Access Management (IAM) is a free core web service used to control access to AWS resources. IAM determines who is authenticated and what each identity is authorized to do with specific AWS resources and services. When you create a new AWS account, you begin with a single sign-in identity that has access to every AWS resource and service. This identity is called the AWS account root user. To use it, you sign in with the same credentials you used while creating the account. The root user credentials should not be used for everyday tasks, even administrative ones. Root user privilege should be used only to create your first IAM user. After that, lock the root user credentials away securely and use them only for the account and service management tasks that require them.
In the fast-growing IT industry, cloud security shares its goals with traditional IT security: protecting critical information from theft, leakage, and deletion. Moving to the cloud does not change how a secure solution is achieved, or the need to take both proactive and corrective actions. It does let you reach similar results in a more agile manner.
Now, let’s dive into IAM to find out some best practices that can significantly boost your cloud security:
Your AWS account root user has full access to all resources for all AWS services, including your billing information. Programmatic requests to AWS are signed with an access key, which consists of an access key ID and a secret access key. There is no way to reduce the permissions associated with the root user, so it is extremely important to protect the root user access key, and here are some ways to do so:
Most users will choose an easy-to-remember, and therefore easy-to-guess, password despite the security risk. An attacker can guess or brute-force such a password with little effort and take over the account. Users can create strong passwords by taking the following measures to ensure that IAM credentials are safe:
For better results, an admin sometimes has to look beyond the service itself. For instance, logging tools such as AWS CloudTrail help a great deal in keeping track of API requests. Other tools, such as Chalice, can automate IAM policy creation, which saves administration time. Although these tools help eliminate risks and accelerate some management tasks, they lack flexibility and should be monitored by admins constantly. To keep them effective, update them regularly as AWS itself changes.
All IAM policies should be monitored and reviewed regularly. Each policy should grant the least permission needed to perform the specific actions a role requires. The policy summary can be used to review a policy; it shows the access level granted for each service. There are five access levels: list, read, write, permissions management, and tagging.
You can grant access per task requirement. The policy summary appears on the policies page for managed policies, and on the users page for policies attached to a particular user.
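The review described above can be partly automated. The following script is an added example written for this page, not AWS tooling or code from the original article. It reads a policy document, approximates the policy summary's five access levels from action-name prefixes (a heuristic; the real summary uses AWS's per-service action tables), and flags the statements a least-privilege review would question: service-wide or global wildcards, write-level actions on every resource, and permissions-management actions. The sample policy document is constructed for the example.

```python
"""Flag IAM policy statements that grant broader access than least privilege allows."""
import json
from typing import Dict, List

# Constructed sample policy: one global wildcard, one service wildcard,
# one properly scoped statement and one permissions-management statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "WildcardService", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "PermMgmt", "Effect": "Allow",
     "Action": ["iam:PutUserPolicy", "iam:AttachUserPolicy"], "Resource": "*"}
  ]
}
""")


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def access_level(action: str) -> str:
    """Heuristic mapping of an action name to a policy-summary access level.

    This is an approximation for illustration; AWS classifies actions per service.
    """
    name = action.split(":", 1)[1] if ":" in action else action
    if name == "*":
        return "write"  # a service-wide wildcard includes every write action
    if name.startswith("List"):
        return "list"
    if name.startswith(("Get", "Describe")):
        return "read"
    if name.startswith(("Tag", "Untag")):
        return "tagging"
    if name.endswith("Policy") or "Permission" in name:
        return "permissions management"
    return "write"


def lint_policy(policy: dict) -> List[Dict[str, str]]:
    """Return review findings for every Allow statement that is broader than it should be."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append({"sid": sid, "severity": "high",
                             "reason": "Action '*' grants every API in every service"})
            continue  # nothing more specific to say about this statement
        for action in actions:
            if action.endswith(":*"):
                findings.append({"sid": sid, "severity": "high",
                                 "reason": f"{action} grants every action in the service"})
        levels = {access_level(a) for a in actions}
        if "permissions management" in levels:
            findings.append({"sid": sid, "severity": "medium",
                             "reason": "statement can change permissions; confirm it is required"})
        if "*" in resources and levels & {"write", "permissions management"}:
            findings.append({"sid": sid, "severity": "medium",
                             "reason": "write-level actions allowed on Resource '*'"})
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(f"[{finding['severity']}] {finding['sid']}: {finding['reason']}")
```

Run against the sample, the linter reports the three over-broad statements and stays silent on the scoped one, which is the behaviour you want when wiring a check like this into a policy review or a CI step.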
All IAM users should have multifactor authentication (MFA) enabled. With MFA, a response is generated on a device the user holds as part of the authentication process, and sign-in requires both the user's credentials and that response. If a user's password is compromised, the account's resources remain protected by the second factor.
The response could be generated in one of the following ways:
It is always good practice to audit user credentials regularly and remove any that are no longer active. AWS provides a credential report that tracks the lifecycle of passwords and access keys. The report lists each user, when the user was created, when the password was last used, and when it was last changed. If you use a password-rotation policy, it also shows when the next rotation is due. These details are very useful for auditing and deleting unnecessary credentials. An auditor can be assigned to download the credential report and act on it as required.
A new credential report is generated at most once every four hours. IAM checks when the last report was generated and decides whether to produce a new one or return the existing one.
Rotate your passwords and access keys regularly and make sure all IAM users do the same. Then, even if a password is compromised, it grants access to your resources only for a limited time. To make this easy, use an account password policy and set how frequently IAM users must change their passwords.
AWS provides a predefined set of managed policies that AWS maintains and customers cannot edit. These policies cover common access patterns, so users do not have to define a policy from scratch.
Never share your AWS account credentials under any circumstances. Instead, create an IAM user for each person who needs access to AWS resources. That way you can assign each user only the permissions their work requires.
All organizations should monitor AWS activity alongside their other cloud services to get a full view of cloud activity. This helps find threats and gives insight into cross-cloud threats that would be missed by looking at each cloud service on its own. A cloud access security broker (CASB) provides that cross-cloud visibility to support activity monitoring and threat protection.
Identity and Access Management is a free AWS service and a foundational building block for securing your cloud resources. Practices such as MFA, which requires more than one factor to access the system, and deleting unused credentials after timely audits reduce your exposure to security threats. If you are not yet ready to define your own policies, the AWS managed policies are a good starting point and suit most IT functions. Together these practices let you access and use your cloud resources securely.