AWS Identity and Access Management (IAM) is a free core web service used to control access to AWS resources. IAM determines who is authenticated (signed in) and authorized (has permissions) to use specific AWS resources and services. When you create a new AWS account, you begin with a single sign-in identity that has complete access to every resource and service in the account. This identity is called the AWS account root user, and you sign in to it with the email address and password you used to create the account. Root user credentials should not be used for everyday tasks, not even administrative ones. Use the root user only to create your first IAM administrator user; after that, lock the root credentials away securely and use them only for the small set of account and service management tasks that require the root user.
IAM: Best security practices
Cloud computing security covers the same ground as traditional IT security: protecting critical information from theft, leakage and deletion. Moving to the cloud does not change how a secure solution is built, nor the need for proactive and corrective controls; it lets you achieve the same results in a more agile manner.
Now, let’s dive into IAM to find out some best practices that can significantly boost your cloud security:
1. Avoid using or sharing AWS account root user credentials
Your AWS account root user has full access to every resource in every AWS service, including your billing information. Programmatic requests to AWS are signed with an access key, which consists of an access key ID and a secret access key. There is no way to reduce the permissions of the root user, so protecting its password and any root access key is critical. Some ways to do so:
- Restrict use of the root user to tasks that can only be done as root, such as creating the first administrator user. For everything else, create an IAM user with administrative permissions and use that user for day-to-day work.
- Delete the root user's access key; most accounts never need one. If you must keep it, rotate it regularly. You can delete or rotate it from the My Security Credentials page after signing in as the root user.
- Protect console sign-in to the account with a strong root password and multi-factor authentication (MFA) on the root user.
- Do not share your AWS account root user password or access key with anyone.
2. Use strong passwords for all AWS users
Left to themselves, most users choose an easy-to-remember, and therefore easy-to-guess, password despite the risk, and an attacker can then take over an account with little effort. The IAM account password policy can enforce most of the following rules for every IAM user's console password:
- Require a minimum length of 14 characters.
- Require at least one uppercase letter, one lowercase letter, one digit and one symbol.
- Avoid dictionary words, names and other guessable strings.
- Set a password expiration period and prevent reuse of previous passwords.
- Generate passwords with a password manager rather than inventing them by hand.
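The rules above map directly onto the account password policy that IAM exposes through its API. The following is an added example, not code from the original article: it holds the policy as the keyword arguments boto3's update_account_password_policy call accepts, and checks a candidate password locally against the same rules so an onboarding script can reject it before IAM does. The threshold values are taken from this article's recommendations, the dictionary list is a constructed stand-in, and treating Python's string.punctuation as the symbol set is an assumption of the example.

```python
"""IAM account password policy: the settings to push, plus a local pre-check
of the same rules. Added example; threshold values follow this article's
recommendations and are not AWS defaults."""
import string

# Keyword arguments for boto3 IAM.Client.update_account_password_policy.
ACCOUNT_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,           # days until a password must be changed
    "PasswordReusePrevention": 24,  # previous passwords that cannot be reused
    "HardExpiry": False,            # users may set a new password after expiry
}

# Constructed stand-in for a real dictionary or breached-password list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "amazon", "letmein"}


def apply_password_policy(iam_client, policy=ACCOUNT_PASSWORD_POLICY):
    """Apply the policy to the account. iam_client is boto3.client("iam");
    it is passed in so the function can be exercised with a stub offline."""
    return iam_client.update_account_password_policy(**policy)


def password_violations(candidate, policy=ACCOUNT_PASSWORD_POLICY,
                        dictionary=DICTIONARY_WORDS):
    """Return the rules a candidate password breaks (empty list means it passes).
    Assumption: string.punctuation is used as the symbol set, which is a
    superset of the symbols IAM counts."""
    problems = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        problems.append(f"shorter than {policy['MinimumPasswordLength']} characters")
    if policy["RequireUppercaseCharacters"] and not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if policy["RequireLowercaseCharacters"] and not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if policy["RequireNumbers"] and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy["RequireSymbols"] and not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Dictionary check on the letters only, so "Welcome2023!" is still caught.
    if "".join(c for c in candidate if c.isalpha()).lower() in dictionary:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("Welcome2023!", "correct-horse-battery-staple", "Tq7#vR9!mL2$pX4w"):
        print(pw, "->", password_violations(pw) or "ok")
```

Note that the account password policy applies only to IAM user console passwords; it does nothing for access keys or for the root user, which is why the root password still has to be chosen and protected by hand.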
3. Use third-party tools to enhance security
Sometimes an administrator has to look beyond IAM itself. AWS CloudTrail records every API request made in the account and is the primary source for auditing who did what. Frameworks such as AWS Chalice generate the IAM policy a Lambda function needs from the API calls in its code, which saves administration time. Such tools reduce risk and speed up management tasks, but they are not infinitely flexible and their output still needs review: an auto-generated policy can be broader than intended, and a tool that is not kept up to date with AWS changes quietly becomes ineffective.
4. Review IAM permissions using access levels
All IAM policies should be reviewed regularly. Each policy should grant only the least permissions needed to perform the specific actions a task requires. The policy summary in the IAM console shows, per service, which access level a policy grants. There are five access levels: list, read, write, permissions management and tagging.
Grant access per task requirement. The policy summary appears on the Policies page for managed policies and on the Users page for policies attached to a particular user. Pay particular attention to permissions management actions (for example, attaching a policy to a role) and to write actions granted on a Resource of "*": those are what an attacker who compromises the identity would use to escalate.
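The console's policy summary does this classification for you, but it is useful to be able to run the same kind of review over policy documents in a repository or a CI pipeline. The following is an added example, not code from the article or from AWS: it buckets each action in a policy's Allow statements into one of the five access levels and flags the combinations a reviewer should read first. The prefix and suffix rules are a heuristic approximation of AWS's own access-level mapping and are an assumption of this example, as is the constructed sample policy.

```python
"""Heuristic access-level summary of an IAM policy document.
Added example: the prefix/suffix rules below approximate the five IAM access
levels (list, read, write, permissions management, tagging) and are an
assumption of this example, not the mapping AWS uses in the console."""
import json
from collections import defaultdict

READ_PREFIXES = ("get", "describe", "head", "select", "batchget", "query", "scan", "view")
# Verbs that change who may do what: policies, ACLs, permissions, grants.
PM_SUFFIXES = ("policy", "policies", "acl", "permission", "permissions", "grant")


def classify_action(action):
    """Map one 'service:Verb' action to an access level."""
    _, _, verb = action.partition(":")
    v = verb.lower()
    if v in ("", "*"):                 # "*" or "iam:*" reaches everything
        return "permissions management"
    if v.startswith("list"):
        return "list"
    if v.startswith(READ_PREFIXES):    # also covers "s3:Get*"
        return "read"
    if "*" in v:                       # other partial wildcards: assume the worst
        return "permissions management"
    if "tag" in v:
        return "tagging"
    if v.endswith(PM_SUFFIXES) or v.startswith(("attach", "detach")):
        return "permissions management"
    return "write"


def summarize_policy(policy_document):
    """Return ({service: {level: [actions]}}, findings) for the Allow statements.
    Findings list write/permissions-management actions granted on Resource "*"
    and wildcard actions, the things a reviewer should look at first."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    summary = defaultdict(lambda: defaultdict(set))
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            service = action.split(":", 1)[0] if ":" in action else "*"
            level = classify_action(action)
            summary[service][level].add(action)
            if level in ("write", "permissions management") and "*" in resources:
                findings.append(f"statement {i}: {action} ({level}) on Resource '*'")
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
    return ({s: {l: sorted(a) for l, a in levels.items()} for s, levels in summary.items()},
            findings)


# Constructed sample policy (not from any real account).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "iam:AttachRolePolicy", "ec2:CreateTags"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    summary, findings = summarize_policy(SAMPLE_POLICY)
    print(json.dumps(summary, indent=2))
    for f in findings:
        print("REVIEW:", f)
```

On the sample, the first statement is scoped to one bucket and produces no findings; the second grants iam:PassRole and iam:AttachRolePolicy on every resource, which is exactly the pair a reviewer should question before approving the policy.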
5. Use multi-factor authentication
Every IAM user should have multi-factor authentication (MFA) enabled. With MFA, sign-in requires both the user's credentials and a response produced by a device the user possesses. If a user's password is compromised, the attacker still cannot sign in without that device. You can also enforce MFA in policy by denying sensitive actions unless the aws:MultiFactorAuthPresent condition key is true for the session.
The response is produced in one of the following ways:
- Hardware TOTP tokens and virtual MFA apps display a one-time code that you type in during sign-in.
- U2F/FIDO security keys answer the sign-in challenge when you tap the device; there is no code to type.
Identity providers such as Okta or Ping Identity can enforce MFA for users who federate into AWS instead of signing in as IAM users.
6. Remove unnecessary credentials
Audit user credentials regularly and remove any that are no longer in use. The IAM credential report lists, for every user, when the user was created, whether a console password is enabled, when the password was last used and last changed, whether MFA is active, and the same activity and rotation dates for each access key. If a password rotation policy is in force, the report also shows when the next rotation is due. These details make it straightforward to find and delete unused credentials, and downloading and acting on the report can be assigned to an auditor as a recurring task.
A new report can be generated at most once every four hours; if a report was generated more recently than that, IAM returns the existing one instead of producing a new one.
7. Rotate credentials regularly
Rotate passwords and access keys regularly and make sure all IAM users do the same. Then, even if a credential is compromised, it gives the attacker access for a limited time only. The account password policy lets you set how frequently IAM users must change their passwords. For access keys, each user can hold two at once, so issue and test the new key before deactivating and deleting the old one.
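Both the unused-credential audit of the previous section and the rotation check of this one are questions you answer from the same credential report, so here is one added example serving both. It is not code from the article; fetch_credential_report uses the real boto3 IAM calls (generate_credential_report, then get_credential_report), while the audit itself runs offline against a CSV constructed in the report's column layout for a fictional account. The 90-day thresholds, the user names and the account ID are assumptions of the example.

```python
"""Audit an IAM credential report for credentials to delete, deactivate or rotate.
Added example. fetch_credential_report uses the real boto3 calls; the CSV below
is constructed in the report's column layout and does not describe a real account."""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample: root with a live access key, a healthy user, a neglected
# user, and a CI user with an access key only.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,true,true,2022-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T12:00:00+00:00,true,2024-05-28T14:00:00+00:00,2024-04-02T10:00:00+00:00,2024-07-01T10:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-30T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T12:00:00+00:00,true,2023-11-20T14:00:00+00:00,2023-01-05T10:00:00+00:00,2023-04-05T10:00:00+00:00,false,true,2022-06-15T12:00:00+00:00,2023-12-01T09:00:00+00:00,eu-west-1,ec2,true,2024-05-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-25T00:00:00+00:00,2024-05-31T23:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample audit is reproducible.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)
NONE_VALUES = {"N/A", "no_information", "not_supported", ""}


def fetch_credential_report(iam_client, poll_seconds=2):
    """Ask IAM for a report and return the CSV text. A fresh report is generated
    at most every four hours; otherwise IAM serves the most recent one."""
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(poll_seconds)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


def _ts(value):
    """Timestamps are ISO 8601 with offset; the sentinel strings mean 'none'."""
    return None if value in NONE_VALUES else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=AS_OF, max_unused_days=90, max_key_age_days=90):
    """Return (user, action) pairs for every credential that should be removed or rotated."""
    findings = []
    unused_cutoff = now - timedelta(days=max_unused_days)
    age_cutoff = now - timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root access key active: delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            # A never-used password is counted from the day the user was created.
            last_used = _ts(row["password_last_used"]) or _ts(row["user_creation_time"])
            if last_used < unused_cutoff:
                findings.append((user, f"password unused since {last_used.date()}: disable console access"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            last_used = _ts(row[f"access_key_{n}_last_used_date"]) or rotated
            if rotated < age_cutoff:
                findings.append((user, f"access key {n} is {(now - rotated).days} days old: rotate"))
            if last_used < unused_cutoff:
                findings.append((user, f"access key {n} unused since {last_used.date()}: deactivate"))
    return findings


if __name__ == "__main__":
    for user, action in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {action}")
```

Deactivate a key (update-access-key with status Inactive) before deleting it; if anything breaks, it can be switched back on, and the last_used columns of the next report tell you whether it was still needed.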
8. Use AWS managed policies to assign permissions
AWS provides a predefined set of managed policies that AWS maintains and customers cannot edit. They cover common job functions, so you do not have to write a policy from scratch. Review the access levels they grant before attaching them; several are broader than a single workload needs, and you can always start from one and narrow it into a customer managed policy of your own.
9. Never share AWS account credentials
Never share your AWS account credentials. Instead, create an IAM user for each person who needs access to AWS resources and assign each user only the permissions their job requires.
10. Monitor user activities
Organizations should monitor AWS activity alongside all their other cloud services to get a full view of cloud activity. This helps surface threats, including cross-cloud threats that would be missed by looking at each cloud service on its own. A cloud access security broker (CASB) provides that cross-cloud visibility for activity monitoring and threat protection. Within AWS itself, CloudTrail logs are the raw material: alerting on any root user activity and on console sign-ins that did not use MFA is a common starting point.
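To make the monitoring concrete, here is an added example, not code from the article, that runs three detections over CloudTrail records: root user activity (excluding AWS-initiated service events, which also carry the root identity), successful console sign-ins without MFA, and repeated failed sign-ins from one source. The records are constructed in CloudTrail's JSON shape using documentation IP ranges and a fictional account; the failed-login threshold is an assumption.

```python
"""Detections over CloudTrail records: root user activity, console sign-ins
without MFA, and repeated failed sign-ins. Added example; the records below are
constructed in CloudTrail's JSON shape and the threshold is an assumption."""
import json
from collections import Counter

# Constructed records, one JSON object per line (the shape of the entries in a
# CloudTrail log file's "Records" array).
SAMPLE_CLOUDTRAIL = """\
{"eventVersion":"1.08","eventTime":"2024-06-01T08:00:00Z","eventType":"AwsConsoleSignIn","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventVersion":"1.08","eventTime":"2024-06-01T08:05:00Z","eventType":"AwsConsoleSignIn","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::111122223333:user/bob","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventVersion":"1.08","eventTime":"2024-06-01T08:06:00Z","eventType":"AwsConsoleSignIn","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::111122223333:user/bob","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventVersion":"1.08","eventTime":"2024-06-01T08:07:00Z","eventType":"AwsConsoleSignIn","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::111122223333:user/bob","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventVersion":"1.08","eventTime":"2024-06-01T08:08:00Z","eventType":"AwsConsoleSignIn","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::111122223333:user/bob","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventVersion":"1.08","eventTime":"2024-06-01T09:00:00Z","eventType":"AwsApiCall","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.25","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::111122223333:user/alice","accountId":"111122223333","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}}}
{"eventVersion":"1.08","eventTime":"2024-06-01T09:30:00Z","eventType":"AwsServiceEvent","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","awsRegion":"us-east-1","sourceIPAddress":"kms.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"}}
"""

FAILED_LOGIN_THRESHOLD = 3  # assumption: three failures from one source is worth a look


def parse_cloudtrail_lines(text):
    """Parse newline-delimited CloudTrail records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of finding dicts, one per rule hit, in detection order."""
    findings = []
    failures = Counter()
    for e in events:
        ident = e.get("userIdentity") or {}
        who = ident.get("userName") or ident.get("arn", "unknown")
        ip = e.get("sourceIPAddress", "")
        # Rule 1: any use of the root user, except AWS-initiated service events
        # and calls made on root's behalf by a service (invokedBy present).
        if (ident.get("type") == "Root" and e.get("eventType") != "AwsServiceEvent"
                and "invokedBy" not in ident):
            findings.append({"rule": "root-activity", "user": who,
                             "event": e.get("eventName"), "ip": ip})
        if e.get("eventName") == "ConsoleLogin":
            outcome = (e.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (e.get("additionalEventData") or {}).get("MFAUsed")
            # Rule 2: a successful console sign-in that did not present MFA.
            if outcome == "Success" and mfa != "Yes":
                findings.append({"rule": "console-login-without-mfa", "user": who, "ip": ip})
            if outcome == "Failure":
                failures[(who, ip)] += 1
    # Rule 3: repeated failures per (user, source IP), evaluated after the pass.
    for (who, ip), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "repeated-failed-logins", "user": who,
                             "ip": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_cloudtrail_lines(SAMPLE_CLOUDTRAIL)):
        print(finding)
```

The root sign-in in the sample used MFA and is still reported, which is deliberate: the article's point is that root should almost never be used, so every root event deserves a human look. The final KMS record carries the root identity but is an AwsServiceEvent generated by AWS, not a person, and is correctly ignored.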
IAM: A foundational security building block
Identity and Access Management is a free AWS service and a foundational building block for securing your cloud resources. Practices such as MFA, which requires a second factor to access the system, and timely audits that delete unused credentials reduce the account's exposure. If you are not yet ready to define your own policies, AWS managed policies are a reasonable starting point, as they cover most common IT functions. Together, these practices let you access and use your cloud resources securely.
Images: Pixabay
Don't share security credentials between accounts to allow users from another AWS account to access resources in your AWS account. Instead, use IAM roles. You can define a role that specifies what permissions the IAM users in the other account are allowed, and designate which AWS accounts have the IAM users that are allowed to assume the role. To learn whether principals in accounts outside of your zone of trust (trusted organization, OU, or account) have access to assume your roles, see What is IAM Access Analyzer?
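The zone-of-trust question can also be asked of a single role's trust policy before it is deployed. The following is an added example, not code from the article or from Access Analyzer: it walks the Allow statements of a trust policy, extracts the account behind each AWS principal, and reports any account outside a trusted set, as well as a Principal of "*" (public unless gated by a Condition). The trust policy, account IDs and trusted set are constructed; the check is deliberately narrower than Access Analyzer, which also reasons about conditions such as aws:PrincipalOrgID and resource policies across the whole account.

```python
"""Check a role's trust policy for principals outside the accounts you trust.
Added example: a simplified form of the zone-of-trust question Access Analyzer
answers; it looks only at AWS principals in Allow statements. The trust policy
and account IDs below are constructed."""
import json
import re

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _account_of(principal):
    """Return the 12-digit account behind an AWS principal, '*' for anyone,
    or None for a form this check does not understand."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def external_principals(trust_policy, trusted_accounts):
    """Return (statement index, principal, reason) for every AWS principal in an
    Allow statement that is not inside trusted_accounts."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":                      # bare "*" allows any principal
            aws_principals = ["*"]
        else:                                     # Service/Federated principals are out of scope
            aws = principal.get("AWS", [])
            aws_principals = [aws] if isinstance(aws, str) else aws
        gated = bool(st.get("Condition"))
        for p in aws_principals:
            acct = _account_of(p)
            if acct == "*":
                findings.append((i, p, "any account, gated only by Condition" if gated else "public"))
            elif acct is None:
                findings.append((i, p, "unrecognised principal form"))
            elif acct not in trusted_accounts:
                findings.append((i, p, f"account {acct} outside zone of trust"))
    return findings


# Constructed trust policy: one trusted account, a partner with an external ID,
# a service principal, and a public statement someone left in by mistake.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:user/deployer", "999988887777"]},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
    ],
})
TRUSTED_ACCOUNTS = {"111122223333", "444455556666"}

if __name__ == "__main__":
    for stmt, principal, reason in external_principals(SAMPLE_TRUST_POLICY, TRUSTED_ACCOUNTS):
        print(f"statement {stmt}: {principal}: {reason}")
```

Two findings come back for the sample: account 999988887777 in statement 1, which may be a legitimate partner that simply needs adding to the trusted set, and the Principal "*" in statement 3, which lets any AWS account assume the role and should be removed.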