AWS IAM Best Practices
To help secure AWS resources, AWS recommends the following best practices for the AWS Identity and Access Management (IAM) service.
Root Account – Don’t use it, and lock away its access keys
- Do not use the AWS root account, which has full access to all AWS resources and services, including the billing information.
- Permissions associated with the AWS root account cannot be restricted.
- Do not generate root access keys unless they are required.
- If access keys were already generated and are not needed, delete them.
- If access keys are needed, rotate (change) them regularly.
- Never share root account credentials or access keys; instead, create IAM users or roles to grant granular access.
- Enable AWS multi-factor authentication (MFA) on the root account.
User – Create individual IAM users
- Don’t use your AWS root account credentials to access AWS, and don’t share your credentials with anyone else.
- Start by creating an IAM user with the Administrator role, which has the same access to all resources as the root user, except to the account’s security credentials.
- Create individual users for anyone who needs access to your AWS account, give each user unique credentials, and grant each user only the permissions they need.
Groups – Use groups to assign permissions to IAM users
- Instead of defining permissions for individual IAM users, create groups, define the relevant permissions for each group according to job function, and then assign IAM users to those groups.
- Users in an IAM group inherit the permissions assigned to the group, and a user can belong to multiple groups.
- This makes it much easier to add new users, remove users, and modify the permissions of a whole group of users.
Permission – Grant least privilege
- An IAM user is created with no permissions by default.
- Users should be granted LEAST PRIVILEGE: only the permissions required to perform their task.
- Starting with minimal permissions and adding permissions as the job function requires is far better than granting full access and then trying to tighten it down.
Passwords – Enforce a strong password policy for users
- Require users to create strong passwords and to rotate their passwords periodically.
- Enable a strong password policy that defines password requirements, such as at least one capital letter, at least one number, and how frequently the password must be rotated.
MFA – Enable MFA for privileged users
- For extra security, enable multi-factor authentication (MFA) for privileged IAM users, that is, users who are allowed access to sensitive resources or APIs.
Role – Use roles for applications that run on EC2 instances
- Use roles for applications running on EC2 instances instead of creating an IAM user and hardcoding its credentials within the application.
- Roles do not have a permanent set of credentials associated with them; instead they dynamically provide temporary credentials that are automatically rotated.
- Hardcoded credentials can be compromised and are hard to rotate. They also pose a problem when new EC2 instances are created through Auto Scaling, since every instance then needs its own credential handling and rotation.
Sharing – Delegate using roles
- Allow users from the same AWS account, from another AWS account, or externally authenticated users (through a corporate authentication service, or through Google, Facebook, etc.) to assume IAM roles; the role specifies the permissions they receive.
- A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts IAM users are allowed to assume the role.
Rotation – Rotate credentials regularly
- Change your own passwords and access keys regularly, and enforce this through a strong password policy. Then, even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources.
- A user can have two active access keys at the same time, which allows a new key to be created and rolled out before the old one is deleted.
Track – Remove unnecessary credentials
- Remove IAM users and credentials (that is, passwords and access keys) that are not needed.
- Use the credential report, which lists all IAM users in the account and the status of their various credentials (passwords, access keys, and MFA devices) along with when they were last used, to figure out what can be removed.
- Passwords and access keys that have not been used recently might be good candidates for removal.
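As an added example (not code from the original post), the script below triages a constructed credential report laid out like the real report's CSV columns and flags the removal candidates described above: active credentials unused for a chosen number of days, any root access key, and console passwords without MFA. The account id, user names and timestamps are placeholders.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report (the real
# report has more columns; only those used below are kept). Account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-01-02T10:00:00+00:00,false,true,no_information,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-03-01T08:00:00+00:00,true,true,2024-03-02T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-06-01T08:00:00+00:00,false,true,N/A,true,2023-05-20T00:00:00+00:00
"""

NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def parse_ts(value: str):
    """ISO timestamp -> datetime; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_credentials(report_csv: str, now: datetime = NOW, max_idle_days: int = 90) -> list:
    """Return sorted (user, credential, reason) tuples that are candidates for
    removal: active credentials unused for more than max_idle_days, any root
    access key, and console passwords that are not protected by MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        checks = [("password", row["password_enabled"], row["password_last_used"]),
                  ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
                  ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"])]
        for name, active, last_used in checks:
            if active != "true":
                continue
            if user == "<root_account>" and name.startswith("access_key"):
                findings.append((user, name, "root access key should be deleted"))
                continue
            used = parse_ts(last_used)
            if used is None or now - used > timedelta(days=max_idle_days):
                findings.append((user, name, f"unused for more than {max_idle_days} days"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "mfa", "console password without MFA"))
    return sorted(findings)
```

A key whose last-used date is N/A or no_information is treated as never used, so it is flagged regardless of the threshold.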
Conditions – Use policy conditions for extra security
- Define conditions under which IAM policies allow access to a resource.
- Conditions provide finer-grained access control over AWS services and resources, for example limiting access to a specific IP range, or allowing only encrypted requests for uploads to S3 buckets.
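An added example, not from the original post, of what such conditions look like and how they are evaluated: a policy that restricts s3:PutObject to a source IP range and to uploads that request server-side encryption, plus a small evaluator for the two condition operators it uses. The bucket name and CIDR are placeholders, and the evaluator simplifies IAM's real logic (no Resource matching, no explicit Deny).

```python
import ipaddress
import json

# Added example (not from the original page): allow S3 uploads only from a corporate
# IP range and only when server-side encryption is requested. Placeholder values.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
      "StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}
    }
  }]
}
""")


def condition_matches(block: dict, ctx: dict) -> bool:
    """Evaluate the IpAddress and StringEquals operators (simplified IAM
    semantics: every operator/key pair must match, and a condition key that
    is absent from the request context fails the check)."""
    for operator, keys in block.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Allow only when an Allow statement names the action and its conditions
    hold. Resource matching and explicit Deny are omitted for brevity."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and action in actions:
            if condition_matches(stmt.get("Condition", {}), ctx):
                return True
    return False
```

The request context keys (aws:SourceIp, s3:x-amz-server-side-encryption) are the ones IAM itself populates from the request; an unencrypted upload simply lacks the second key and is denied.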
Auditing – Monitor activity in the AWS account
- Enable the logging features provided through CloudTrail, S3, and CloudFront to determine the actions users have taken in the account and the resources that were used.
- Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.
AWS Certification Exam Practice Questions
- Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
- Create individual IAM users for everyone in your organization (may not be needed, as roles can be used as well)
- Configure MFA on the root account and for privileged IAM users
- Assign IAM users and groups configured with policies granting least privilege access
- Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (these must be assigned only if the user works through the console or the command line)
- What are the recommended best practices for IAM? (Choose 3 answers)
- Grant least privilege
- Use the AWS account (root) for regular use
- Use Multi-Factor Authentication (MFA)
- Store access key/private key in git
- Rotate credentials regularly