Amazon Web Services suggests a number of AWS IAM best practices to help secure your resources via the Identity and Access Management (IAM) service. However, monitoring these best practices can be time-consuming unless you use a platform such as CloudHealth to make light work of IAM administration.
The AWS Identity and Access Management (IAM) service allows you to control who has access to your AWS account, what specific services they have access to, and what actions they can perform. Like most account authentication services, the IAM service requires users to sign in with a username and password, and each username/password combination determines the user’s level of permission.
In theory, administering the IAM service should be straightforward. However, mistakes happen. If the wrong level of permission is assigned to the incorrect user, your AWS account could be exposed to security and compliance issues. Amazon Web Services (AWS) suggests a number of AWS IAM best practices to avoid mistakes being made. These include, but are not limited to:
Lock Away AWS Account Root User Access Keys
Root user access keys are the keys to the kingdom as far as your AWS account is concerned. It’s in your best interest to review all valid access keys and their use cases, and disable as many keys as you can. Most scenarios in which users might need access keys are covered by the capabilities of the IAM service, and temporary solutions such as the AWS Temporary Security Token service can cover the others.
Create IAM User Groups to Simplify Administration
Each authorized user with access to your AWS account should have an IAM identity with defined permissions. There will likely be multiple users with the same role, you can simplify IAM administration by creating user groups, defining the permissions for each group, and assigning users to groups so that each individual user inherits the permissions assigned to the group.
Grant Least Privilege to Users and Resources
The concept of granting least privilege is another way of saying you should only give your users the minimum permissions they need to get the job done. Granting least privilege not only applies to IAM users, it should also apply to resources. So, if a Lambda function only needs to read/write one file in an S3 bucket that should be all the access permission the function gets.
Create a Strong Password Policy for Users
Strong password policies force users to create passwords with a minimum number of characters and with specific character types. You can also prevent users from reusing passwords they’ve used before and, if you feel it’s necessary, set password expiration periods so users are forced to change their passwords periodically. Unfortunately, it isn’t possible to apply “lock-outs” to IAM user passwords.
Enable Multi-Factor Authentication for All Users
AWS IAM best practices recommend enabling multi-factor authentication for privileged users, but until you’re able to apply “lock-outs” to IAM user passwords (which prevent brute force attempts to hack a user’s password), it’s more appropriate to enable multi-factor authentication for all users.
Managed Policies and Policy Conditions
The best practice about applying pre-configured “managed policies” saves time creating individual access policies for each user or user group. For example, the default billing managed policy gives users/user groups permission to access resources relating to billing, costs, payment methods, budgets, and reports. The preconfigured policies can be copied and modified as necessary to meet each business’s individual requirements.
One of the most security-conscious AWS IAM best practices is to apply policy conditions to a user or group that only allows them to access resources at certain times of the day, from an allowable range of IP addresses, and/or when using multi-factor authentication. However, please be aware that using the AWS Console to apply policy conditions can be complicated if you don’t have a global tagging strategy because some of the values required to apply policy conditions are case sensitive.
Monitoring Activity on Your AWS Account
The last of the AWS IAM best practices relates to monitoring activity on your AWS account to identify anomalies and make changes where required. AWS recommends using a mixture of Amazon CloudFront, AWS CloudTrail, Amazon CloudWatch, AWS Config, and Amazon S3 logs to observe the dates and times of users’ actions, the source IP of specific actions, and which actions failed due to inadequate permissions. The logic behind this degree of monitoring is to review user permissions and remove unnecessary credentials.
This area can be particularly time-consuming and prone to errors if an attempt to manually correct an anomaly is made without a full understanding of the consequences. As much as IT professionals with a thorough understanding of networking, operating systems, and operational controls may be able to determine and execute the most appropriate course of action, ask yourself this - could such a highly qualified IT professional’s time be put to better use elsewhere?
How to Make Light Work of AWS IAM Best Practices
CloudHealth is a cost-effective and time-saving solution to this issue. he same policy-driven automation used to maintain an optimized infrastructure can also be utilized to monitor AWS IAM best practices. For example, you can apply CloudHealth policies that:
- Notify you when an IAM user is not assigned to a group.
- Alert you to an account with a non-compliant password.
- Warn you when multi-factor authentication has been disabled.
CloudHealth makes light work of AWS IAM best practices by monitoring activity on your AWS account and telling you when an anomaly occurs - rather than you spending time searching for one that might not exist. The options to disable access keys and revoke account access can be particularly valuable if your network has been accessed without authorization, or if you have a rogue employee operating inside your business.