Security best practices in AWS IAM

Best practices to deploy Identity and access management in AWS


Gopi Narayanaswamy

2 years ago | 2 min read

To help secure your AWS resources, follow these recommendations for the AWS Identity and Access Management (IAM) service.

Lock away your AWS account root user access keys

  • Don't create programmatic access keys for the root account.
  • If you already have one, delete it immediately. If your environment genuinely requires root API keys, rotate them often and enable multi-factor authentication for the root user.

Create individual IAM users

Use user groups to assign permissions to IAM users

  • Create a group for each job function and grant granular access through the group.

Grant least privilege

  • When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.

Get started using permissions with AWS managed policies

  • The most secure way to grant least privilege is to write a custom policy with only the permissions your team needs. You must create a process that lets your team request more permissions when necessary.
  • To get started adding permissions to IAM identities, use AWS managed policies; they cover common use cases and are available in every AWS account.
  • AWS managed policies can be attached to any identity (user, user group, or role).

Validate your policies

  • Validate the policies you create before deploying them.

Use customer managed policies instead of inline policies

  • Recommended best practice is to use managed policies over inline polices. A key advantage of using these policies is that you can view all of your managed policies in one place in the console. You can also view this information with a single AWS CLI or AWS API operation. Inline policies are policies that exist only on an IAM identity (user, user group, or role). Managed policies are separate IAM resources that you can attach to multiple identities.
  • If you are using inline policies, convert them to managed policies where possible.

Use access levels to review IAM permissions

  • Review policies regularly and confirm that each one grants only the least privilege required to perform its particular task.
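The following is an added example, not code from the original post: a small Python review script that parses an IAM policy document, groups the allowed actions by access level (the List / Read / Write / Permissions management levels the IAM console uses to summarise a policy) and flags the grants a reviewer would want to look at, such as wildcard actions, `Resource: "*"` on write actions, and permissions-management actions without a Condition. The access-level classification is a prefix heuristic and the policy document is constructed for illustration.

```python
"""Review an IAM policy document by access level and flag over-broad grants.

Added example, not from the original post. The access-level mapping is a
heuristic keyed on action-name prefixes (an assumption that approximates the
levels shown in the IAM console); the sample policy is constructed.
"""
import json

# Heuristic: the verb a service action starts with tells us its access level.
LEVEL_PREFIXES = {
    "List": "List",
    "Describe": "Read",
    "Get": "Read",
    "Create": "Write",
    "Put": "Write",
    "Delete": "Write",
    "Update": "Write",
    "Terminate": "Write",
}
# IAM actions containing these fragments change who can do what.
PERMISSIONS_KEYWORDS = ("Policy", "Attach", "Detach", "PassRole")


def classify_action(action: str) -> str:
    """Return the access level for one action string such as 's3:GetObject'."""
    if action == "*":
        return "Permissions management"
    service, _, name = action.partition(":")
    if name in ("", "*"):
        return "Permissions management"
    if service == "iam" and any(k in name for k in PERMISSIONS_KEYWORDS):
        return "Permissions management"
    for prefix, level in LEVEL_PREFIXES.items():
        if name.startswith(prefix):
            return level
    return "Write"  # unknown verbs are treated conservatively


def _as_list(value):
    """IAM allows a string or a list in Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(doc: dict) -> dict:
    """Summarise allowed actions per access level and collect review findings."""
    levels, findings = {}, []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_levels = {a: classify_action(a) for a in actions}
        for action, level in action_levels.items():
            levels.setdefault(level, set()).add(action)
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        broad = {"Write", "Permissions management"}
        if "*" in resources and broad & set(action_levels.values()):
            findings.append(f"statement {i}: Resource '*' combined with write-level actions")
        if "Condition" not in stmt and "Permissions management" in action_levels.values():
            findings.append(f"statement {i}: permissions management without a Condition")
    return {"levels": {k: sorted(v) for k, v in levels.items()}, "findings": findings}


# Constructed sample policy in the real JSON document format.
SAMPLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PutUserPolicy"], "Resource": "*"}
  ]
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

if __name__ == "__main__":
    report = review_policy(SAMPLE_POLICY)
    for level, actions in sorted(report["levels"].items()):
        print(f"{level}: {', '.join(actions)}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it against a policy exported with `aws iam get-policy-version` and the findings list gives you a starting point for the review; the first statement (bucket-scoped List and Read) produces no findings, while the unconditional `iam:PutUserPolicy` on `Resource: "*"` is flagged twice.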

Configure a strong password policy for your users

Enable MFA

Use roles for applications that run on Amazon EC2 instances

  • Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn't a user or user group. Roles also don't have their own permanent set of credentials the way IAM users do. In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated.

Use roles to delegate permissions

Do not share access keys

Rotate credentials regularly

Remove unnecessary credentials

Use policy conditions for extra security

  • Define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL or MFA (multi-factor authentication). For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.
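As an added example (not part of the original post), the script below builds the policy the paragraph describes, an `ec2:TerminateInstances` grant conditioned on source IP range, TLS, MFA and a date window, and evaluates a handful of constructed request contexts against it with a small local implementation of the `IpAddress`, `Bool`, `DateGreaterThan` and `DateLessThan` operators. The evaluator is deliberately simplified (explicit action match, Allow statements only) so that the effect of each condition can be seen offline; the CIDR, timestamps and context values are all constructed.

```python
"""Evaluate IAM-style policy conditions against a request context.

Added example, not part of the original post. It implements a small subset
of the IAM condition operators locally; the policy and the request contexts
are constructed for illustration and the evaluation is simplified.
"""
import ipaddress
from datetime import datetime

# Constructed policy: terminate instances only from the office range, over TLS,
# with MFA, and inside a maintenance window.
TERMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "Bool": {"aws:SecureTransport": "true",
                     "aws:MultiFactorAuthPresent": "true"},
            "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2024-06-30T23:59:59Z"},
        },
    }],
}


def _values(v):
    """Condition values may be a string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _check(operator, expected, actual):
    """Return True when the context value satisfies one condition operator."""
    if actual is None:
        return False  # a missing context key never satisfies a positive condition
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr) for cidr in _values(expected))
    if operator == "Bool":
        return str(actual).lower() == str(_values(expected)[0]).lower()
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(_values(expected)[0])
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(_values(expected)[0])
    raise ValueError(f"unsupported operator {operator}")


def conditions_met(statement, context):
    """Every operator block and every key inside it must hold (logical AND)."""
    for operator, block in statement.get("Condition", {}).items():
        for key, expected in block.items():
            if not _check(operator, expected, context.get(key)):
                return False
    return True


def is_allowed(policy, action, context):
    """Simplified evaluation: allowed if some Allow statement names the action
    explicitly and all of its conditions hold; otherwise implicitly denied."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and action in _values(stmt["Action"])
                and conditions_met(stmt, context)):
            return True
    return False


# Constructed request contexts.
OFFICE_MFA = {
    "aws:SourceIp": "203.0.113.17",
    "aws:SecureTransport": "true",
    "aws:MultiFactorAuthPresent": "true",
    "aws:CurrentTime": "2024-06-15T10:00:00Z",
}
NO_MFA = dict(OFFICE_MFA, **{"aws:MultiFactorAuthPresent": "false"})
OUTSIDE_OFFICE = dict(OFFICE_MFA, **{"aws:SourceIp": "198.51.100.5"})
AFTER_WINDOW = dict(OFFICE_MFA, **{"aws:CurrentTime": "2024-07-02T10:00:00Z"})

if __name__ == "__main__":
    for name, ctx in [("office+MFA", OFFICE_MFA), ("no MFA", NO_MFA),
                      ("outside office", OUTSIDE_OFFICE), ("after window", AFTER_WINDOW)]:
        print(f"{name}: {'ALLOW' if is_allowed(TERMINATE_POLICY, 'ec2:TerminateInstances', ctx) else 'DENY'}")
```

Note that a request whose context lacks `aws:MultiFactorAuthPresent` (for example, one signed with long-lived access keys rather than an MFA-backed session) is denied here just as a request with the key set to `false` is, which is why a `Bool` condition on that key works as an MFA requirement rather than only as a check against an explicit "false".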

Finally, deploy continuous monitoring of AWS accounts


Created by

Gopi Narayanaswamy

Data Center, Cloud and Security Consultant - Design, Architecting, Penetration testing and Review with hands on Python, Rust, PowerShell, Azure Automation, Ansible, Terraform, API and other tools
