Security best practices in AWS IAM
Best practices to deploy Identity and access management in AWS
Gopi Narayanaswamy
To help secure your AWS resources, follow these recommendations for the AWS Identity and Access Management (IAM) service.
Lock away your AWS account root user access keys
- Don't create programmatic access keys for the root account.
- If you already have one, delete it immediately. If your environment genuinely requires root API keys, rotate them often and enable multi-factor authentication for the root user.
Create individual IAM users
Use user groups to assign permissions to IAM users
- Create a group for each job function and grant it only the granular access that function needs.
Grant least privilege
- When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.
Get started using permissions with AWS managed policies
- The most secure way to grant least privilege is to write a custom policy with only the permissions needed by your team. You must create a process to allow your team to request more permissions when necessary.
- To get started adding permissions to IAM identities, use AWS managed policies. They cover common use cases and are available in every AWS account.
- AWS managed policies can be attached to any identity (user, user group, or role).
Validate your policies
- Validate the policies you create before implementing them.
Use customer managed policies instead of inline policies
- The recommended best practice is to use managed policies over inline policies. A key advantage of managed policies is that you can view all of them in one place in the console, or with a single AWS CLI or AWS API operation. Inline policies exist only on a single IAM identity (user, user group, or role); managed policies are separate IAM resources that you can attach to multiple identities.
- If you are using inline policies, convert them to managed policies.
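As an added example (not the article's own code), the function below performs that conversion for one user. It calls the boto3 IAM client methods list_user_policies, get_user_policy, create_policy, attach_user_policy and delete_user_policy in the order that never leaves the user without permissions: the managed copy is created and attached before the inline original is deleted. The client is passed in, so the FakeIAM class (with a constructed user "alice", a constructed inline policy, and the documentation placeholder account id 123456789012) lets the logic run offline; the "converted-" name prefix is an assumption.

```python
"""Move a user's inline IAM policies to customer managed policies (added example)."""
import json


def convert_inline_policies(iam, user_name, name_prefix="converted-"):
    """Replace every inline policy on user_name with an attached managed policy.

    Returns the ARNs of the managed policies created. The inline original is
    deleted only after its managed copy is attached, so permissions never lapse.
    """
    created = []
    for policy_name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        doc = iam.get_user_policy(UserName=user_name,
                                  PolicyName=policy_name)["PolicyDocument"]
        managed = iam.create_policy(PolicyName=name_prefix + policy_name,
                                    PolicyDocument=json.dumps(doc))
        arn = managed["Policy"]["Arn"]
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
        iam.delete_user_policy(UserName=user_name, PolicyName=policy_name)
        created.append(arn)
    return created


class FakeIAM:
    """Minimal stand-in for the boto3 IAM client, holding constructed sample data."""

    def __init__(self):
        # Constructed: user "alice" has one inline policy granting S3 reads.
        self.inline = {"alice": {"s3-read": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-bucket/*"}],
        }}}
        self.managed = {}   # policy ARN -> document
        self.attached = {}  # user name -> list of attached policy ARNs

    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self.inline.get(UserName, {}))}

    def get_user_policy(self, UserName, PolicyName):
        return {"PolicyDocument": self.inline[UserName][PolicyName]}

    def create_policy(self, PolicyName, PolicyDocument):
        # 123456789012 is the AWS documentation placeholder account id.
        arn = f"arn:aws:iam::123456789012:policy/{PolicyName}"
        self.managed[arn] = json.loads(PolicyDocument)
        return {"Policy": {"Arn": arn}}

    def attach_user_policy(self, UserName, PolicyArn):
        self.attached.setdefault(UserName, []).append(PolicyArn)

    def delete_user_policy(self, UserName, PolicyName):
        del self.inline[UserName][PolicyName]


if __name__ == "__main__":
    # For a real account, replace FakeIAM() with boto3.client("iam").
    client = FakeIAM()
    print(convert_inline_policies(client, "alice"))
    print("remaining inline policies:", client.inline["alice"])
```

Run the converted policy documents through the same linter you use for new policies before attaching them; converting an over-broad inline policy to a managed one only makes the problem easier to find, not smaller.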
Use access levels to review IAM permissions
- Review policies regularly, including after any security incident, and confirm that each policy grants only the least privilege required to perform its task.
Configure a strong password policy for your users
Enable MFA
Use roles for applications that run on Amazon EC2 instances
- Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn't a user or user group. Roles also don't have their own permanent set of credentials the way IAM users do. In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated.
Use roles to delegate permissions
Do not share access keys
Rotate credentials regularly
Remove unnecessary credentials
Use policy conditions for extra security
- Define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL or MFA (multi-factor authentication). For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.
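The following added example (not from the original article) makes the MFA-to-terminate case concrete. It holds one constructed policy that allows ec2:TerminateInstances only from an office IP range (203.0.113.0/24, a documentation range), over TLS, with MFA present, and within a date window, plus a small evaluator for the IpAddress, Bool, DateGreaterThan and DateLessThan condition operators. The request contexts are constructed samples; note that when no MFA was used, aws:MultiFactorAuthPresent is absent from the request context rather than set to "false", which is why a missing key never satisfies a condition here.

```python
"""Evaluate IAM Condition blocks against a request context (added example)."""
import ipaddress
from datetime import datetime

# Constructed policy: terminate instances only from the office range, over
# TLS, with MFA, during a June 2024 change window.
TERMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "Bool": {"aws:MultiFactorAuthPresent": "true",
                     "aws:SecureTransport": "true"},
            "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2024-06-30T23:59:59Z"},
        },
    }],
}

# Constructed request contexts.
GOOD_CONTEXT = {
    "aws:SourceIp": "203.0.113.42",
    "aws:MultiFactorAuthPresent": "true",
    "aws:SecureTransport": "true",
    "aws:CurrentTime": "2024-06-15T10:30:00Z",
}
# No MFA: the key is absent from the context, not "false".
NO_MFA_CONTEXT = {k: v for k, v in GOOD_CONTEXT.items()
                  if k != "aws:MultiFactorAuthPresent"}
OFFSITE_CONTEXT = dict(GOOD_CONTEXT, **{"aws:SourceIp": "198.51.100.7"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _check(operator, expected, actual):
    """True when one context value satisfies one condition operator."""
    if actual is None:
        return False  # a missing context key never satisfies a positive operator
    if operator == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                   for cidr in _as_list(expected))
    if operator == "Bool":
        return str(actual).lower() in [str(e).lower() for e in _as_list(expected)]
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def conditions_met(condition, context):
    """IAM ANDs every operator and every key inside a Condition block."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if not _check(operator, expected, context.get(key)):
                return False
    return True


def is_allowed(policy, action, context):
    """True if an Allow statement names the action and its conditions all hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and action in _as_list(stmt["Action"]):
            if conditions_met(stmt.get("Condition", {}), context):
                return True
    return False


if __name__ == "__main__":
    for label, ctx in [("office+MFA", GOOD_CONTEXT), ("no MFA", NO_MFA_CONTEXT),
                       ("off-site", OFFSITE_CONTEXT)]:
        print(label, is_allowed(TERMINATE_POLICY, "ec2:TerminateInstances", ctx))
```

The evaluator covers only the operators named in the text and treats the Resource element as already matched; the real IAM evaluation also applies explicit Deny statements, resource policies and permission boundaries. The IAM policy simulator is the authoritative check before a condition-based policy is deployed.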
Finally, deploy continuous monitoring of AWS accounts
Data Center, Cloud and Security Consultant - Design, Architecting, Penetration testing and Review with hands on Python, Rust, PowerShell, Azure Automation, Ansible, Terraform, API and other tools