AWS IAM Policies For Access Control – Part 229 Apr 2016
In part 1 of the AWS IAM Policies for Access Control series , we saw how IAM helps users in managing access controls. In this post, we will see AWS IAM best practices to be followed for AWS access control.
Keep your AWS account (root) access keys locked in
Every time you have to make programmatic requests to AWS, you need to use an access key that comprises of an access key ID and secret access key. It is highly recommended not to use your AWS account (root) access key as it provides full access to all your AWS resources. That includes your billing information as well. It can bring serious threats to your infrastructure as it is not possible to restrict the permissions linked to your AWS account access key.
For that reason, you should always protect your AWS account access key like. Here are some tips which can help you in protecting your account access:
If you do not have an access key for your AWS account, no need to make one except you utterly need to. Instead, what you can do is make use of your account email address and password to sign in to the AWS Management Console and generate an IAM user for yourself with all administrative privileges. Some of these privileges are explained in the next segment.
If you already have an access key for your AWS account, it is better to erase it. Even if you have to keep it, keep rotating them regularly. Visit “Security Credentials” page in the AWS Management Console to remove or turn around your AWS account access keys. There you just have to sign in with your account’s email address and password.
You should never share your AWS account password or access keys with anybody.
Always keep a strong password and change it regularly. This will keep your account protected and offer only account-level access to the AWS Management Console.
Make it possible to have AWS multifactor authentication (MFA) on your AWS account. This will provide additional security. This is a vital AWS IAM practice to follow.
Make individual IAM users
You should never use your AWS root account identifications to access AWS. Instead, you should always create individual users for anyone who needs access to your AWS account. Also, create an IAM user for yourself as well, and grant that user executive privileges. Use that AWS IAM user for all your work.
Use groups to assign permissions to IAM users
Try to use groups to assign permissions to AWS IAM users instead of defining permissions for individual IAM users. Creating groups is not only simple and more convenient but it also defines the applicable permissions. As employees and customers move around in your business, you can just use what IAM group their IAM user belongs to.
Allow least privilege
While creating IAM policies, you should allow least possible privileges to users. It is never required to grant them full access but just the access which is required to complete the task should be granted.
Try to start with providing a minimum set of permissions and grant further permissions if required. This will save you from getting too much exposed. Also, defining the correct set of permissions requires some time as you need to research about what kind of privileges is needed to complete the exact task, what actions a specific service supports, and what permissions are needed so as to carry out those actions.
Build up a strong password procedure for your users
Make your users understand the importance of keeping a strong password for every account. Also make sure that they keep changing their passwords regularly so that their accounts do not get hacked or compromised.
Allow MFA for privileged AWS IAM users
For added security, allow privileged AWS IAM users to have multifactor authentication (MFA). This can be done for the users who are allowed right of entry to sensitive resources or APIs. With MFA, users can have a device that will generate a unique authentication code like a one-time password every time they will access the account. For accessing, users must provide both their normal credentials like their user name and password as well as the one time password. The MFA device can either be any, or it can be a virtual device like any app and can run in smart phones and tablets. Not only this will provide increased security but user will enjoy this feature.
Use roles for applications that run on Amazon EC2 instances
All the applications running on an Amazon EC2 instance call for credentials so as to access other AWS services. At that time, IAM roles can be used to provide credentials to the application in a secure way. In the case of Amazon EC2, IAM vigorously provides provisional credentials to the EC2 instance, and these credentials are automatically rotated for you.
Hand over by using roles instead of by sharing credentials
Rather than sharing your security credentials, you can identify a role that state what permissions the IAM users in the other account are permissible, and from which AWS accounts the IAM users are allowed to presume the role.
Rotate credentials frequently
Always remember to change your own passwords and access keys regularly. In fact you should ensure that all AWS IAM users in your account rotate their credentials regularly. If it is done, account can be saved from being compromised.
Remove unnecessary credentials
The credentials which are not required anymore should be removed immediately. This can be easily done by generating and downloading the credential report that gives information about all AWS IAM users in your account and the status of their different credentials, such as passwords, access keys, and MFA devices.
Monitor activity in your AWS account
You should monitor activities going on in your account. For this, you can use logging features in AWS to establish the actions being taken in your account and get the idea about the resources that were used. The log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.
Logging features are available in the following AWS services:
- Amazon CloudFront
- AWS CloudTrail
- Amazon CloudWatch
- AWS Config
Amazon Simple Storage Service (Amazon S3)
Following these best practices, you can secure your AWS account. If you wish to refer to the a technical video guide which will help you understand IAM policies much better, watch our webinar video here. For more information of how you can secure your cloud infra for high performance and compliance, take up a 14-day Botmetric free trial. Run over 27 rigorous security audits and auto-fix the critical issues in seconds.
And if you wish to know more about security best practices, read our blog post on 21 AWS security Best Practices.
Do you agree that IAM is the future for managing cloud security? Tweet to us.