AWS takes the security of its services and resources very seriously and provides customers with robust access control services. The IAM (Identity and Access Management) service lets customers manage users, groups, roles, and permissions, but configuring IAM correctly to meet security requirements is entirely the AWS customer's responsibility. This article collects and organizes best practices for using IAM securely, for readers' reference and practice.
Root Account Protection
Limit the Use of the AWS Root Account
When you register an account on AWS, the initial user account created is called the root account. This account has full access to all AWS resources (including billing information), making it the most privileged account. Since the permissions of root account credentials cannot be restricted, limit root account use to tasks that can only be performed with it (such as creating the first administrative account). For all other tasks, create an IAM user with administrative permissions and use that user for daily management of the AWS environment.
Rotate Root Account Access Keys
Regardless of how often the AWS root account is used, it is strongly recommended to rotate its access keys periodically using the Security Credentials page.
Enable Multi-Factor Authentication (MFA)
We recommend using a virtual MFA device. A virtual MFA device is a software application that runs on a mobile phone or other mobile device and generates a six-digit code based on a time-synchronized one-time password algorithm. In addition to their username and password, users must also supply the code from an AWS-supported MFA device when logging in, which strengthens account security.
IAM User Management
Never Share AWS Account Credentials
Create individual IAM users for employees who need access to AWS resources rather than sharing AWS account credentials. This lets you assign each user a unique set of permissions based on their job requirements.
Use AWS Managed Policies to Assign Permissions
Amazon provides a set of predefined policies that are fully managed by AWS; customers cannot edit their permissions. These policies are designed to cover common use cases and make implementing access policies easier than writing them from scratch. An important advantage is that you can view all managed policies in one location in the console, or retrieve the same information with a single AWS CLI or AWS API operation. An inline policy is embedded in a single IAM identity (user, group, or role) and belongs only to it, whereas managed policies are standalone IAM resources that can be attached to multiple identities.
Use Groups to Assign Permissions
Define the permissions associated with each group, then assign IAM users to these groups. All users in an IAM group inherit the permissions assigned to that group, so you can change the permissions of everyone in the group in one place. When staff move between positions, you only need to change the IAM group to which the IAM user belongs.
Grant Least Privilege
When creating IAM policies, follow the standard security advice of granting least privilege: grant only the permissions needed to perform a task. Determine what actions users (and roles) need to perform, then create policies that allow them to perform only those tasks.
Enforce Strong Password Policy
When left to their own devices, most users choose an easily guessed password despite the security risk. According to Skyhigh data, the top 20 most common passwords account for 10% of all passwords, and popular passwords such as "123456" and "password" alone account for more than 5% of all passwords. This means that hackers can compromise one in twenty user accounts using just these two passwords, without any brute-force attack. Creating passwords that are both highly secure and easy to remember is nevertheless feasible. Taking the following steps can ensure that IAM credentials are protected:
- Define a minimum password length of at least 14 characters
- Require non-alphabetic characters, at least one uppercase letter, and at least one symbol
- Set password expiration policy and prohibit password reuse
- Discourage privileged users from using dictionary words in passwords
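The four rules above can be enforced at two levels: the account password policy (which IAM checks for you) and a local pre-check for passwords that people or provisioning scripts propose. The following added example, which is not from the original article, shows both. The dictionary word list, the 90-day expiry and the 24-password reuse history are assumptions, since the text gives no specific values; the key names in ACCOUNT_PASSWORD_POLICY are the parameters of the IAM UpdateAccountPasswordPolicy API.

```python
import hashlib
import string

# Account-level settings matching the four rules in the text. The key names are
# the parameters of the IAM UpdateAccountPasswordPolicy API
# (aws iam update-account-password-policy). The age and reuse-history values
# are assumptions; the text names no specific numbers for them.
ACCOUNT_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireNumbers": True,           # "non-alphabetic characters", read here as digits
    "RequireSymbols": True,
    "MaxPasswordAge": 90,             # days before a password expires (assumed value)
    "PasswordReusePrevention": 24,    # previous passwords remembered (assumed value)
}

# Constructed word list; a real check would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "amazon", "admin"}


def hash_password(password: str) -> str:
    """Illustrative digest used only to compare against prior passwords in this demo."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, previous_hashes=(), dictionary=DICTIONARY_WORDS):
    """Return the list of rule violations for a candidate password (empty list = acceptable)."""
    violations = []
    if len(candidate) < ACCOUNT_PASSWORD_POLICY["MinimumPasswordLength"]:
        violations.append("too_short")
    if ACCOUNT_PASSWORD_POLICY["RequireUppercaseCharacters"] and not any(c.isupper() for c in candidate):
        violations.append("no_uppercase")
    if ACCOUNT_PASSWORD_POLICY["RequireNumbers"] and not any(c.isdigit() for c in candidate):
        violations.append("no_digit")
    if ACCOUNT_PASSWORD_POLICY["RequireSymbols"] and not any(c in string.punctuation for c in candidate):
        violations.append("no_symbol")
    # Dictionary words embedded anywhere in the password (case-insensitive).
    lowered = candidate.lower()
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            violations.append(f"dictionary_word:{word}")
    # Reuse check against the remembered history of previous password digests.
    if hash_password(candidate) in set(previous_hashes):
        violations.append("reused")
    return violations
```

The account policy blocks short or low-complexity passwords at the API; the local check catches the two rules IAM cannot express (dictionary words and a history longer than the built-in reuse window) before a password is ever submitted.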
Enable Multi-Factor Authentication (MFA)
Organizations should assume that at least some of their cloud service user credentials have already been compromised. Because employees tend to reuse passwords across services, enabling MFA should be a requirement not only for AWS but for every cloud service the organization uses.
Rotate Credentials Regularly
Regularly change your own passwords and access keys, and ensure that all IAM users in the account do the same. Then, if a password or access key is leaked without your knowledge, the time during which the credentials can be used to access resources is limited. You can apply a password policy to your account that requires all IAM users to rotate their passwords, and choose the interval at which they must do so.
Best Practices
Use IAM Roles for Applications on EC2
Any application that needs to access other AWS services to work properly needs its own credentials. As a security best practice, use IAM roles to provide credentials to applications. Roles have their own set of permissions and do not need to be attached to any user or group.
When users launch an EC2 instance, they can specify a role for that instance; any application deployed on the instance can then use that role's credentials to access other AWS resources.
Use Roles to Delegate Permissions
Do not share security credentials between accounts to let users from another AWS account access resources in your account. Instead, use IAM roles. You can define roles that specify which permissions IAM users in other accounts are allowed to have, and which AWS accounts' IAM users are allowed to assume that role.
Use Policy Conditions as Additional Security Measures
Use date/time conditions to limit access to resources so that IAM users can only access them during workdays/shifts.
Set conditions that whitelist the IP addresses allowed to access AWS resources, so that only trusted IP addresses can reach them.
For contract employees/partners, set date conditions to block access to AWS resources after the contract termination date.
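The three conditions above (time window, trusted source addresses, contract end date) all live in the Condition block of a policy statement, and the MFA requirement from the earlier section fits the same block. The following added example, not from the original article, builds such a statement with the real IAM condition keys aws:SourceIp, aws:CurrentTime and aws:MultiFactorAuthPresent, and pairs it with a small local evaluator so the effect of each condition can be checked offline. The evaluator is a deliberate simplification of IAM's logic (no explicit Deny, no Resource matching, only five operators); the contractor, network range, bucket and dates are constructed.

```python
import ipaddress
from datetime import datetime


def conditional_statement(trusted_cidrs, access_ends, actions, resources):
    """Allow `actions` on `resources` only from trusted networks, before a cutoff date, with MFA.

    Condition keys and operators are the real IAM ones: aws:SourceIp (IpAddress),
    aws:CurrentTime (DateLessThan) and aws:MultiFactorAuthPresent (Bool).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TrustedNetworkUntilContractEnd",
                "Effect": "Allow",
                "Action": actions,
                "Resource": resources,
                "Condition": {
                    "IpAddress": {"aws:SourceIp": trusted_cidrs},
                    "DateLessThan": {"aws:CurrentTime": access_ends},
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(value):
    # IAM uses ISO 8601; fromisoformat() on Python < 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _operator_matches(operator, expected, actual):
    """Evaluate one condition operator; several expected values match if any one does."""
    values = _as_list(expected)
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if operator == "NotIpAddress":
        ip = ipaddress.ip_address(actual)
        return not any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if operator == "DateLessThan":
        return any(_parse_time(actual) < _parse_time(v) for v in values)
    if operator == "DateGreaterThan":
        return any(_parse_time(actual) > _parse_time(v) for v in values)
    if operator == "Bool":
        return str(actual).lower() in {str(v).lower() for v in values}
    raise ValueError(f"operator not supported by this local evaluator: {operator}")


def conditions_match(condition, context):
    """Every condition key must hold; a key absent from the request context fails the check."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            if not _operator_matches(operator, expected, context[key]):
                return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement names the action and all of its conditions hold.

    Simplification: explicit Deny statements and Resource matching are not modelled.
    """
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        if action not in _as_list(statement.get("Action", [])):
            continue
        if conditions_match(statement.get("Condition", {}), context):
            return True
    return False


# Constructed example: a contractor may read one bucket from the office network until mid-2025.
CONTRACTOR_POLICY = conditional_statement(
    trusted_cidrs=["203.0.113.0/24"],
    access_ends="2025-06-30T00:00:00Z",
    actions=["s3:GetObject", "s3:ListBucket"],
    resources=["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
)
```

Note the missing-key rule in conditions_match: a request whose context carries no aws:MultiFactorAuthPresent value is refused, which mirrors how IAM treats a plain Bool condition on a key that is absent. If you want the opposite behaviour for optional keys, IAM provides the ...IfExists operator variants, which this evaluator does not implement.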
Regularly Review IAM Permissions
As a security best practice, regularly review your organization's AWS IAM policies to ensure they grant least privilege. Each policy comes with a policy summary, which is a good starting point for auditing IAM policies.
Delete Unnecessary IAM Users/Credentials
To minimize the risk of IAM user credentials being stolen, terminate the access of every IAM user who no longer needs it. Employees who have left the organization or moved to departments that do not require AWS access should no longer have it. Organizations should audit IAM user activity to find users who have not logged into AWS for at least 90 days and revoke their permissions.
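The 90-day inactivity audit above, the credential rotation advice from the earlier section and the root access key warning can all be driven from one data source: the IAM credential report (aws iam get-credential-report), a CSV with one row per user plus a `<root_account>` row. The following added example, not from the original article, parses a constructed excerpt of that report and returns per-user findings. The report columns used here are real report columns, but the account ID, users, dates and the 90-day threshold are constructed for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed excerpt of an IAM credential report, limited to the columns this
# check reads. A real report has more columns; csv.DictReader ignores the extras.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T08:00:00+00:00,not_supported,2025-01-02T10:00:00+00:00,not_supported,true,true,2021-01-10T08:05:00+00:00,2024-11-01T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2025-01-03T08:15:00+00:00,2024-12-01T09:00:00+00:00,true,true,2024-12-01T09:10:00+00:00,2025-01-03T08:20:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T09:00:00+00:00,true,2024-08-20T11:00:00+00:00,2024-02-01T09:00:00+00:00,false,true,2023-05-10T09:10:00+00:00,2024-07-30T08:20:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-01-01T09:00:00+00:00,false,no_information,N/A,false,true,2023-01-01T09:01:00+00:00,2025-01-04T06:00:00+00:00,true,2024-12-20T09:00:00+00:00,N/A
"""

AS_OF = datetime(2025, 1, 5, tzinfo=timezone.utc)   # constructed "today" for the audit
STALE_DAYS = 90                                      # threshold from the text

# Placeholder values the report uses where no timestamp applies.
_NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _days_since(value, as_of):
    """Age in whole days of a report timestamp, or None for a placeholder value."""
    if value in _NO_VALUE:
        return None
    return (as_of - datetime.fromisoformat(value.replace("Z", "+00:00"))).days


def credential_findings(report_csv, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return (user, finding code) pairs for inactive, unrotated or MFA-less credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root_without_mfa"))
        # Console password: require MFA, rotation within the window, and recent use.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console_password_without_mfa"))
            changed = _days_since(row["password_last_changed"], as_of)
            used = _days_since(row["password_last_used"], as_of)
            if changed is not None and changed > stale_days:
                findings.append((user, "password_rotation_overdue"))
            idle = used if used is not None else changed   # never used: count from last change
            if idle is not None and idle > stale_days:
                findings.append((user, "console_inactive"))
        # Access keys: the root user should have none; others must rotate and actually use them.
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root_access_key_{n}_active"))
            rotated = _days_since(row[f"access_key_{n}_last_rotated"], as_of)
            used = _days_since(row[f"access_key_{n}_last_used_date"], as_of)
            if rotated is not None and rotated > stale_days:
                findings.append((user, f"access_key_{n}_rotation_overdue"))
            idle = used if used is not None else rotated
            if idle is not None and idle > stale_days:
                findings.append((user, f"access_key_{n}_inactive"))
    return findings


def findings_by_user(report_csv, as_of=AS_OF, stale_days=STALE_DAYS):
    """Group findings as {user: sorted list of codes}; users with no findings are absent."""
    grouped = {}
    for user, code in credential_findings(report_csv, as_of, stale_days):
        grouped.setdefault(user, []).append(code)
    return {user: sorted(codes) for user, codes in grouped.items()}
```

Run against the sample, alice produces no findings, bob is flagged for both inactivity and missing MFA (a candidate for revocation rather than a reminder), deploy-bot only needs its first key rotated, and the root row shows an active access key that should be removed. A key that was rotated recently but never used is deliberately not reported as inactive; its age is counted from the rotation date instead.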
Monitor User Activity
Monitor user activity across all cloud services (including IAM user activity) to identify anomalous activity from compromised accounts or from malicious or negligent employees. Amazon supports AWS activity monitoring through AWS CloudTrail.
For how to view and track the account activity history of specific IAM users, roles, and AWS access keys, refer to the following URL:
https://amazonaws-china.com/cn/premiumsupport/knowledge-center/view-iam-history/
For further assistance or services, please leave a message. Taiyue Cloud Business will provide automated tools and professional services.