This blog post focuses on Identity and Access Management (IAM) best practices within Amazon Web Services (AWS). AWS Organizations will be covered in a subsequent post.
IAM Guidelines & Best Practices
When using the IAM service in AWS, there are a number of key guidelines to remember:
Do NOT use the root account except for AWS account set-up
One physical user = One AWS user
It is best to assign users to groups and assign permission to groups
Enforce the use of Multi Factor Authentication (MFA)
Create and use Roles for giving permissions to AWS services
Use Access Keys for Programmatic Access to AWS CLI and AWS SDK
Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
NEVER SHARE IAM USERS & ACCESS KEYS
IAM Users & Groups
AWS IAM is a global service, which means it is not region-specific. AWS IAM is one of 4 global services (Route 53, CloudFront, Web Application Firewall (WAF), and IAM).
Root Account
created by default and should not be used or shared with anyone
Users
people within your organization.
can be grouped.
users can belong to multiple groups
Groups
only contain users
cannot contain other groups within them
IAM Permissions
Policies
JSON documents that can be assigned to Users or Groups
defines the permissions of the users
Least Privilege
a principle where you don’t give more permissions than a user needs to perform their job
IAM Policy Structure
Version
policy language version
Ex: “2012-10-17”
Id
an identifier for the policy
optional field
Statement
one or more individual statements
required field
The statement field consists of:
Sid
an identifier for the statement
optional field
Effect
whether the statement allows or denies access
Allow, Deny
Principal
the account, user, or role to which this policy applies
Action
list of actions this policy allows or denies
Resource
list of resources to which the actions apply
Condition
conditions for when this policy is in effect
optional field
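To make the structure above concrete, here is an added example (not from the original post) that parses a constructed policy document containing every field listed above and lints it for the structural rules and the Least Privilege principle: a required Statement, Effect restricted to Allow or Deny, and wildcard Action, Resource or Principal values in Allow statements flagged. The ARNs and account id in the sample are placeholders.

```python
import json

# Constructed sample policy (placeholder ARNs): one tightly scoped statement, one that is far too broad.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-bucket-policy",
    "Statement": [
        {
            "Sid": "AllowReadFromOneBucket",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
        },
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts a single string or a list

def lint_policy(document):
    """Return findings: structural errors first, then least-privilege warnings per statement."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version should be 2012-10-17")
    statements = policy.get("Statement")
    if not statements:
        return findings + ["policy: Statement is required"]
    for stmt in _as_list(statements):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if stmt.get("Effect") != "Allow":
            continue  # wildcards in a Deny statement narrow access rather than widen it
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: wildcard Action violates least privilege")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: wildcard Resource violates least privilege")
        if stmt.get("Principal") == "*" and "Condition" not in stmt:
            findings.append(f"{sid}: anonymous Principal without a Condition")
    return findings
```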
Password Policy
Strong passwords provide higher security for your account. Therefore, it is very important to have a strong password policy for your users. In AWS, you can set up a password policy to:
set a minimum password length
require specific character types
uppercase letters
lowercase letters
numbers
non-alphanumeric characters
allow all IAM users to change their passwords
require users to change their password (password expiration)
prevent password re-use
Multi Factor Authentication (MFA)
It is important to protect your Root account and users. MFA is a great practice that combines something you know (password) with a device you own. The main benefit of MFA is that even if a password is stolen, the account is not compromised.
Some MFA devices:
Google Authenticator
Authy
YubiKey
Hardware Key Fob MFA Device
Hardware Key Fob MFA Device for AWS GovCloud (US)