Securing AWS IAM in a scalable cloud such as AWS is an important task to do.
When we first create our account, the initial component we interact with is IAM (Identity and Access Management). Given the importance of IAM, applying the best practices gives us the confidence that our account management is secure and is following industry recommendations.
In this blog post, we are going to cover the top action points you need to take for a better account secure posture.
Best practices for managing AWS IAM Accounts
- Apply the principle of least privilege (POLP).
- While creating a new account, assign the least permission the account needs. POLP is a security measure which recommends limiting the access to what is required only.
- Always ask what the user wants to do, prior assigning wider permission.
- Analyse CloudTrail log for any suspicious activity. CloudTrail logs can be shipped to CloudWatch or a third party service for better monitoring and alerting.
- Enforce a strong password requirement. By asking users to enter a password with at least one uppercase, lowercase or number the chances of the passwords being guessed reduces.
- When it comes to creating inline policy or managed policy, each has their own advantages. But, the managed policy provides more flexibility. If a managed policy is modified, the changes are applied to all the users associated with that policy compared to an inline policy which needs to be modified per user.
- Create groups and assign users to the correct group. A group can be for finance or engineers where users are assigned to.
- Prevent the use of old passwords. You can control how frequent old passwords can be used in the IAM Management dashboard.
- Apply CIS Benchmark 1.4 to your AWS account through IaC such as a Terraform module. While CIS Benchmark has many good recommendations if you find one that doesn’t meets your compliance, have a log of it and revisit it later on.
- Enable key AWS Security services:
- AWS Security Hub.
- AWS GuardDuty
- AWS Config
- Investigate Critical severity on Security Hub.
- Utilise AWS SSO, with SSO integration you can leverage your current authentication mechanisms with AWS. This can be Azure Entra, Google, OKTA or any other SAML providers.
- Perform a monthly audit on the policy assigned.
- Leverage IAM Access Analyzer.
- Create a SNS notification to monitor the followings:
- Password resets
- Failed logins
- Logins without MFA
- Access Key creation
- Create a secondary role which users need to assume if you lack AWS SSO integration. This is an industry good practice to reduce the chances of accidentally deleting or modifying resources. By default when user logins they only have assume role permission, they would need to assume another role to carry on their interaction.
Root Account User Management
Root account is the email address which you register the AWS account. This account has the ultimate power and can perform any action, including closing the AWS account!.
Best practices for managing the root user.
- Enable Multi-Factor authentication (MFA). MFA will make it harder for a hacker to get access to your account
- Lock the account by saving the password in a secure location with access to limited users only (KeyPass, LastPass is an excellent software to save passwords)
- Use a distribution group email address while creating the AWS Account. for example instead of creating the account under an employee email create it under a group email (email@example.com )
- Use a hardware MFA and secure it in a safe place. Industry practice is the following:
- Password for the email is known to only one individual.
- Access to the MFA is known to one user
- In this case, credentials are secret to each other.
- Configure monitoring on the Root account activity. Do not just send e-mails. Send e-mails and SMS. While e-mails are used most often, sometimes they might end in the spam folder.
- If you do not have access to a hard-ware MFA, enable virtual MFA.
- Create a workflow where it needs to be followed if the root account access is required and record the session.
- Certain tasks can only be managed by the root user credentials. For these tasks always have a ticket and plan it accordingly.
- Do not create root account access keys!
Securing access to your AWS account account is important. Always follow the best practices and keep the monitoring in place. Pay attention to the root account activity, and use it only in extreme rare cases.