IAM best practices including root account

In this article, we will discuss the best practices in managing IAM, Root and creating a new user account in AWS. AWS provides many services and managing the access to the service can be difficult.

Best practices for managing IAM Account

  • Apply the principle of least privilege (POLP).
    • While creating a new account, assign the least permission the account needs. POLP is a security measure which recommends limiting the access to what is required only
  • Analyse CloudTrail log for any suspicious activity.

View IAM Login Attemps using CloudTrail

  • Enforce a strong password requirement. By asking users to enter a password with at least one uppercase, lowercase or number the chances of the passwords being guessed reduces
  • When it comes to creating inline policy or managed policy, each has their own advantages. But, the managed policy provides more flexibility. If a managed policy is modified, the changes are applied to all the users associated with that policy compared to an inline policy which needs to be modified per user.
  • Create an individual user account. For example: if you have team developers create an account per developer but assign all to a single group. It is much easier to revoke access in case a developer leaves the company
  • Prevent the use of old passwords. You can control how frequent old passwords can be used in the IAM Management dashboard.
  • Set the minimum password length to be at least 8. A study by NIST recommends password length should be at least 8.
  • Require passwords with combinations of uppercase, lowercase, number and non-alphanumeric characters.

AWS IAM Management Dashboard with modified password policy



Root Account Management

The root account is the one that was used to create the AWS account. It has access to all the resources. Securing this account is very important!

Best practices for managing the root account.

  • Enable Multi-Factor authentication (MFA). MFA will make it harder for a hacker to get access to your account
  • Lock the account by saving the password in a secure location with access to limited users only (KeyPass, LastPass is an excellent software to save passwords)
  • Use a distribution group email address while creating the AWS Account. for example instead of creating the account under an employee email create it under a group email (web_admin_909@example.com )
  • Best not to use it for daily use

Conclusion:

It is best to apply the recommendation to the root account at the earliest time as unauthorized access to it can cause serious damages.

Enabling MFA is an extremely strong security measure that hardens important accounts.

If you are interested in knowing more, please watch the video below.

 

Are you planning to take the AWS Solution Architect 2018 Exam? We have written a summary of key points to revise before the exam 🙂