Root - Lock away your AWS account (root) access keys
Do not use the AWS root account for day-to-day work. It has full access to every AWS resource and service, including the billing information, and its permissions cannot be restricted by IAM policies. If root access keys exist and you do not need them, delete them; a root user that is only ever signed in to with a password and MFA has far less to lose.
User - Create individual IAM users
Don't use your AWS root account credentials to access AWS, and don't give your credentials to anyone else. Instead, create individual users for anyone who needs access to your AWS account.
By creating individual users you can give each one unique credentials and grant each one different permissions, and the audit trail then shows who did what.
To start with, create a user with the AdministratorAccess managed policy. Such a user can do everything the root user can, except for the few tasks that require root sign-in (for example closing the account or enabling IAM user access to the Billing console).
Groups - Use groups to assign permissions to IAM users
Instead of defining permissions for individual IAM users, create groups, define the relevant permissions for each group, and then add IAM users to those groups.
All the users in an IAM group inherit the permissions assigned to the group.
It is much easier to add new users, remove users and modify the permissions of a group of users than to maintain per-user policies, and it is easier to review: a user's effective permissions are the sum of the groups they belong to.
Permission - Grant least privilege
Creating a new user grants no permission to any AWS resource or service; everything is implicitly denied until a policy allows it. Grant users the LEAST PRIVILEGE needed to perform their task, starting narrow and widening only when a concrete need appears, rather than starting with broad access and trying to trim it later.
Passwords - Configure a strong password policy for your users
Enable a strong account password policy that defines password requirements: minimum length, required character classes (for example at least one uppercase letter and one number), how often passwords must be rotated, and whether previously used passwords may be reused.
MFA - Enable MFA for privileged users
Enable multi-factor authentication (MFA) for privileged IAM users, that is, users who are allowed to access sensitive resources or APIs. A policy condition on aws:MultiFactorAuthPresent can then deny sensitive actions to any session that did not authenticate with MFA.
Role - Use roles for applications that run on Amazon EC2 instances
Use roles (attached to the instance through an instance profile) for applications running on Amazon EC2 instances instead of creating an IAM user and hardcoding its credentials in the application. Hardcoded credentials can leak, are hard to rotate, and are awkward to distribute to new instances launched by Auto Scaling. With roles, the instance obtains temporary credentials from the instance metadata service and they are rotated automatically; the AWS SDKs and CLI pick them up without any code changes.
Sharing - Delegate by using roles instead of by sharing credentials
Allow users from the same AWS account, another AWS account, or externally authenticated users (through a corporate identity provider, or through web identities such as Google or Facebook) to assume an IAM role that specifies the permissions, instead of sharing long-term credentials with them. The role's trust policy controls who may assume it; for cross-account access, an ExternalId condition in the trust policy guards against the confused-deputy problem.
Rotation - Rotate credentials regularly
Change your own passwords and access keys regularly and enforce this for others through the password policy. Then, even if a password or access key is compromised without your knowledge, you limit how long the compromised credential can be used to access your resources.
An IAM user can have two active access keys at the same time, which is what makes rotation without downtime possible: create the second key, switch every consumer to it, deactivate the old key, confirm nothing broke, and only then delete it.
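The two-key rotation sequence above, as an added example that is not part of the original notes or AWS's own tooling. The orchestration calls the boto3 IAM client methods list_access_keys, create_access_key, update_access_key and delete_access_key by their real names, but the FakeIAM class is a constructed in-memory stand-in (assumed response shapes, fake key IDs) so the example runs offline; in production you would pass boto3.client("iam") instead. The install_new_key callback is a hypothetical hook for whatever deploys the new secret.

```python
"""Rotate an IAM user's access key using the two-active-keys limit.

Added example, not AWS tooling. rotate_access_key() works against any object
exposing the boto3 IAM client methods list_access_keys, create_access_key,
update_access_key and delete_access_key (pass boto3.client("iam") in
production). FakeIAM is a constructed in-memory stand-in so this runs offline.
"""
from itertools import count


def rotate_access_key(iam, user_name, install_new_key):
    """Create a new key, deploy it via install_new_key(key_id, secret), then
    deactivate (not delete) the previous key. Deactivating first keeps a
    rollback path if something still uses the old key.
    Returns (new_key_id, list_of_deactivated_key_ids)."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:
        raise RuntimeError(f"{user_name} already has two keys; retire one first")
    old_ids = [k["AccessKeyId"] for k in existing]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        install_new_key(new["AccessKeyId"], new["SecretAccessKey"])
    except Exception:
        # Deployment failed: drop the unused new key, leave the old one Active.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise

    for old_id in old_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    return new["AccessKeyId"], old_ids


def retire_inactive_keys(iam, user_name):
    """Step two, after a soak period with no breakage: delete Inactive keys."""
    deleted = []
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
            deleted.append(k["AccessKeyId"])
    return deleted


class FakeIAM:
    """Constructed stand-in that mimics the boto3 response shapes used above."""

    def __init__(self, keys_per_user):
        self._seq = count(1)
        self.keys = {u: [{"AccessKeyId": k, "Status": "Active"} for k in ks]
                     for u, ks in keys_per_user.items()}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        slots = self.keys.setdefault(UserName, [])
        if len(slots) >= 2:  # IAM's real quota is two access keys per user
            raise RuntimeError("LimitExceeded: AccessKeysPerUser quota is 2")
        key_id = f"AKIAFAKE{next(self._seq):012d}"  # fake ID, not a real key
        slots.append({"AccessKeyId": key_id, "Status": "Active"})
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": "constructed-secret",
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName]
                               if k["AccessKeyId"] != AccessKeyId]


if __name__ == "__main__":
    iam = FakeIAM({"deploy-bot": ["AKIAFAKEOLD000000001"]})
    new_id, old_ids = rotate_access_key(iam, "deploy-bot", lambda kid, secret: None)
    print("new key", new_id, "deactivated", old_ids)
    print("deleted after soak", retire_inactive_keys(iam, "deploy-bot"))
```

The deactivate-then-delete split is deliberate: an Inactive key can be switched back to Active in seconds if a forgotten consumer breaks, whereas a deleted key is gone for good. Run retire_inactive_keys only after the old key's last-used date in the credential report stops moving.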
Track - Remove unnecessary credentials
Use the credential report, which lists all IAM users in your account together with the status of their credentials (passwords, access keys, MFA devices) and how recently each credential was used. Remove IAM user credentials that are not needed, for example access keys that have never been used or have not been used for months, and users who have a console password but no MFA device.
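A checker over the credential report, as an added example that is not part of the original notes or an AWS tool. The SAMPLE_REPORT CSV is constructed, but it uses the real column names and value conventions of `aws iam get-credential-report` (the API returns the CSV base64-encoded; decode it first). The 90-day thresholds and the finding codes are this example's own choices.

```python
"""Flag stale and risky credentials from an IAM credential report.

Added example, not AWS tooling. SAMPLE_REPORT is constructed but uses the
real column names of `aws iam get-credential-report`. Timestamps are ISO 8601
with a UTC offset; inapplicable fields read N/A, no_information or not_supported.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-05T10:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,false,true,2020-01-05T10:01:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-01T12:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-03-10T08:00:00+00:00,2024-06-08T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-29T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-svc,arn:aws:iam::123456789012:user/legacy-svc,2019-02-14T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-02-14T00:05:00+00:00,2022-11-03T17:45:00+00:00,eu-west-1,ec2,true,2023-01-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_time(value):
    """Aware datetime for an ISO 8601 field; None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def stale_credentials(report_csv, now=None, unused_days=90, max_key_age_days=90):
    """Return (user, finding_code, detail) tuples.

    A credential that has never been used is measured from its creation
    (user_creation_time for passwords, last_rotated for keys), so a key
    created yesterday is not reported as unused."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_time(now)
    unused_cutoff = now - timedelta(days=unused_days)
    age_cutoff = now - timedelta(days=max_key_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root gets its own rules: it must have MFA and should have no access keys.
            if row["mfa_active"] != "true":
                findings.append((user, "ROOT_NO_MFA", ""))
            for slot in ("access_key_1", "access_key_2"):
                if row[f"{slot}_active"] == "true":
                    findings.append((user, "ROOT_ACCESS_KEY", slot))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "CONSOLE_NO_MFA", ""))
            last_used = parse_time(row["password_last_used"]) or parse_time(row["user_creation_time"])
            if last_used < unused_cutoff:
                findings.append((user, "PASSWORD_UNUSED", ""))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"{slot}_last_rotated"])
            last_used = parse_time(row[f"{slot}_last_used_date"]) or rotated
            if last_used < unused_cutoff:
                findings.append((user, "KEY_UNUSED", slot))
            if rotated < age_cutoff:
                findings.append((user, "KEY_STALE", slot))
    return findings


if __name__ == "__main__":
    for finding in stale_credentials(SAMPLE_REPORT, now="2024-06-01T00:00:00+00:00"):
        print(*finding)
```

On the constructed data, alice (MFA on, key rotated and used recently) produces nothing, while legacy-svc shows the classic service-account rot: two active keys, one last used in 2022 and one never used, both far past the rotation window. The root row is reported for having an access key at all, which is the "delete the root keys" point from the first section.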
Conditions - Use policy conditions for extra security
Define conditions under which your IAM policies allow access to a resource, for example restricting an action to requests that come from a given IP range (aws:SourceIp), that were made with MFA (aws:MultiFactorAuthPresent), or that arrive over TLS (aws:SecureTransport). Conditions provide finer-grained access control than Action and Resource alone. Remember that an explicit Deny whose condition matches always overrides any Allow, which is what makes a conditional Deny the right tool for "no MFA, no access" rules.
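A policy with two conditional Deny statements and a minimal evaluator to exercise it, as an added example that is not part of the original notes and not AWS's evaluation engine. It implements only the subset of IAM logic needed here (explicit Deny wins, then any matching Allow, otherwise implicit deny; the Bool, BoolIfExists, IpAddress, NotIpAddress and StringEquals operators; `*` wildcards in Action and Resource) and is case-sensitive where real IAM action matching is not. The bucket name and IP ranges are made up.

```python
"""Policy conditions in action: a minimal evaluator for IAM-style policies.

Added example, not AWS code. Supports: explicit Deny overrides Allow, default
deny; operators Bool, IpAddress, NotIpAddress, StringEquals and their
...IfExists variants; '*' wildcards in Action and Resource.
"""
import fnmatch
import ipaddress

# Allow everything in S3, but deny it all without MFA, and deny the payroll
# bucket from outside the office range (203.0.113.0/24 is a documentation range).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         # IfExists: if the key is absent (long-term access key, no MFA
         # possible) the condition counts as true, so the Deny applies.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::payroll-bucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    """Action/Resource matching with '*' wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All operator blocks and all keys inside them must hold (logical AND)."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in keys.items():
            expected = [str(e) for e in _as_list(expected)]
            if key not in context:
                if if_exists:
                    continue  # missing key + IfExists: treated as satisfied
                return False  # missing key without IfExists: not satisfied
            actual = context[key]
            if base == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            elif base in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(e, strict=False) for e in expected)
                ok = in_range if base == "IpAddress" else not in_range
            elif base == "StringEquals":
                ok = str(actual) in expected
            else:
                raise NotImplementedError(f"operator {operator} not supported here")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _match(stmt["Action"], action) or not _match(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of later Allows
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed


if __name__ == "__main__":
    office_mfa = {"aws:MultiFactorAuthPresent": True, "aws:SourceIp": "203.0.113.10"}
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::payroll-bucket/q1.csv", office_mfa))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::payroll-bucket/q1.csv",
                   {"aws:MultiFactorAuthPresent": True, "aws:SourceIp": "198.51.100.7"}))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::public-assets/logo.png",
                   {"aws:SourceIp": "198.51.100.7"}))  # no MFA key at all
```

The third call shows why the widely copied MFA guard uses BoolIfExists rather than Bool: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key in its context, and a plain Bool condition would then evaluate false, letting the Deny silently not apply.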
Auditing - Monitor activity in your AWS account
Use the logging features provided by AWS, such as CloudTrail for API and console activity, S3 server access logs and CloudFront access logs, to determine the actions users have taken in your account and the resources that were used. Log files show the time and date of actions, the identity that made the call, the source IP for an action, which actions failed due to inadequate permissions, and more. Ship the logs to a bucket the logged accounts cannot modify, and review them rather than just collecting them.
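A small triage pass over a CloudTrail log file, as an added example that is not part of the original notes or an AWS feature. SAMPLE_TRAIL is constructed in the shape CloudTrail delivers to S3 (a JSON object with a Records array), populating only the fields the checks use; the account ID, user names, IPs and the three-denial threshold are made up.

```python
"""Triage CloudTrail records for root activity, console logins without MFA,
and principals accumulating permission denials.

Added example, not AWS tooling. SAMPLE_TRAIL is constructed in the shape of a
CloudTrail log file (JSON object with a Records array); only the fields the
checks read are populated.
"""
import json
from collections import Counter

ROOT_ARN = "arn:aws:iam::123456789012:root"
BOB = {"type": "IAMUser", "userName": "bob",
       "arn": "arn:aws:iam::123456789012:user/bob"}
ALICE = {"type": "IAMUser", "userName": "alice",
         "arn": "arn:aws:iam::123456789012:user/alice"}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-01T08:59:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-06-01T09:05:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": BOB, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-06-01T09:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.77",
     "userIdentity": BOB, "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: iam:ListUsers"},
    {"eventTime": "2024-06-01T09:06:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
     "userIdentity": BOB, "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-06-01T09:07:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.77",
     "userIdentity": BOB, "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2024-06-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.40",
     "userIdentity": ALICE},
]})

DENIAL_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def triage(trail_json, denied_threshold=3):
    """Return (finding_code, principal_arn, detail) tuples in record order,
    with the per-principal denial count appended at the end."""
    findings = []
    denied = Counter()
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn") or ident.get("type", "unknown")
        if ident.get("type") == "Root":
            # Any root use is worth a ticket: root should be locked away.
            findings.append(("ROOT_ACTIVITY", who,
                             f"{rec['eventName']} from {rec['sourceIPAddress']}"))
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("CONSOLE_LOGIN_NO_MFA", who,
                             f"{rec['eventTime']} from {rec['sourceIPAddress']}"))
        if rec.get("errorCode") in DENIAL_CODES:
            denied[who] += 1  # repeated denials look like permission probing
    for who, n in denied.items():
        if n >= denied_threshold:
            findings.append(("REPEATED_ACCESS_DENIED", who, f"{n} denied calls"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL):
        print(*finding)
```

Note that the EC2 API reports a permission failure as Client.UnauthorizedOperation rather than AccessDenied, so a detection that only matches the latter misses a whole service; DENIAL_CODES covers both spellings.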
Exam Scenario Questions
- Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
- Create individual IAM users for everyone in your organization (not necessarily: federated users can assume roles instead of having IAM users)
- Configure MFA on the root account and for privileged IAM users
- Assign IAM users and groups configured with policies granting least privilege access
- Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (each credential type is only needed for the access method the user actually uses, console or command line, so not every user needs all three)