Wednesday, March 9, 2016

AWS - IAM Best Practices

Root - Lock away your AWS account (root) access keys
Do not use the AWS root account for day-to-day work: it has full access to every AWS resource and service, including the billing information, and its permissions cannot be restricted by any policy. If you do not use the root access keys, delete them; a root account with no access keys can only be used interactively through the console, which is far easier to protect.

User - Create individual IAM users
Don't use your AWS root account credentials to access AWS, and don't share your credentials with anyone else. Instead, create an individual IAM user for each person who needs access to your AWS account.
By creating individual users you can give each one unique credentials and grant each one different permissions, and activity in the logs can be traced back to a single person.
To start with, create a user with administrator permissions (for example through the AWS managed AdministratorAccess policy). Such a user has access to all resources like the root user, except the billing information, which IAM users can only reach if the root user explicitly enables IAM access to billing.

Groups - Use groups to assign permissions to IAM users
Instead of defining permissions for individual IAM users, create groups, define the relevant permissions for each group, and then add IAM users to those groups.
All the users in an IAM group inherit the permissions assigned to the group.
This makes it much easier to add new users, remove users, and modify the permissions of a whole set of users at once.

Permission - Grant least privilege
A newly created IAM user has no permissions to access any AWS resource or service. Grant users only the LEAST PRIVILEGE needed to perform their task: start from a minimal set of permissions and add more only when a real need is shown.

Passwords - Configure a strong password policy for your users
Enable a strong account password policy so that users must create passwords that meet requirements such as a minimum length, at least one uppercase letter and at least one number, and must rotate them at the interval you define.

MFA - Enable MFA for privileged users
Enable multi-factor authentication (MFA) for privileged IAM users, who are allowed access to sensitive resources or APIs, and for the root account itself.

Role - Use roles for applications that run on Amazon EC2 instances
Use IAM roles for applications running on Amazon EC2 instances instead of creating an IAM user and hard-coding its credentials in the application. Hard-coded credentials can leak and compromise access, are hard to rotate, and are awkward to distribute to new instances launched by Auto Scaling. With a role attached to the instance, the application obtains temporary credentials from the instance metadata service, and those credentials are rotated automatically.

Sharing - Delegate by using roles instead of by sharing credentials
Let users from the same AWS account, from another AWS account, or externally authenticated users (through a corporate authentication service, or through Google, Facebook and the like) assume an IAM role that specifies the permissions they get, instead of handing them long-term credentials.
 
Rotation - Rotate credentials regularly
Change your own passwords and access keys regularly, and enforce this for users through the password policy. Then, even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources.
A user can have two active access keys at the same time, which allows rotation without downtime: create the second key, switch the application to it, confirm from the last-used data that the old key is no longer in use, then deactivate and finally delete the old key.

Track - Remove unnecessary credentials
Use the credential report, which lists every IAM user in your account, the status of each of their credentials (passwords, access keys, MFA devices) and how recently each credential was used. Remove credentials that are not needed, for example console passwords for users who only call the API, and access keys that have not been used for a long time.
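
The script below is an added example, not code from the original post or from AWS. It runs the checks from the Root, MFA, Rotation and Track sections above over a credential report: the column names are the ones the real report uses, but the users, ARNs, timestamps, the account number 123456789012, the "today" date and the 90-day threshold are all constructed for this example.

```python
"""Audit an IAM credential report for the credential-hygiene issues on this page."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the real credential report (CSV with a
# header row). Users, ARNs, account number and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-10T09:00:00+00:00,not_supported,2016-03-01T08:00:00+00:00,not_supported,not_supported,false,true,2014-01-10T09:05:00+00:00,2015-11-02T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-06-01T12:00:00+00:00,true,2016-03-08T17:30:00+00:00,2016-01-15T12:00:00+00:00,2016-04-14T12:00:00+00:00,true,true,2016-02-20T12:00:00+00:00,2016-03-08T17:35:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-02-11T12:00:00+00:00,true,2016-03-07T09:00:00+00:00,2015-02-11T12:00:00+00:00,2015-05-12T12:00:00+00:00,false,true,2015-02-11T12:00:00+00:00,2016-03-07T09:10:00+00:00,eu-west-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-08-20T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2015-08-20T12:00:00+00:00,no_information,N/A,N/A,true,2015-12-01T12:00:00+00:00,2016-03-08T02:00:00+00:00,us-west-2,s3,false,N/A,false,N/A
"""

NOW = datetime(2016, 3, 9, tzinfo=timezone.utc)  # assumed "today": the post's date
MAX_AGE = timedelta(days=90)                      # assumed rotation / inactivity threshold
ROOT = "<root_account>"                           # how the report names the root user


def parse_time(value):
    """Datetime for an ISO-8601 report field, None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return sorted (user, finding) pairs.

    Finding codes map to the page's sections: root_access_key_* and
    root_without_mfa to "Root" and "MFA", password_without_mfa to "MFA",
    key_*_stale to "Rotation", key_*_never_used and key_*_unused to "Track".
    """
    findings = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # Root has no IAM password entry, so check its MFA flag on its own.
        if is_root and row["mfa_active"] != "true":
            findings.add((user, "root_without_mfa"))
        # Anyone who can sign in to the console should have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.add((user, "password_without_mfa"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.add((user, f"root_access_key_{slot}"))
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > max_age:
                findings.add((user, f"key_{slot}_stale"))
            if last_used is None:
                findings.add((user, f"key_{slot}_never_used"))
            elif now - last_used > max_age:
                findings.add((user, f"key_{slot}_unused"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Against a real account, fetch the report with `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded CSV to `audit_report`. In the sample, alice is clean, bob is a console user without MFA whose key has never been rotated, and deploy-bot shows the typical rotation leftover: the old key slot was never cleaned up after the second key was created.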

Conditions - Use policy conditions for extra security
Define the conditions under which your IAM policies allow access to a resource, for example restricting by source IP address, by whether the request was authenticated with MFA, or by a date range. Conditions provide finer-grained access control over AWS services and resources than actions and resources alone, and an explicit Deny with a condition is the usual way to enforce such a rule across every permission a user has.

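
The following is an added example, not code from the original post or from AWS: a deliberately simplified Python model of how IAM applies conditions when evaluating a policy (default deny, an explicit Deny overrides any Allow, and every key of a Condition block must match). It models only the operators Bool, BoolIfExists, IpAddress, NotIpAddress and StringEquals; the policy, the 203.0.113.0/24 office range and the request contexts are constructed for illustration. It demonstrates the trap that bites most often with the MFA-enforcing Deny: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all, so a plain Bool condition does not match it and the Deny never fires, while BoolIfExists treats the missing key as a match.

```python
"""Simplified model of IAM policy evaluation with conditions (illustration only)."""
import copy
import fnmatch
import ipaddress

# Constructed policy: read-only EC2 from the office range, and an explicit
# Deny of everything unless the caller authenticated with MFA.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_operator(operator, expected, actual):
    """One condition operator against one request value (subset of IAM's operators)."""
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "NotIpAddress":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(expected, strict=False)
    if operator == "StringEquals":
        return actual == expected
    raise ValueError(f"operator {operator} is not modelled in this example")


def condition_holds(condition, context):
    """All operators and all keys must match; a list of expected values is OR-ed.

    A missing context key makes the condition fail, except with the ...IfExists
    suffix, where a missing key counts as a match.
    """
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in keys.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if not any(_matches_operator(base, v, context[key]) for v in _as_list(expected)):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny": default deny, explicit Deny wins over Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively with * and ? wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def without_if_exists(policy):
    """Copy of the policy with BoolIfExists replaced by Bool, to show the missing-key trap."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return weakened


if __name__ == "__main__":
    office_mfa = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"}
    office_key = {"aws:SourceIp": "203.0.113.10"}   # long-term access key: no MFA key at all
    print(evaluate(POLICY, "ec2:DescribeInstances", "*", office_mfa))            # Allow
    print(evaluate(POLICY, "ec2:DescribeInstances", "*", office_key))            # Deny
    print(evaluate(without_if_exists(POLICY), "ec2:DescribeInstances", "*", office_key))  # Allow
```

The last line is the point: with plain Bool the access-key request slips past the MFA Deny, so the condition looks enforced but is not. Real IAM has many more operators, policy types and evaluation rules than this model, so treat it as a way to reason about a condition, not as a substitute for testing the policy in the account.
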
Auditing - Monitor activity in your AWS account
Use the logging features of AWS services such as CloudTrail, S3 access logging and CloudFront access logging to determine which actions users have taken in your account and which resources were used. Log files show the time and date of an action, the source IP address of the caller, which actions failed because of inadequate permissions, and more.

Exam Scenario Questions
  1. Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
    • Create individual IAM users for everyone in your organization (not necessarily needed, since federated users can assume roles instead)
    • Configure MFA on the root account and for privileged IAM users
    • Assign IAM users and groups configured with policies granting least privilege access
    • Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (not every user needs all of these: a password only for console access, access keys only for API or command-line access)

10 comments:

  1. Amazon Web Services (AWS) BGP
    This video demonstrates how to configure Amazon Web Services BGP to set up a VPN between a Check Point Security Gateway and an Amazon VPC.
    http://www.s4techno.com/blog/2015/12/24/amazon-web-services-aws-bgp/

  2. Nice article, users are attracted when they see your post. Thanks for posting, keep updating. AWS Online Training

  3. For instance, we'd have arranged our website within the US, however we're getting 50% of our hits from Europe. This is a great blog. If you want to know more about this, visit here: AWS Cloud Certification.

  4. This comment has been removed by the author.

  5. If you want to take a great deal from this post then you have to apply these strategies to your own blog.
    kajal agarwal hot

  6. Enjoyed reading the article above; it really explains everything in detail. The article is very interesting and effective. Thank you and good luck for the upcoming articles. AWS Online Training

  7. Great article. I love to read your articles because your writing style is very good. It is very helpful for all of us and I never get bored while reading your articles because they become more and more interesting from the starting lines until the end.

    aws training in chennai | aws training in annanagar | aws training in omr | aws training in porur | aws training in tambaram | aws training in velachery