IAM Best Practices on Amazon Web Services (AWS)
One of the first things we do when working with a new Amazon Web Services (AWS) account is review its IAM policies and compare them to best practices.
It’s a scary situation. I can’t tell you how many times a client we’ve worked with has handed over their root AWS account credentials and told us to “go to town.”
This is an enormous security risk that many companies don’t even know they’re taking. One of the easiest ways to get peace of mind as a business owner is by implementing IAM best practices on AWS.
What is IAM?
IAM stands for “Identity and Access Management.” It is the AWS service that controls who can do what in your account, and it’s one of the core things you MUST understand when building out your AWS architecture.
Following these best practices will improve your security and decrease the chances that your business is at risk.
NEVER Use IAM Root Account Access Keys
When you first create an account with AWS, you are creating the “root” account. This identity has access to ALL resources in your AWS account, and any access key created for it carries that unrestricted access with it.
Most non-technical people will create an account on AWS and then hand their credentials over to a developer or development team. An inexperienced team will not create proper per-user credentials and will keep using the root account, with serious security implications.
Require Strong IAM Passwords
AWS does not require a password policy out of the gate, and allowing team members to use insecure passwords can leave your business open to a breach. By enforcing a password policy, you’ll greatly decrease the risk.
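As an added example that is not from the original article, the following Python compares an account password policy, in the shape boto3’s `get_account_password_policy()` returns under its `PasswordPolicy` key, against a minimum baseline. The weak and hardened policies are constructed sample data, and the baseline values (14 characters, 90-day maximum age, 24 remembered passwords) are this example’s own choices, not AWS defaults.

```python
# Added example: check an IAM account password policy against a baseline.
# Policy dicts use the key names boto3 returns from
# get_account_password_policy()["PasswordPolicy"]. Baseline values are this
# example's own assumptions; adjust them to your organisation's standard.

BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,           # days; the policy must be at most this
    "PasswordReusePrevention": 24,  # remembered passwords; at least this
}

# Numeric settings where "stricter" means larger or smaller respectively
AT_LEAST = {"MinimumPasswordLength", "PasswordReusePrevention"}
AT_MOST = {"MaxPasswordAge"}


def password_policy_findings(policy):
    """Return the sorted list of baseline settings the policy fails to meet.

    A missing key counts as not set: AWS omits MaxPasswordAge when
    ExpirePasswords is false, and an account with no policy at all
    (get_account_password_policy raises NoSuchEntity) should be passed
    as an empty dict so that every setting is reported.
    """
    findings = []
    for key, required in BASELINE.items():
        actual = policy.get(key)
        if key in AT_LEAST:
            ok = actual is not None and actual >= required
        elif key in AT_MOST:
            ok = actual is not None and actual <= required
        else:
            ok = actual == required
        if not ok:
            findings.append(key)
    return sorted(findings)


# Constructed: a weak policy of the kind left behind by an ad-hoc setup
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Constructed: the same account after the policy is tightened to the baseline
HARDENED_POLICY = {**BASELINE, "HardExpiry": False}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {password_policy_findings(policy) or 'meets baseline'}")
```

Against a live account you would feed the function the `PasswordPolicy` dict from boto3 and fix any reported setting with `aws iam update-account-password-policy`; a `NoSuchEntity` error from the API means no policy is set at all, which is the state the paragraph above warns about.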
Enable AWS Multifactor Authentication (MFA) Across All AWS Users
MFA requires a second factor, typically a code from a device you hold, in addition to the password to sign in. With MFA enabled, someone who has only the username and password of the IAM user cannot access the account. We recommend an application such as Authy to perform MFA.
Create Individual IAM Users
Every user on your AWS account should access resources through their own IAM user. This allows you to easily revoke that person’s access when they no longer need it.
Grant Least Privilege
Give developers access only to the actions, operations and resources required to fulfill their tasks.
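To make “least privilege” concrete, here is an added example, not from the original article, that lints an IAM policy document for the wildcard grants that most often violate it. Both policy documents are constructed samples: the broad one is the kind attached in a hurry “to make it work,” the scoped one grants the same job (reading and writing objects in one bucket) and nothing else. The bucket name `example-app-uploads` and the account-free ARNs are placeholders.

```python
# Added example: flag wildcard grants in an IAM policy document.
# The policies are constructed samples; "example-app-uploads" is a placeholder.
import json

# Constructed: grants every action on every resource
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed: grants a whole service, scoped to one bucket's objects
SERVICE_WIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
    ],
})

# Constructed: the same job as above, scoped to the exact actions it needs
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-uploads"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def broad_grants(policy_json):
    """Return (statement index, reason) for each Allow statement that uses a
    wildcard: '*' or 'service:*' in Action, '*' in Resource, or NotAction /
    NotResource (which grant everything except the listed items). Deny
    statements are skipped because a wildcard there only narrows access."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource inverts the grant"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"Action '{action}' grants an entire service"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "Resource '*' applies to every resource"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY),
                         ("service-wide", SERVICE_WIDE_POLICY),
                         ("scoped", SCOPED_POLICY)):
        print(f"{name}: {broad_grants(policy) or 'no wildcard grants'}")
```

This catches only the obvious wildcards; a policy can still be over-broad with fully spelled-out actions (for example `iam:PassRole` on every role), so use it as a first pass before a human review of each group’s policy.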
Assign Users to Groups
Managing privileges user by user quickly becomes complicated. By creating groups, you can predetermine which resources a type of user is allowed to access. For instance, you may have a group for billing, front end developers, back end developers, and executives. Ensure that least privilege is granted when assigning users to groups. It’s easy to get lazy. Regular audits will allow you to identify vulnerabilities and clean them up.
Regularly Review Policies
People get into a routine, and it’s easy to overlook some of these policies. Never under any circumstances share access keys. Regularly rotate credentials, and follow the above steps. You’ll find that your architecture will be cleaner and you’ll be much less exposed.
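The regular audit described here, together with the earlier points about root access keys and MFA, can be run over the IAM credential report (the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns). The following Python is an added example and not part of the original article: it parses a constructed report in the real report’s column layout (a subset of its columns; the full report has more, which `csv.DictReader` ignores) and reports root access keys, console users without MFA, and access keys older than a rotation threshold. The account id, user names, timestamps, the fixed “now” and the 90-day threshold are all made up for the example.

```python
# Added example: audit an IAM credential report for the checks in this article.
# SAMPLE_REPORT is constructed data in the credential report's column layout
# (subset of columns); the 90-day threshold and fixed NOW are assumptions.
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold (assumption)

# The real report writes the root row with user "<root_account>" and uses
# "N/A", "not_supported" or "no_information" where a value does not apply.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2022-01-10T09:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-02T12:00:00+00:00,true,2024-05-20T07:30:00+00:00,2024-02-01T12:00:00+00:00,2024-05-01T12:00:00+00:00,true,true,2024-04-15T12:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-06-01T00:10:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-09-09T10:00:00+00:00,true,2024-05-18T16:45:00+00:00,2024-04-30T10:00:00+00:00,2024-07-29T10:00:00+00:00,false,false,N/A,false,N/A
"""

# Fixed clock so the sample output is deterministic; use
# datetime.now(timezone.utc) against a live report.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Timestamps are ISO 8601; placeholders mean 'no value'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA"))
        # Console users (password enabled) must have MFA turned on
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key {n}"))
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

The root row is the first thing to look at: an active key there means the “go to town” credentials from the opening of this article are still live, and the fix is to delete the key rather than rotate it. Run the same audit on a schedule and the group and policy reviews above become a routine rather than a one-off clean-up.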