Identity security is one of the basic and most important considerations online, and securing your cloud environment is just as important as the work you are doing in the cloud.
AWS IAM connects who (developers, SREs and so on) can access what (permissions) on which resources (for example EC2 instances and Lambda functions).
If malicious actors can penetrate your cloud environment with ease, a lot of damage is bound to happen, but that can be prevented by enforcing the following AWS IAM security best practices.
- Require human users to use federation with an identity provider to access AWS using temporary credentials. Why use an identity provider? It centralises user stores, reduces password fatigue, reduces the number of systems to secure, and makes auditing easier.
- Require multi-factor authentication: MFA combines what you know (a password) with what you have (a device).
- Safeguard your root user credentials and don't use them for everyday tasks. Root user credentials are long-term credentials, and they also have full access to your AWS account.
- Assign least privilege: grant users and systems the narrowest set of permissions needed to complete their required tasks.
- Regularly review and remove unused users, roles, permission policies and credentials: look at IAM users and roles and the services they have accessed, and remove those that have not been used in a while and are no longer required.
- Rotate access keys regularly for use cases that require long-term credentials; you should, however, never use access keys with the root account. The rotation steps are:
  - Create a new access key.
  - Update the app to use the new access key.
  - Validate that all apps are up to date.
  - Mark the old access key as inactive.
  - Wait for some period of time, then delete the old access key.
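The rotation steps above, as an added example that is not part of the original post or of AWS's own tooling: a Python planner that picks the next step from a user's key metadata (the same fields boto3's list_access_keys and get_access_key_last_used return) and an apply function that performs it with boto3. It assumes a 90-day rotation interval (MAX_AGE_DAYS), that runs are scheduled far enough apart that a key already marked Inactive has passed the waiting period, and it uses constructed sample key data; the key IDs and user name are placeholders.

```python
"""Access-key rotation planner for one IAM user (added example, not AWS code)."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # assumed rotation interval; use what your own policy requires

# Constructed sample, not real IAM data, so the planner can be run offline.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEOLD00001", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=120), "LastUsedDate": SAMPLE_NOW - timedelta(days=10)},
    {"AccessKeyId": "AKIAEXAMPLENEW00002", "Status": "Active",
     "CreateDate": SAMPLE_NOW - timedelta(days=5), "LastUsedDate": SAMPLE_NOW - timedelta(days=1)},
]

def plan_rotation(keys, now, max_age_days=MAX_AGE_DAYS):
    """Pick the next rotation step from key metadata; pure, never calls AWS."""
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    plan = {"create": False, "deactivate": [], "still_in_use": [],
            # Inactive keys were retired on an earlier run, so the waiting period
            # has passed and they can be deleted (step 5).
            "delete": [k["AccessKeyId"] for k in keys if k["Status"] == "Inactive"]}
    if len(active) >= 2:
        newest = active[-1]
        for old in active[:-1]:
            used = old.get("LastUsedDate")
            if used is not None and used > newest["CreateDate"]:
                plan["still_in_use"].append(old["AccessKeyId"])  # step 3 not done
            else:
                plan["deactivate"].append(old["AccessKeyId"])  # step 4
    elif active and now - active[0]["CreateDate"] > timedelta(days=max_age_days):
        plan["create"] = True  # step 1: the only key is overdue, issue a new one
    return plan

def apply_plan(user_name):
    """Fetch live metadata with boto3, plan, and apply one rotation step."""
    import boto3  # imported here so plan_rotation() stays usable without boto3
    iam, keys = boto3.client("iam"), []
    for md in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        used = iam.get_access_key_last_used(AccessKeyId=md["AccessKeyId"])
        md["LastUsedDate"] = used["AccessKeyLastUsed"].get("LastUsedDate")
        keys.append(md)
    plan = plan_rotation(keys, datetime.now(timezone.utc))
    if plan["create"]:  # step 2 is the caller's job: hand the new key to the app
        plan["new_key"] = iam.create_access_key(UserName=user_name)["AccessKey"]
    for kid in plan["deactivate"]:
        iam.update_access_key(UserName=user_name, AccessKeyId=kid, Status="Inactive")
    for kid in plan["delete"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=kid)
    return plan
```

An old key that was still used after the new one was issued is reported in `still_in_use` and left Active, because deactivating it would break the app that has not been updated yet.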
- Require workloads to use temporary credentials with IAM roles to access AWS. This ensures a limited lifetime and automatic expiration, eliminates the need for credential distribution and storage, and lets apps request credentials when they need them.
  For workloads running on-premises or in a hybrid cloud, you can use IAM Roles Anywhere, which is a free solution.
- Verify public and cross-account access to resources with IAM Access Analyzer. Inspect and verify external access: enable Access Analyzer and AWS will continuously monitor your resources and generate findings for you to review.
- Establish permission guardrails across multiple accounts: establish a data perimeter that ensures only trusted identities are granted access to change permissions. A data perimeter also provides defence in depth and helps you meet compliance requirements.