Best Practices for enhancing IAM security: AWS Articles

Image by Pete Linforth from Pixabay

Suppose you are starting a new project with a team that consists of people who will perform different roles. Considering the popularity and wide usage of the AWS cloud, you have decided to set up your project infrastructure on AWS. Let’s assume you have 4 developers, 2 cloud engineers, 1 software tester and 1 project manager in your team.

All of these users would access various services inside the AWS cloud depending on their job roles and requirements. Some may need higher levels of access such as admins, while others would need fine-grained access controls in specific services such as a developer.

To achieve this goal of providing access and controlling the privileges each user has in the AWS cloud we have the IAM service in AWS. Basically, IAM stands for Identity Access and Management which provides the functionality to create users, user groups, access policies, roles, etc. IAM gives a centralised system for the management of users and access level each user has in your AWS account.

For example, if you want to make the cloud engineers in your team the administrators of the AWS account, you can simply attach the AdministratorAccess managed policy to them using the IAM console or using the aws cli. Similarly, you can create a custom policy for the developers and grant them access to the services they need and you can put rules in the policies as fits in your use case. You can check my article “How to restrict users to access AWS services in a specific region” where you will get to see the usage of custom policies and rules. For more details about the IAM services you can also refer to the AWS documentation as well — https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

We are now well aware about the IAM service and its functionalities. Let’s understand how important IAM is from the perspective of cyber security and why it is important to secure IAM.

“If any user’s IAM credentials gets compromised and a malicious intruder logs into the system it would pose a very high risk to your application, users and data. The attacker can delete your servers, databases, storage buckets, etc. The data of your users can also be compromised. Furthermore, if the credentials are for your root account the attacker can fully hijack the account and can perform various actions which can cause huge loss for you and your organisation.”

The above pointers that I mentioned above could happen in case of an IAM account compromise and can lead to financial loss, damaged reputation of the organisation and valuable data compromise as well. A few examples of Security Breaches due to IAM compromise are -

1. Capital One Data Breach (2019)
2. Tesla Cloud Hack (2018)
3. Uber Data Breach (2016)

It’s important to secure IAM accounts and roles with the best practices in place as much as possible. Let’s look at a few practices for improving the security of your IAM users and roles -

1. All users including the root account should have MFA (Multi-Factor Authentication) enabled. This would ensure one extra layer of security for the IAM accounts.
2. Incorporate the least privilege principle when designing policies to grant access to the services required by any user. The principle of least privilege means granting users the minimum level of access required to perform their job functions.
3. Avoid generating any unnecessary access key pairs for your users and also ensure that no such credentials are posted openly on the internet such as on any forum, github repository, etc.
4. Try using roles instead of access key pairs to grant privileges to applications or services which need to access other services wherever possible.
5. Create IAM Groups based on user roles, attach required policies to the group and add users in the group. Avoid attaching policies directly to the IAM user.
6. Enforce strict password policies and users must create new credentials after activating their IAM account.
7. Perform regular audits of IAM users and policies. You can use an IAM Access Analyzer as well.
8. Each user must have a separate IAM user account and multiple users should not share a single IAM user.

The above practices would help us design a better IAM management process in our Organisation and also enhance the security of the IAM users and roles in the AWS account. You can also look further to enhance ease of management of IAM accounts with practices like Single Sign On and Federated Identity Management.

I hope this was a good read for you.