AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM News 2018: Detail and Delegation
Yubikey MFA on AWS
The ever-popular Yubikey can now be used for MFA on your AWS accounts through either a single key being used for multiple IAM users and root users or on an individual basis. As MFA is spreading as a security necessity, this physical key will no doubt help to ensure you are following best practices effortlessly.
In the summer, AWS released a great IAM feature to encourage delegation for scale in your business. You are now able to grant your most trusted employees the ability to create and manage IAM permissions by setting them permission boundaries, enabling the business to migrate and run workloads quicker.
Clearer Access Key Info
Back in May, AWS introduced timestamps, region and the service last accessed within IAM using GovCloud (US). This more detailed picture helps users to rotate keys and identify inactive users quickly and confidently.
Higher Spec Access Control
AWS released a new, optional condition key (AWS:PrincipleOrgID) so all IAM principles accessing your resources would need to have an AWS account in your organization. For example, for a specific S3 bucket, you can restrict access to only users within a specific AWS account in your organization using the condition element.
Going right back to basics to sanity check you’re really using IAM as you should for the best security.
Access Keys vs IAM Users
Unless you have one already or it’s absolutely imperative, avoid creating root user access keys and instead opt for IAM user roles. Should your access key credentials get into the wrong hands, you will be allowing full access to all your AWS resources for all AWS services. By assigning IAM users and roles into groups, you’re able to manage access more easily and efficiently.
Permissions and Policies
AWS have their own Defined Policies to help assign permissions, which benefits from AWS maintaining and updating them as new services and features are released. If you create your own IAM policies, start with granting the least privilege first in order to complete the work needed and build up from there.
For all credentials — passwords and access keys — it’s critical they are changed and rotated regularly. Password policies can be applied on your account so all users are regularly prompted to change them and this is especially important for those with Access Keys. By doing this, you are limiting the amount of time access is given if security were to be compromised.
Cloud Conformity’s Golden Top Tip
We have 50 rules for IAM but my favourite is Root Account Usage — if someone logs in to one of my company’s accounts as Root I like to receive a text message immediately. The only occasion I can think of for logging in as Root is when you submit a request to conduct Penetration Testing or when an account is first created.