Chapter 3: Security Best Practices for an AWS IAM User

Ankit Rao
Aug 11, 2020

In the previous blog of the series, I gave a brief introduction to the AWS root user and the security best practices that apply to it.

Through this new chapter, I’ll try to provide some insights on the security best practices to be followed for an AWS IAM User.

What is an IAM User?

An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. So, if you want other people or applications to have access to your AWS account, you simply need to create an IAM user for them.

Security best practices for an IAM User:

1) Restrictive Permissions:

  • When you create IAM users for your account, follow the Principle of Least Privilege when assigning permissions to them.
  • Set up Permissions Boundaries for IAM users where necessary.
  • Avoid attaching permissions directly to users. Instead, create an IAM user group, attach the required permissions to the group, and then add the IAM users to the group.

By following these practices, you ensure that IAM users hold only the privileges they actually need, which limits what an attacker can do with a compromised user and reduces the scope for unauthorized access.

Also, assigning privileges at the group level reduces the complexity of access management as the number of users grows, thereby reducing the possibility of an IAM user being granted excessive privileges.

Verifying IAM User permissions and adding them to IAM User Groups:

a) Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

b) In the left navigation pane, click Users and select the IAM user whose permissions you wish to verify.

[Screenshot: Sample IAM User]

c) Under the Permissions tab, you can see the list of attached permissions; check that the Principle of Least Privilege has been followed when assigning them. You can use the (x) symbol to remove unnecessary permissions.

d) Using the Set boundary feature, you can set a permissions boundary that caps the maximum permissions the IAM user can have, regardless of what the attached policies grant.

[Screenshot: Set Boundary feature for IAM Users]

e) Further, to add the user to an IAM group, click the Groups tab and add the user to the appropriate group from there.
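The console walkthrough above checks one user at a time. As an added example (not from the original post), the following Python script applies the same three checks from section 1 to every user in the account at once. It works on the UserDetailList shape returned by the IAM GetAccountAuthorizationDetails API; the sample data is constructed (the account ID is AWS's documented placeholder) so the check runs offline, and fetch_user_details shows the live boto3 call.

```python
# Added example: audit IAM users for the "restrictive permissions" practices.
# Input shape mirrors UserDetailList from GetAccountAuthorizationDetails.
from typing import Dict, List

# Constructed sample: one user that follows the practices, one that does not.
SAMPLE_USER_DETAILS = [
    {
        "UserName": "analyst-1",
        "GroupList": ["ReadOnlyAnalysts"],
        "AttachedManagedPolicies": [],
        "UserPolicyList": [],
        "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                                "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/AnalystBoundary"},
    },
    {
        "UserName": "contractor-2",
        "GroupList": [],
        "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
        "UserPolicyList": [{"PolicyName": "s3-inline", "PolicyDocument": {}}],
        # no "PermissionsBoundary" key: the API omits it when none is set
    },
]

def audit_user(user: Dict) -> List[str]:
    """Return the section-1 practices that this user violates (empty if compliant)."""
    findings = []
    if user.get("AttachedManagedPolicies") or user.get("UserPolicyList"):
        findings.append("permissions attached directly to the user instead of via a group")
    if not user.get("GroupList"):
        findings.append("user is not a member of any IAM group")
    if "PermissionsBoundary" not in user:
        findings.append("no permissions boundary set")
    return findings

def audit_users(user_details: List[Dict]) -> Dict[str, List[str]]:
    """Map each non-compliant user name to its findings."""
    report: Dict[str, List[str]] = {}
    for user in user_details:
        findings = audit_user(user)
        if findings:
            report[user["UserName"]] = findings
    return report

def fetch_user_details() -> List[Dict]:
    """Live variant: pull every user's details with boto3 (the API is paginated)."""
    import boto3  # imported here so the offline sample above runs without it
    paginator = boto3.client("iam").get_paginator("get_account_authorization_details")
    users: List[Dict] = []
    for page in paginator.paginate(Filter=["User"]):
        users.extend(page["UserDetailList"])
    return users
```

Running audit_users(fetch_user_details()) against a real account needs credentials with iam:GetAccountAuthorizationDetails.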

2) Securing the IAM User Access Keys:

  • Ensure IAM user access keys are rotated periodically (every 90 days or less).
  • An IAM user should not have more than one active access key at a time.

Access keys are long-term credentials for an IAM user that can be used to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Rotating access keys shortens the window in which a key belonging to a compromised or terminated account can be used. Further, having only one access key at a time reduces the attack surface and makes it easier to spot a key that should not exist.

Access Key rotation and ensuring one Access Key per IAM User:

a) On the IAM user screen we navigated to earlier, click the Security Credentials tab and scroll down to the Access keys section:

b) Here, check the key creation date and ensure that no access key is older than 90 days; if one is, rotate it.

What is Key Rotation and how do you rotate the Access Key?

You will notice that there is no dedicated Key Rotation option in the console. Here, key rotation simply means inactivating or deleting the existing key and creating a new one.

So, if you want to rotate the User’s Access Keys, you need to either inactivate the old key using the Make Inactive option or else delete it using (x) and then create a new key using the Create Access Key option.

Also, after doing so, make sure to update all applications and tools that use the IAM user's access keys with the new key, and only then delete the old one.

c) Also, if you see more than one active access key for a user, inactivate or delete the one that is not in use.

3) Enable MFA for IAM Users with AWS Console access:

Multi-Factor Authentication (MFA) verifies a user's identity by requiring more than one credential. An MFA device adds an extra layer of protection on top of the IAM user's password, so that a stolen or guessed password alone is not enough to sign in without the MFA-generated passcode.

Configuring MFA for an IAM user and then accessing the AWS Console:

a) On the same Security Credentials tab we navigated to earlier, go to the Assigned MFA device option and click Manage.

[Screenshot: Enabling MFA for IAM User]

b) Install an authenticator app from the list provided there, click Show QR Code, scan it with the authenticator app, enter two consecutive MFA codes generated by the app, and click Assign MFA.

c) Once done, you can log in to the AWS console with the MFA-enabled IAM user as follows:
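The access key checks from section 2 and the MFA check from section 3 can be verified for all users at once from the IAM credential report. As an added example (not from the original post), the following Python script parses that report and flags keys older than 90 days, users with two active keys, and console users without MFA. The CSV below is a constructed, trimmed subset of the real report's columns (the account ID is AWS's documented placeholder), so it runs offline.

```python
# Added example: run the section 2 and 3 checks over an IAM credential report.
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List

MAX_KEY_AGE_DAYS = 90
AS_OF = datetime(2020, 8, 11, tzinfo=timezone.utc)  # evaluation date (the post's date)

# Constructed sample report: only the columns the checks need are kept.
# The real report uses "N/A" in the rotation column of an unused key slot.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,true,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2020-07-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2020-03-01T09:00:00+00:00,true,2020-07-20T09:00:00+00:00
ci-bot,arn:aws:iam::123456789012:user/ci-bot,false,false,true,2020-06-15T09:00:00+00:00,false,N/A
"""

def _age_days(stamp: str, now: datetime) -> int:
    """Whole days since an ISO-8601 rotation timestamp from the report."""
    return (now - datetime.fromisoformat(stamp)).days

def audit_credential_report(report_csv: str, now: datetime) -> Dict[str, List[str]]:
    """Map each user with findings to a list of key-age, key-count and MFA problems."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems: List[str] = []
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        for n in active:
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age > MAX_KEY_AGE_DAYS:
                problems.append(f"access key {n} is {age} days old; rotate it")
        if len(active) > 1:
            problems.append("more than one active access key")
        # A user with a console password but no MFA device is the section 3 case.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            problems.append("console access without MFA")
        if problems:
            findings[row["user"]] = problems
    return findings

if __name__ == "__main__":
    for user, problems in audit_credential_report(SAMPLE_REPORT, AS_OF).items():
        print(user, problems)
```

On a live account, call boto3's iam.generate_credential_report() until its State is COMPLETE, then pass iam.get_credential_report()["Content"].decode() and datetime.now(timezone.utc) to the function.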

I hope this simple overview of the security best practices for IAM users was useful and helps you enhance the security of your AWS account.

Please feel free to leave your comments and suggestions …
