AWS — IAM Best Practices

Security Best Practices in AWS Identity and Access Management (IAM).

Awesome Cloud — AWS IAM Security Best Practices

TL;DR:

AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. IAM is a pillar of security and provides you with easy ways to secure AWS accounts and resources. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM provides two essential functions that work together:

• Authentication (AuthN): It validates the identity of a user.
• Authorization (AuthZ): It defines the permissions and limits access to only specific resources for the permitted identities.

Read more about AWS IAM Overview

IAM Users Best Practices

• Ensure that all users have appropriate permissions. Create individual IAM users and assign fine-grained permissions, depending on the resources they need.
• Don’t use the root account user. Instead, create IAM user with administrative privileges.
• Use administrative users to create users, groups, and roles with suitable permissions. Once that’s done, use those identities to manage day-to-day operations.
• Don’t share access keys or credentials. Instead, create individual IAM users for employees that need to access AWS resources.
• Enforce a strong password policy for all AWS users.
• Rotate credentials and access keys regularly.
• Remove account access keys if not in use.
• Remove unused, stale, or unnecessary IAM users/credentials.
• Activate multi-factor authentication (MFA) on user accounts. Enable MFA at least for the root account.
• Disable/delete root account access keys.

AWS — IAM Account Root User Best Practices Overview

IAM User Groups Best Practices

• AWS recommends managing user access by creating groups that assign permission to the group. It is much easier to add new users, remove users and modify the permissions of a group of users.
• Assign policies to a group of IAM users or write inline policies when creating an IAM group. This streamlines the process of making changes to multiple user permissions and decreases the risk of accidentally giving individual users an unnecessarily high set of permissions.

IAM Roles Best Practices

• It is recommended practice to use IAM roles and generated temporary security credentials instead of storing keys in application code.
• For IAM users, create separate roles for specific job tasks and assume those roles for those tasks. Don’t use your IAM admin user for your everyday work.
• You can assume an IAM role by using AWS Security Token Service (STS) operations or switch to a role in the AWS Management Console to receive a temporary role session. This is more secure than using your long-term password or access keys. A session has a limited duration, which reduces your risk if your credentials are compromised.

When to create an IAM role (instead of a user): Application that runs on an Amazon EC2 instance and that application makes requests to other AWS services.

IAM Policy Best Practices

• Prefer to use AWS Managed policies over Customer managed policies whenever possible. AWS-managed policies cover common use cases and are well-aligned to common IT functions. Using AWS-managed policies reduces your operational overhead.
• Regularly review and monitor IAM policies to ensure they’re granting the least privileges.
• You should regularly review and monitor each of your IAM policies to improve the security of your AWS account.
• Validate your policies that are created for the intended purpose.
• Only prefer inline policies if you want to maintain a strict one-to-one relationship between a policy and the identity to which it is applied.
• Use customer-managed policies instead of inline policies (embedded in a user, group, or role). Managed policies provide the following features:
  - Re-usability between users, groups, and roles.
  - Central change management.
  - Easy versioning and rolling back.
  - Ease of delegating permissions management.

Policy conditions are especially useful when working with partners and third-party vendors who need access to your organization’s AWS resources. Below are some of the recommended conditions that should be employed:

• Use date/time conditions to limit access to resources such that IAM users are only able to access a resource during weekdays for the duration of their workday/shift.
• Set up conditions that whitelist IP addresses that are allowed to access AWS resources to ensure only trusted IP addresses are able to gain access to an AWS resource.

• Difference between SQS and SNS
• Difference between Application load balancer and Network load balancer
• Difference between Security Groups and NACL
• Difference between Amazon Aurora and Amazon RDS
• Difference between Internet Gateway and NAT Gateway
• Difference between Secrets Manager and Parameter Store

Happy Clouding!!!