AWS IAM: Securing AWS Users
AWS User Management is Easier than On-Prem, but with Caveats
Securing user access with AWS IAM is a pleasant, simple experience that requires far less management than with on-prem data centers of the past. AWS IAM stands for “Identity and Access Management,” and AWS describes it as follows:
“AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.”
The fundamentals of user security with AWS IAM remain the same as on-prem: grant the least privilege. Following this principle, you grant only the permissions required to perform specific tasks. Determine what tasks a user (or app) needs to do, and then craft only the policies that allow those tasks.
Getting Started with AWS IAM
To get started with AWS IAM, don't begin with broad permissions and narrow them down as you go. Instead, allow a minimum set of permissions and add more only as necessary.
To help trim access up or down, use AWS Access Advisor/Organizations to gain insight into a user's access stats via "Last Accessed Information." CloudTrail, if enabled, provides similar information, and CloudTrail activity can be used to generate a user-specific policy.
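As an added example (not code from the original post), the following Python script shows the "generate a user-specific policy from CloudTrail activity" approach: it takes a handful of constructed CloudTrail-style records, collects the actions a named IAM user actually called, emits a policy document allowing only those actions, and reports which grants in an existing policy went unused. The sample events, the user names and the eventSource-to-prefix override table are assumptions for illustration; the resulting policy uses `"Resource": "*"` only as a review starting point and must be scoped to real ARNs before it is attached.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records for this example (not real log data).
# Only the fields the code reads are present; real CloudTrail events carry many more.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "reports-bot"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "reports-bot"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "reports-bot"}},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "userIdentity": {"type": "IAMUser", "userName": "reports-bot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def service_prefix(event_source):
    """Map a CloudTrail eventSource to an IAM action prefix.

    Stripping ".amazonaws.com" is right for most services; a few need an
    explicit override (for example monitoring.amazonaws.com -> cloudwatch).
    """
    overrides = {"monitoring.amazonaws.com": "cloudwatch"}
    return overrides.get(event_source, event_source.split(".")[0])


def observed_actions(events, user_name):
    """Return the set of "service:Action" strings the named IAM user actually called."""
    actions = set()
    for event in events:
        identity = event.get("userIdentity", {})
        if identity.get("type") != "IAMUser" or identity.get("userName") != user_name:
            continue
        # eventName usually equals the IAM action name, but not always
        # (S3 logs ListObjects for the s3:ListBucket permission), so review the output.
        actions.add(f"{service_prefix(event['eventSource'])}:{event['eventName']}")
    return actions


def least_privilege_policy(events, user_name):
    """Build a policy document that allows only the actions seen in the trail."""
    by_service = defaultdict(set)
    for action in observed_actions(events, user_name):
        service, name = action.split(":", 1)
        by_service[service].add(name)
    statements = [
        {
            "Sid": f"{service.capitalize()}Observed",
            "Effect": "Allow",
            "Action": sorted(f"{service}:{name}" for name in names),
            # Scope this to specific ARNs before attaching; "*" is a starting
            # point for review, not a least-privilege resource.
            "Resource": "*",
        }
        for service, names in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def unused_grants(granted_actions, events, user_name):
    """Actions an existing policy allows that the trail shows were never used."""
    return sorted(set(granted_actions) - observed_actions(events, user_name))


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(SAMPLE_EVENTS, "reports-bot"), indent=2))
    current = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
               "sqs:SendMessage", "sqs:PurgeQueue"]
    print("unused grants:", unused_grants(current, SAMPLE_EVENTS, "reports-bot"))
```

Run against real trail data, the observed set is only as complete as the time window you examine, so a rarely used but legitimate action (a quarterly job, for instance) will show up as "unused" and needs a human decision before it is removed.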
Protect Your Roots
Before securing individual user access with AWS IAM, it's wise to first secure the AWS root account. Root-level privileges cannot be limited or restricted the way other users' can. As such, it is an incredibly powerful user. The root access key can be used to access the root account, and it grants programmatic access to everything, including your billing information.
It is recommended to delete your AWS root access key. If that's not possible for your purposes, don't log in with the root access key. Create an AWS IAM user with admin privileges instead. You'll still have access to your root user through the AWS console. To keep this account secure:
- Use a strong password
- Rotate credentials regularly
- Never share your credentials
- Utilize Multi-factor Authentication
MFA: Your Sidekick in AWS IAM Security
Enabling Multi-factor Authentication (MFA) adds a significant layer of security. With MFA enabled, at login the user is prompted for a username and password as normal (first factor), and also for a time-cycled authentication code from an MFA device (second factor).
An MFA device can be:
- VIRTUAL, i.e., an app that runs on your phone and generates a rotating unique six-digit code
- HARDWARE, i.e., a physical device that generates a rotating unique six-digit code
- U2F security key, i.e., a USB authentication device that is inserted and activated when requested
- SMS, i.e., a unique six-digit code sent via SMS text message
AWS IAM is Free to Use, So There’s No Excuse for Poor User Security
These recommendations are easily set in Identity & Access Management (AWS IAM). IAM is a free-to-use AWS service that controls who is authenticated and who is authorized to use resources. It provides access lists, lets you set passwords, and lists access key and password age. AWS IAM can easily enforce recommended security standards such as minimum password length, password rotation after a preset period, disallowing reuse of old passwords, and required special characters. Be mindful that the password policy applies to the whole of your AWS account, not just to specific users.
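The access key and password ages that IAM lists are exactly what you need to act on the root-account and rotation advice above. As an added example (not code from the original post), this Python script audits a credential report: it flags an active root access key, a root user without MFA, console users without MFA, and any password or access key older than a rotation threshold. The CSV is a constructed excerpt that uses a subset of the real IAM credential report's column names and the placeholder account ID 123456789012; the 90-day threshold and the fixed "now" are assumptions chosen so the run is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential-report excerpt for this example. Column names follow the
# IAM credential report, but only a subset of its columns is included and no real
# account data is used. IAM lists the root user as "<root_account>".
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,not_supported,false,true,2022-06-01T12:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-03-01T08:30:00+00:00,true,true,2024-02-15T10:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,N/A,false,true,2023-09-01T10:00:00+00:00,true,2023-10-01T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2023-11-20T14:00:00+00:00,false,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)
MAX_AGE_DAYS = 90  # assumed rotation threshold for this example, not an AWS default


def parse_report(text):
    """The credential report is CSV with a header row; one dict per user."""
    return list(csv.DictReader(io.StringIO(text)))


def age_days(stamp, now):
    """Days since an ISO-8601 timestamp, or None for the report's placeholder values."""
    if stamp in ("N/A", "no_information", "not_supported", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_row(row, now=NOW, max_age=MAX_AGE_DAYS):
    """Return a list of findings for one user row (empty list means nothing to fix)."""
    findings = []
    is_root = row["user"] == "<root_account>"
    if is_root:
        if row["mfa_active"] != "true":
            findings.append("root user has no MFA device")
    elif row["password_enabled"] == "true":
        # Only users with a console password need MFA; pure API users have no login.
        if row["mfa_active"] != "true":
            findings.append("console password enabled without MFA")
        pw_age = age_days(row["password_last_changed"], now)
        if pw_age is not None and pw_age > max_age:
            findings.append(f"password not rotated for {pw_age} days")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        if is_root:
            findings.append(f"root access key {n} is active; delete it")
        key_age = age_days(row[f"access_key_{n}_last_rotated"], now)
        if key_age is not None and key_age > max_age:
            findings.append(f"access key {n} not rotated for {key_age} days")
    return findings


def audit_report(text, now=NOW, max_age=MAX_AGE_DAYS):
    """Map each user in the report to its findings."""
    return {row["user"]: audit_row(row, now, max_age) for row in parse_report(text)}


if __name__ == "__main__":
    for user, findings in audit_report(SAMPLE_REPORT).items():
        print(user, "->", findings or "ok")
```

In the sample, `alice` (MFA on, recent rotations) produces no findings, while the root row produces three; the same function works on a real report fetched with `aws iam get-credential-report` once the base64-encoded body is decoded.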
Managing Individual Users and Groups with AWS IAM
AWS IAM users can be managed at the individual user level, or at the group level.
When managing individual users, you have the fine-grained control needed to apply the principle of least privilege. You can revoke a single user's access at any time. Auditing an individual is much easier than auditing a collective group of users, and a security policy can be attached to the individual user as needed and revoked just as quickly.
Instead of managing individual AWS IAM users, you can manage users via groups. Groups make it easier to assign a set of permissions in a team or department setting, e.g., Dev, Billing, Human Resources, etc. If you need to apply the same policy to a preset list of individuals, this is much faster than attaching the policy to each user. To create a group, simply name the group, set permissions for that group, and add users. Be mindful that you can only attach up to 10 policies per user group.
AWS IAM Policies
Policies fall into three categories:
- AWS managed policies
- customer managed policies
- inline policies
Any of the three can be attached to multiple principal entities; that is, users, groups, or roles.
AWS managed policies are premade and maintained by AWS, which saves time for common use cases. They can be full-access or partial-access in scope. Because AWS defines and manages them, you cannot change their policy definitions.
As the manager of these policies, AWS may tweak their permissions for functionality, service changes, or new products. This means you don't have to, which saves time troubleshooting or updating them. Two good examples of AWS managed policies are "IAMFullAccess" and "AmazonEC2ReadOnlyAccess."
Customer managed policies work the same as AWS managed policies, except that you administer them rather than AWS.
The third policy type is inline policies. These policies are embedded in the principal entity upon creation. This is useful if you want to ensure that a policy is always in place and is never altered to grant or deny access to a specific service. As such and by design, inline policies are not as flexible as managed policies. Be mindful that whenever you delete a principal entity, its embedded policies are deleted as well. Inline policies may be sunsetted by AWS in the future.
AWS IAM supports a thoughtful oversight and review process via policy summaries. A policy can be viewed as three tables:
- policy summary
- service summary
- action summary
These summaries offer an even more detailed look into the policies in place, are useful in tracking down unexpected permission errors, and provide an avenue for rapid remediation.
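The three summary tables are straightforward to reproduce from a policy document, which is useful when you want the same view over policies stored in version control rather than only in the console. The following Python example is added here and is not code from the original post: `policy_summary` builds the per-service table, `service_summary` the per-action table for one service, `action_summary` the per-resource table for one action, and `broad_grants` lists services where an Allow statement pairs a wildcard action with `"Resource": "*"`, the pattern most often behind an unexpectedly wide grant. The policy document, bucket, queue and account ID are constructed for illustration, and the helpers assume statements use `Action`/`Resource` (not `NotAction`/`NotResource`).

```python
import json

# Constructed policy document for this example (not from the page or any real account).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Allow",
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:report-queue"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def split_action(action):
    """'s3:GetObject' -> ('s3', 'GetObject'); a bare '*' means every service and action."""
    if action == "*":
        return "*", "*"
    service, _, name = action.partition(":")
    return service.lower(), name


def policy_summary(policy):
    """Table 1 (policy summary): one row per service with counts and broad-grant flags."""
    rows = {}
    for stmt in as_list(policy["Statement"]):
        effect = stmt["Effect"]
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, name = split_action(action)
            row = rows.setdefault(service, {"allow": 0, "deny": 0,
                                            "wildcard_action": False, "all_resources": False})
            row[effect.lower()] += 1
            if effect == "Allow":  # only grants widen access; a Deny never does
                row["wildcard_action"] |= "*" in name
                row["all_resources"] |= "*" in resources
    return rows


def service_summary(policy, service):
    """Table 2 (service summary): every action named for one service, with effect and resources."""
    rows = []
    for stmt in as_list(policy["Statement"]):
        for action in as_list(stmt.get("Action", [])):
            if split_action(action)[0] in (service, "*"):
                rows.append((action, stmt["Effect"], tuple(as_list(stmt.get("Resource", [])))))
    return sorted(rows)


def action_summary(policy, action):
    """Table 3 (action summary): which resources a single action is allowed or denied on."""
    rows = []
    for stmt in as_list(policy["Statement"]):
        if action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                rows.append((stmt["Effect"], resource))
    return rows


def broad_grants(policy):
    """Services where an Allow statement combines a wildcard action with Resource '*'."""
    return sorted(service for service, row in policy_summary(policy).items()
                  if row["wildcard_action"] and row["all_resources"])


if __name__ == "__main__":
    print(json.dumps(policy_summary(POLICY), indent=2))
    print(service_summary(POLICY, "s3"))
    print(action_summary(POLICY, "s3:DeleteObject"))
    print("review these services first:", broad_grants(POLICY))
```

Note that the summaries describe what the policy says, not the final access decision; an explicit Deny elsewhere (in another attached policy, a permissions boundary or an SCP) still wins, so the tables are a review aid rather than an evaluator.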
While AWS IAM is free to use, it’s a complicated system that many find difficult to use. However, proper use is critical for protecting the security of your infrastructure. Get confident in your cloud security. Start a conversation with our AWS cloud experts and contact us.