AWS IAM Best Practices
AWS Identity and Access Management (IAM) lets you specify who can access which resources in AWS, and under what conditions. Getting that right is the foundation of keeping access secure. The best practices below are guidelines suggested by AWS for securing access to the cloud and to the data in it.
Below are some of the guidelines AWS suggests:
Use temporary credentials
AWS suggests that instead of issuing long-term credentials (such as IAM user access keys), we use temporary credentials issued by the AWS Security Token Service (STS). We can also provide federated access to AWS accounts by letting users assume IAM roles, which return temporary credentials that expire on their own.
Example: suppose a developer needs administrative access for a 20-day project. Rather than creating long-term keys, create a role with the required permissions and let the developer assume it. Each session's credentials expire automatically (after one hour by default, at most 12 hours), and at the end of the project you remove the developer from the role's trust policy, so there is no lingering credential to clean up.
For more information, see IAM roles.
Require multi-factor authentication (MFA)
Multi-factor authentication is an extra layer of security on top of the username and password. For IAM, the second factor is a code from a virtual authenticator app, a FIDO security key or passkey, or a hardware TOTP token; a stolen password alone is then not enough to sign in. Enforce it for the root user and for every IAM user with a console password.
Example: it is like the One-Time Password (OTP) we receive when paying with a debit or credit card.
For more information, see Using multi-factor authentication in AWS.
Rotate access keys regularly for use cases that require long-term credentials
As mentioned above, AWS suggests short-term credentials, but in some scenarios a user or workload still needs long-term credentials. Access keys are like passwords for systems and services, and they should be rotated (changed) regularly so that a leaked key stops working before it can be misused. An IAM user can have two access keys, which allows a safe rotation: create the second key, switch the application to it, confirm the old key shows no further use, then deactivate and finally delete it.
Example: it is like changing the password on a company-provided desktop every 2 or 3 months, according to company policy.
For more information, see Rotating access keys.
Safeguard your root user credentials and don't use them for everyday tasks
The root user has complete access to everything in the account, including a few tasks that cannot be restricted by IAM policies or delegated to anyone else. So it is best not to use it for daily tasks: create IAM identities (preferably roles) for everyday work, do not create access keys for the root user, and enable MFA on it.
Example: It's the master key of the house. It has access to all the rooms in the house. So, keep it safe.
For more information, see Best practices to protect your account's root user.
Grant least privilege
The Principle of Least Privilege (PoLP) means giving a user only the access needed for the job they have to do, no more and no less.
Example: if I am a data analyst whose job is to look at data in S3 (the AWS storage service) and create visual reports from it, I should be given read access to that data, not permission to modify or delete it.
For more information, see Access management for AWS resources.
Get started with AWS managed policies and move toward least-privilege permissions
If you are new to AWS, it can be difficult to understand and write policies from scratch, so AWS provides managed policies for common job functions. They usually grant more than least privilege, but they are a starting point: once you know which access is actually used, replace them with customer managed policies tailored to your use case.
Example: the AWS managed policy ReadOnlyAccess grants read-only access to all AWS services and resources. A customer managed policy can then narrow that down to the specific services and resources a team needs.
For more information, see AWS managed policies. For information about AWS managed policies that are designed for specific job functions, see AWS managed policies for job functions.
Regularly review and remove unused users, roles, and permissions
Remove anything from the account that is no longer needed: users, roles, access keys and permissions that have not been used. The IAM credential report and the "last accessed" information in the console show what is actually in use. This helps us get to least-privilege permissions.
Example: delete the IAM user (and their access keys) when someone leaves the firm.
For more information, see Refining permissions in AWS using last accessed information.
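To turn the checks from the last three sections (keys needing rotation, the root user's credentials and MFA, and unused identities) into something you can run, here is an added example; it is not part of the original article and not AWS tooling. It reads the CSV that `aws iam get-credential-report` returns (after base64 decoding). The report embedded below is constructed and shows only the columns the script reads (the real report has more), the account id is a placeholder, and the 90-day thresholds are assumptions to adjust to your own policy.

```python
"""Audit an IAM credential report for stale keys, root-user hygiene, missing MFA
and unused identities. Added example, not AWS tooling. The sample report and the
thresholds are constructed assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)   # assumption: rotate long-term keys at least this often
UNUSED_AFTER = timedelta(days=90)  # assumption: review identities idle longer than this
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def _parse(ts):
    """Report timestamps are ISO 8601; several sentinel strings mean 'no date'."""
    return None if ts in NO_DATE else datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for the given report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        created = _parse(row["user_creation_time"])
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root user has an active access key; delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Collect the most recent use of any credential the user has.
        last_seen = [_parse(row["password_last_used"])] if row["password_enabled"] == "true" else []
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {n} is {(now - rotated).days} days old; rotate it"))
            last_seen.append(_parse(row[f"access_key_{n}_last_used_date"]))
        used = [d for d in last_seen if d is not None]
        latest = max(used) if used else created  # never used: measure from creation
        if now - latest > UNUSED_AFTER:
            findings.append((user, f"no activity for {(now - latest).days} days; review and remove"))
    return findings


# Constructed sample report (subset of the real columns; placeholder account id).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-02T08:10:00+00:00,false,true,2021-03-01T09:05:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T12:00:00+00:00,true,2024-05-30T07:45:00+00:00,true,true,2024-04-20T10:00:00+00:00,2024-05-29T16:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-15T12:00:00+00:00,true,2024-05-28T09:00:00+00:00,false,true,2023-11-01T10:00:00+00:00,2024-05-27T11:30:00+00:00,false,N/A,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2022-01-05T12:00:00+00:00,false,N/A,false,true,2022-01-05T12:00:00+00:00,2024-01-15T03:00:00+00:00,false,N/A,N/A
"""
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" keeps the sample deterministic

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

With a real report, replace SAMPLE_REPORT with the decoded Content field and NOW with the current UTC time; the root-user findings are the ones to act on first.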
Use IAM conditions in policies to further restrict access
This means you can add conditions to a policy so that its Allow or Deny applies only when the request matches them, for example a particular source IP range, a tag on the resource, or whether the session was authenticated with MFA.
Example: an object in S3 can be read only if the request comes from the office IP range (the aws:SourceIp condition key).
For more information, see IAM JSON policy elements: Condition.
Use IAM Access Analyzer to generate least-privilege policies based on access activity
IAM Access Analyzer can generate a policy from the actions recorded in AWS CloudTrail over a period, so the policy reflects what a principal actually did rather than what someone guessed it might need.
Example: if a developer has been working in the account for a few weeks under a broad policy, we can use Access Analyzer to generate a policy template from that activity and use it as the basis for a least-privilege policy.
For more information, see IAM Access Analyzer policy generation.
Verify public and cross-account access to resources
When we allow cross-account access, or public access (anyone on the internet) to a resource, we need to be extra careful about the permissions we grant. Access Analyzer reports resources such as S3 buckets, KMS keys and IAM roles that are shared outside the account, and can preview the effect of a resource policy before it is deployed.
Example: if someone in the IT account needs data from the finance account, grant access only to the specific bucket or table they need, not to the whole account.
For more information, see Previewing access with IAM Access Analyzer APIs.
Use IAM Access Analyzer to validate your IAM policies to help ensure secure and functional permissions
Access Analyzer can validate the policies we write against IAM best practices. It runs many policy checks (syntax errors, overly permissive statements, unsupported condition keys) and provides recommendations.
Example: when we write a customer managed policy in JSON, Access Analyzer flags mistakes and warns where the policy is broader than it needs to be, before we attach it.
For more information, see IAM Access Analyzer policy validation.
Set permissions guardrails across multiple accounts
If we use multiple accounts, we can group and manage them with AWS Organizations and attach service control policies (SCPs) to accounts or organizational units. An SCP does not grant permissions itself; it caps what IAM policies inside a member account can grant, and nothing in that account, including its root user, can exceed it.
For more information, see AWS Organizations, accounts, and IAM guardrails.
Delegate permissions management within an account by using permissions boundaries
A permissions boundary is the maximum set of permissions that identity-based policies can grant to an IAM user or role. The boundary does not grant anything itself; the effective permissions are the intersection of the boundary and the identity-based policies.
Example: you might want to allow solution architects to create and manage roles for their workloads. Attach a boundary policy to every role they create (and require it through the iam:PermissionsBoundary condition key on iam:CreateRole) so they cannot create a role more powerful than the boundary allows.
For more information, see Permissions boundaries for IAM entities.
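The sections on least privilege, conditions, MFA, SCP guardrails and permissions boundaries all come down to how IAM combines policy layers. As an added example (not part of the original article and not AWS's evaluator), here is a toy model of that evaluation in Python: an explicit Deny in any layer wins, and otherwise the identity policies, the boundary and every SCP level must each contain an applicable Allow. It supports only Effect/Action/Resource/Condition statements with the IpAddress and BoolIfExists operators; the policies, bucket name, IP ranges and request contexts are constructed.

```python
"""Toy model of IAM policy evaluation: identity policies, a permissions boundary
and SCPs combined the way IAM combines them. Added illustration, not AWS code.
Assumes only Effect/Action/Resource/Condition statements and only the IpAddress
and BoolIfExists condition operators."""
import fnmatch
import ipaddress


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, ctx):
    """Every operator/key pair must be satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), _as_list(expected)
            if operator == "IpAddress":
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
            elif operator == "BoolIfExists":  # an absent key counts as a match
                ok = actual is None or str(actual).lower() in [str(w).lower() for w in wanted]
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _policy_decision(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (no statement matched) for one policy document."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins within the policy
        decision = "Allow"
    return decision


def _layer_decision(policies, action, resource, ctx):
    """Policies attached at one layer are a union: any Deny wins, else any Allow."""
    decisions = [_policy_decision(p, action, resource, ctx) for p in policies]
    return "Deny" if "Deny" in decisions else ("Allow" if "Allow" in decisions else None)


def is_allowed(action, resource, ctx, identity_policies, boundary=None, scp_levels=()):
    """Explicit Deny anywhere denies; otherwise the identity policies, the boundary
    (if any) and the SCPs at each organisation level must all Allow."""
    layers = [identity_policies] + ([[boundary]] if boundary is not None else []) \
        + [list(level) for level in scp_levels]
    decisions = [_layer_decision(layer, action, resource, ctx) for layer in layers]
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


# Constructed sample policies for the article's scenarios.
ANALYST_READONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::analytics-data", "arn:aws:s3:::analytics-data/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}  # assumed office range
DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [{  # also hits long-term keys (key absent)
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
DEV_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "ec2:RunInstances", "cloudtrail:*"], "Resource": "*"}]}
DEV_BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "logs:*", "cloudtrail:*"], "Resource": "*"}]}
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}

OFFICE_MFA = {"aws:SourceIp": "203.0.113.25", "aws:MultiFactorAuthPresent": "true"}
OBJECT = "arn:aws:s3:::analytics-data/report.csv"


def analyst_can(action, ctx):
    return is_allowed(action, OBJECT, ctx, [ANALYST_READONLY, DENY_WITHOUT_MFA],
                      scp_levels=[[ORG_SCP]])


def developer_can(action):
    return is_allowed(action, "*", {"aws:MultiFactorAuthPresent": "true"}, [DEV_POLICY],
                      boundary=DEV_BOUNDARY, scp_levels=[[ORG_SCP]])


if __name__ == "__main__":
    print(analyst_can("s3:GetObject", OFFICE_MFA))                        # True
    print(analyst_can("s3:GetObject", {"aws:SourceIp": "198.51.100.7"}))  # False: off-network, no MFA
    print(analyst_can("s3:PutObject", OFFICE_MFA))                        # False: nothing allows writes
    print(developer_can("ec2:RunInstances"))                              # False: outside the boundary
    print(developer_can("cloudtrail:StopLogging"))                        # False: SCP guardrail
```

The DENY_WITHOUT_MFA statement uses BoolIfExists deliberately: a request made with long-term access keys carries no aws:MultiFactorAuthPresent key at all, and IfExists treats the missing key as a match, so the Deny applies to those requests too. The developer cases show the boundary and the SCP each removing permissions that the identity policy alone would have granted.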
These are a few basic guidelines AWS provides. Please refer to the linked documentation for more detail. Hope this helps.