AWS Partner Network (APN) Blog

How IAM Health Cloud Helps You Manage AWS IAM Even When You Have Multiple Accounts

By Joseph Williams, Sr. Technical Account Manager – AWS

MOTON Consulting

MOTON Consulting began transitioning into the cloud space in 2014 to keep pace as digital business infrastructures became more complex with new cloud assets and network devices.

MOTON’s transition has been instrumental in aiding security teams to ensure their organization’s posture is secure even while releasing control over some key technology. MOTON has successfully assisted business teams to continue to predict and manage costs amid transferring from on-premises data centers or legacy infrastructure to the cloud.

The ideal solution for companies that run multiple Amazon Web Services (AWS) accounts is to add them to an AWS Organization. Unfortunately, this is not always possible in practice. Mergers and acquisitions, poor planning, and simply lack of time can all contribute to this failure.

MOTON Consulting developed IAM Health Cloud to address this challenge. IAM Health Cloud is a software-as-a-service (SaaS) solution available in AWS Marketplace; it enables continuous and central collection and analysis of all AWS Identity and Access Management (IAM) data to determine a company’s IAM posture across any number of AWS accounts.

The inspiration for IAM Health Cloud came from observing too many companies spending lots of money and still waiting months for third-party auditors to collect, compile, and analyze the same data that IAM Health Cloud provides in mere minutes. IAM Health Cloud can also be configured to support data residency requirements.

In this post, I will demonstrate how to use IAM Health Cloud to gain near real-time centralized insight of all IAM assets across multiple AWS accounts, even if they are independent or part of fragmented AWS Organizations. At the end, I will show you how to subscribe via AWS Marketplace and get started using IAM Health Cloud in your environment.

Easy-to-Understand Dashboards

IAM Health Cloud provides compliance analytics to easily identify and evaluate users and accounts according to Center for Internet Security (CIS) best practices. The information is pushed directly to Amazon CloudWatch dashboards for authorized users to quickly understand the content at a glance.

The IAM Health Cloud dashboard presents quick and important facts across all of your accounts. It shows metrics such as how many of your accounts have:

  • Unrestricted access policies.
  • Inadequate password policies, such as policies that:
    • Allow re-use of any of the last 24 passwords.
    • Do not expire passwords after 90 days.
    • Set a minimum password length that is too short.
    • Do not require lowercase letters, uppercase letters, or symbols.
  • Root account access without virtual multi-factor authentication (MFA).


Figure 1 – IAM Health Cloud account view.

Access Reviews

IAM Health Cloud automatically generates up-to-date and detailed access reviews for every user and role. This shows an administrator very clearly what access any role or user has and the last time that each permission was used.


Figure 2 – Access review data (single file).

The figure above shows how an access review file is formatted, and Figure 3 below depicts the access review file naming convention. The access review files are formatted and named in a way that can easily be parsed using automation.


Figure 3 – IAM Health Cloud access review files.

Downloadable CSV Reports

IAM Health Cloud provides pre-parsed CSV reports with detailed information about users, accounts, policies, and roles which include a compliance and risk analysis for each.


Figure 4 – IAM Health Cloud roles CSV sample report.

Historical Data and Change Tracking

IAM Health Cloud keeps track of all recent and historical changes to AWS IAM assets, allowing for easy auditing. Instead of focusing on a mass of data, an administrator can spot the changes and ensure each change matches the organization’s security policies and develop automated countermeasures to mitigate risks based on this data.


Figure 5 – IAM Health Cloud change log.

IAM Health Cloud provides near real-time, centralized, granular details that show exactly what changes were made to your IAM assets, and ranks them by risk to improve the signal-to-noise ratio. The image above is a snippet of the change_log.

Health Scores and Risk Scores

As part of assisting organizations to find and resolve issues rapidly, IAM Health Cloud furnishes health scores and risk scores for each account, role, and user as well as a company-wide score.

The scores are obtained by running a risk analysis on each user, role, and account in near real-time, then displaying the results in the dashboard. Using this feature, companies are able to gauge the overall health of their IAM security posture, as well as compare their posture anonymously with data provided by other companies in the same or similar sectors.

The IAM health score and risk score are each a number from 0 to 1,000, and each is the direct inverse of the other, so the two always sum to 1,000. For example, if the health score is 600, then the risk score will be 400. Examples of the IAM health and risk scores are shown below.


Figure 6 – IAM health and risk scores.

User and Account Risk Maps

The dashboard provides insight into which user accounts pose a risk for some of the following reasons:

  • User has AWS console access and no MFA option set up.
  • User’s access keys are older than 90 days.
  • User’s password is older than 90 days.
  • User has IAM policies directly attached.
  • User has unrestricted access.


Figure 7 – IAM Health Cloud user risk map.
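The user risk conditions listed above, expressed as checks over a single user record. This is an added example and not IAM Health Cloud's own logic; the record layout (fields taken from the IAM credential report plus the user's attached policy documents) is an assumption.

```python
"""Flag IAM users by the risk conditions listed above (added example, not
IAM Health Cloud's own logic). The record shape is an assumption: a dict
built from the IAM credential report plus the user's attached policies."""
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # the 90-day threshold the page applies to keys and passwords

def _age_days(iso_ts, now):
    """Days elapsed since an ISO-8601 timestamp that carries a UTC offset."""
    return (now - datetime.fromisoformat(iso_ts)).days

def _is_unrestricted(policy_doc):
    """True if any Allow statement grants Action "*" on Resource "*"."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def user_risks(user, now):
    """Return the risk reasons that apply to one user record, in page order."""
    reasons = []
    if user["password_enabled"] and not user["mfa_active"]:
        reasons.append("console access without MFA")
    if any(_age_days(t, now) > MAX_AGE_DAYS for t in user["access_key_last_rotated"]):
        reasons.append("access key older than %d days" % MAX_AGE_DAYS)
    if user["password_enabled"] and _age_days(user["password_last_changed"], now) > MAX_AGE_DAYS:
        reasons.append("password older than %d days" % MAX_AGE_DAYS)
    if user["attached_policies"]:
        reasons.append("policies attached directly to user")
    if any(_is_unrestricted(p) for p in user["attached_policies"]):
        reasons.append("unrestricted access")
    return reasons

# Constructed sample record, not real account data.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_USER = {
    "user": "alice", "password_enabled": True, "mfa_active": False,
    "password_last_changed": "2023-01-15T10:00:00+00:00",
    "access_key_last_rotated": ["2023-05-20T00:00:00+00:00"],
    "attached_policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
}
```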

Parsing IAM Health Cloud Reports into JSON

For users who wish to generate more detailed insights than those provided by the dashboard, or to drill down into more granular data, IAM Health Cloud’s reports are fully parsable into JSON. They were designed to be a reliable data source for company-specific automation.

The original IAM Health Cloud reports are made up of many small JSON documents concatenated together and separated by JSON comments. Each JSON comment describes the JSON document located immediately below.


Figure 8 – JSON report concatenated by comment in between.

Each report could contain tens of thousands of such concatenated documents, depending on the number of accounts you manage.

Accessing the data as JSON is as simple as splitting the JSON documents using the comments as the separator. Below is sample code of how this can be done in Awk, although it can also be done in any popular programming language or through many external text-parsing tools.


Figure 9 – Parsing IAM Health Cloud into JSON using Awk.
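The same splitting step in Python rather than Awk, as an added example that is not the product's own code. It assumes the separator comments are lines beginning with "//" (the page only says "JSON comments"), and the sample report it parses is constructed for illustration.

```python
"""Split a report of JSON documents separated by JSON comments (added example,
not the product's Awk code). Assumed: separator comments are lines beginning
with "//"; the page only says "JSON comments", so adjust SEPARATOR_PREFIX."""
import json

SEPARATOR_PREFIX = "//"

# Constructed sample report, not real product output: each comment line
# describes the JSON document immediately below it.
SAMPLE_REPORT = """\
// account=111111111111 type=role name=AuditRole
{"RoleName": "AuditRole", "Url": "https://example.test//path"}
// account=111111111111 type=user name=alice
{"UserName": "alice",
 "MfaActive": false}
// account=222222222222 type=user name=bob
{"UserName": "bob", "MfaActive": true}
"""

def split_report(text):
    """Return a list of (comment, parsed_document) pairs.

    Only lines that start with the prefix are separators, so a "//" inside a
    JSON string (such as a URL) is left alone. A comment with no document
    below it, or an unparsable document, raises ValueError instead of
    silently truncating the report.
    """
    records, comment, buf = [], None, []

    def flush():
        if comment is None:
            return
        body = "\n".join(buf).strip()
        if not body:
            raise ValueError("no JSON document after comment: %r" % comment)
        records.append((comment, json.loads(body)))  # raises on bad JSON

    for line in text.splitlines():
        if line.lstrip().startswith(SEPARATOR_PREFIX):
            flush()
            comment = line.strip()[len(SEPARATOR_PREFIX):].strip()
            buf = []
        elif comment is not None:
            buf.append(line)
    flush()
    return records

def documents_for_account(records, account_id):
    """Select the parsed documents whose comment names the given account."""
    return [doc for c, doc in records if "account=%s" % account_id in c]
```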

Getting Started with IAM Health Cloud

To start using IAM Health Cloud in your business, simply subscribe to it on AWS Marketplace. You will be redirected to the IAM Health Cloud website to activate your subscription.

If you are not yet registered, click the Sign Up button.


Figure 10 – IAM Health Cloud on AWS Marketplace.

After signing up, you will receive an email with a link to verify your email address.

IAM Health Cloud will need read-only access to your AWS account to be able to pull the required data from it on a regular basis. To grant this access, IAM Health Cloud will make use of the AWS IAM-Read-Only IAM Managed Policy.

To implement this policy, make sure you are logged in to your AWS account. Then, deploy the IAM Health Cloud template via AWS CloudFormation. This creates the read-only role in your account that is needed for IAM Health Cloud to query IAM resources, and it must be done in each one of your AWS accounts or enforced at the organizational level.


Figure 11 – IAM Health Cloud CloudFormation permissions.

Make sure you log in to each one of your AWS accounts and deploy the IAM Health Cloud CloudFormation stack by checking the box to allow the creation of the IAM Health Cloud read-only role, and then clicking Create stack.

Once you have deployed the IAM Health Cloud stack in all of your AWS accounts, email a comma-delimited list of your AWS account numbers to

The first account number in the list should be the account you plan to use to access your IAM data stream. The subject of the email should be “REGISTER.” You must use the email that you used to register with IAM Health Cloud.


Figure 12 – IAM Health Cloud registration email.

Once you have emailed the above information, the IAM Health Cloud Registration team will complete your account setup and contact you with the details needed to access your IAM data stream. This is usually completed within 4-6 hours but can sometimes take up to one business day.


In this post, I discussed why IAM Health Cloud is an ideal solution for companies with multiple AWS accounts that require out-of-the-box centralized visibility of all AWS IAM assets. I also reviewed how IAM Health Cloud securely and continuously delivers updates across multiple accounts simultaneously to ensure that fresh, relevant, and valid IAM data is provided for security, governance, risk, auditing, monitoring and compliance.

In addition, IAM Health Cloud can be configured to support your data residency requirements. Finally, I provided step-by-step instructions for how you can subscribe to IAM Health Cloud in AWS Marketplace and gain centralized visibility of all of your IAM assets today.


MOTON Consulting – AWS Partner Spotlight

MOTON Consulting is an AWS Partner and global IT services and products provider to government, commercial institutions, entities, and enterprises.
