AWS Security Blog
Make a New Year Resolution: Adhere to IAM Best Practices
As another new year begins, we want to encourage you to be familiar with recommended AWS Identity and Access Management (IAM) best practices. Following these best practices can help you maintain the security of your AWS account. You can learn more by watching the IAM Best Practices presentation that was given by Anders Samuelsson at AWS re:Invent 2014, or you can click the following links that will take you into the IAM documentation.
Do not use your AWS root account to access AWS. Instead, create individual IAM users for access to your AWS account. This allows you to give each IAM user a unique set of security credentials and grant different permissions to each user.
Apply fine-grained permissions to ensure that IAM users have least privilege to perform only the tasks they need to perform. Start with a minimum set of permissions and grant additional permissions as necessary.
Assign permissions to groups instead of to users to make it easier for you to assign and reassign permissions to multiple users at the same time. As people in your company change job roles, you can simply change which IAM group each IAM user belongs to.
Use conditions to add more granularity when defining permissions. The more explicitly you can define when resources are available and to whom, the safer your resources will be. Using conditions also can prevent your AWS users from accidentally performing privileged actions.
Enable logging of AWS API calls to gain greater visibility into users’ activity in your AWS resources. Logging lets you see which actions users have taken and which resources have been used, along with details such as the time and date of actions and the actions that have failed because of inadequate permissions.
Configure password expiration, strength, and reuse to help ensure that your users and your data are protected by strong credentials. For enhanced security, use a strong password policy together with multi-factor authentication (MFA)—see the ninth IAM best practice below.
Change your own passwords and access keys regularly, and make sure that all IAM users in your AWS account do as well. You can apply a password policy to your AWS account to require all your IAM users to rotate their passwords, and you can choose how often they must do so. If a password is compromised without your knowledge, regular credential rotation limits how long that password can be used to access your AWS account.
Generate and download a credential report that lists all IAM users in your AWS account and the status of their various credentials. Review the credential report to determine which credentials have not been used recently and can be removed. Removing unused credentials reduces your attack surface.
Supplement user names and passwords by requiring a one-time password during authentication. This allows you to enable extra security for privileged IAM users (users who are allowed access to sensitive resources).
Never share credentials! Instead, use IAM roles that allow you to specify whom you trust and what each role can do in your account. Also use IAM roles to delegate permissions across and within your accounts to both IAM and federated users.
Use IAM roles to manage credentials for your applications that run on EC2 instances. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials. Also, any changes you make to a role used for multiple instances are propagated to all such instances, again simplifying credential management.
Adhere to IAM best practices to manage AWS users, groups, permissions, and credentials in order to make your AWS account as secure as possible. If you have questions or feedback about IAM best practices, please visit the AWS IAM forum.
– Craig