AWS Security Blog

Make a New Year Resolution: Adhere to IAM Best Practices

As another new year begins, we want to encourage you to be familiar with recommended AWS Identity and Access Management (IAM) best practices. Following these best practices can help you maintain the security of your AWS account. You can learn more by watching the IAM Best Practices presentation that was given by Anders Samuelsson at AWS re:Invent 2014, or you can click the following links that will take you into the IAM documentation.

  1. Create and use IAM users instead of your root account.

Do not use your AWS root account to access AWS. Instead, create individual IAM users for access to your AWS account. This allows you to give each IAM user a unique set of security credentials and grant different permissions to each user.

  1. Grant least privilege.

Apply fine-grained permissions to ensure that IAM users have least privilege to perform only the tasks they need to perform. Start with a minimum set of permissions and grant additional permissions as necessary.

  1. Manage permissions with groups.

Assign permissions to groups instead of to users to make it easier for you to assign and reassign permissions to multiple users at the same time. As people in your company change job roles, you can simply change which IAM group each IAM user belongs to.

  1. Restrict privileged access further with policy conditions.

Use conditions to add more granularity when defining permissions. The more explicitly you can define when resources are available and to whom, the safer your resources will be. Using conditions also can prevent your AWS users from accidentally performing privileged actions.

  1. Enable AWS CloudTrail to get logs of API calls.

Enable logging of AWS API calls to gain greater visibility into users’ activity in your AWS resources. Logging lets you see which actions users have taken and which resources have been used, along with details such as the time and date of actions and the actions that have failed because of inadequate permissions.

  1. Configure a strong password policy.

Configure password expiration, strength, and reuse to help ensure that your users and your data are protected by strong credentials. For enhanced security, use a strong password policy together with multi-factor authentication (MFA)—see the ninth IAM best practice below.

  1. Rotate security credentials regularly.

Change your own passwords and access keys regularly, and make sure that all IAM users in your AWS account do as well. You can apply a password policy to your AWS account to require all your IAM users to rotate their passwords, and you can choose how often they must do so. If a password is compromised without your knowledge, regular credential rotation limits how long that password can be used to access your AWS account.

  1. Remove unused security credentials that are not needed.

Generate and download a credential report that lists all IAM users in your AWS account and the status of their various credentials. Review the credential report to determine which credentials have not been used recently and can be removed. Removing unused credentials reduces your attack surface.

  1. Enable multi-factor authentication (MFA) for privileged users.

Supplement user names and passwords by requiring a one-time password during authentication. This allows you to enable extra security for privileged IAM users (users who are allowed access to sensitive resources).

  1. Use IAM roles to share access.

Never share credentials! Instead, use IAM roles that allow you to specify whom you trust and what each role can do in your account. Also use IAM roles to delegate permissions across and within your accounts to both IAM and federated users.

  1. Use IAM roles for Amazon EC2 instances.

Use IAM roles to manage credentials for your applications that run on EC2 instances. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials. Also, any changes you make to a role used for multiple instances are propagated to all such instances, again simplifying credential management.

Adhere to IAM best practices to manage AWS users, groups, permissions, and credentials in order to make your AWS account as secure as possible. If you have questions or feedback about IAM best practices, please visit the AWS IAM forum.

– Craig