IAM is the AWS service that provides user provisioning and access control for an AWS account. Administrators use IAM to create and manage users and groups and to apply granular permission rules that limit which AWS APIs and resources those users can reach. To make the most of IAM, organizations should:
- When creating IAM policies, ensure that they’re attached to groups or roles rather than individual users to minimize the risk of an individual user getting excessive and unnecessary permissions or privileges by accident.
- Grant access to a resource through IAM roles rather than by issuing an individual set of credentials, so that misplaced or compromised credentials do not lead to unauthorized access to the resource.
- Ensure IAM users are given the minimal access privileges to AWS resources that still allow them to fulfil their job responsibilities.
- As a last line of defence against a compromised account, ensure all IAM users have multifactor authentication activated for their individual accounts, and limit the number of IAM users with administrative privileges.
- Rotate IAM access keys regularly and standardize on a set number of days for password expiration, so that a lost or stolen key cannot be used to access data indefinitely.
- Enforce a strong password policy requiring a minimum of 14 characters containing at least one number, one upper-case letter, and one symbol. Apply a password reuse policy that prevents users from choosing any password they have used in their last 10 password resets.
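Several of the practices above (MFA on every console user, key and password rotation, the password policy) can be checked from two artifacts IAM already exposes: the account credential report and the account password policy. The script below is an added example, not code from the original article; it audits an offline copy of both against the thresholds the article describes. The CSV is a constructed sample that uses a subset of the real credential report's columns, the rotation windows of 90 days are an assumption (the text only says "regularly"), and the policy dictionary mirrors the keys returned by IAM's GetAccountPasswordPolicy API. In a live account you would fetch both inputs with boto3 (`iam.get_credential_report()` and `iam.get_account_password_policy()`) and feed them to the same functions.

```python
"""Offline audit of an IAM credential report and password policy (added example)."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90          # assumed rotation window; the article only says "regularly"
MAX_PASSWORD_AGE_DAYS = 90     # assumed expiration window
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so results are deterministic

# Constructed sample credential report (subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2024-05-20T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-02T10:00:00+00:00,true,2023-01-15T08:00:00+00:00,false,true,2022-11-01T00:00:00+00:00,true,2024-05-01T00:00:00+00:00
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-07-07T00:00:00+00:00,false,N/A,false,true,2024-01-15T00:00:00+00:00,false,N/A
"""

# Constructed sample of a weak account password policy (keys as in GetAccountPasswordPolicy).
SAMPLE_WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireSymbols": False,
    "PasswordReusePrevention": 3,
    "ExpirePasswords": False,
}


def _age_days(stamp: str, now: datetime):
    """Age in days of an ISO-8601 report timestamp, or None for the report's N/A-style markers."""
    if stamp in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv: str, now: datetime = NOW) -> dict:
    """Map each user with at least one finding to the list of findings for that user."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        has_password = row["password_enabled"] == "true"
        # Console users must have MFA; users with only access keys are not flagged here.
        if has_password and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        pw_age = _age_days(row["password_last_changed"], now)
        if has_password and pw_age is not None and pw_age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password not changed for {pw_age} days")
        # Check both access-key slots for stale, still-active keys.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] == "true":
                key_age = _age_days(row[f"access_key_{slot}_last_rotated"], now)
                if key_age is not None and key_age > MAX_KEY_AGE_DAYS:
                    issues.append(f"access key {slot} not rotated for {key_age} days")
        if issues:
            findings[row["user"]] = issues
    return findings


def check_password_policy(policy: dict) -> list:
    """Return the gaps between an account password policy and the article's requirements."""
    gaps = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        gaps.append("minimum length below 14")
    for key in ("RequireNumbers", "RequireUppercaseCharacters", "RequireSymbols"):
        if not policy.get(key, False):
            gaps.append(f"{key} not enforced")
    if policy.get("PasswordReusePrevention", 0) < 10:
        gaps.append("reuse prevention below 10 previous passwords")
    if not policy.get("ExpirePasswords", False):
        gaps.append("password expiration not enabled")
    return gaps


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: " + "; ".join(issues))
    for gap in check_password_policy(SAMPLE_WEAK_POLICY):
        print("policy gap:", gap)
```

With the sample data, `alice` and the root account produce no findings, `bob` is flagged for a missing MFA device, a stale password and an unrotated first access key, and `deploy-bot` (keys only, no console password) is flagged only for its old key; the weak policy misses five of the requirements. Running the same functions on a real report gives a per-user worklist for the MFA and rotation items in the list above.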
Unrestricted or overly permissive user accounts increase both the likelihood and the damage of an external or internal threat. Application administrators should limit a user's permissions to the level at which they can do only what is necessary to accomplish their job duties.