<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Hatice</title>
    <description>The latest articles on DEV Community by Hatice (@hatice_ozsahan).</description>
    <link>https://dev.to/hatice_ozsahan</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860847%2Fff0052f1-e954-4c4c-a82d-337d88726269.jpg</url>
      <title>DEV Community: Hatice</title>
      <link>https://dev.to/hatice_ozsahan</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/hatice_ozsahan"/>
    <language>en</language>
    <item>
      <title>Identity and Access Management (IAM) Best Practices for Security</title>
      <dc:creator>Hatice</dc:creator>
      <pubDate>Wed, 05 Apr 2023 09:56:20 +0000</pubDate>
      <link>https://dev.to/hatice_ozsahan/identity-and-access-management-iam-best-practices-that-shouldnt-be-an-afterthought-5afo</link>
      <guid>https://dev.to/hatice_ozsahan/identity-and-access-management-iam-best-practices-that-shouldnt-be-an-afterthought-5afo</guid>
      <description>&lt;p&gt;Identity and Access Management (IAM) is crucial to every cloud security strategy, but it often flies under the radar. IAM ensures that only the right, authorized people and job roles in your organization (identities) have access to your cloud resources. Ultimately, it helps manage a range of identities, including users, software, and hardware.&lt;/p&gt;

&lt;p&gt;To give it a bit of perspective, IAM brings two core advantages: security and productivity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Traditional security revolves around users and their passwords, which can quickly get exposed, making organizations vulnerable to attacks. IAM services narrow down attack vectors, complicate the potential hacking process, and provide backstops to catch mistakes earlier.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Productivity:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Once employees log in to the main IAM portal, they no longer need to worry about typing in the correct passwords or having the right access level to complete their tasks. Their access and permissions can easily be managed as a group or role instead of going through each individually. &lt;/p&gt;

&lt;p&gt;Don’t ever say, “&lt;em&gt;we’ll cross that bridge once we get to it&lt;/em&gt;.” There’s no shortcut for security, so today is the day you’ll learn IAM best practices.&lt;/p&gt;

&lt;p&gt;For a quick, all-cards-on-the-table summary, the &lt;strong&gt;top 10 IAM best practices&lt;/strong&gt; include:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Adopt the principle of least privilege&lt;/li&gt;
&lt;li&gt;Enforce multifactor authentication (MFA)&lt;/li&gt;
&lt;li&gt;Periodically rotate access keys&lt;/li&gt;
&lt;li&gt;Use temporary security credentials&lt;/li&gt;
&lt;li&gt;Regularly audit logs&lt;/li&gt;
&lt;li&gt;Grant permissions by roles&lt;/li&gt;
&lt;li&gt;Deprovision unused IAM accounts&lt;/li&gt;
&lt;li&gt;Leverage Separation of Duties&lt;/li&gt;
&lt;li&gt;Properly manage administrator credentials&lt;/li&gt;
&lt;li&gt;Safeguard root user account&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Let’s dive deeper.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funneled and controlled through the team that we have, how do we work through that in a well-formatted, formulated process, and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.” — Dr. Chris Pierson, CEO, Binary Sun Cyber Risk Advisors, at SecureWorld Charlotte.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Top 13 Security Best Practices in IAM
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Adopt the principle of least privilege
&lt;/h3&gt;

&lt;p&gt;One of the basic IAM best practices you should adopt is being extra stingy when handing out privileges. There’s even a principle for that. The Principle of Least Privilege restricts granted user privileges to only what’s necessary to complete a given task. It states that a user or program should operate with the least privileges possible. The primary goal is to limit potential damages from an accident or error.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If a user doesn’t need access to complete the task, they shouldn’t have the privilege. This principle helps DevOps and security teams substantially reduce the blast radius of a vulnerability or attack by cutting down on the permissions linked to an account.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So, the IAM cloud best practice is to grant only the exact amount of privileges required to perform a task. To take it a bit further with a better approach, continuously maintain the least privilege and get alerted when a change occurs.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Enforce multifactor authentication (MFA)
&lt;/h3&gt;

&lt;p&gt;Multifactor authentication adds an extra layer of protection against cyber threats by complicating the hacking process. Therefore, it’s the cornerstone of security at a fundamental level. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NsD0efBq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/85cq2cr65nsyxp7aia5m.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NsD0efBq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/85cq2cr65nsyxp7aia5m.jpeg" alt="MFA meme" width="666" height="500"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With MFA enabled, even if a malicious actor steals an account’s credentials, they won’t be able to verify a valid identity without a physical or virtual MFA token. As a general rule of thumb and cloud IAM security, activate MFA for all your cloud accounts. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS IAM best practice:&lt;/strong&gt; When you &lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html"&gt;configure MFA&lt;/a&gt; for the root user, it applies to only root user credentials. Since IAM users in your account are distinct identities with different credentials, each has its own MFA configuration. &lt;/p&gt;

&lt;p&gt;Also, see the &lt;a href="https://cloud.google.com/identity/solutions/enforce-mfa"&gt;GCP uniform MFA enforcement doc&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Periodically rotate access keys
&lt;/h3&gt;

&lt;p&gt;Users in a cloud account should regularly rotate access tokens as an IAM security best practice. Rotating Identity Access Management (IAM) credentials significantly minimizes the risk of credential compromise. Rotation shortens the active period of an access key, making it expire within the designated schedule. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The process involves:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Creating new access tokens.&lt;/li&gt;
&lt;li&gt;Changing the old tokens used by your applications.&lt;/li&gt;
&lt;li&gt;Deleting the old tokens.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Like changing credentials, periodically changing API tokens also limits the damage an exposed API token can cause.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;How often should you rotate access keys?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;You should rotate your access keys every 90 days or less, like 45 days. A cyber asset security solution can automate the process for you and continuously check the rotation status of your tokens.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--JgpjGwjD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wzsl9geojul1ctoyx6b3.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--JgpjGwjD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wzsl9geojul1ctoyx6b3.jpeg" alt="cloud security meme by CloudTweaks" width="880" height="816"&gt;&lt;/a&gt; Source: CloudTweaks&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Use temporary security credentials
&lt;/h3&gt;

&lt;p&gt;Another Identity Access Management best practice is using temporary security credentials instead of long-term access to your cloud environment. You should use temporary credentials whenever and wherever possible. &lt;/p&gt;

&lt;p&gt;This can be achieved with &lt;strong&gt;IAM roles&lt;/strong&gt;, which grant access to your cloud account through short-term credentials. In this way, authorized identities can assume roles to make a request.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Regularly audit logs
&lt;/h3&gt;

&lt;p&gt;As an IAM cloud best practice, you should regularly audit your logs to identify anomalies in time and prevent potential attacks or exposure. Typically, cloud providers offer specific ways to audit logs. Google Cloud users, for example, can use &lt;a href="https://cloud.google.com/logging/docs/audit"&gt;Cloud Audit Logs&lt;/a&gt; to regularly audit changes. AWS users, on the other hand, can monitor the account activity of specific IAM users, roles, and AWS access keys by using any of the &lt;a href="https://aws.amazon.com/premiumsupport/knowledge-center/view-iam-history/"&gt;following solutions&lt;/a&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS CloudTrail event history&lt;/li&gt;
&lt;li&gt;Amazon Athena queries&lt;/li&gt;
&lt;li&gt;Amazon CloudWatch Logs Insights&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  6. Grant permissions by roles
&lt;/h3&gt;

&lt;p&gt;We briefly mentioned assuming roles under Using Temporary Credentials, but it’s worth underlining. As opposed to using an administrator identity to perform regular tasks, designate new roles for different tasks that can be assumed when needed.&lt;/p&gt;

&lt;p&gt;Assuming roles requires tokens or sessions, which are temporary and can be revoked. Therefore, it’s less risky than giving out long-term credentials to just anyone. You know, caution is parent to safety.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. Deprovision unused IAM accounts
&lt;/h3&gt;

&lt;p&gt;Ultimately, it’s best to de-provision all identities when you no longer need them. Some identities, for example, might never be used or belong to a former employee. These dormant IAM accounts lead to attack surface expansion and serious vulnerabilities like ticking bombs ready to explode if spotted by a threat actor. &lt;/p&gt;

&lt;h3&gt;
  
  
  8. Leverage Separation of Duties (SoD)
&lt;/h3&gt;

&lt;p&gt;Another identity access management best practice to avoid security or privacy incidents is to separate duties. Let’s dig into what that means. The Separation of Duties (&lt;a href="https://cloud.google.com/kms/docs/separation-of-duties#:~:text=Separation%20of%20duties%20is%20the,not%20normally%20have%20access%20to."&gt;SoD&lt;/a&gt;) concept ensures that no single user holds enough permissions to misuse them. An example would be an action such as accessing and decrypting data that should not normally be available to that user.&lt;/p&gt;

&lt;p&gt;Ultimately, segregation of duties requires breaking down tasks into multiple tasks or having more than one person complete the tasks. It can be enforced in the following ways:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Statically:&lt;/strong&gt; i.e., by defining conflicting roles or roles that can’t be performed by the same person&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Dynamically:&lt;/strong&gt; i.e., by enforcing the control at access time&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It might be challenging to achieve with limited staff. Still, it surely has benefits like prevention of abuse, fraud, or error as well as detection of control failures such as security breaches.&lt;/p&gt;

&lt;h3&gt;
  
  
  9. Properly manage administrator credentials
&lt;/h3&gt;

&lt;p&gt;As one of the access control best practices, ensure that administrator credentials strictly belong to the administrators and no one else. Give each admin their own admin account to log in to the Admin console instead of using the same account. Otherwise, you wouldn’t be able to tell who is responsible for a certain activity even though you see the activity in the audit log.&lt;/p&gt;

&lt;h3&gt;
  
  
  10. Safeguard root user account
&lt;/h3&gt;

&lt;p&gt;The root user account has access to and control over everything in a cloud environment, even your billing information. Unlike Identity and Access Management users and groups, it’s not possible to reduce an AWS root user’s permissions or restrict access. Therefore, it’s imperative that you protect AWS root user keys at all costs. If a malicious user has access to your root user credentials, such as a disgruntled employee or contractor, they can cause irreversible damage.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Do not create access keys for the root user unless it’s definitely required.&lt;/li&gt;
&lt;li&gt;Instead, use the account email and password to open the Management Console, create an IAM user for yourself, then grant it admin privileges.&lt;/li&gt;
&lt;li&gt;If you still choose to keep the root user access key, you should rotate it every 90 days or less. &lt;/li&gt;
&lt;li&gt;Ensure the root user account complies with cloud security best practices like activating MFA. &lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  11. Secure user access keys
&lt;/h3&gt;

&lt;p&gt;Access keys are long-term credentials for IAM users or AWS account root users. These keys provide programmatic sign-in requests to a cloud environment. As an IAM best practice, it’s recommended that you use temporary credentials, a.k.a. IAM roles, instead of long-term ones like access keys. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Do not generate access keys for the root user account.&lt;/li&gt;
&lt;li&gt;There might be access keys that were created and forgotten about. If you use access keys, make sure to put automation in place to detect and delete unused and inactive keys.&lt;/li&gt;
&lt;li&gt;Regularly rotate the access keys.&lt;/li&gt;
&lt;li&gt;Do not provide access keys to any third parties.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  12. Adopt a zero-trust policy
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zh2enlpR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gafkr86mttrxh33cs00p.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zh2enlpR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gafkr86mttrxh33cs00p.jpeg" alt="zero trust meme" width="880" height="307"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Zero Trust relies on the core principle of “never trust, always verify.” Adopting a Zero-Trust security strategy goes hand in hand with IAM best practices because Zero Trust architecture’s foundational rule applies least-privilege access. &lt;/p&gt;

&lt;h3&gt;
  
  
  13. Continuously audit cloud IAM security
&lt;/h3&gt;

&lt;p&gt;Last but not least, an Identity and Access Management best practice is acknowledging that security at all levels requires continuity. You should be able to tell whether your cloud environment follows these IAM best practices whenever anything goes sideways. This can be done with a third-party cyber asset attack surface management tool like &lt;a href="https://www.resmo.com/"&gt;Resmo&lt;/a&gt;. &lt;/p&gt;

&lt;h2&gt;
  
  
  Cloud IAM security FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. What are the best practices for IAM?
&lt;/h3&gt;

&lt;p&gt;IAM best practices include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Adopting the Principle of Least Privilege.&lt;/li&gt;
&lt;li&gt;Separation of Duties.&lt;/li&gt;
&lt;li&gt;Enforcing MFA.&lt;/li&gt;
&lt;li&gt;Protecting your root user account.&lt;/li&gt;
&lt;li&gt;Securing access keys.&lt;/li&gt;
&lt;li&gt;Using temporary credentials.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. What is the best practice for IAM authorization?
&lt;/h3&gt;

&lt;p&gt;Use temporary security credentials, such as granting access through IAM roles, instead of giving long-term credentials, which can easily be used as an attack vector.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. What are the 4 components of IAM?
&lt;/h3&gt;

&lt;p&gt;The 4 main components of IAM are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Access Management&lt;/li&gt;
&lt;li&gt;Privileged Account Management&lt;/li&gt;
&lt;li&gt;Identity Administration&lt;/li&gt;
&lt;li&gt;Access Governance&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>Introduction to AWS Config: Simplified Cloud Monitoring</title>
      <dc:creator>Hatice</dc:creator>
      <pubDate>Mon, 16 May 2022 13:58:15 +0000</pubDate>
      <link>https://dev.to/hatice_ozsahan/introduction-to-aws-config-simplified-cloud-monitoring-1hdn</link>
      <guid>https://dev.to/hatice_ozsahan/introduction-to-aws-config-simplified-cloud-monitoring-1hdn</guid>
      <description>&lt;p&gt;Modern cloud environments are ever-changing, and so is the nature of cloud computing. The growing cloud assets accompany the &lt;a href="https://www.resmo.com/blog/reasons-behind-attack-surface-expansion"&gt;attack surface expansion&lt;/a&gt; problem for organizations, which unveils the need for visibility of cloud resources. AWS Config addresses that exact demand. It can be challenging to understand resources within your infrastructure like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Seeing what resources you have&lt;/li&gt;
&lt;li&gt;Understanding your current configurations&lt;/li&gt;
&lt;li&gt;Knowledge of configuration changes and change histories&lt;/li&gt;
&lt;li&gt;Assessing if your resources are compliant with specific governance controls&lt;/li&gt;
&lt;li&gt;Having accurate and up-to-date audit information&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Depending on the size of your AWS resources or deployment, overcoming these challenges and obtaining this information can become time-consuming and budget-intensive unless you use a resource visibility and auditing tool like &lt;a href="https://www.resmo.com/blog/introduction-to-aws-config#"&gt;AWS Config&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This blog aims to get you started with AWS Config and understand its basic concepts, advantages, and disadvantages. Let's dive in with an introduction.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is AWS Config?
&lt;/h2&gt;

&lt;p&gt;AWS Config is an AWS service that allows you to audit, assess, and evaluate your AWS resource configurations. The service records and evaluates the configurations of your AWS resources against desired configurations, a set of rules, or conformance packs. It's an optimal service for cloud auditing and asset visibility.&lt;/p&gt;

&lt;p&gt;In terms of visibility, Config also enables you to view configuration histories, which streamlines change management, operational troubleshooting, and security analysis.&lt;/p&gt;

&lt;p&gt;Here's a breakdown of what Config offers for cloud auditing:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Configuration history of AWS resources and software&lt;/li&gt;
&lt;li&gt;Customizable rules&lt;/li&gt;
&lt;li&gt;Conformance packs&lt;/li&gt;
&lt;li&gt;Tracking resource relationships&lt;/li&gt;
&lt;li&gt;Configuration snapshots&lt;/li&gt;
&lt;li&gt;Governance dashboard&lt;/li&gt;
&lt;li&gt;Integrations with other AWS services&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Get started with Bite-Size Key Concepts
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;AWS Resources&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AWS resources are entities that are created and managed within the AWS Management Console or using the AWS Command Line Interface (CLI), SDKs, or AWS partner tools. For example, Amazon EC2 instances, VPCs, and Elastic Block Store are resources. &lt;a href="https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources"&gt;See the current list of supported resource types&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuration Items&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A configuration item, or CI, is a point-in-time view of a supported resource. It comprises a JSON file holding the resource configuration information, relationship information, or related metadata as a point-in-time snapshot. So, Config forms a CI every time a resource configuration change takes place. Config records directly related resources as well to ensure they aren't affected by the changed configuration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuration Stream&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A configuration stream is a list of all your configuration items for the resources being recorded by Config. The list is automatically updated every time a resource is created, modified, or deleted. The configuration stream is delivered through an Amazon Simple Notification Service (SNS) topic, which lets you know whenever a change occurs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuration History&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As the name gives away, a configuration history is a collection of your configuration items for a given resource over a specific time period. It enables you to understand, for example, how the resource has been configured over a given period, how it was configured when it was created, or what configuration changes took place at a specific time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuration Snapshots&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A configuration snapshot refers to a complete, point-in-time picture of the resources that Config is recording and their configurations. Additionally, configuration snapshots can be sent to an S3 bucket.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configuration Recorder&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The AWS Config configuration recorder stores the configurations of supported resources as configuration items. You can start, restart, and stop the recorder at any time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Resource Relationships&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AWS Config enables you to discover AWS resources and map their relationships. For example, you can find out if an EBS volume is attached to an EC2 instance associated with a security group.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Managed and Custom Rules&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Config offers a set of predefined rules and the ability to create custom ones. An AWS Config rule refers to your desired configuration settings for a specific resource or your entire AWS account. Once you activate a rule, Config compares resources against the conditions of a particular rule. This process can be triggered either when a change occurs or periodically based on the frequency of your choice (e.g., every 24 hours).&lt;/p&gt;

&lt;h2&gt;
  
  
  How Does AWS Config Work?
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xV1GXkLA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9ypu3kjrvprxpl9der3e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xV1GXkLA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9ypu3kjrvprxpl9der3e.png" alt="how does AWS Config work" width="851" height="401"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;(Source: AWS)&lt;/p&gt;

&lt;p&gt;Once switched on, AWS Config starts discovering the supported AWS resources in your account and generates a configuration item for each resource. It also creates configuration items whenever a resource configuration changes. It records and holds the historical records of your resources from the time you start the recorder until you stop it. &lt;/p&gt;

&lt;p&gt;AWS Config keeps track of configuration changes and examines them periodically or based on rule triggers. If you use AWS Config rules, it continuously evaluates your resources and compares them against desired settings. If a resource violates a rule you set up, Config flags it as non-compliant. Subsequently, when the compliance status changes, the service delivers a notification to your Amazon SNS topic.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; AWS Config's &lt;strong&gt;supported resource types&lt;/strong&gt; cover many Amazon services, including CloudFront, CloudWatch, DynamoDB, EC2, CloudTrail, Elastic Beanstalk, and Lambda Function. It provides 200+ predefined rules and also supports custom rules, with some limitations.&lt;/p&gt;

&lt;h2&gt;
  
  
  Advantages AWS Config Brings
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8hnGhIuI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q6ja3nozff6cq24w0mt7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8hnGhIuI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q6ja3nozff6cq24w0mt7.png" alt="AWS Config advantages and disadvantages" width="880" height="462"&gt;&lt;/a&gt;&lt;br&gt;
The ultimate benefit to reap from AWS Config is, without a doubt, the ability to discover AWS resources and track configuration changes. In addition, we can expand on the benefits, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Continuous monitoring and recording of configuration changes across your AWS resources&lt;/li&gt;
&lt;li&gt;Change management: Ability to observe historical configuration changes&lt;/li&gt;
&lt;li&gt;Continuous cloud resource auditing and compliance assessment&lt;/li&gt;
&lt;li&gt;Operational troubleshooting with AWS CloudTrail&lt;/li&gt;
&lt;li&gt;Multi-account and multi-region data aggregation&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  AWS Config Disadvantages
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--M2mfNlW5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/et0a4cfzyb7bsbkrmiwn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--M2mfNlW5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/et0a4cfzyb7bsbkrmiwn.png" alt="AWS Config costs" width="880" height="162"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(Source: AWS)&lt;/em&gt;&lt;br&gt;
While AWS Config is a good service to monitor AWS resources, we can also point to its disadvantages for a more accurate and objective view of the service.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The more configuration items it generates, the costlier it becomes.&lt;/li&gt;
&lt;li&gt;While it supports third-party services, the service is best for AWS resources. That means multi-cloud users and organizations that seek configuration visibility for SaaS assets will need additional tools.&lt;/li&gt;
&lt;li&gt;Config lacks full coverage for AWS services. In 2019, it supported 26 services and 72 resource types. It supports 45 AWS services and 200+ rules at the time of this writing. However, even for its own services, the coverage still falls behind what other services offer.&lt;/li&gt;
&lt;li&gt;It poses usability issues. AWS Config is a regional service; that is to say, you need to set up the service in all regions for all your AWS accounts. This translates into an excessive effort for those with a considerable number of AWS accounts. And this is only one possible situation where it would demand a lot of effort on your part.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Wrap-Up
&lt;/h2&gt;

&lt;p&gt;AWS Config is a practical service to audit AWS cloud resources and gain asset visibility, which is invaluable for organizations that want to avoid misconfigurations, understand and secure resources, and troubleshoot faster.&lt;/p&gt;

&lt;p&gt;Depending on your deployment size within AWS, it might be best to use Config. However, for expanding digital assets dispersed across multi-cloud environments and SaaS toolchains, you may want to replace Config with an alternative service like &lt;a href="https://www.resmo.com/"&gt;Resmo&lt;/a&gt;. It would be much more profitable in the long run. Resmo offers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.resmo.com/product/sql-query-engine"&gt;SQL querying&lt;/a&gt; across multiple clouds and SaaS resources, including many AWS Config rules, a heap of ready-to-use queries, rules, and room to create custom ones&lt;/li&gt;
&lt;li&gt;Configuration change histories in relation to who did the change, when the change occurred, the change date, etc.&lt;/li&gt;
&lt;li&gt;Collecting compliance evidence faster and using compliance packs&lt;/li&gt;
&lt;li&gt;Setting up integrations in minutes and aggregating assets with ease&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Know what needs to be detected in real time, and secure your digital landscapes. That's all! Hope you enjoyed this article. &lt;/p&gt;

</description>
      <category>beginners</category>
      <category>cloud</category>
      <category>cloudskills</category>
      <category>aws</category>
    </item>
  </channel>
</rss>
