Managing access and permissions in AWS is critical for maintaining the security and integrity of your cloud environment. IAM is a robust framework designed by AWS, but you are responsible for using it well and keeping your project safe from attackers.
1. Create IAM groups to separate access
IAM groups are collections of IAM users. Instead of assigning policies directly to each user, you can attach them to a group. Users in the group inherit the group's permissions, making it easier to manage access at scale.
In the image above, Nick inherits the permissions of his group, but you also have the flexibility to assign custom permissions specifically to him. The same applies to any other user within any group as needed.
2. Principle of least privilege
Grant users, roles, and services only the permissions they need to perform their tasks. Avoid overly permissive policies such as the AdministratorAccess managed policy or statements that use the `*` wildcard for actions and resources.
Instead of this policy, which allows every action on every resource:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Use narrowly scoped permissions for specific actions and resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}
3. Use multi-factor authentication (MFA)
Enable MFA for all users, especially for highly privileged identities such as the root user or admin users who have the AdministratorAccess policy. MFA adds a layer of security by requiring a second factor; you can use a mobile app or a hardware device.
There are apps you can download from the app store, such as Google Authenticator (my preferred) or Authy.
4. Avoid using root account for daily operations
The root account has unrestricted access to all resources in your AWS environment. Use it only for initial account setup and specific administrative tasks. Create individual IAM users or roles for daily operations.
5. Configure the password policy for your users
Access keys and passwords should be rotated periodically to reduce the risk of unauthorized access.
You can configure this in:
IAM > Account Settings > Edit password policy
Align with industry standards or your company policies.
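Sections 3, 4 and 5 (MFA, root usage, rotation) can all be checked from one source: the IAM credential report, which you obtain with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the content comes back base64-encoded CSV). The script below is an added example, not code from the original post: it parses a report and flags console users without MFA, root access keys and recent root sign-ins, and access keys older than a rotation limit. The report rows are constructed for this example (same column layout as the real report, made-up account id, users and dates), and the 90-day key limit and 30-day "recent root use" window are assumptions you should align with your own policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation limit; adjust to your policy
RECENT_ROOT_DAYS = 30   # assumed window in which root sign-in counts as "daily use"

# Constructed sample credential report (columns as in the real report; data is made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T08:00:00+00:00,not_supported,2024-03-01T09:15:00+00:00,not_supported,not_supported,false,true,2022-01-10T08:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
nick,arn:aws:iam::111122223333:user/nick,2023-05-02T12:00:00+00:00,true,2024-03-02T07:40:00+00:00,2023-11-20T10:00:00+00:00,2024-02-18T10:00:00+00:00,true,true,2024-01-15T10:00:00+00:00,2024-03-02T07:41:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-06-15T09:01:00+00:00,2024-03-02T01:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample audit is reproducible (constructed, like the report).
REPORT_DATE = datetime(2024, 3, 3, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return a list of human-readable findings for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        if is_root:
            # Section 4: root should have no access keys and no routine sign-ins.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(f"{user}: root access key {n} is active; delete it")
            last_used = _parse_ts(row["password_last_used"])
            if last_used and now - last_used < timedelta(days=RECENT_ROOT_DAYS):
                age = (now - last_used).days
                findings.append(f"{user}: root password used {age} day(s) ago; use IAM identities for daily work")
            if row["mfa_active"] != "true":
                findings.append(f"{user}: root has no MFA")

        # Section 3: anyone who can sign in to the console needs MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled without MFA")

        # Section 5: active access keys must have been rotated recently.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append(f"{user}: access key {n} is {(now - rotated).days} days old (limit {MAX_KEY_AGE_DAYS})")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, REPORT_DATE):
        print(finding)
```

On the sample report the clean user (nick, MFA on, key rotated within 90 days) produces nothing, while the root user and the long-lived CI key are flagged. Running this on a schedule and alerting on new findings turns the checklist above into something you can actually enforce.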
My opinion about this:
AWS is responsible for everything they do, for example their infrastructure, their network security and the vulnerability analysis of the services they offer.
But regarding IAM, you are responsible for creating your own users, groups, roles and policies, for monitoring, for enabling MFA on the accounts, rotating your keys often, analysing the access patterns and reviewing the permissions given to groups/users/roles.
Never forget these concepts, because neglecting them can lead to security breaches for your organization. I hope I helped you somehow!