DEV Community

Cover image for AWS IAM - Security practices you should consider [100]
Josset Gutierrez
Josset Gutierrez

Posted on • Edited on

AWS IAM - Security practices you should consider [100]

The Root Account is not meant for daily tasks

The Root Account is not intended for daily tasks, constituting the most insecure practice for two critical reasons. Firstly, the root account possesses unrestricted access to all AWS resources within the account, including the ability to delete the AWS account itself. Compromising these credentials could result in the compromise of all created resources.

Moreover, utilizing the root account across various users presents challenges in monitoring activities within the AWS account. As a best practice, individual users should be established with specific permissions. Instead of relying on the root account, it is recommended to create IAM Users and assign them to an IAM group with administrative permissions in the console.

Best practices related to root user account in AWS
¿Which exclusive tasks can a root user do?

Multi-Factor Authentication for all the IAM users

MFA provides an additional layer of protection for each user within the AWS account. While it is primarily utilized for accessing the AWS Console, it can also be enabled for API calls initiated through the AWS CLI.

Available MFA Methods
Example of using MFA with the AWS CLI

Define a plan for Access Keys rotation

Access keys are long-term credentials associated with IAM users that are used to make programmatic requests to AWS services. Access key rotation is a security practice that helps us to minimize the risks associated with unauthorized access and potential misuse of AWS resources. It's recommended to rotate credentials every 90 days.

Principle of Least Privilege access

Grant only the essential permissions required for users and services to accomplish their tasks. If users or roles are provided with excessive permissions, it may lead to unauthorized access to AWS resources or inadvertent modifications. This, in turn, can result in system disruptions, data breaches, or other security incidents.

How to start granting limited permissions to users and roles

Granting of permissions for duties

Managing individual permissions for each IAM user can be a tedious task. Instead, streamline the process by creating IAM Groups with fundamental permissions tailored to the specific tasks users need to perform on designated AWS Services. For example creating IAM Group for Billing purposes, Administration of the console, Deployment approvals, and so on.

More info

Use of IAM Roles in AWS resources
IAM Roles are entities attached to AWS Resources that allow access to other AWS Resources with temporary credentiales managed directly by AWS. It's recommmended to use IAM Roles instead of Access Keys and Secret Keys that are meant to long-term access. Also IAM Roles are intended to be assumable by anyone who needs them.

More info

Top comments (0)