DEV Community

Yanik Peiffer
Best Practices for AWS IAM: Strengthening Your Security

Amazon Web Services (AWS) Identity and Access Management (IAM) is the cornerstone of security when it comes to managing access to AWS resources. Everyone who has worked with AWS knows how powerful, and sometimes complicated, IAM can be. At least I had some trouble when I began diving into the AWS universe.

To make your AWS account, and the infrastructure inside it, secure, there are many best practices that we can, and probably should, implement. From my experience, the following ten practices are crucial when using AWS as a production environment.

What security best practices do you always make sure to follow?

1. Safeguard Your AWS Root User Access Keys

This should be your first action after setting up your AWS account. You never want anyone to have access to your AWS account as the root user. There are horror stories of people who had to pay immense AWS bills because their root account was hijacked, and no one wants to be the person who has to ask AWS to regain access (if that is even possible).

To avoid your root access being stolen, give it a very strong password, store it in a vault, and simply never use it to access AWS. Instead, create yourself an IAM user with the permissions required for your daily operations.

2. Enable Multi-Factor Authentication (MFA)

The second action after setting up your AWS account is to enable multi-factor authentication. In a perfect world, every IAM user has MFA enabled; your root user must have it in any case. With MFA you add a layer of security by requiring users to provide a second authentication factor, such as a time-based one-time password (TOTP) generated on a phone. It is not even bound to a specific app; you can use e.g. Google Authenticator or Microsoft Authenticator.

3. Use Roles for Delegating Permissions

IAM roles are a powerful feature that allows you to grant permissions to entities like AWS services, users, or resources without sharing long-term access keys. A role defines a set of permissions, specified in an IAM policy, and then allows trusted entities to assume it. Once a service or a user assumes the role, AWS issues temporary credentials. You can use roles throughout your whole AWS infrastructure.

4. Follow the Principle of Least Privilege

The principle of least privilege means that, by default, a user or a role has no permissions at all. Depending on the needs, you grant only the atomic permissions required to perform the necessary tasks. Every additional, unnecessary permission can create a security vulnerability.

Sounds good in theory, right? Especially when starting with AWS, it is quite difficult and time-consuming to apply least privilege consistently. There are many situations where I'm stuck debugging because some role does not have the correct permissions. Still, this practice is crucial when setting up a production environment. We can start with wider permissions, but at some point we need to take the time to lock all roles down to the least privileges they need.

5. Begin with AWS Managed Policies

A good starting point when digging into IAM and policies is to use the managed policies that AWS offers. There are many, and for nearly every scenario you can find a matching one. In many cases, though, the managed policies give a user or role too many permissions. Always consider making a trimmed copy of the policy with all unnecessary permissions removed.

6. Implement a Strong Password Policy

Strong passwords should be used by every user who works with AWS. Enforce this by defining a robust password policy for your IAM users. IAM gives you various options to configure: required password complexity, regular password changes, and lockouts after too many failed login attempts.

7. Utilize Roles for Applications on EC2 Instances

When applications running on an EC2 instance need to reach other resources such as databases or S3 storage, use roles. Instead of storing credentials on the EC2 instance, a role attached to the instance handles access to those resources: AWS automatically creates temporary credentials when the instance uses the role. On top of simplicity, you make your setup more secure.
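As an added example (not code from the post), here is a small Python check over two constructed trust policies: one for an EC2 instance role that only the EC2 service may assume, and one cross-account role guarded by an `sts:ExternalId` and an MFA condition. The account id and external id are placeholders.

```python
# Sample trust policies (constructed, not from the post): the account id is a placeholder.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},  # only the EC2 service may assume it
        "Action": "sts:AssumeRole",
    }],
}

CROSS_ACCOUNT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {  # guards for an account principal: a shared secret and MFA
            "StringEquals": {"sts:ExternalId": "example-external-id"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return findings for Allow statements that let too many parties assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {i}: Principal '*' lets any AWS identity assume this role")
            continue
        # Condition keys present on the statement, case-folded (IAM condition keys are case-insensitive)
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        for arn in aws_principals:
            if "sts:externalid" not in cond_keys:
                findings.append(f"statement {i}: {arn} trusted without an sts:ExternalId condition")
            if "aws:multifactorauthpresent" not in cond_keys:
                findings.append(f"statement {i}: {arn} trusted without requiring MFA")
    return findings
```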

8. Avoid Sharing Access Keys

I cannot think of any scenario where it is really necessary to share access keys. We always want to know who is using our infrastructure. Create independent access keys for every user who needs to interact with AWS. This is more effort when setting up users, but in the end it is easier to revoke access for a single party if you have to.

9. Remove Unnecessary Access Permissions

I created a recurring reminder to check our AWS permissions every three months. Most of the time there is nothing to modify, but this way I make sure that we always use least-privilege policies and that only authorized users have access to our AWS account.
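An added example (not the author's code) serving practices 4, 5 and 9: a constructed full-access-style S3 policy beside a least-privilege replacement, a linter that flags the over-broad statements a quarterly review should catch, and a deliberately simplified allow-only evaluator (no Deny or Condition handling, an assumption of this example) showing what each policy actually permits. The bucket name is a placeholder.

```python
import fnmatch

# Constructed sample modelled on a "full access" managed policy: every S3 action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed least-privilege replacement: only the calls one upload job needs, on one prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Flag Allow statements that are broader than least privilege calls for."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' without a Condition")
    return findings


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation (assumption): Allow statements only; Deny and Condition are ignored."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM matches action names case-insensitively and treats '*' as a glob
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            return True
    return False
```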

10. Monitor and Audit AWS Activities

Services like AWS CloudTrail allow you to track actions across your AWS account, which is the basis for security compliance and threat detection. CloudTrail records all API calls and actions performed within your AWS account. Monitoring this activity lets you detect suspicious or unauthorized actions, and you can set up alerts and triggers that notify you when specific events occur, such as failed login attempts, changes to security groups, or access to sensitive data.
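An added example, not from the post: a few constructed CloudTrail records (placeholder account id, IPs from documentation ranges, fields trimmed to what the rules read) run through detection rules for the events named above, plus root-user activity and someone switching off the trail itself.

```python
# Constructed sample CloudTrail records (not real account data), trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2024/salaries.csv"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

SECURITY_GROUP_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                          "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
SENSITIVE_BUCKETS = {"payroll-exports"}  # constructed: reads from these buckets should raise an alert


def classify_event(event: dict):
    """Return an alert label for one record, or None for routine activity."""
    identity = event.get("userIdentity", {})
    name = event.get("eventName")
    if identity.get("type") == "Root":
        return "root-account-activity"  # practice 1: the root user is never used day to day
    if name == "ConsoleLogin" and event.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        return "failed-console-login"
    if name in SECURITY_GROUP_CHANGES:
        return "security-group-change"
    if name in TRAIL_TAMPERING:
        return "cloudtrail-tampering"  # someone switching off the audit trail itself
    if (event.get("eventSource") == "s3.amazonaws.com" and name == "GetObject"
            and event.get("requestParameters", {}).get("bucketName") in SENSITIVE_BUCKETS):
        return "sensitive-data-access"
    return None


def find_alerts(events: list) -> list:
    """Run every record through the rules; return (label, actor, source IP) for each hit."""
    alerts = []
    for event in events:
        label = classify_event(event)
        if label:
            ident = event.get("userIdentity", {})
            alerts.append((label, ident.get("userName") or ident.get("arn", "unknown"),
                           event.get("sourceIPAddress")))
    return alerts
```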

Conclusion

In conclusion, implementing these AWS IAM best practices is not just about ticking off items on a security checklist; it is about building a robust and secure foundation for your AWS environment. In my opinion there are more exciting topics within the AWS world, but mastering IAM is one of the most important ones. We should always focus on improving the security of our infrastructure. And of course, it lets us sleep better at night, knowing we won't wake up to a data breach. 😉
