This blog aims to delve into the core of AWS security by exploring the best practices associated with IAM, specifically focusing on audit checkpoints and compliance with minimum or no cost.<\/p>\n
Section 1: Understanding IAM on AWS<\/b>
\n<\/span><\/b><\/h2>\nIAM Fundamentals<\/b><\/h3>\n
IAM, or Identity and Access Management, is the bedrock of security in AWS, consisting of key components:<\/span><\/p>\n\n- Users:<\/b> Individuals or systems interacting with AWS services, each with unique authentication credentials.<\/span><\/li>\n
- Groups:<\/b> Organizational units streamlining access management by applying policies to multiple users simultaneously.<\/span><\/li>\n
- Roles:<\/b> Permissions defined for making AWS service requests are not tied to specific users or groups but are assumed by trusted entities.<\/span><\/li>\n
- Policies:<\/b> JSON documents explicitly state permissions and dictate allowed or denied actions on AWS resources.<\/span><\/li>\n
- Permissions:<\/b> The crux of IAM, meticulously configured to adhere to the principle of least privilege, ensuring minimal access for necessary tasks.<\/span><\/li>\n<\/ul>\n
IAM use cases<\/b><\/h3>\n
IAM facilitates secure access to AWS resources by allowing organizations to:<\/span><\/p>\n\n- Control Access:<\/b> Define who can access AWS resources and what actions they can perform.<\/span><\/li>\n
- Grant Permissions:<\/b> Assign permissions to users, groups, or roles based on their responsibilities.<\/span><\/li>\n
- Enable Multi-Factor Authentication (MFA):<\/b> Add an extra layer of security by requiring users to provide two or more authentication factors.<\/span><\/li>\n
- Manage Resource-Level Permissions:<\/b> Fine-tune access controls at a granular level, ensuring precise authorization for specific resources.<\/span><\/li>\n<\/ul>\n
\n<\/span>Section 2: Best Practices for IAM on AWS<\/b>
\n<\/b><\/b><\/h2>\nPrinciple of Least Privilege:<\/b> Grant the minimum level of permissions necessary for users and processes to perform their tasks. This reduces the risk of accidental or intentional misuse of privileges.<\/span><\/p>\nStrong Password Policies:<\/b> Enforce robust password policies to enhance authentication security. This includes setting password complexity requirements, expiration periods, and the use of multi-factor authentication (MFA).<\/span><\/p>\nRole-Based Access Control (RBAC):<\/b> Leverage roles to define and manage permissions dynamically. Assign roles based on job responsibilities, allowing users to assume different roles as needed.<\/span><\/p>\nRegularly Rotate Credentials:<\/b> Periodically rotate access keys, secret keys, and other credentials to limit the window of opportunity for potential security threats.<\/span><\/p>\nContinuous Monitoring:<\/b> Implement continuous monitoring of IAM activities using AWS CloudTrail. Regularly review and analyze logs to detect and respond to suspicious or unauthorized actions.<\/span><\/p>\nRegular User Access Reviews: <\/b>Conduct periodic user access reviews to ensure it aligns with current roles and responsibilities. Remove or adjust permissions for users who no longer require certain accesses.<\/span><\/p>\nMFA Configuration: <\/b>Ensure Multi-Factor Authentication is enabled for all users, especially those with elevated privileges. This additional layer of security significantly reduces the risk of unauthorized access.<\/span><\/p>\nLogging and Monitoring: <\/b>Regularly inspect AWS CloudTrail logs for IAM-related events. Set up alerts for suspicious activities and anomalies, allowing for swift responses to potential security incidents.<\/span><\/p>\nPassword Policy Enforcement: <\/b>Audit and enforce strong password policies, including complexity requirements and regular password rotations. This ensures a robust first line of defense against unauthorized access.<\/span><\/p>\n
\nSection 3: Easy solutions to be implemented<\/b><\/h2>\n
Setup strong password policy – Standard IAM policies<\/b>
\n<\/i><\/b>
\n<\/i><\/b>This can be done as per the client\u2019s needs and can be edited under the IAM section. Please refer to the screenshot below –\u00a0<\/span>
\n<\/b>
\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/1-300x141.png\")
<\/p>\nBelow is an example of a strong password policy.<\/span>
\n<\/i><\/b>
\n<\/i><\/b>Password strength<\/i><\/b><\/p>\n\n- Require at least one uppercase letter from the Latin alphabet (A-Z)<\/i><\/b><\/li>\n<\/ul>\n
\n- Require at least one lowercase letter from the Latin alphabet (a-z)<\/i><\/b><\/li>\n<\/ul>\n
\n- Require at least one number<\/i><\/b><\/li>\n<\/ul>\n
\n- Require at least one non-alphanumeric character<\/i><\/b><\/li>\n<\/ul>\n
\n<\/b>Other requirements<\/b><\/p>\n\n- Password expires in 90 days<\/b><\/li>\n<\/ul>\n
\n- Allow users to change their password<\/b><\/li>\n<\/ul>\n
\n- Prevent password reuse from the past 24 changes<\/b><\/li>\n<\/ul>\n
<\/p>\n
Review group-level permissions review –\u00a0<\/b><\/h3>\n
Step 1: Access the IAM Console<\/b><\/p>\n
Navigate to the AWS Management Console, select IAM, and click on “Groups” in the left navigation pane.<\/span><\/p>\nStep 2: Review Group Permissions<\/b><\/p>\n
Select the Group and c<\/span>hoose the IAM group you want to review.<\/span><\/p>\nView Attached Policies:<\/b><\/p>\n
Examine policies attached to the group to ensure they align with the principle of least privilege. <\/span>
\n<\/span>
\n<\/span>For Example:-\u00a0<\/strong><\/p>\nThe group for ses has only the required permission set to it. In this case, it is a policy that allows us to send emails via SES.<\/span>
\n<\/span>
\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/2.png\")
<\/p>\nStep 3: Adjust Permissions
\n<\/b><\/b><\/h2>\n
Modify Policies: <\/b>Edit policies for precise permissions based on the principle of least privilege.<\/span><\/p>\nAdd or Remove Policies: <\/b>Adjust policies as needed, considering custom policies for specific requirements. <\/span>This Review can be done at the time of group creation as well as quarterly for all groups.<\/span><\/p>\n
\nCredential management report –<\/b><\/h2>\n
Why is the Credential Management Report used?<\/b>
\n<\/b>
\n<\/b>Credential management is vital for maintaining the security of AWS resources. Compromised credentials can lead to unauthorized access and potential data breaches. <\/span>With proper credential management, access to AWS resources can be tightly controlled, reducing the risk of security incidents. <\/span>It enables smooth operations by ensuring that the right individuals have the appropriate level of access to AWS resources, thereby enhancing overall operational efficiency.<\/span>
\n<\/b><\/b><\/p>\nHow to create a Credential Management Report?<\/b>
\n<\/b><\/h2>\n
Under the <\/span>Access Reports<\/b> section in IAM, we can find the <\/span>Credential Report<\/b>.<\/span>
\n<\/span>
\n<\/span>Click on <\/span>Download Credentials Report<\/b>.<\/span><\/p>\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/3.png\")
<\/p>\n
A CSV file will be downloaded with all report findings; below is a screenshot for reference –\u00a0<\/span>
\n<\/b>
\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/4.png\")
<\/p>\nYou can go through columns like mfa_active and password_enabled to check the exact type of access enabled for any particular user. We can also see the age of the access keys or passwords for the IAM users if we go through columns like <\/span>password_last_changed<\/b> or <\/span>access_key_last_rotated<\/b> columns.<\/span>
\n<\/b>
\n<\/b>Whichever users are non-compliant need to be highlighted, and if the access is no longer required, it must be removed effectively. It is recommended to do this activity monthly.
\n<\/b><\/p>\nAccess analyser reporting\u00a0<\/b><\/h3>\n
- \n
- Users:<\/b> Individuals or systems interacting with AWS services, each with unique authentication credentials.<\/span><\/li>\n
- Groups:<\/b> Organizational units streamlining access management by applying policies to multiple users simultaneously.<\/span><\/li>\n
- Roles:<\/b> Permissions defined for making AWS service requests are not tied to specific users or groups but are assumed by trusted entities.<\/span><\/li>\n
- Policies:<\/b> JSON documents explicitly state permissions and dictate allowed or denied actions on AWS resources.<\/span><\/li>\n
- Permissions:<\/b> The crux of IAM, meticulously configured to adhere to the principle of least privilege, ensuring minimal access for necessary tasks.<\/span><\/li>\n<\/ul>\n
IAM use cases<\/b><\/h3>\n
IAM facilitates secure access to AWS resources by allowing organizations to:<\/span><\/p>\n
- \n
- Control Access:<\/b> Define who can access AWS resources and what actions they can perform.<\/span><\/li>\n
- Grant Permissions:<\/b> Assign permissions to users, groups, or roles based on their responsibilities.<\/span><\/li>\n
- Enable Multi-Factor Authentication (MFA):<\/b> Add an extra layer of security by requiring users to provide two or more authentication factors.<\/span><\/li>\n
- Manage Resource-Level Permissions:<\/b> Fine-tune access controls at a granular level, ensuring precise authorization for specific resources.<\/span><\/li>\n<\/ul>\n
\n<\/span>Section 2: Best Practices for IAM on AWS<\/b>
\n<\/b><\/b><\/h2>\nPrinciple of Least Privilege:<\/b> Grant the minimum level of permissions necessary for users and processes to perform their tasks. This reduces the risk of accidental or intentional misuse of privileges.<\/span><\/p>\n
Strong Password Policies:<\/b> Enforce robust password policies to enhance authentication security. This includes setting password complexity requirements, expiration periods, and the use of multi-factor authentication (MFA).<\/span><\/p>\n
Role-Based Access Control (RBAC):<\/b> Leverage roles to define and manage permissions dynamically. Assign roles based on job responsibilities, allowing users to assume different roles as needed.<\/span><\/p>\n
Regularly Rotate Credentials:<\/b> Periodically rotate access keys, secret keys, and other credentials to limit the window of opportunity for potential security threats.<\/span><\/p>\n
Continuous Monitoring:<\/b> Implement continuous monitoring of IAM activities using AWS CloudTrail. Regularly review and analyze logs to detect and respond to suspicious or unauthorized actions.<\/span><\/p>\n
Regular User Access Reviews: <\/b>Conduct periodic user access reviews to ensure it aligns with current roles and responsibilities. Remove or adjust permissions for users who no longer require certain accesses.<\/span><\/p>\n
MFA Configuration: <\/b>Ensure Multi-Factor Authentication is enabled for all users, especially those with elevated privileges. This additional layer of security significantly reduces the risk of unauthorized access.<\/span><\/p>\n
Logging and Monitoring: <\/b>Regularly inspect AWS CloudTrail logs for IAM-related events. Set up alerts for suspicious activities and anomalies, allowing for swift responses to potential security incidents.<\/span><\/p>\n
Password Policy Enforcement: <\/b>Audit and enforce strong password policies, including complexity requirements and regular password rotations. This ensures a robust first line of defense against unauthorized access.<\/span><\/p>\n
\nSection 3: Easy solutions to be implemented<\/b><\/h2>\nSetup strong password policy – Standard IAM policies<\/b>
\n<\/i><\/b>
\n<\/i><\/b>This can be done as per the client\u2019s needs and can be edited under the IAM section. Please refer to the screenshot below –\u00a0<\/span>
\n<\/b>
\n<\/p>\nBelow is an example of a strong password policy.<\/span>
\n<\/i><\/b>
\n<\/i><\/b>Password strength<\/i><\/b><\/p>\n- \n
- Require at least one uppercase letter from the Latin alphabet (A-Z)<\/i><\/b><\/li>\n<\/ul>\n
- \n
- Require at least one lowercase letter from the Latin alphabet (a-z)<\/i><\/b><\/li>\n<\/ul>\n
- \n
- Require at least one number<\/i><\/b><\/li>\n<\/ul>\n
- \n
- Require at least one non-alphanumeric character<\/i><\/b><\/li>\n<\/ul>\n
\n<\/b>Other requirements<\/b><\/p>\n- \n
- Password expires in 90 days<\/b><\/li>\n<\/ul>\n
- \n
- Allow users to change their password<\/b><\/li>\n<\/ul>\n
- \n
- Prevent password reuse from the past 24 changes<\/b><\/li>\n<\/ul>\n
<\/p>\n
Review group-level permissions review –\u00a0<\/b><\/h3>\n
Step 1: Access the IAM Console<\/b><\/p>\n
Navigate to the AWS Management Console, select IAM, and click on “Groups” in the left navigation pane.<\/span><\/p>\n
Step 2: Review Group Permissions<\/b><\/p>\n
Select the Group and c<\/span>hoose the IAM group you want to review.<\/span><\/p>\n
View Attached Policies:<\/b><\/p>\n
Examine policies attached to the group to ensure they align with the principle of least privilege. <\/span>
\n<\/span>
\n<\/span>For Example:-\u00a0<\/strong><\/p>\nThe group for ses has only the required permission set to it. In this case, it is a policy that allows us to send emails via SES.<\/span>
\n<\/span>
\n<\/p>\nStep 3: Adjust Permissions
\n<\/b><\/b><\/h2>\nModify Policies: <\/b>Edit policies for precise permissions based on the principle of least privilege.<\/span><\/p>\n
Add or Remove Policies: <\/b>Adjust policies as needed, considering custom policies for specific requirements. <\/span>This Review can be done at the time of group creation as well as quarterly for all groups.<\/span><\/p>\n
\nCredential management report –<\/b><\/h2>\nWhy is the Credential Management Report used?<\/b>
\n<\/b>
\n<\/b>Credential management is vital for maintaining the security of AWS resources. Compromised credentials can lead to unauthorized access and potential data breaches. <\/span>With proper credential management, access to AWS resources can be tightly controlled, reducing the risk of security incidents. <\/span>It enables smooth operations by ensuring that the right individuals have the appropriate level of access to AWS resources, thereby enhancing overall operational efficiency.<\/span>
\n<\/b><\/b><\/p>\nHow to create a Credential Management Report?<\/b>
\n<\/b><\/h2>\nUnder the <\/span>Access Reports<\/b> section in IAM, we can find the <\/span>Credential Report<\/b>.<\/span>
\n<\/span>
\n<\/span>Click on <\/span>Download Credentials Report<\/b>.<\/span><\/p>\n<\/p>\nA CSV file will be downloaded with all report findings; below is a screenshot for reference –\u00a0<\/span>
\n<\/b>
\n<\/p>\nYou can go through columns like mfa_active and password_enabled to check the exact type of access enabled for any particular user. We can also see the age of the access keys or passwords for the IAM users if we go through columns like <\/span>password_last_changed<\/b> or <\/span>access_key_last_rotated<\/b> columns.<\/span>
\n<\/b>
\n<\/b>Whichever users are non-compliant need to be highlighted, and if the access is no longer required, it must be removed effectively. It is recommended to do this activity monthly.
\n<\/b><\/p>\nAccess analyser reporting\u00a0<\/b><\/h3>\n
- Prevent password reuse from the past 24 changes<\/b><\/li>\n<\/ul>\n
- Allow users to change their password<\/b><\/li>\n<\/ul>\n
- Password expires in 90 days<\/b><\/li>\n<\/ul>\n
- Require at least one non-alphanumeric character<\/i><\/b><\/li>\n<\/ul>\n
- Require at least one number<\/i><\/b><\/li>\n<\/ul>\n
- Require at least one lowercase letter from the Latin alphabet (a-z)<\/i><\/b><\/li>\n<\/ul>\n
- Grant Permissions:<\/b> Assign permissions to users, groups, or roles based on their responsibilities.<\/span><\/li>\n
- Groups:<\/b> Organizational units streamlining access management by applying policies to multiple users simultaneously.<\/span><\/li>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/5.png\")
<\/p>\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/8.png\")
<\/p>\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/7.png\")
<\/p>\n![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2024\/04\/9.png\")
<\/p>\n