13 Essential AWS IAM Best Practices

AWS IAM main takeaways:
  • AWS Identity and Access Management manages all permissions for your AWS accounts and their resources. 

  • Best practices include applying the principle of least privilege, enabling multi-factor authentication, combining ABAC and RBAC, and choosing key tools to help with implementation.

  • Password policies ensure that people don’t use short and simple phrases as passwords. Combine these rules with password rotation by giving a password a specific expiration date.

  • CIEM tools provide advanced capabilities to manage identities, access policies, and entitlements across cloud platforms.

Users are responsible for ensuring the security of their services in the cloud, even if they use Amazon Web Services (AWS). Fortunately, many cloud providers offer tools and services, such as AWS Identity and Access Management (IAM), to help with these tasks. 

This service comes with numerous flexible features, but the plethora of customizations can make security challenging to implement. Instead, you can get the most out of AWS IAM by implementing these best practices.

What is AWS IAM?

AWS IAM is the central service that manages all permissions for your AWS accounts and resources. It includes users, groups, and roles that allow you to assign permissions to various users and services. 

With IAM security policies, you can define custom access rules, which function like any other predefined permissions. You can also find all your permissions in one location and benefit from fine-grained access rules for your cloud resources.

AWS IAM security best practices

Over the years, many best practices have emerged from developers’ daily use of IAM. Below, you can learn how to get started with 13 of the most critical practices:

1. Apply the principle of least privilege

Your organization should practice the foundational principle of least privilege (PoLP) to mitigate security risks.

For example, don’t use broad permissions via admin or all-access policies for all your users and services just because it’s convenient. Instead, grant only the permissions users require to complete a specific task. That means users who never write data get no write permissions, and no identity gets access to every AWS resource of a particular type (such as all S3 buckets or all Lambda functions).

The wildcards in the following policy statement are problematic because they allow all actions on all buckets:

{
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": [
    "arn:aws:s3:::*",
    "arn:aws:s3:::*/*"
  ]
}

Try to minimize the use of wildcards, as in the following example: 

{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::test/*"]
}
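As an added example (not code from the original article), the following Python linter applies the rule above to policy documents: it reports Allow statements whose Action or Resource wildcards cover a whole service or every resource, while tolerating a trailing `/*` scoped to a named bucket. The two sample policies are constructed to mirror the statements shown above.

```python
import json

# Constructed sample policies (not from any real account) mirroring the two
# statements discussed above: a broad one and a least-privilege one.
BROAD_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"],
    }],
}
NARROW_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::test/*"],
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_findings(policy):
    """Return (statement_index, field, value) for every Allow statement that
    grants all actions of a service or targets every resource.

    A trailing '/*' under a named bucket (arn:aws:s3:::test/*) is tolerated
    because it is scoped to one bucket. A bare '*' or a '*' in the
    resource-name position of the ARN is reported as too broad.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((index, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            name = resource.split(":", 5)[-1]  # resource part of the ARN
            if resource == "*" or name in ("*", "*/*"):
                findings.append((index, "Resource", resource))
    return findings


def is_least_privilege(policy):
    """True when no Allow statement relies on a broad wildcard."""
    return not find_wildcard_findings(policy)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, json.dumps(find_wildcard_findings(policy)))
```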

2. Delete unused entities

Keep your IAM entities tidy by deleting unnecessary resources, such as unused:

  • Users

  • Groups

  • Roles

  • Permissions

  • Policies

  • Credentials

An organization initially defines a set of permissions, but as employees join or leave, it often adds new permissions without removing outdated ones. This accumulation of unnecessary permissions creates security vulnerabilities, so be sure to regularly review and remove access for former employees or unused services.

You can quickly delete a user by searching for “delete user” in the AWS IAM search, as shown in Figure 1:

Figure 1: Delete user search

3. Secure the root account and require multi-factor authentication 

One of the first things you should do after creating a new AWS account is to secure the root account. This is your AWS account’s top-level administrator identity, with access to billing and every other service.

Make sure the root user has a strong password with multi-factor authentication (MFA) enabled. Additionally, remove all root access keys, don’t use a personal email address for the account, and configure alternate contacts for the AWS account.

However, a better approach is to avoid using the root account for everyday tasks. Instead, you can leverage federation with your existing identity provider. 

Federation allows users to use their existing credentials (such as those from Active Directory, Okta, or Azure AD) to access AWS resources without creating separate IAM users. By integrating federation with MFA, you can protect all access to your AWS environment with strong authentication.

Federation also contributes toward MFA when you use the AWS Security Token Service (STS).

Here’s how to set up federation:

  • Set up AWS IAM Identity Center and connect to your identity provider (like Okta or Azure AD).

  • Create permission sets in AWS IAM Identity Center to grant users access to specific AWS resources.

  • Grant users access to the AWS environment.

Your organization can still be vulnerable when so many people work from home, in hybrid offices, or in global locations, though. Because of this, it can be difficult to manage risks due to the different devices your employees use and changing Internet threats.

MFA solves this issue by requiring users to present a second factor from a separate device. If someone compromises an account’s password, they still need the device with the MFA app to gain access.

However, this process might be more cumbersome for users, so make sure there are reasonable session lengths for logins or consider only requiring MFA for critical actions. You can find this feature quickly by searching for “MFA” in the IAM search bar. When you select a user, you’ll see a “Security credentials” tab below their details, where you’ll find MFA:

Figure 2: User security credentials

4. Use secure password policies and password rotation

Password policies are a good way to ensure that people don’t use short and simple phrases as passwords. You can combine these rules with MFA and password rotation by giving passwords specific expiration dates. (Ideal password retention lengths can vary, but AWS uses 90 days for its password expiration example.) That way, even if attackers steal passwords, they’ll have only a limited time to act, since the stolen password becomes useless after a rotation.

Again, reasonable policies and expiration times are crucial—otherwise, MFA may inadvertently annoy users during their daily work routines.

You can adopt policies like the following:

  • Implement a strong password policy: In IAM Account Settings, set the minimum password length requirement to at least 14 characters. Require uppercase and lowercase letters, numbers, and symbols to increase password complexity.

  • Enable password expiration: Set a password expiration period of 90 days or less. While this protocol may increase how often users need to change their password, it also reduces attackers’ window of opportunity.

  • Prevent password reuse: Institute a password policy that prevents users from reusing their old passwords to avoid predictable patterns. This includes prohibiting the reuse of at least five previous passwords.
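An added example (not code from the original article): a small compliance check that compares an account’s password policy, in the shape of the `PasswordPolicy` dict returned by the IAM GetAccountPasswordPolicy API, against the three rules above, plus a helper that pushes the baseline with boto3’s `update_account_password_policy`. The weak sample policy is constructed, and the boto3 client is assumed to be supplied by the caller.

```python
# Baseline from the rules above: at least 14 characters, all four character
# classes, expiry of 90 days or less, at least 5 previous passwords remembered.
# Keys match the IAM UpdateAccountPasswordPolicy parameters.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}

# Constructed sample of a weak account policy (AWS's default is 8 characters).
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": False,
    "RequireSymbols": False,
    "ExpirePasswords": False,
}


def audit_password_policy(policy):
    """Compare a 'PasswordPolicy' dict against BASELINE and return the list
    of gaps; an empty list means the account meets the baseline."""
    gaps = []
    if policy.get("MinimumPasswordLength", 0) < BASELINE["MinimumPasswordLength"]:
        gaps.append("minimum length below 14 characters")
    for key in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                "RequireNumbers", "RequireSymbols"):
        if not policy.get(key, False):
            gaps.append(f"{key} not enforced")
    # MaxPasswordAge is absent from the response when expiration is disabled.
    age = policy.get("MaxPasswordAge")
    if age is None or age > BASELINE["MaxPasswordAge"]:
        gaps.append("password expiration disabled or longer than 90 days")
    if policy.get("PasswordReusePrevention", 0) < BASELINE["PasswordReusePrevention"]:
        gaps.append("fewer than 5 previous passwords remembered")
    return gaps


def apply_baseline(iam_client):
    """Apply BASELINE with a boto3 IAM client passed in by the caller;
    users keep the ability to change their own password."""
    return iam_client.update_account_password_policy(
        AllowUsersToChangePassword=True, **BASELINE)


if __name__ == "__main__":
    import boto3  # only needed for the live call
    client = boto3.client("iam")
    try:
        current = client.get_account_password_policy()["PasswordPolicy"]
    except client.exceptions.NoSuchEntityException:
        current = {}  # no custom policy set: AWS defaults apply
    print("gaps:", audit_password_policy(current))
```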

You can find the password policy for IAM under account settings:

Figure 3: Account settings

5. Establish IAM policy conditions

You can set conditions on your IAM policies to limit when they apply, such as time restrictions, request limits, restricted source IPs, restricted resources, and even MFA-based conditions. This supports PoLP by granting minimal permissions only for the resources and the time window needed to complete a task.

In the following example, the policy statement remains valid only if the user has a temporary credential issued after a specific date:

{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::test/*"],
  "Condition": {
    "DateGreaterThan": {
      "aws:TokenIssueTime": "2020-01-01T00:00:01Z"
    }
  }
}

6. Implement customer-managed policies

When you first start with IAM, AWS-managed policies are a good option. They have reasonable defaults, so you’ll avoid ending up with broken policies. As your security requirements grow and you understand your workloads better, though, learning how to implement customer-managed policies properly will give you a more fine-grained way to define your access rules. 

AWS recommends gradually refining permissions to align with the principle of least privilege. Doing so will ensure that users and roles have only the access they need. Managed policies may initially grant more permissions than necessary, so continuously fine-tuning them over time will also help you minimize risks.

You can create customer-managed policies in IAM by clicking on “Policies” under “Access management”:

Figure 4: IAM policies menu

7. Introduce inline policies to prevent shared permissions

If you want to prevent multiple policy assignments with critical permissions, use inline policies. You can leverage them when you need a one-to-one relationship between the policy and identity for specific cases.

However, note that AWS increasingly recommends using inline policies sparingly. When you delete a user, group, or role that carries an inline policy, the policy is deleted along with it.

Because IAM creates inline policies on a per-user basis, you can find them in the user details section:

Figure 5: Create an inline policy

8. Set up service control policies at the organizational level

If you’re using AWS Organizations, you can opt for service control policies (SCPs) that limit the maximum available permissions for every AWS account in your organization. 

SCPs restrict account admins to a subset of permissions for managing their own users, groups, roles, and policies, so they cannot accidentally create rules that jeopardize compliance. Because of this, SCPs are helpful if you want to prevent accounts from deleting logs or uploading unencrypted data to Amazon S3.

You can find SCPs in the AWS Organizations dashboard under Policies:

Figure 6: SCP location

9. Opt for IAM roles instead of access keys

Access keys are strings of secret text you get from a service provider to copy into your applications’ environment variables to enable programmatic access to a service. Because they are persistent, access keys pose a security risk. (And as we learned above, MFA and password rotation are crucial for mitigating this risk.)

IAM roles allow you to grant service permissions that you can manage and update via IAM in a central location without affecting each service when you need to make changes.

If you need programmatic credentials, use temporary credentials issued by AWS STS instead, as they expire automatically. STS is only available via its API, so check the docs if you want to issue these credentials.

10. Combine ABAC and RBAC

With role-based access control (RBAC), you can group your permissions and assign users to those groups instead of handing out policies individually. However, as your permission requirements become more complex, you might end up with more groups than users. 

Attribute-based access control (ABAC) offers more flexibility by incorporating information from different sources to manage access effectively. The sources can be the user account (like user department or security clearance level), the resource in question (geographical location or memory size), or the environment (such as time of the day). Using variables in policy statements allows you to use ABAC on AWS.

The following example statement permits only users that the policy specifies to read data from an S3 bucket using their AWS user ID: 

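As an added example (not the article's own snippet) that covers both the policy conditions of section 5 and the ABAC policy variables of this section, the constructed policy below lets each IAM user read only objects under a prefix named after their own user name (the `${aws:username}` policy variable), and only with a temporary credential issued after 2020-01-01. The simplified evaluator that follows substitutes the variable and checks the condition; the request context keys `aws:username` and `aws:TokenIssueTime` are real IAM condition keys, while the evaluator itself is a teaching model of IAM's logic, not AWS code.

```python
import fnmatch
from datetime import datetime

# Constructed policy combining an IAM condition (section 5) with an ABAC
# policy variable (section 10): each user may read only their own prefix,
# and only with a temporary credential issued after 2020-01-01.
POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::test/${aws:username}/*",
    "Condition": {"DateGreaterThan": {"aws:TokenIssueTime": "2020-01-01T00:00:01Z"}},
}]}


def _ts(value):
    """Parse an ISO-8601 timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Subset of IAM condition operators, enough for the examples on this page.
OPERATORS = {
    "StringEquals": lambda actual, wanted: actual == wanted,
    "DateGreaterThan": lambda actual, wanted: _ts(actual) > _ts(wanted),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _substitute(template, ctx):
    """Replace ${key} policy variables with values from the request context."""
    for key, value in ctx.items():
        template = template.replace("${" + key + "}", value)
    return template

def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; a missing context key fails closed."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None or not OPERATORS[operator](actual, wanted):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Simplified IAM evaluation: an explicit Deny wins, a matching Allow
    grants, anything else is the implicit deny. ctx carries condition keys
    such as aws:username and aws:TokenIssueTime."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _substitute(r, ctx))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```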

11. Monitor and audit continuously

If you don’t review your IAM configurations, things can go downhill without you even knowing. But beyond monitoring, you also have to understand the data and know what actions to take based on it. To help with this, integrate recurring internal and external audits into your process. 

External audits can show you what to look for in your monitoring data. Although they are expensive, you should conduct them monthly to avoid unauthorized access to sensitive resources.

Additionally, you can set up CloudTrail to monitor all IAM activities. This helps you track IAM user logins within a 30-day cycle. For example, you can implement the following:

  • Set up a CloudWatch Alarm to detect unauthorized user creations.

  • Create a CloudWatch Metric Filter to extract IAM user creation events from CloudTrail logs.

  • Configure a CloudWatch Alarm to trigger when the metric exceeds a threshold (like more than one user creation in a short period). 
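An added example (not code from the original article) of the three steps above: the metric-filter pattern selects CreateUser events from a CloudTrail log group, and the Python check applies the same selection to log lines and raises an alert when more than one user is created within a short window. The CloudTrail records are constructed sample data; the window and threshold are assumptions you would tune.

```python
import json
from datetime import datetime, timedelta

# CloudWatch Logs metric-filter pattern that selects IAM user creations in a
# CloudTrail log group; detect_user_creation_bursts applies the same selection.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateUser") }'
)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _record(time, caller, new_user=None):
    """Build a minimal CloudTrail record as one JSON line (constructed data)."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com",
           "eventName": "CreateUser" if new_user else "ListUsers",
           "userIdentity": {"userName": caller}}
    if new_user:
        rec["requestParameters"] = {"userName": new_user}
    return json.dumps(rec)


# Constructed sample log lines: one burst of two creations within 10 minutes.
SAMPLE_LOG_LINES = [
    _record("2024-05-01T09:00:00Z", "ops-admin", "svc-a"),
    _record("2024-05-01T09:30:00Z", "ops-admin"),
    _record("2024-05-01T10:00:00Z", "ops-admin", "svc-b"),
    _record("2024-05-01T10:04:00Z", "ops-admin", "svc-c"),
    _record("2024-05-01T14:00:00Z", "hr-admin", "jdoe"),
]


def matches_filter(record):
    """Python equivalent of METRIC_FILTER_PATTERN."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "CreateUser")


def detect_user_creation_bursts(log_lines, threshold=1, window=timedelta(minutes=10)):
    """Return one alert per window in which more than `threshold` IAM users
    were created: (window start, caller, [created user names])."""
    events = []
    for line in log_lines:
        rec = json.loads(line)
        if matches_filter(rec):
            events.append((_ts(rec["eventTime"]), rec["userIdentity"]["userName"],
                           rec["requestParameters"]["userName"]))
    events.sort()
    alerts, i = [], 0
    while i < len(events):
        start = events[i][0]
        in_window = [e for e in events[i:] if e[0] - start <= window]
        if len(in_window) > threshold:
            alerts.append((start.isoformat(), events[i][1], [e[2] for e in in_window]))
            i += len(in_window)  # do not re-alert on the same events
        else:
            i += 1
    return alerts
```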

12. Choose tools and services to help with AWS IAM implementation

You can use plenty of AWS-native resources to improve your IAM process. In the table below, you’ll find some suggestions, along with a short description of each:

  • AWS IAM Access Analyzer: IAM Access Analyzer continuously scans your IAM entities to detect rules that permit external access and identify unused entities.

  • AWS IAM Identity Center: IAM Identity Center allows you to manage single sign-on for multiple AWS accounts within a single organization.

  • AWS CloudTrail: AWS CloudTrail is a monitoring service that tracks access to your AWS accounts. It helps with compliance by showing which user or service accessed (or tried to access) your cloud resources.

  • Identity federation: Identity federation allows you to use external identity providers, integrated through AWS IAM Identity Center and IAM, to handle user authentication. You can also integrate their user accounts into IAM to manage resource authorization.

  • AWS Security Hub: Security Hub provides a central location for all your security alerts and lets you integrate external AWS security partner solutions. It’s also an easy way to enlist third-party solutions if AWS services don’t support a security use case.

  • Amazon GuardDuty: GuardDuty leverages machine learning and integrated threat intelligence to uncover malicious activities in your AWS accounts. Since every security approach is flawed to some degree, the next best thing to prevent security risks is remediation.

  • AWS Config: AWS Config helps you evaluate your AWS account’s compliance status, which makes it more of a prevention than a remediation service.

  • Terraform AWS Secure Baseline: This Terraform module is a third-party tool for setting up your AWS account. After you create an account, you can run the module, which will automatically apply many of the above-mentioned best practices.

What problems does IAM solve in AWS?

AWS IAM provides secure, granular, and scalable access management within AWS infrastructure. It also ensures that authorized identities can access assets using strong auditing and compliance capabilities. For example, a company could easily control data access by allowing an IT support representative to access more sensitive information without authorizing its sales team for the same privilege. 

However, as companies grow, managing security controls through AWS IAM makes scalable security challenging. Because of this, companies must use a unified solution to help them manage and secure the cloud. 

By consolidating security functions and solutions, you can find vulnerabilities through a more efficient and effective process, all in one place.

Case study: Blackstone

When Blackstone wanted to transition more of its infrastructure to the cloud, it chose AWS. However, it also needed a platform to thoroughly secure, scan, and streamline its data so stakeholders could use assets without worrying about external threats.

To accomplish this, Blackstone partnered with Wiz as a cloud-native solution. The cloud security platform’s agentless deep scanning quickly identified and correlated issues across the cloud stack.

Like Blackstone, when you implement IAM through a unified platform, you gain an improved cloud security posture without the blind spots that hide key threats such as incorrect authorization.

To find the right cloud-native security platform, evaluate its cloud infrastructure entitlement management (CIEM) offering first to see how it secures IAM. Then, find out how the rest of the platform provides a holistic solution. 

Why manage and secure your AWS cloud environment with CIEM? 

CIEM is an emerging solution that enhances the management and security of cloud environments like AWS, especially when you combine it with AWS IAM. CIEM tools like Wiz’s provide advanced capabilities to manage identities, access policies, and entitlements across cloud platforms. 

Here’s how CIEM can specifically help with the AWS IAM best practices we’ve discussed:

  1. Automated PoLP enforcement: CIEM solutions can automate PoLP enforcement by continuously analyzing permissions and usage patterns. They can also recommend or automatically adjust permissions to ensure that every entity (like users and services) has only the access it needs to perform its tasks, thereby minimizing the risk of over-privileged accounts.

  2. Entitlement visualization and analysis: Effective CIEM tools provide a detailed visualization of permissions across all cloud assets. This can help organizations understand and manage complex permissions structures, which makes it easier to adhere to secure access policies and detect misconfigurations or risky entitlements that could lead to security breaches.

  3. Scalable management across multiple accounts: For businesses that use AWS Organizations with multiple accounts, CIEM tools can manage identities and permissions across all accounts from a single pane of glass. This capability is vital for maintaining consistency in security policies and simplifying considerable cloud environment governance.

  4. Generating remediation recommendations: A CIEM can also provide granular recommendations that enable teams to follow step-by-step remediation actions to right-size access and revoke unused or excessive permissions.

  5. Risk assessment and compliance reporting: Strong CIEM platforms can assess risks associated with entitlements and access patterns and provide reports that help teams meet compliance requirements for various standards and regulations. This is especially useful in environments that require strict access control and regular audits.

Choosing Wiz as your CIEM

Wiz provides the CIEM pillars you need for effective and secure IAM protocols within AWS to protect your entire infrastructure. Instead of juggling multiple tools to secure your cloud, opening up vulnerabilities when they don’t talk to each other, or attempting to streamline the process on your own, you can choose one solution that does it all. 

Wiz is cloud-native, which means it’s not a security platform that’s had to adapt to the cloud over time. Instead, it’s designed for the cloud, so you get first-rate solutions that are steps ahead of the evolving security landscape. 


Start strengthening your AWS security through IAM today with Wiz’s AWS Best Practices Cheat Sheet.