Amazon AWS IAM – Several Tips and Practices
The cloud presents many security management challenges. Ensuring compliance, identity management, and other security best practices can be a challenging task. AWS Identity and Access Management (IAM) is one of the tools that can be used to mitigate the risks associated with these challenges. In this article, I will discuss a few of the high points of IAM, including the different options and limitations that this AWS service brings together with its fascinating capabilities.
Many cloud computing users strive to apply security best practices to their cloud computing strategies. One of the best components that Amazon offers to manage security in their cloud computing service is their IAM mechanism, which allows an account owner to create users and manage their permissions within an AWS account.
> > > Federation and SSO
IAM is accessible through a specific API, and most of the major programming languages support IAM’s API. Cloud adoption brought enterprise IT to understand that Identity and Access Management can be achieved by deploying a federated tier comprising public cloud services and on-premises IT. Before such implementations, Single-Sign-On requirements generated a huge amount of helpdesk requests by users looking to reset passwords and unlock accounts.
For example, an enterprise that has standardized on Microsoft’s Active Directory may consider using Microsoft’s Active Directory Federation Service in conjunction with AWS IAM; this ensures that policies and password controls implemented in the Active Directory settings (including AD based MFA) are enforced by the cloud service providers.
AWS IAM supports SSO and federation that help you use your enterprise authentication to grant access to Amazon’s tools and continue to easily maintain account provisioning and management.
> > > Least Privilege Access
AWS IAM supports per-user and per-group policies, so you can implement a role-based access model, ensuring that users and groups have the policies that are appropriate for their roles. A good example for this would be ensuring that your developers do not have access to the S3 buckets and EC2 machines that your operations group is responsible for managing.
IAM is secure by default – newly created users do not have access rights to any AWS items until permissions are explicitly granted. Unfortunately, in my experience in auditing customer’s IAM profiles, many companies do not invoke the “Least Privilege” model so that each new user has access only to the data and IT resources that are necessary for his role and activities. When defining users, the IT person in charge must uphold policies to ensure that IAM policies and accounts are hardened against attacks.
> > > Multi-Factor Authentication
Amazon also supports a token-based Multi-Factor Authentication (AWS MFA) – requiring you to have both something you know (your username and password) and something you have (the physical token) in order to log in to your account. Amazon’s Multi-Factor Authentication can
also be used for users that have been created using IAM. Virtual MFA is free and you can simply load it onto your smart phone. I strongly recommend to my clients that they purchase MFA tokens for users who have administrative control of their AWS Accounts:
- Access to sensitive data (as defined by the company’s security policies)
- Access to user administrative functions.
If you opt for the hardware MFA, the cost is only $13.00 – still a bargain for the peace of mind and security that comes with it.
> > > The biggest challenges
…that most companies face when implementing IAM are:
Determining who has access to what resources – Most startups give full control to anyone who needs cloud access. You really want to design your cloud solution to be a robust implementation. Having sensible policies from the beginning ensures that you’re making the right move going forward.
Determining who controls the user accounts – What do you do when a consultant or vendor leaves?
- Writing the actual policies.
Correct planning and implementation must leverage AWS IAM APIs to support the enterprise security policies. Enterprise AWS cloud resources must be protected and access to AWS functionality must be restricted by policy rules, refraining from doing so can lead not only to serious security breaches, but also to resource sprawling and hence to an out-of-control environment in terms of cloud availability and cost.
Keywords: amazon aws iam, amazon aws tips, aws ec2 practices, aws service, aws account, amazon aws mfa, aws account, AWS cloud resources, aws iam api, AWS functionality, AWS identity and access management, cloud computing service, iam mechanism.
About the Author
Ian Wilson is a Red Hat Certified Architect with over five years of experience on the Amazon Web Services platform. He has been providing exemplary customer support for the last ten years, working on both hardware and software projects, for both employers and clients. He is currently the principal at Ian Wilson Consulting Group, located in Morehead, Kentucky. Contact Ian via Linkedin