Part 1 – Identity and Access management in AWS
This is the first in a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment. This post relates to identity and access management in AWS.
In a recent study by Dashlane regarding password strength, AWS was listed as an organisation that supports weak password rules. However, AWS has numerous features that enable granular control for access to an account’s resources by means of the Identity and Access Management (IAM) service. IAM provides control over who can use AWS resources (authentication) and how they can use those resources (authorisation).
The following list focuses on limiting access to, and use of, root account and user credentials; defining roles and responsibilities of system users; limiting automated access to AWS resources; and protecting access to data stored in storage buckets – including important data stored by services such as CloudTrail.
The checklist provides best practice for the following:
- How are you protecting the access to and the use of AWS root account credentials?
- How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
- How are you protecting the access to and the use of user account credentials?
- How are you limiting automated access to AWS resources?
- How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?
1. How are you protecting the access to and the use of AWS root account credentials?
- Lock away your AWS account (root) login credentials
- Use multi-factor authentication (MFA) on root account
- Make minimal use of the root account (or no use of it at all, if possible). Use an IAM user instead to manage the account
- Do not use AWS root account to create API keys.
2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
- Create individual IAM users
- Configure a strong password policy for your users
- Enable MFA for privileged users
- Segregate defined roles and responsibilities of system users by creating user groups. Use groups to assign permissions to IAM users
- Clearly define and grant only the minimum privileges to users, groups, and roles that are needed to accomplish business requirements.
- Use AWS defined policies to assign permissions whenever possible
- Define and enforce user life-cycle policies
- Use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources
- Use roles for applications that run on Amazon EC2 instances
- Use access levels (list, read, write and permissions management) to review IAM permissions
- Use policy conditions for extra security
- Regularly monitor user activity in your AWS account(s).
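The least-privilege, access-level and policy-condition items above can be checked mechanically against the policy documents you attach to users, groups and roles. The following is an added example (not code from the original post): a small linter over an IAM policy document in the JSON form returned by `aws iam get-policy-version`. The policy, the account id and the mapping of action verbs to the four console access levels are assumptions; the real per-service mapping is maintained by AWS and this covers only the common verbs.

```python
"""Flag IAM policy statements that are broader than least privilege suggests.

Added example; the sample policy and the verb-to-access-level mapping are assumptions.
"""
import fnmatch

# Common verb prefixes for the "List" and "Read" access levels (assumed subset).
LIST_VERBS = ("List", "Describe")
READ_VERBS = ("Get", "Read", "Head", "Lookup")

# Actions the IAM console files under "Permissions management" (assumed subset).
PERMISSIONS_MANAGEMENT = {
    "iam:*", "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl",
}


def access_level(action):
    """Classify an action (wildcards allowed) by the broadest level it can reach."""
    # A wildcard such as "s3:*" or "*" matches at least one permissions-management action.
    if any(fnmatch.fnmatch(known, action) for known in PERMISSIONS_MANAGEMENT):
        return "permissions management"
    verb = action.partition(":")[2]
    if verb.startswith(LIST_VERBS):
        return "list"
    if verb.startswith(READ_VERBS):
        return "read"
    return "write"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that need tightening."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed; enumerate what is needed"))
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        levels = {access_level(a) for a in actions}
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API of every service"))
        if "*" in resources and levels & {"write", "permissions management"}:
            findings.append((sid, "write or permissions-management actions on Resource '*'; scope to ARNs"))
        if "permissions management" in levels and "Condition" not in stmt:
            findings.append((sid, "permissions-management actions without a Condition (e.g. aws:MultiFactorAuthPresent)"))
    return findings


# Constructed sample policy: one tight statement, one over-broad admin statement,
# one permissions-management statement gated on MFA, and a Deny with a source-IP condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ManageUsers", "Effect": "Allow",
         "Action": ["iam:AttachUserPolicy", "iam:CreateUser"],
         "Resource": "arn:aws:iam::111122223333:user/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Only the `AdminEverything` statement is reported; `ManageUsers` grants permissions-management actions but is scoped to user ARNs and conditioned on MFA, which is the shape the checklist asks for.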
3. How are you protecting the access to and the use of user account credentials?
- Rotate credentials regularly
- Remove/deactivate unnecessary credentials
- Protect EC2 key pairs. Password-protect the .pem and .ppk files on user machines
- Delete keys on your instances when someone leaves your organisation or no longer requires access
- Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
- Delegate access by using roles instead of by sharing credentials
- Use IAM roles for cross-account access and identity federation
- Use temporary security credentials instead of long-term access keys.
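Most of the items in sections 1 and 3 (root account keys and MFA, rotation, removal of unused credentials) can be checked from a single artefact, the IAM credential report. Below is an added example (not code from the original post) that parses a report and lists the findings. The report text is a constructed sample in the CSV layout that `aws iam get-credential-report` returns after base64-decoding; the column names are the ones IAM emits, while the users, dates and the fixed "today" are made up so the output is reproducible.

```python
"""Audit an IAM credential report against the root-account and credential-hygiene items.

Added example; the sample report, account id and 90-day thresholds are assumptions.
To audit a real account: `aws iam generate-credential-report`, then
`aws iam get-credential-report --query Content --output text | base64 -d`.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation period
MAX_IDLE = timedelta(days=90)      # assumed "unused" threshold
NOW = datetime(2017, 12, 1, tzinfo=timezone.utc)  # fixed reference date for the sample

# Constructed sample report (one root row, three IAM users).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2016-01-05T10:00:00+00:00,not_supported,2017-11-20T09:12:00+00:00,not_supported,not_supported,false,true,2016-01-05T10:00:00+00:00,2017-10-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-02-01T10:00:00+00:00,true,2017-11-28T09:00:00+00:00,2017-10-01T10:00:00+00:00,2018-01-01T10:00:00+00:00,true,true,2017-10-15T10:00:00+00:00,2017-11-27T09:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2017-02-01T10:00:00+00:00,true,2017-05-01T09:00:00+00:00,2017-02-01T10:00:00+00:00,2017-05-01T10:00:00+00:00,false,true,2017-02-01T10:00:00+00:00,N/A,N/A,N/A,true,2017-02-01T10:00:00+00:00,2017-08-01T09:00:00+00:00,us-east-1,iam,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-06-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-06-01T10:00:00+00:00,2017-11-29T07:30:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse(ts):
    """Return a datetime for an ISO timestamp, or None for the report's non-date markers."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for root keys, missing MFA, stale and idle credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as not_supported; root always has a password.
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        last_pw_use = _parse(row["password_last_used"])
        if has_password and not is_root and (last_pw_use is None or now - last_pw_use > MAX_IDLE):
            findings.append((user, "password not used in 90 days: deactivate"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"access key {n} on root account: delete it"))
                continue  # no point assessing rotation; the key should not exist
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than 90 days: rotate"))
            last_used = _parse(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} never used: remove"))
            elif now - last_used > MAX_IDLE:
                findings.append((user, f"access key {n} idle for 90 days: remove"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Users who have only access keys and no console password (service accounts such as `deploy-bot` in the sample) are not flagged for MFA, since MFA on API calls is enforced through policy conditions rather than the credential report.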
4. How are you limiting automated access to AWS resources?
- Use IAM roles for EC2 instances that call AWS through an SDK or the CLI
- Store securely any static credentials that are used for automated access
- Use instance profiles or Amazon STS for dynamic authentication
- For increased security, implement alternative authentication mechanisms (e.g. LDAP or Active Directory)
- Protect API access using Multi-factor authentication (MFA).
5. How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?
- Limit access to users and roles on a “need-to-know” basis for data stored in S3
- Use bucket access permissions and object access permissions for fine-grained control over S3 resources
- Use bucket policies to grant other AWS accounts or IAM users access to an S3 bucket.
- Use S3 Inventory report to view the encryption status of each object.
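A bucket policy is the place where most of the items in this section are enforced. The following added example (not code from the original post) builds a policy for a CloudTrail log bucket and a checker that catches the two mistakes the checklist warns about: a grant to every principal, and no requirement for TLS. The two CloudTrail statements follow the shape CloudTrail needs (an ACL check on the bucket and a `PutObject` grant conditioned on `bucket-owner-full-control`); the bucket name, account id, archive role and the `WEAK_POLICY` counter-example are placeholders and assumptions.

```python
"""Bucket policy for a CloudTrail log bucket, plus a checker for common weaknesses.

Added example; BUCKET, ACCOUNT_ID and the LogArchiveAdmin role are placeholders.
Apply with: aws s3api put-bucket-policy --bucket <name> --policy file://policy.json
"""
import json

ACCOUNT_ID = "111122223333"          # placeholder account id
BUCKET = "example-cloudtrail-logs"   # placeholder bucket name

CLOUDTRAIL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # CloudTrail checks the bucket ACL before it starts writing.
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        # Writes are limited to the AWSLogs/<account>/ prefix and must hand ownership to the bucket owner.
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT_ID}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        # Refuse any request that arrives over plain HTTP.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Only the (assumed) archive role may delete log objects; everyone else is denied.
        {"Sid": "DenyLogDeletion", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotLike": {
             "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:role/LogArchiveAdmin"}}},
    ],
}

# Constructed counter-example: a public read grant and no transport requirement.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def check_log_bucket_policy(policy):
    """Return a list of problems found in a policy meant for a log or billing bucket."""
    problems = []
    stmts = policy["Statement"] if isinstance(policy["Statement"], list) else [policy["Statement"]]
    has_tls_deny = False
    for stmt in stmts:
        sid = stmt.get("Sid", "?")
        principal = stmt.get("Principal")
        cond = stmt.get("Condition", {})
        if stmt["Effect"] == "Allow" and principal in ("*", {"AWS": "*"}):
            problems.append(f"{sid}: Allow to every principal (public bucket)")
        if (stmt["Effect"] == "Allow"
                and principal == {"Service": "cloudtrail.amazonaws.com"}
                and stmt.get("Action") == "s3:PutObject"
                and cond.get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control"):
            problems.append(f"{sid}: CloudTrail PutObject without bucket-owner-full-control condition")
        if stmt["Effect"] == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            has_tls_deny = True
    if not has_tls_deny:
        problems.append("no statement denies access over plain HTTP (aws:SecureTransport)")
    return problems


if __name__ == "__main__":
    print(json.dumps(CLOUDTRAIL_BUCKET_POLICY, indent=2))
    print("hardened:", check_log_bucket_policy(CLOUDTRAIL_BUCKET_POLICY))
    print("weak:", check_log_bucket_policy(WEAK_POLICY))
```

The checker is deliberately narrow; it complements, rather than replaces, a review of the bucket ACL and of the IAM policies of the users and roles that are allowed to read the logs.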
For more details, refer to the following AWS resources:
Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
Read Part 1 – Identity and Access management in AWS: best-practice checklist
Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
Read Part 3 – Data protection in AWS: best-practice checklist
Read Part 4 – Detective Controls in AWS: best-practice checklist
Read Part 5 – Incident Response in AWS: best-practice checklist
Let us know in the comments below if we have missed anything in our checklist!
Update – added link ‘New Amazon S3 Encryption & Security Features’ (01/12/2017)
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.
Neha Thethi is a senior information security analyst at BH Consulting. She is an AWS Certified Solutions Architect – Associate and holder of the SANS GIAC Certified Incident Handler (GCIH). Neha has published papers, spoken at conferences, written blogs and delivered webinars about challenges of conducting forensics in the cloud environment. She has helped clients develop incident response plans and conducted several digital forensic investigations for cloud environments including AWS and Microsoft Azure.
Editors: Gordon Smith and Valerie Lyons