Part 1 – Identity and Access management in AWS
This is the first in a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment. This post relates to identity and access management in AWS.
In a recent study by Dashlane regarding password strength, AWS was listed as an organisation that supports weak password rules. The default rules are only a starting point, however: through the Identity and Access Management (IAM) service, AWS lets an account set its own password policy and control access to its resources at a granular level. IAM governs who can use AWS resources (authentication) and what they can do with them (authorisation).
The following list focuses on limiting access to, and use of, root account and user credentials; defining roles and responsibilities of system users; limiting automated access to AWS resources; and protecting access to data stored in storage buckets – including important data stored by services such as CloudTrail.
The checklist provides best practice for the following:
- How are you protecting the access to and the use of AWS root account credentials?
- How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
- How are you protecting the access to and the use of user account credentials?
- How are you limiting automated access to AWS resources?
- How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?
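One way to measure an account against items 1, 3 and 4 above is to pull the IAM credential report and inspect every row: the root account should have MFA and no access keys at all, console users need MFA, and access keys should be rotated, not left idle, and not used as a substitute for IAM roles by automation. The script below is an added example and not part of the original post. It runs against a constructed credential report embedded in the code; the user names, account ID and the 30-day root-use, 90-day key-age and 90-day key-idle thresholds are assumptions for illustration, not AWS defaults.

```python
"""Audit an IAM credential report against checklist items 1, 3 and 4.

Added example, not code from the original post.  Assumptions (not in the
original): the input is the CSV returned by `aws iam get-credential-report`
after base64 decoding; the rows below are constructed, not from a real
account; the 30-day root-use, 90-day key-age and 90-day key-idle thresholds
are this example's choices, not AWS defaults.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report CSV layout (one user per line).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T09:00:00+00:00,not_supported,2017-11-20T08:12:00+00:00,not_supported,not_supported,false,true,2015-01-10T09:05:00+00:00,2017-11-19T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-03-01T12:00:00+00:00,true,2017-11-28T07:30:00+00:00,2017-10-01T12:00:00+00:00,2018-01-01T12:00:00+00:00,true,true,2017-09-15T12:00:00+00:00,2017-11-27T15:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-03-01T12:00:00+00:00,true,2017-11-01T07:30:00+00:00,2016-03-01T12:00:00+00:00,N/A,false,true,2016-03-01T12:05:00+00:00,2017-05-02T15:00:00+00:00,eu-west-1,s3,true,2016-03-01T12:06:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-01-01T00:01:00+00:00,2017-11-29T23:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2017, 12, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
MAX_KEY_AGE = timedelta(days=90)    # assumed rotation period
MAX_KEY_IDLE = timedelta(days=90)   # assumed inactivity limit before a key should be removed
ROOT_RECENT_USE = timedelta(days=30)


def _parse(ts):
    """Return an aware datetime for an ISO-8601 field, or None for the
    placeholders the report uses (N/A, no_information, not_supported)."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW):
    """Return a list of (user, finding) tuples for every row that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Item 1: root should have MFA, no access keys, and be used only in emergencies.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            for k in ("1", "2"):
                if row[f"access_key_{k}_active"] == "true":
                    findings.append((user, f"root account has active access key {k}"))
            last_used = _parse(row["password_last_used"])
            if last_used and now - last_used < ROOT_RECENT_USE:
                findings.append((user, f"root credentials used in the last {ROOT_RECENT_USE.days} days"))
            continue
        # Item 3: anyone with a console password needs MFA.
        if row["password_enabled"] == "true" and not mfa:
            findings.append((user, "console password enabled without MFA"))
        # Item 3: keys must be rotated and must not sit idle.
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{k}_last_rotated"])
            used = _parse(row[f"access_key_{k}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {k} older than {MAX_KEY_AGE.days} days"))
            if used is None or now - used > MAX_KEY_IDLE:
                findings.append((user, f"access key {k} unused for {MAX_KEY_IDLE.days}+ days"))
        # Item 4: a key-only user with no console password is usually automation
        # carrying long-lived credentials; an IAM role would avoid the static key.
        if row["password_enabled"] == "false" and (
            row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"
        ):
            findings.append((user, "key-only user; consider an IAM role for automated access"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Against the constructed report the root account, `bob` and `deploy-bot` are flagged while `alice` (MFA on, key rotated and in use) passes. To run it on a real account, feed in the decoded `Content` field of `aws iam get-credential-report --output text` in place of `SAMPLE_REPORT`; the report is a point-in-time snapshot, so regenerate it with `aws iam generate-credential-report` first.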
Best-practice checklist
1. How are you protecting the access to and the use of AWS root account credentials?
2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
3. How are you protecting the access to and the use of user account credentials?
4. How are you limiting automated access to AWS resources?
5. How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?
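Items 2 and 5 come down to the policy documents themselves, so they can be checked statically before they are applied. The following is an added example and not code from the original post: it places a weak IAM policy and a weak CloudTrail bucket policy beside hardened versions of each and flags what is wrong with the weak ones. The bucket name, account ID and the four sample policies are constructed. The two CloudTrail requirements it checks (`s3:GetBucketAcl` on the bucket and `s3:PutObject` under `AWSLogs/` conditioned on `s3:x-amz-acl` = `bucket-owner-full-control`) are the ones AWS documents for a trail's bucket; the no-anonymous-principal and deny-non-TLS checks are hardening rules added here.

```python
"""Static checks on the IAM and S3 bucket policies behind checklist items 2 and 5.

Added example, not code from the original post.  Assumptions (not in the
original): bucket name, account ID and the sample policies are constructed.
The CloudTrail checks follow the documented bucket policy a trail needs
(s3:GetBucketAcl on the bucket; s3:PutObject under AWSLogs/ conditioned on
s3:x-amz-acl = bucket-owner-full-control).  The anonymous-principal and
aws:SecureTransport checks are hardening rules this example adds.
"""
import json


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal ("*", or {"AWS"|"Service": ...}) into a list of strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    return [v for vals in (p or {}).values() for v in _as_list(vals)]


def find_iam_policy_issues(policy):
    """Flag over-broad Allow statements in an identity policy (checklist item 2)."""
    issues = []
    for i, s in enumerate(_as_list(policy["Statement"])):
        if s.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(s.get("Action")), _as_list(s.get("Resource"))
        if "*" in actions and "*" in resources:
            issues.append(f"statement {i}: full administrative access (Action * on Resource *)")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            issues.append(f"statement {i}: whole-service wildcard on every resource")
        if "NotAction" in s:
            issues.append(f"statement {i}: NotAction allows everything not listed")
    return issues


def find_bucket_policy_issues(policy):
    """Flag a CloudTrail log bucket policy that is public, permits plaintext
    transport, or lacks the statements CloudTrail needs (checklist item 5)."""
    issues, saw_acl, saw_put, saw_tls_deny = [], False, False, False
    for i, s in enumerate(_as_list(policy["Statement"])):
        actions, principals = _as_list(s.get("Action")), _principals(s)
        cond = s.get("Condition", {})
        if s.get("Effect") == "Deny":
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
                saw_tls_deny = True  # requests over plain HTTP are refused
            continue
        if "*" in principals and not cond:
            issues.append(f"statement {i}: anonymous principal allowed {actions}")
        if "cloudtrail.amazonaws.com" in principals:
            if "s3:GetBucketAcl" in actions:
                saw_acl = True
            if "s3:PutObject" in actions:
                acl = cond.get("StringEquals", {}).get("s3:x-amz-acl")
                if acl == "bucket-owner-full-control":
                    saw_put = True
                else:
                    issues.append(f"statement {i}: CloudTrail PutObject without bucket-owner-full-control condition")
    if not saw_acl:
        issues.append("missing: s3:GetBucketAcl for cloudtrail.amazonaws.com")
    if not saw_put:
        issues.append("missing: s3:PutObject for cloudtrail.amazonaws.com with bucket-owner-full-control")
    if not saw_tls_deny:
        issues.append("missing: Deny when aws:SecureTransport is false")
    return issues


# Constructed sample policies: a weak and a hardened version of each ($B is the bucket ARN).
BUCKET = "arn:aws:s3:::example-cloudtrail-logs"
WEAK_IAM_POLICY = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}')
HARDENED_IAM_POLICY = json.loads('''{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Action":["s3:GetObject","s3:ListBucket"],
  "Resource":["arn:aws:s3:::example-reports","arn:aws:s3:::example-reports/*"]}]}''')
WEAK_BUCKET_POLICY = json.loads('''{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"$B/*"},
  {"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject",
   "Resource":"$B/AWSLogs/111122223333/*"}]}'''.replace("$B", BUCKET))
HARDENED_BUCKET_POLICY = json.loads('''{"Version":"2012-10-17","Statement":[
  {"Sid":"AWSCloudTrailAclCheck","Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},
   "Action":"s3:GetBucketAcl","Resource":"$B"},
  {"Sid":"AWSCloudTrailWrite","Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},
   "Action":"s3:PutObject","Resource":"$B/AWSLogs/111122223333/*",
   "Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control"}}},
  {"Sid":"DenyInsecureTransport","Effect":"Deny","Principal":"*","Action":"s3:*",
   "Resource":["$B","$B/*"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'''.replace("$B", BUCKET))

if __name__ == "__main__":
    for name, fn, pol in (("weak IAM", find_iam_policy_issues, WEAK_IAM_POLICY),
                          ("hardened IAM", find_iam_policy_issues, HARDENED_IAM_POLICY),
                          ("weak bucket", find_bucket_policy_issues, WEAK_BUCKET_POLICY),
                          ("hardened bucket", find_bucket_policy_issues, HARDENED_BUCKET_POLICY)):
        print(name, "->", fn(pol) or "no issues")
```

The weak bucket policy fails on all five counts (public read, an unconditioned CloudTrail write, and the three missing statements); the hardened one passes. Checks like these are a complement to, not a replacement for, log file validation on the trail and versioning or MFA Delete on the bucket, which guard the objects once they are written.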
For more details, refer to the following AWS resources:
- IAM Best Practices
- Logging IAM Events with AWS CloudTrail
- Security Checklist – General
- AWS Security Best Practices
- Protect your S3 bucket in a right way
- New Amazon S3 Encryption & Security Features (2017)
Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
Read Part 1 – Identity and Access management in AWS: best-practice checklist
Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
Read Part 3 – Data protection in AWS: best-practice checklist
Read Part 4 – Detective Controls in AWS: best-practice checklist
Read Part 5 – Incident Response in AWS: best-practice checklist
Let us know in the comments below if we have missed anything in our checklist!
Update – added link ‘New Amazon S3 Encryption & Security Features’ (01/12/2017)
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.
Neha Thethi is a senior information security analyst at BH Consulting. She is an AWS Certified Solutions Architect – Associate and holder of the SANS GIAC Certified Incident Handler (GCIH). Neha has published papers, spoken at conferences, written blogs and delivered webinars about challenges of conducting forensics in the cloud environment. She has helped clients develop incident response plans and conducted several digital forensic investigations for cloud environments including AWS and Microsoft Azure.
Editors: Gordon Smith and Valerie Lyons
