AWS Identity and Access Management (IAM) Best Practices

Mahesh Samarasinghe
AWS in Plain English
7 min read · Jun 23, 2021

Identity and Access Management (IAM) frameworks let an organization control who has access to what, and keep track of what each user does inside an application. AWS IAM is a fully fledged service that lets administrators control who is authenticated and who is authorized to use AWS resources, and it also lets administrators keep track of every user action inside the AWS account.

To control IAM users, and services that access other services, properly, it is important to understand how IAM is set up, how it operates, and what the relevant terms mean. There are a few such terms we need to know well.

Principal

The application or user that requests an AWS resource, specifying an action to be performed on it. Principals are authenticated and authorized through IAM users or IAM roles.

Request

A principal sends a request to AWS specifying the following details in order to act on an AWS resource.

  • Action: The action which the principal wants performed on the resource
  • Resources: The resource on which the action should be performed
  • Principal: The person or application sending the request
  • Environment data: Environment data such as IP address, user agent, time, etc.
  • Resource data: Further details related to the requested resource

Authentication

The principal sending the request must be authenticated before the request is processed. If the request is sent through the AWS console, the IAM user authenticates with a username and password. If the request is sent using the CLI or the API, the access key and secret key are used to authenticate. Beyond these common scenarios, AWS STS and S3 can grant temporary access to an otherwise unknown user.

Authorization

The principal must have the required permission to perform an action on a resource, and this is decided by IAM policies. IAM evaluates the requested actions against the principal’s policies. All requests are denied by default (an implicit deny), so an action is permitted only if some policy allows it; and if even a single policy statement denies the action, the whole request is denied regardless of any allow. This is called an explicit deny.

Action

The action the principal wants performed on the resource. It is written as the service prefix, a colon, and the action name (ex: s3:PutObject).

Resources

The AWS resource on which the action is performed. If the principal has the required permission, the action is performed on the resource.

IAM under the hood

When an application or a user needs to perform an action on an AWS resource, it sends a request through the AWS console, the AWS CLI or the AWS API. Once the request is received, IAM first authenticates the principal to make sure the requesting principal is valid. IAM then looks at the list of actions in the request and validates it against the principal’s policies to make sure the principal is authorized to perform the specified actions.

Once authentication and authorization are complete and IAM has verified the principal and the list of actions, the resource is fetched based on the details in the request and the specified action is performed on it.

No more unauthorized access with IAM?

IAM is more than capable of handling authentication and authorization, and features like IAM groups make access control smoother still. But if access keys and credentials are not handled according to best practices, the results can be catastrophic. It is therefore important to know the IAM best practices and follow them.

IAM best practices

Never use access keys of the root user account

The root user is the user we get right after creating the AWS account. The best practice is never to use the root user’s access keys; instead, create an IAM user with Administrator permission and use that IAM user for further operations. This is because the root user has some critical and unique permissions, such as:

  • Change account settings such as email, billing account, account name, root user password, etc.
  • Restore IAM user permission when there are no other existing IAM users with administrator permission
  • Close AWS account
  • Activate IAM access to billing and cost management dashboard

Therefore, if a person with malicious intent gets hold of the root user’s access keys, the results can be catastrophic.

Secure root user account with MFA

Because root user access is so critical, it is always recommended to enable MFA on the root user account, so that even if someone gets hold of the root user’s password they still cannot access the root account.

Create individual IAM users and use IAM groups to permit IAM users

Create a separate IAM user for each person who needs access to the AWS account. Separate IAM users make it much easier to control access per user, and by creating IAM groups, permissions can be managed for a whole group of users (ex: DeveloperGroup, TestersGroup, AdminGroup).

Follow least privilege access control model

Start with zero permissions. Then gradually assign only the required policies, and make sure users, groups, and roles cannot perform any unnecessary actions on AWS resources.

Validate custom policies with IAM policy simulator

The IAM policy simulator is a tool for testing the policies we create. It uses the same policy evaluation engine that AWS uses to evaluate real requests, so its evaluation of a policy is correct. Since it sends no real requests to AWS, no resources are created and it cannot report real responses; instead, it reports whether the policy permits a certain action on a certain resource or not.
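To make the evaluation rule from the Authorization section concrete, and to show what the least-privilege and policy-simulator advice looks like in practice, here is an added example (not code from the article or from AWS) that models identity-policy evaluation offline: implicit deny by default, Allow grants, explicit Deny overrides. The three policies and the request list are constructed samples; the model covers only Effect, Action and Resource, so NotAction, NotResource and Condition are out of scope.

```python
"""Minimal model of IAM identity-policy evaluation (added example, not AWS code).

Decision rule: every request starts as ImplicitDeny; an Allow statement that
matches the action and resource turns it into Allow; a matching Deny statement
returns ExplicitDeny immediately, whatever else allowed it.
"""
import re


def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' one character.
    Action names are compared case-insensitively; resource ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"            # default: nothing is permitted
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if not any(iam_match(a, action, True) for a in as_list(stmt.get("Action", []))):
                continue
            if not any(iam_match(r, resource) for r in as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"    # an explicit deny wins over every allow
            decision = "Allow"           # keep going: a later Deny can still override
    return decision


def simulate(policies, requests):
    """Simulator-style report: {(action, resource): decision} for each request."""
    return {(a, r): evaluate(policies, a, r) for a, r in requests}


# Constructed sample policies (not taken from the article).
BROAD_POLICY = {            # the kind of grant least privilege tells us to avoid
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
LEAST_PRIVILEGE_POLICY = {  # only what an upload job actually needs
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads"},
    ],
}
GUARDRAIL_POLICY = {        # an explicit Deny that no Allow can override
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}

REQUESTS = [
    ("s3:PutObject", "arn:aws:s3:::app-uploads/report.csv"),
    ("s3:PutObject", "arn:aws:s3:::other-bucket/report.csv"),
    ("s3:DeleteBucket", "arn:aws:s3:::app-uploads"),
    ("iam:CreateUser", "arn:aws:iam::111122223333:user/new-user"),
]

if __name__ == "__main__":
    for label, pols in [("broad", [BROAD_POLICY]),
                        ("broad + guardrail", [BROAD_POLICY, GUARDRAIL_POLICY]),
                        ("least privilege", [LEAST_PRIVILEGE_POLICY])]:
        print(f"--- {label}")
        for (a, r), d in simulate(pols, REQUESTS).items():
            print(f"{d:12} {a} on {r}")
```

Running it shows why the broad policy is dangerous (it allows DeleteBucket on everything), how a Deny guardrail overrides it no matter which order the policies are attached in, and that the least-privilege policy leaves every request outside the upload bucket implicitly denied.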

Configure strong password policy with MFA

When IAM users are handed out to several people, some tend to choose simple passwords such as their own name, a birthday or a pet’s name, which are among the first guesses of anyone trying to break into the account, so this is a situation we must avoid. To force users to set strong passwords, IAM lets administrators set a password policy that every user’s password must adhere to. With MFA enabled on top of a strong password policy, AWS account administrators can sleep peacefully without worrying much about one of the IAM user accounts being hacked.

Never embed keys into code

When I was an intern, on the 3rd day of my internship, I accidentally pushed an AWS IAM access key and secret key to a public git repository. Within a minute I received an email from AWS that my access keys had been pushed to a public repository and the IAM account was blocked. A couple of days later, AWS informed the company that all users should consider their access keys compromised and rotate them.

Not the best experience as an intern, but it taught me clearly how serious this can be. Regardless of the hassle everyone had to go through, if a person with malicious intent had got hold of the access keys the result would have been catastrophic. It is also important to keep in mind that crawlers on version control hosting services are constantly scanning for access keys pushed to public repositories, so if you push your access keys even for a couple of seconds it is safe to assume they have been compromised. Therefore it is very important never to embed access keys in code. Always use IAM roles, or an IAM user configured with the AWS CLI on local computers, to set up the required permissions.
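The lesson above is easiest to enforce before a commit leaves the developer’s machine. The following is an added example, not tooling from the article, AWS or any git host: a small scanner that applies the two patterns a credential crawler would look for (an access key ID of the AKIA/ASIA form and a 40-character secret assigned to a variable whose name contains “secret”) and exits non-zero when it finds one, so it can run as a pre-commit hook over staged files. The sample source is constructed and uses the example credentials from AWS documentation, which are not real keys.

```python
"""Scan source text for hard-coded AWS credentials (added example, not AWS tooling).

Usage as a pre-commit hook: python scan_keys.py $(git diff --cached --name-only)
A non-zero exit status blocks the commit. With no arguments it scans the
constructed SAMPLE_SOURCE below.
"""
import re
import sys

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA; 20 characters in total.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character secret assigned to a 'secret'-style name, in single or double quotes.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret|secret_?access_?key)[^\n]{0,32}?['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def redact(token: str) -> str:
    """Keep only a short prefix so the report itself does not leak the credential."""
    return token[:4] + "*" * (len(token) - 4)


def scan_text(text: str):
    """Return [(line_number, kind, redacted_value)] for every credential-looking token."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((n, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((n, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths):
    """Findings across files as (path, line, kind, redacted_value)."""
    out = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            out.extend((path, *f) for f in scan_text(fh.read()))
    return out


# Constructed sample: the documented AWS example credentials, never valid ones.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
client = boto3.client("s3")  # correct: credentials come from a role or the CLI profile
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        hits = scan_files(sys.argv[1:])
    else:
        hits = [("<sample>", *f) for f in scan_text(SAMPLE_SOURCE)]
    for path, line, kind, value in hits:
        print(f"{path}:{line}: {kind} {value}")
    sys.exit(1 if hits else 0)
```

The scanner reports only a redacted prefix, so its own output can go into CI logs safely; the last line of the sample shows the correct pattern, where boto3 picks credentials up from a role or the local CLI profile instead of from the source file.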

Use temporary credentials where possible

Wherever it is possible to use temporary credentials instead of permanent credentials such as IAM user access keys, choose temporary credentials, since they reduce the risk a great deal. IAM roles are one of the best examples: an IAM role generates fresh temporary credentials for each session.

Rotate access keys regularly

The longer an IAM access key pair has been in use, the more opportunities an attacker has had to get hold of it, and users may also have exposed the keys unknowingly. Therefore it is a best practice to rotate access keys regularly, which protects access to the AWS account against unintentional mistakes.
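The password-policy, MFA and key-rotation advice above can all be checked from one artefact, the IAM credential report. Here is an added example (not code from the article or from AWS) that audits such a report for console users without MFA, access keys older than a rotation limit, and any access key on the root user, and separately compares an account password policy against a baseline. The CSV follows the format of the report returned by aws iam get-credential-report, but the sample is constructed and trimmed to the columns the audit reads; the password-policy keys are those returned by aws iam get-account-password-policy, while the 90-day limit and the baseline values are assumptions, not AWS recommendations.

```python
"""Audit an IAM credential report and an account password policy (added example).

Report conventions: booleans are the strings 'true'/'false', dates are ISO 8601,
'N/A' marks an unused key slot and root password fields read 'not_supported'.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation interval
REFERENCE_NOW = datetime(2021, 6, 23, tzinfo=timezone.utc)  # fixed so results are reproducible

# Constructed sample, trimmed to the columns this audit uses.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2020-11-02T09:15:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2021-05-30T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2020-12-01T12:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2021-06-01T00:00:00+00:00,true,2021-01-15T00:00:00+00:00
"""


def audit_credential_report(report_csv: str, now: datetime, max_key_age_days: int = MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # The root user should have no access keys at all, whatever their age.
            for slot in ("access_key_1", "access_key_2"):
                if row[f"{slot}_active"] == "true":
                    findings.append((user, f"root user has an active {slot}; delete it"))
            continue
        # A console password without MFA is exactly the weak spot the article warns about.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"{slot} is {age} days old; rotate"))
    return findings


def sample_findings():
    return audit_credential_report(SAMPLE_REPORT, REFERENCE_NOW)


# Baseline for the account password policy (assumed values, not an AWS recommendation).
PASSWORD_POLICY_BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "PasswordReusePrevention": 24,
}
WEAK_PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireNumbers": True}      # constructed
STRONG_PASSWORD_POLICY = dict(PASSWORD_POLICY_BASELINE, AllowUsersToChangePassword=True)


def password_policy_gaps(policy: dict) -> list:
    """Names of baseline settings the given policy fails to meet."""
    gaps = []
    for key, wanted in PASSWORD_POLICY_BASELINE.items():
        have = policy.get(key)
        if isinstance(wanted, bool):
            ok = have is True
        else:
            ok = isinstance(have, int) and not isinstance(have, bool) and have >= wanted
        if not ok:
            gaps.append(key)
    return gaps


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
    print("weak policy gaps:", password_policy_gaps(WEAK_PASSWORD_POLICY))
    print("strong policy gaps:", password_policy_gaps(STRONG_PASSWORD_POLICY))
```

The report is read with a fixed reference date so the sample gives the same findings every run; in production, pass datetime.now(timezone.utc) and feed the output into whatever ticketing or alerting the team already uses.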

Verify access with IAM Access Analyzer

IAM Access Analyzer lets administrators identify resources in the organization, such as S3 buckets, that are exposed to external entities such as other AWS accounts. This lets administrators spot unintended access early and take the necessary actions to make sure only the required parties have access to each resource.
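To show what kind of question Access Analyzer answers, here is an added example (not code from the article or from AWS) that inspects the Principal element of each Allow statement in a bucket policy and reports the ones that reach outside a set of trusted account IDs, including the public principal. The bucket policy, the account IDs and the trusted set are constructed. Access Analyzer itself reasons about the full policy language, conditions included; this model ignores Condition and skips AWS service principals, so a clean result from it is a first pass, not proof.

```python
"""Report Allow statements in a resource-based policy whose principal is outside
the trusted accounts (added example, in the spirit of an Access Analyzer finding)."""

TRUSTED_ACCOUNTS = {"111122223333"}  # the organisation's own accounts (assumed)


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal: str):
    """Account ID behind an AWS principal: a bare 12-digit ID or the account field of an ARN.
    Returns '*' for the anonymous principal and None for forms this model does not recognise."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return None


def external_access(policy: dict, trusted=TRUSTED_ACCOUNTS):
    """Return [(sid, principal, reason)] for Allow statements that grant access outside `trusted`."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean anyone, anonymous access included.
        if principal == "*":
            findings.append((sid, "*", "public"))
            continue
        if not isinstance(principal, dict):
            findings.append((sid, str(principal), "unrecognised principal"))
            continue
        for p in as_list(principal.get("AWS", [])):
            acct = account_of(p)
            if acct == "*":
                findings.append((sid, p, "public"))
            elif acct is None:
                findings.append((sid, p, "unrecognised principal"))  # report rather than assume safe
            elif acct not in trusted:
                findings.append((sid, p, f"external account {acct}"))
        # "Service" principals name AWS services rather than accounts; this model skips them.
    return findings


# Constructed sample bucket policy; the account IDs are placeholders.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Sid": "PartnerAccess", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:role/partner-reader", "111122223333"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::reports-bucket/AWSLogs/*"},
        {"Sid": "DenyDeletes", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
    ],
}

if __name__ == "__main__":
    for sid, principal, reason in external_access(SAMPLE_BUCKET_POLICY):
        print(f"{sid}: {principal} -> {reason}")
```

On the sample it flags the public read statement and the partner role in account 999988887777, while the statements scoped to the organisation’s own account, the CloudTrail service principal and the Deny statement produce nothing. Whether the partner grant is intended is a decision for the resource owner; the value of the check is that the decision gets made explicitly instead of by accident.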

Conclusion

IAM is a fully fledged service for controlling user authentication and authorization for AWS resources, so it is very important to follow best practices to ensure that no one who should not have access can perform any action on AWS resources. In practice this involves a trade-off between time constraints, requirements, budget and many other factors. But it is very important to understand the value of IAM best practices and make sure the necessary controls are in place to manage access between users and to prevent any unintended access to AWS resources.
