AWS Security Blog
Adhere to IAM Best Practices in 2016
As another new year begins, we encourage you to review our recommended AWS Identity and Access Management (IAM) best practices. Following these best practices can help you maintain the security of your AWS resources. You can learn more by watching the IAM Best Practices to Live By presentation that Anders Samuelsson gave at AWS re:Invent 2015, or you can click the following links that will take you to IAM documentation, blog posts, and videos.
- Create and use IAM users instead of your root account
Do not use your AWS root account to access AWS. Instead, create individual IAM users for access to your AWS account. This allows you to give each IAM user a unique set of security credentials and grant different permissions to each user. Related: Documentation, blog posts, video.
- Grant least privilege
Apply fine-grained permissions to ensure that IAM users have least privilege to perform only the tasks they need to perform. Start with a minimum set of permissions and grant additional permissions as necessary. Related: Documentation, blog posts.
- Manage permissions with groups
Assign permissions to groups instead of to users to make it easier for you to assign and reassign permissions to multiple users at the same time. As people in your company change job roles, you can simply change which IAM group each IAM user belongs to. Related: Documentation, blog posts, video.
- Restrict privileged access further with policy conditions
Use conditions to add more granularity when defining permissions. The more explicitly you can define when resources are available and to whom, the safer your resources will be. Using conditions can also prevent your AWS users from accidentally performing privileged actions. Related: Documentation.
- Enable AWS CloudTrail to get logs of API calls
Enable logging of AWS API calls to gain greater visibility into users’ activity in your AWS resources. Logging lets you see which actions users have taken and which resources have been used, along with details such as the time and date of actions and the actions that have failed because of inadequate permissions. Related: Documentation, blog posts, video.
- Configure a strong password policy
Configure password expiration, strength, and reuse to help ensure that your users and your data are protected by strong credentials. For enhanced security, use a strong password policy together with multi-factor authentication (MFA)—see the ninth IAM best practice below. Related: Documentation, blog posts.
- Rotate security credentials regularly
Change your own passwords and access keys regularly, and make sure that all IAM users in your AWS account do as well. You can apply a password policy to your AWS account to require all your IAM users to rotate their passwords, and you can choose how often they must do so. If a password is compromised without your knowledge, regular credential rotation limits how long that password can be used to access your AWS account. Related: Documentation, blog posts.
- Remove unused security credentials
Generate and download a credential report that lists all IAM users in your AWS account and the status of their various credentials. Review the credential report to determine which credentials have not been used recently and can be removed. Removing unused credentials reduces your attack surface. Related: Documentation, blog posts.
- Enable multi-factor authentication (MFA) for privileged users
Supplement user names and passwords by requiring a one-time password during authentication. This allows you to enable extra security for privileged IAM users (users who are allowed access to sensitive resources). Related: Documentation, blog posts, video.
- Use IAM roles to share access
Never share credentials! Instead, use IAM roles that allow you to specify whom you trust and what each role can do in your account. Also use IAM roles to delegate permissions across and within your accounts to both IAM and federated users. Related: Documentation, blog posts.
- Use IAM roles for Amazon EC2 instances
Use IAM roles to manage credentials for your applications that run on EC2 instances. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials. Also, any changes you make to a role used for multiple instances are propagated to all such instances, again simplifying credential management. Related: Documentation, blog posts.
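The credential-report review (best practice 8) and the MFA check for console users (best practice 9) can be automated in one pass over the report. The script below is an added example, not code from the original post or from AWS; the report excerpt is constructed in the layout of an IAM credential report (only a subset of its columns, with invented users, dates and account number), and the 90-day threshold is an assumed policy value.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (subset of columns).
# Users, ARNs, account number and timestamps are invented for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2015-03-01T10:00:00+00:00,true,2016-01-04T08:15:00+00:00,true,true,2016-01-03T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-06-10T09:00:00+00:00,true,2015-07-01T17:30:00+00:00,false,true,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2015-09-20T14:00:00+00:00,false,not_supported,false,true,2016-01-05T02:00:00+00:00,true,2015-09-21T02:00:00+00:00
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _is_stale(last_used, created, cutoff):
    """A credential is stale if its last use (or, if never used, its creation) predates cutoff."""
    ts = _parse_ts(last_used) or created
    return ts < cutoff


def find_stale_credentials(report_csv, now, max_unused_days=90):
    """Flag active passwords/access keys unused for more than max_unused_days,
    and console users without MFA. Returns (user, credential, reason) tuples."""
    cutoff = now - timedelta(days=max_unused_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        created = _parse_ts(row["user_creation_time"])
        if row["password_enabled"] == "true":
            if _is_stale(row["password_last_used"], created, cutoff):
                findings.append((user, "password", "unused"))
            if row["mfa_active"] != "true":
                findings.append((user, "password", "no_mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true" and _is_stale(
                row[f"access_key_{n}_last_used_date"], created, cutoff
            ):
                findings.append((user, f"access_key_{n}", "unused"))
    return findings


def demo_findings():
    """Run the check against the constructed sample as of a fixed date (assumed)."""
    return find_stale_credentials(SAMPLE_REPORT, datetime(2016, 1, 6, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, credential, reason in demo_findings():
        print(f"{user}: {credential} {reason}")
```

Each finding maps to an action on the list above: remove or deactivate the unused credential, or enrol the user in MFA before they keep console access.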
Adhere to IAM best practices to manage AWS users, groups, permissions, and credentials in order to make your AWS account as secure as possible. If you have questions or feedback about IAM best practices, go to the AWS IAM forum.
– Craig