AWS Identity and Access Management (or IAM) is a service that offers secure access control mechanisms for all of your AWS services and in some cases resources. AWS IAM is at the heart of AWS security because it empowers you to control access by creating users and groups, assigning specific permissions and policies to specific users, setting up multi-factor authentication for additional security, and so much more. And the cherry on top, IAM is free to use!
In this article, we will demystify the fundamentals of AWS IAM to offer you a complete overview of IAM, help you identify its unique benefits, and learn how to start empowering users to safeguard your AWS accounts. We will walk through key features, latest updates, and how to configure simple and important features such as MFA, and other best practices. Let’s get started!
Security in the Cloud remains one of the biggest barriers to Cloud adoption. For SecOps and SysOps teams, it becomes paramount to follow security best practices to ensure a smooth transition with a strong foundation. With all the scrutiny and public attention surrounding major Cloud platforms, it’s admirable that AWS IAM follows an incredibly granular approach in providing permissions and access control within your environments. IAM lets you control who can use your resources (authentication) and in which ways (authorization). This is why it’s possible to create exceedingly secure environments using AWS.
We should think of IAM as the first step towards securing all your AWS services and resources. Let’s look at some of the key features that make IAM so versatile and powerful:
Authentication or identity management in AWS IAM consists of the following identities:
IAM roles fulfill a unique and powerful niche in the identity and access management landscape. Instead of assigning permissions to an entity directly, roles allow an entity to be granted permissions temporarily (on an as-needed basis) to perform tasks. This enforces the least privilege principle which is based on both identity and time, as you can restrict entities to both the minimum amount of access needed as well as the minimum amount of time needed to complete a task.
Consider this: an administrator in your organization accidentally issues a command to delete a production resource. In an environment where permissions are controlled entirely with users and groups, this command would go through. On the contrary, in an environment controlled with roles, this command would only go through if the administrator had recently assumed the DeleteProductionResources role, or something similar. This allows services and users to have the capability to do everything their tasks require while minimizing the risk of compromised credentials and systems.
Authorization or access management in IAM is controlled by Policies that grant Permissions.
A policy is a document with a set of rules, having one or more statements. Each policy grants a specific set of permissions and can be attached to any of the IAM identities we covered earlier — users, groups, and roles. Policies are always written in JSON or YAML format and each policy has a name.
There are two types of policies you should know about:
AWS recommends the use of managed policies instead of inline policies so that permissions are more standardized and can be reused.
Permissions enable you to perform actions on AWS resources. When a new user or group is created, it has no permissions and a policy must be attached to allow actions to be taken on AWS resources.
You can assign permissions to all AWS identities (users, groups, and roles). Permissions are assigned in the following two ways:
When writing new policies, the following resources can be helpful:
Generally, policies should follow the principle of least privilege, which means only the absolute minimum set of access should be granted to get the job done. Policies can be extremely specific — consider the following code block, for example:
Code language: JSON / JSON with Comments (json)
Or policies can be broadly defined, such as in the following code block:
Code language: JSON / JSON with Comments (json)
Finding the right balance is important, as overly granular policies lead to undue overhead, and overly broad policies can lead to inappropriate access, which is a major factor in security breaches. Following the principle of least privilege can go a long way in ensuring that only a minimal amount of damage occurs during unexpected security events.
The threat landscape changes rapidly, which is why it’s more important than ever before to continuously tighten your security practices. Great security practices in the cloud are often the simplest of steps designed around access management and control. Let’s jump into two such quick tutorials that will allow you to enforce water-tight password policies and help set up multi-factor authentication to strengthen your organization’s overall security posture.
In this section, we’ll help you set up your AWS account password policy.
2. Next, click on the Set password policy button
3. You can now set up your password policy by defining a set of rules and selecting the complexity requirements for the password an IAM user can set. The example below meets the standards recommended by the Center for Internet Security (CIS):
Multi-Factor Authentication (MFA) protocols offer a great way to improve the overall security posture of your AWS cloud services and resources. This simple step could even prove instrumental in preventing costly breaches for your organization. In this tutorial, we will show you how to set up MFA using a mobile device.
3. Scroll down the page until you reach the section titled Multi-factor authentication (MFA), then select the Assign MFA Device button
4. Select virtual or hardware MFA device as appropriate
4a. If a virtual MFA device was selected, scan the QR code with your MFA app (such as Duo Mobile, Google Authenticator, Microsoft Authenticator, etc.) and input two subsequent codes. Select the Assign MFA button and you’re all set!
4b. If instead, you wish to use a hardware MFA device (such as a yubikey) for additional security, you will be prompted to insert the MFA device and tap the button. Your web browser may inform you that aws.amazon.com is requesting information about your hardware device. If so, grant it. Now your hardware MFA device is ready to go.
During re:Invent 2019 earlier this month, AWS announced a new feature to IAM — AWS Identity and Access Management (IAM) Access Analyzer. The AWS Identity and Access Management Access Analyzer offers an additional level of security that lets you continuously examine and analyze permissions given using policies for all organization’s resources — IAM roles, Amazon S3 buckets, AWS KMS keys, Lambda functions, and SQS queues. Before we dig into what Access Analyzer does, let’s understand what triggered its release.
With increased scrutiny surrounding customer data leaks and recent high-profile episodes of Capital One breach that allowed misconfigured access, and Attunity Leaks which exposed Amazon S3 buckets data from top clients (Netflix, Ford, and TD Bank), Access Analyzer was just the tool everyone was anticipating.
Another announcement concerning admins and SecOps teams was that of direct integration capabilities between AWS Security Hub and AWS IAM Access Analyzer to send detailed findings when policies allow public or external access to resources.
IAM Access Analyzer helps you generate a comprehensive report for all your AWS resources that could be accessed publicly i.e. outside of AWS accounts. This also includes “service last accessed” data which essentially is a timestamp of what resources and services were accessed by which users and roles. By using Access Analyzer, admins can examine thousands of policies in their environments in a matter of seconds. Access Analyzer is part of Amazon’s Provable Security efforts to achieve the highest levels of security using automated reasoning technology and mathematics logic.
IAM Access Analyzer (also includes Access Analyzer for Amazon S3, had its separate press release) is in line with the overall ethos of AWS IAM service, meaning it involves no additional cost and is included as part of the IAM console.
Before we wrap up, let’s review some of the best practices you will find useful to help secure your AWS resources:
As the biggest cloud platform and provider, AWS has introduced several measures to improve security, and IAM is the most critical of all of them. However, security and IAM is a complex subject, which is why AWS launched the Shared Responsibility Model aimed at establishing and sharing the responsibility for security and compliance between both customers and AWS.
With all its amazing capabilities and potential, the learning coverage around IAM lacks the gravitas it deserves. Through our content and article series, we aim at helping users like yourself, get the most out of topics like this powered by crisp and example-driven content. Stay tuned for more engaging cybersecurity content!
Get started today by requesting a personalized demo.