This is the first blog post in our "Cloud Best Practices" series. You see, CloudNative is all about wrapping the best known cloud practices in an easy-to-use package. We study them regularly and we love sharing what we learn, whether you use our tools or not. Today we start with the subject of AWS security, the most important one when moving your application up to the cloud.
As you may know, AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. Anders Samuelsson gave an excellent talk at AWS re:invent 2014 titled "IAM Best Practices", so let's start there and dig a little deeper.
What do we learn from this session?
Users and groups
DO NOT use root credentials. There's no way to control root's password policy, expiration or root's permissions. Root can always do everything, regardless of how you manage your IAM. Sign-in as root, create an "Admin" group with full access to all services, add your admin users to this group and lock out root credentials to never use them again.
You should always create individual IAM users, add them to IAM groups and attach IAM policies to these groups. Policies define group's permissions allowing or denying access to AWS resources. When attached to groups (rather than users) they make it easy to fine-tune a policy to affect a group and all relevant users at once.
- IAM Users and Groups
- IAM Policies:
- Overview of AWS IAM Policies
- Back to School: Understanding the IAM Policy Grammar
- Granting Users Permission to Work in the Amazon EC2 Console
- Demystifying EC2 Resource-Level Permissions
- An In-Depth Look at the IAM Policy Simulator
- IAM Policy Elements Reference
- AWS re:Invent 2014 - Mastering Access Control Policies (slides)
Least privileged policies
When defining policies always grant them the least amount of privileges. This follows the common sense of not letting your users do more than they're supposed to. So lock down a group's policies as much as you can.
Restrict privileged access with conditions. Conditions are applied to policies and further specify when a policy should take place. Some example conditions: enable only MFA-authenticated users (possibly coming from predefined IP range) to terminate EC2 instances, enable access keys management only over SSL or enable an IAM user to manage only his own "home directory" in an Amazon S3 bucket.
Enable AWS CloudTrail
Enable AWS CloudTrail for recording of all AWS API calls made in your accounts and storing the logs in your S3 bucket. AWS CloudTrail Partners lists resources you can use for processing and monitoring of CloudTrail logs.
Rotate passwords and credentials
Configure a strong password policy. Password policies define complexity requirements and rotation periods for IAM passwords.
Rotate security credentials regularly. Rotating an access keys is a 5-steps process: create a new access key, update application to use the new key, set the Status of the old key to Inactive, confirm applications are still working, delete old key.
Also, remember there's an option to "Require user to create a new password at next sign-in" which comes handy when creating new users and their initial passwords.
- Enabling credential rotation for IAM users - password, access keys
- How to rotate access keys for IAM users
- New IAM Features: Enhanced Password Management and Credential Reports
Enable multi-factor authentication for root access and privileged users. MFA has become the standard way of authenticating user access in addition to traditional credentials like password and access keys. Traditional credentials are something users know and can be compromised or brute-forced while MFA devices are something users own and are therefore much harder to compromise.
There are many MFA options available, the simplest being Google Authenticator, but our favorite is Authy. Authy provides a Chrome extension so you don't need to reach out for your mobile phone every time, an option to backup and restore your accounts so there's no need to recreate them when switching phones (or it gets lost or stolen) and an option to use multiple devices so all Android and iOS device at your disposal can be used for MFA access.
Use IAM Roles
DO NOT share your credentials. No exceptions! Instead use IAM roles for EC2 instances to share access to your AWS resources. In other words, when you need to provide an access to your AWS resources to another human, service or an application - think IAM roles right away. Some common scenarios:
Launching EC2 instances and providing them with an IAM role. This way, an application running on EC2 instances is allowed to access AWS resources specified by that IAM role without storing access keys on an instance. The access keys are then made available as instance metadata under
"iam/security-credentials/role-name"and are frequently rotated. All AWS CLI and SDK tools are aware of this and do not require any special configuration, they just work on role-granted EC2 instances.
Cross-account access sharing is where users or applications of AWS Account A need to access resources of AWS Account B. CloudNative is doing exactly that to access AMIs and Auto Scaling Groups in your AWS account.
Identity federation when Web or mobile applications require programmatic access to your AWS resources. This allows users to first sign in to an application with Amazon, Facebook, or Google and then use their authentication information to assume a role to get temporary security credentials.
- IAM Roles for EC2 instances:
- Access sharing:
- Sharing - How does it work?
- How to Use External ID When Granting Access to Your AWS Resources
- How to enable cross-account access to the AWS Management Console
- Delegating API Access to AWS Services Using IAM Roles
- Cross-Account Access: Sharing Resources Between AWS Accounts + Assuming a Role
- AWS re:Invent 2014 - Delegating Access to Your AWS Environment (slides)
- Identity federation:
That's it! These are some of the best IAM practices and lessons learned. If you feel like digging this subject even deeper - here are some additional IAM resources to keep your busy:
- AWS Security Blog
- IAM Documentation
Now, having covered security aspects of your applications, we're going to review some best practices in making them performant, scalable, resilient and cost-effective. Stay tuned!