AWS IAM Best Practices

This is the first blog post in our "Cloud Best Practices" series. You see, CloudNative is all about wrapping the best known cloud practices in an easy-to-use package. We study them regularly and we love sharing what we learn, whether you use our tools or not. Today we start with the subject of AWS security, the most important one when moving your application up to the cloud.

As you may know, AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. Anders Samuelsson gave an excellent talk at AWS re:Invent 2014 titled "IAM Best Practices", so let's start there and dig a little deeper.

What do we learn from this session?

Users and groups

Least privileged policies

  • When defining policies, always grant the least amount of privilege. This follows the common sense of not letting your users do more than they're supposed to, so lock down a group's policies as much as you can.

  • Restrict privileged access with conditions. Conditions are attached to policies and further specify when a policy applies. Some example conditions: allow only MFA-authenticated users (possibly coming from a predefined IP range) to terminate EC2 instances, allow access key management only over SSL, or allow an IAM user to manage only their own "home directory" in an Amazon S3 bucket.
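To make the two bullets above concrete, here is an added example (not code from the original post or from CloudNative) that builds the three conditional policies just described and runs them through a small, simplified evaluator. The condition keys (aws:MultiFactorAuthPresent, aws:SourceIp, aws:SecureTransport, s3:prefix) and the ${aws:username} variable are real IAM features; the account id, bucket name, CIDR range and user names are constructed for the example, and the evaluator models only the operators these policies use, not IAM's full evaluation logic.

```python
"""Least-privilege IAM policies with Condition blocks, plus a toy evaluator."""
import fnmatch
import ipaddress


# Policy 1: terminate EC2 instances only with MFA and only from a given IP range.
def terminate_policy(cidr):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": cidr},
        }}]}


# Policy 2: each user may manage only their own access keys, and only over TLS.
# The account id is a constructed placeholder.
ACCESS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey"],
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}


# Policy 3: a per-user "home directory" prefix inside one shared bucket.
def home_dir_policy(bucket):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": "home/${aws:username}/*"}}},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/home/${{aws:username}}/*"},
    ]}


def _substitute(value, ctx):
    """Expand the ${aws:username} policy variable from the request context."""
    return value.replace("${aws:username}", ctx.get("aws:username", ""))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(condition, ctx):
    """All operator blocks must match (AND); values within a key are OR-ed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:          # missing key: condition is not met
                return False
            wanted = [_substitute(str(e), ctx) for e in _as_list(expected)]
            if operator == "Bool":
                ok = str(actual).lower() in [w.lower() for w in wanted]
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in
                         ipaddress.ip_network(w, strict=False) for w in wanted)
            elif operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified decision: implicit deny, explicit Deny wins, else any matching Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _substitute(r, ctx))
                   for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = "Allow"
    return decision == "Allow"


if __name__ == "__main__":
    office = terminate_policy("203.0.113.0/24")
    print(is_allowed(office, "ec2:TerminateInstances", "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc",
                     {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.7"}))   # True
    print(is_allowed(office, "ec2:TerminateInstances", "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc",
                     {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.7"}))  # False
```

The point to take from the evaluator is that every operator block in a Condition must match, so stacking MFA and source-IP conditions on a destructive action narrows it to the intersection, and a request missing a condition key (for instance no s3:prefix on a ListBucket call) fails closed.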


Enable AWS CloudTrail

Rotate passwords and credentials

Use MFAs

  • Enable multi-factor authentication for root access and privileged users. MFA has become the standard way of authenticating user access in addition to traditional credentials like password and access keys. Traditional credentials are something users know and can be compromised or brute-forced while MFA devices are something users own and are therefore much harder to compromise.

    There are many MFA options available, the simplest being Google Authenticator, but our favorite is Authy. Authy provides a Chrome extension so you don't need to reach for your mobile phone every time, an option to back up and restore your accounts so there's no need to recreate them when switching phones (or when a phone gets lost or stolen), and an option to use multiple devices so every Android and iOS device at your disposal can be used for MFA access.


Use IAM Roles

That's it! These are some of the best IAM practices and lessons learned. If you feel like digging even deeper into this subject, here are some additional IAM resources to keep you busy:

Now, having covered security aspects of your applications, we're going to review some best practices in making them performant, scalable, resilient and cost-effective. Stay tuned!
