Which of the following are AWS recommended best practices in relation to IAM?

AWS recommends the following AWS Identity and Access Management (IAM) best practices to secure AWS resources.

Root Account – Don’t use & Lock away access keys

  • Do not use the AWS root account, which has full access to all AWS resources and services, including billing information.
  • Permissions associated with the AWS root account cannot be restricted.
  • Do not generate root access keys unless they are required.
  • If access keys have already been generated and are not needed, delete them.
  • If access keys are needed, rotate (change) them regularly.
  • Never share your root account credentials or access keys; instead, create IAM users or roles to grant granular access.
  • Enable AWS multi-factor authentication (MFA) on your AWS account.

User – Create individual IAM users

  • Don’t use the AWS root account credentials to access AWS, and don’t share them with anyone else.
  • Start by creating an IAM user with the Administrator role, which has access to all resources, like the root user, except the account’s security credentials.
  • Create individual users for everyone who needs access to your AWS account, give each user unique credentials, and grant each user only the permissions they need.

Groups – Use groups to assign permissions to IAM users

  • Instead of defining permissions for individual IAM users, create groups, define the permissions each group needs for its job function, and then add IAM users to those groups.
  • Users in an IAM group inherit the permissions assigned to the group, and a user can belong to multiple groups.
  • This makes it much easier to add new users, remove users, and modify the permissions of a whole group of users.

Permission – Grant least privilege

  • An IAM user is created with no permissions by default.
  • Users should be granted the LEAST PRIVILEGE required to perform their tasks.
  • Starting with minimal permissions and adding to them as required for the job function is far better than granting full access and then trying to tighten it down.

Passwords – Enforce strong password policy for users

  • Require users to create strong passwords and to rotate them periodically.
  • Enable a strong password policy that defines the password requirements, such as at least one capital letter and one number, and how frequently passwords must be rotated.

MFA – Enable MFA for privileged users

  • For extra security, enable multi-factor authentication (MFA) for privileged IAM users who are allowed access to sensitive resources or APIs.

Role – Use temporary credentials with IAM roles

  • Use roles for workloads instead of creating IAM users and hard-coding their credentials, which can compromise access and are also hard to rotate.
  • Roles have specific permissions but no permanent set of credentials associated with them.
  • Instead, roles provide access to AWS through dynamically generated temporary security credentials that are rotated automatically.

Sharing – Delegate using roles

  • Allow users from the same AWS account, another AWS account, or externally authenticated users (through a corporate authentication service, or through Google, Facebook, etc.) to assume IAM roles that specify the permissions they receive.
  • A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts IAM users are allowed to assume the role.
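The trust policy is the part of a role that says who may assume it, and it is where cross-account delegation goes wrong most often. The following is an added example, not code from the original article or from AWS: a small linter that reads constructed trust policies (the account ID 111122223333 and the partner account 222233334444 are made up) and flags statements that let anyone assume the role or that trust another account without an sts:ExternalId condition.

```python
# Constructed trust policies (a role's AssumeRolePolicyDocument) for an account
# whose ID is assumed to be 111122223333; 222233334444 stands for a partner account.
OWN_ACCOUNT = "111122223333"

TRUST_POLICIES = {
    "partner_with_external_id": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}},
        }],
    },
    "partner_without_external_id": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "222233334444"},
            "Action": "sts:AssumeRole",
        }],
    },
    "same_account_user": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": "sts:AssumeRole",
        }],
    },
    "ec2_service": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    "anyone": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return (kind, value) pairs; Principal is either the string "*" or a map
    such as {"AWS": [...], "Service": [...]}."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, values in principal.items() for v in _as_list(values)]


def _account_of(aws_principal):
    """An AWS principal is either a bare 12-digit account ID or an ARN whose
    fifth colon-separated field is the account ID."""
    if aws_principal.isdigit():
        return aws_principal
    parts = aws_principal.split(":")
    return parts[4] if len(parts) > 4 else None


def lint_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return issue codes for statements that let a principal assume the role."""
    issues = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
        for kind, value in _principals(stmt):
            if value == "*":
                # Any principal at all; a Condition may still narrow it, so mark that separately
                issues.append("PUBLIC_PRINCIPAL" + ("_WITH_CONDITION" if conditions else ""))
            elif kind == "AWS" and _account_of(value) != own_account and not has_external_id:
                issues.append(f"CROSS_ACCOUNT_WITHOUT_EXTERNAL_ID:{_account_of(value)}")
    return issues


if __name__ == "__main__":
    for name, policy in TRUST_POLICIES.items():
        print(f"{name}: {lint_trust_policy(policy) or 'ok'}")
```

The external ID matters because a third party that assumes roles in many customer accounts would otherwise be open to the confused-deputy problem; the same-account and service-principal policies pass because the delegation stays inside the account.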

Rotation – Rotate credentials regularly

  • Change your own passwords and access keys regularly, and enforce this through a strong password policy. Even if a password or access key is compromised without your knowledge, this limits how long the credentials can be used to access your resources.
  • IAM allows a user to have two active access keys at the same time, which makes it possible to switch to a new key before retiring the old one.

Track – Remove unnecessary credentials

  • Remove IAM users and credentials (that is, passwords and access keys) that are not needed.
  • Use the IAM credential report, which lists all IAM users in the account and the status of their credentials (passwords, access keys, and MFA devices) together with their usage, to figure out what can be removed.
  • Passwords and access keys that have not been used recently might be good candidates for removal.
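The rotation and clean-up advice above becomes actionable once the credential report is parsed rather than read by eye. The following is an added example, not code from the original article or from AWS: it audits a constructed credential report (the column names follow the documented report layout, the users, timestamps and account ID are made up) against the practices listed here, flagging root access keys, console users without MFA, keys older than 90 days, and passwords or keys that have not been used for 90 days. The 90-day thresholds and the fixed reference date are assumptions chosen for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report (the real one is
# CSV returned by the GetCredentialReport API; the root user appears as <root_account>).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-05T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2020-01-05T10:00:00+00:00,2024-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T09:00:00+00:00,true,2024-05-20T14:00:00+00:00,2024-04-01T09:00:00+00:00,2024-07-01T09:00:00+00:00,true,true,2024-03-15T09:00:00+00:00,2024-05-21T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-10T09:00:00+00:00,true,2023-09-01T11:00:00+00:00,2022-06-10T09:00:00+00:00,N/A,false,true,2022-06-10T09:00:00+00:00,2023-08-15T11:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-11-11T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-11-11T09:00:00+00:00,2024-05-21T03:00:00+00:00,us-east-1,sts,true,2024-05-20T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "today" so the example is reproducible (assumption for the example)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)
MAX_UNUSED = timedelta(days=90)


def _parse_ts(value):
    """Timestamps are ISO-8601; N/A, no_information and not_supported mean absent."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_age=MAX_KEY_AGE, max_unused=MAX_UNUSED):
    """Return (user, finding_code) pairs for credentials that violate the practices."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        # MFA: root always needs it; IAM users need it when they have a console password
        if row["mfa_active"] == "false" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "NO_MFA"))

        # Console passwords that have sat unused are candidates for removal
        if row["password_enabled"] == "true":
            last_used = _parse_ts(row["password_last_used"])
            if last_used is None or now - last_used > max_unused:
                findings.append((user, "PASSWORD_UNUSED"))

        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"ROOT_ACCESS_KEY:{slot}"))
            created = _parse_ts(row[f"{slot}_last_rotated"])
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            if created is not None and now - created > max_age:
                findings.append((user, f"KEY_OLD:{slot}"))
            # A never-used key is only suspicious once it has had time to be used,
            # so fall back to its creation date when there is no usage date
            reference = last_used or created
            if reference is not None and now - reference > max_unused:
                findings.append((user, f"KEY_UNUSED:{slot}"))
    return findings


if __name__ == "__main__":
    for user, code in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {code}")
```

In the sample, ci-deploy shows the two-active-keys rotation described above in progress: key 2 was created recently, key 1 is still in use and already overdue, so the next step is to move the workload to key 2 and deactivate key 1 before deleting it.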

Conditions – Use policy conditions for extra security

  • Define conditions under which IAM policies allow access to a resource.
  • Conditions provide finer-grained access control to AWS services and resources, e.g. limiting access to a specific IP range, or allowing only encrypted requests for uploads to S3 buckets.
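To make the least-privilege and condition points above concrete, here is an added example that is not code from the original article or from AWS: a constructed policy that grants two S3 actions on one bucket only from an office IP range and explicitly denies any unencrypted S3 call, plus a deliberately simplified evaluator that applies IAM's decision order (explicit Deny wins, otherwise an Allow is needed, otherwise the implicit default is Deny). Only the IpAddress, NotIpAddress, Bool and StringEquals operators are modelled; the bucket name and IP ranges are made up.

```python
import fnmatch
import ipaddress

# Constructed least-privilege identity policy: one bucket, two actions, only from
# the office network, and an explicit Deny for any S3 call not made over TLS
# (aws:SecureTransport is "false" for plain HTTP requests).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReportsBucketFromOffice",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator and every key must match; a key with several listed values
    matches if any of them does. A context key absent from the request never
    matches (the ...IfExists and Null operators are not modelled here)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
            elif operator == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
            elif operator == "Bool":
                ok = str(actual).lower() in [str(e).lower() for e in expected]
            elif operator == "StringEquals":
                ok = actual in expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Decide one request against one identity policy in IAM's order: an explicit
    Deny always wins, otherwise a matching Allow is required, and with nothing
    matching the result is the implicit default Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action and Resource accept '*' and '?' wildcards, which fnmatch handles
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    office_tls = {"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "true"}
    office_http = {"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "false"}
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print("office over TLS   :", evaluate(LEAST_PRIVILEGE_POLICY, "s3:PutObject", obj, office_tls))
    print("office over HTTP  :", evaluate(LEAST_PRIVILEGE_POLICY, "s3:PutObject", obj, office_http))
    print("delete from office:", evaluate(LEAST_PRIVILEGE_POLICY, "s3:DeleteObject", obj, office_tls))
```

The HTTP case is the one to study: the Allow statement matches, but the explicit Deny also matches and takes precedence, which is why an unencrypted-transport Deny is a reliable guardrail regardless of what other Allow statements are added later.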

Auditing – Monitor activity in the AWS account

  • Enable the logging features provided by CloudTrail, S3, CloudFront, etc. to determine the actions users have taken in the account and the resources that were used.
  • Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.
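The log fields named above (time, source IP, actions that failed for lack of permission) are exactly what a first-pass CloudTrail triage looks at. The following is an added example, not code from the original article or from AWS: it reads constructed CloudTrail records in the shape of a delivered log file (account ID, users and IP addresses are made up) and flags root activity, permission-denied API calls, and console logins that did not use MFA; the set of denial error codes is an assumption covering the common IAM and EC2 spellings.

```python
import json
from collections import Counter

# Constructed CloudTrail records in the shape of a delivered log file ({"Records": [...]})
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-01T09:12:03Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-06-01T09:15:44Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111122223333:user/bob is not authorized to perform: iam:CreateUser"},
    {"eventTime": "2024-06-01T22:40:10Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T03:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
]})

# Error codes that mean "refused for lack of permission" (assumed set for the example)
DENIAL_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def analyze_trail(trail_json):
    """Return (code, actor, eventName, eventTime, sourceIP) tuples for records worth
    a look: root activity, permission-denied calls, and console logins without MFA."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        # Root has no userName, so fall back to the ARN, then to the identity type
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        where = (rec["eventName"], rec["eventTime"], rec.get("sourceIPAddress"))
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", actor) + where)
        if rec.get("errorCode") in DENIAL_CODES:
            findings.append(("ACCESS_DENIED", actor) + where)
        if rec["eventName"] == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", actor) + where)
    return findings


def denied_calls_by_actor(trail_json):
    """Count denied calls per actor; a burst from one identity is a classic sign of
    a leaked key or a misconfigured workload probing for permissions."""
    return Counter(f[1] for f in analyze_trail(trail_json) if f[0] == "ACCESS_DENIED")


if __name__ == "__main__":
    for code, actor, event, when, ip in analyze_trail(SAMPLE_TRAIL):
        print(f"{when}  {code:26} {actor:40} {event:14} from {ip}")
    print(denied_calls_by_actor(SAMPLE_TRAIL))
```

A real deployment would read the gzipped log objects from the CloudTrail S3 bucket or query the same fields through CloudWatch Logs or Athena; the triage logic stays the same.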

Use IAM Access Analyzer

  • IAM Access Analyzer analyzes the services and actions that IAM roles actually use and then generates a least-privilege policy that you can apply.
  • Access Analyzer helps preview and analyze public and cross-account access for supported resource types by reviewing the findings it generates.
  • IAM Access Analyzer helps validate the policies you create to ensure that they adhere to the IAM policy language (JSON) and to IAM best practices.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.

    Which of the following are AWS IAM best practices?

    AWS Identity and Access Management best practices:
    Require multi-factor authentication (MFA).
    Rotate access keys regularly for use cases that require long-term credentials.
    Safeguard your root user credentials and don't use them for everyday tasks.
    Set permissions guardrails across multiple accounts.

    Which of the following are IAM best practices? Select all answers that apply.

    AWS IAM best practices:
    Root Account – Don't use & lock away access keys.
    User – Create individual IAM users.
    Groups – Use groups to assign permissions to IAM users.
    Permission – Grant least privilege.
    Passwords – Enforce strong password policy for users.
    MFA – Enable MFA for privileged users.

    Which of the following are AWS IAM best practices for AWS? Select three.

    Security best practices in IAM:
    Require human users to use federation with an identity provider to access AWS using temporary credentials.
    Require workloads to use temporary credentials with IAM roles to access AWS.
    Require multi-factor authentication (MFA).

    Which of the following are the best practices to secure your account using IAM?

    5 advanced IAM best practices:
    Enable multi-factor authentication (MFA) for privileged users.
    Use policy conditions for extra security.
    Remove unnecessary credentials.
    Use AWS-defined policies to assign permissions whenever possible.
    Use groups to assign permissions to IAM users.