Improper access controls are one of the top threats in cloud security. Furthermore, 80% of security breaches involve compromised privileged accounts. While having a solid identity and access management (IAM) program is a standard best practice in any environment, it's evident that companies are still falling victim to attacks due to lax controls, especially in the cloud. In addition, companies tasked with engaging in regulatory audits and maintaining compliance are struggling to adapt with 40% of professionals citing compliance as a challenge in cloud environments.
To help companies navigate the overcast skies of cloud IAM and compliance, an AWS specific security tool is necessary. Here are five AWS IAM best practices to keep in mind.
Account holders should only have access to the minimum resources needed to complete their job function. Similarly, root accounts should only be used for tasks that are absolutely necessary as root. The accounts have the most significant capabilities and the highest risk levels when compromised. For all other elevated privilege tasks, create an administrator account configured with appropriate permissions to perform remaining ongoing management activities in the environment.
Policies can be used to simplify the management of user access controls, and AWS comes with several out-of-the-box policies that act as a great starting point. However, if the default policies aren't meeting your requirements, there are other options. While the AWS defined policies can't be edited, customized policies can be created from scratch.
AWS also offers the option to apply conditions to policies for additional security. For example, instead of merely configuring "Resource A" to have access to "Subnet B" the policy can be further fine-tuned. A condition may be added that says "Resource A" can have access to "Subnet B" only on Friday between 9 am to 5 pm, or only if the request is coming from another approved subnet. Otherwise, access is blocked. Conditions can also be compounded to apply multiple requirements before granting access.
Also, set up groups so that the access granting and management process is consistent. As an alternative to assigning access permission for each distinct user, users can be added to these groups with pre-established permission sets.
A universal IAM best practice is to use strong passwords. Within AWS, an administrator should set character limits, add casing rules, include numeric and alphanumeric elements, and incorporate symbol requirements to create strong passwords. There is also an ability to set password expiration windows and block users from reusing old passwords.
However, the sophistication of attacks today is proving that sometimes passwords just aren't enough. For high-risk accounts, such as root accounts or privileged users, enable two-factor authentication for an added layer of protection. AWS offers a couple of options for allowing this in cloud environments. One is a token-based authentication in which, after the user enters their password, the token is used to generate a six-digit one-time password that is keyed into a separate webpage for access. SMS-based authentication is another multi-factor form available in which the one-time password is sent via text message to the user's mobile device. Security challenge questions can also be enabled.
Finally, don't share accounts or passwords. Each user should have their own unique login account and should be prohibited from sharing account information with others.
Ensure that user and account activities are documented and tracked. This is not only a good AWS security practice but also a compliance requirement for various audits. To help organizations monitor their cloud environment, AWS offers CloudTrail. For organizations using multiple services and seeking more robust insight into the environment, a cloud access security broker (CASB) solution can be leveraged as well.
It's important to review and clean up accounts periodically. AWS has a built-in access credentials report that can provide insight into the use of access credentials across accounts. These reports can be used to view details such as when an account was last used or when the password was last updated. Such information can be used to guide cleanup efforts such as removing unused keys and ensuring passwords are being changed regularly.
Also, the reporting capability supports compliance efforts. Several audits, such as Sarbanes Oxley (SOX), require a periodical review of user access accounts. With the information included in these reports, maintaining AWS compliance and submitting evidence is less cumbersome for administrators. Lastly, organizations should set a schedule to review their policies and groups, ensure access permissions are aligned with organizational needs and follow the principle of least privilege.
In conclusion, though IAM is a leading threat in cloud security, there are ways to mitigate the risk in AWS environments by following best practices. A cloud IAM strategy that applies the principles of least privilege, access groups and policies, strong password management, logging and monitoring, and ongoing governance will help organizations maintain secure and compliant cloud environments.