AWS IAM: Users, Groups, Access Keys and Best Practices that you must know.

Jan 24, 2025

Amazon Web Services, one of the most widely used cloud platforms, offers well over 100 services. From web hosting to artificial intelligence, AWS plays a significant role.

Now that cloud platforms carry so much of software development, securing the cloud environment itself is one of the most important concerns.

AWS addresses this with a service called AWS IAM, Identity and Access Management. IAM is where you define who (users, groups and roles) may do what (policies) against which AWS resources.

In this article we look in detail at how to manage the human and programmatic identities that sign in to an AWS account.

If you wish to learn about IAM roles and policies, you might want to check out a dedicated article here.

AWS IAM Users

An IAM user is an identity created inside a single AWS account (it is not the same as the account's root user). A user may have a console password, programmatic access keys, or both. What it can see or change is decided entirely by the IAM permission policies attached to it, either directly or through a user group; a brand-new user with no policy attached can do nothing.

AWS also ships managed policies, such as ReadOnlyAccess or AmazonS3ReadOnlyAccess, that you can attach instead of writing your own; they are convenient but often broader than a single job needs.

AWS Access Keys

AWS access keys are a pair of credentials, an Access Key ID (IAM-user keys start with AKIA) and a Secret Access Key, used to call AWS programmatically through the AWS CLI, the SDKs or the REST API; they identify and authenticate the user or application making the request. Unlike a console password they are long-lived and work from any network until deactivated, so treat them like a private key: never commit them to source control, prefer IAM roles with temporary credentials wherever the workload can assume one, and note that a user may hold at most two keys at a time, which is what allows rotation without downtime.

To create one in the console, open the user, switch to the ‘Security credentials’ tab and choose ‘Create access key’ under ‘Access keys’. The secret is shown only once, at creation time, so store it in a secrets manager immediately.

AWS IAM User Groups

A user group, as the name suggests, is a collection of users that share a set of permissions: policies are attached to the group and every member inherits them. For example, to let a particular set of people read from an S3 bucket, attach a policy granting s3:ListBucket and s3:GetObject on that bucket to a group and add those users to it. Groups are purely an administrative convenience: they cannot be nested, and a group is not a principal, so you cannot name one in a resource policy or a trust policy.

A user can belong to several groups at once; its effective permissions are the union of everything attached to it and to all of its groups, with any explicit Deny winning over an Allow.

To create a group, go to the ‘User Groups’ section in the left sidebar in IAM.

AWS IAM User Permission Policy

An identity-based policy is the JSON document that states which actions are allowed or denied on which resources. It has the same shape whether it is attached to a user, a group or a role. What it never contains is a ‘Principal’ element: the principal is simply whatever identity the policy is attached to, and IAM rejects the document if you add one. (The role document that does carry a Principal is the trust policy, which controls who may assume the role, not what the role can do.)
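
The following is an added example, not code from the original article: a small linter that applies the two points above, the missing Principal and least privilege, to constructed policy documents. The bucket name example-reports, the policy texts and the finding wording are assumptions made for the example; the rules it checks (Principal is invalid in an identity policy, identity policies need a Resource, wildcard Action/Resource grants are over-broad) are real IAM behaviour.

```python
"""Lint an IAM identity policy (the permissions policy of a user, group or role)
for a Principal element that belongs only in a role trust policy and for
wildcard grants that violate least privilege. All documents are constructed."""
import json

# Constructed: read-only access to one bucket, suitable for attaching to a user group.
S3_READ_GROUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-reports"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
})

# Constructed counter-example: every API on every resource, the opposite of least privilege.
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed counter-example: a role trust policy pasted where an identity policy belongs.
TRUST_POLICY_BY_MISTAKE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_identity_policy(document: str) -> list:
    """Return the list of findings for one policy document; empty means it passed."""
    findings = []
    policy = json.loads(document)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = f"Statement[{i}]"
        # The principal of an identity policy is whatever it is attached to;
        # IAM rejects an explicit Principal here as a malformed policy document.
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{where}: Principal is only valid in a role trust policy")
        # Trust policies omit Resource; identity policies must name one.
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{where}: identity policies must name a Resource")
        if stmt.get("Effect") != "Allow":
            continue  # a broad Deny is not a least-privilege problem
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"{where}: Action '*' grants every API in every service")
        else:
            for act in actions:
                if act.endswith(":*"):
                    findings.append(f"{where}: Action '{act}' grants a whole service")
        if "*" in resources:
            findings.append(f"{where}: Resource '*' is only justified for actions "
                            "that have no resource-level permissions")
    return findings


if __name__ == "__main__":
    for name, doc in [("s3 read group", S3_READ_GROUP_POLICY),
                      ("over-permissive", OVER_PERMISSIVE_POLICY),
                      ("trust policy", TRUST_POLICY_BY_MISTAKE)]:
        print(name, "->", lint_identity_policy(doc) or "OK")
```

Once a document passes, the group route from the article is two CLI calls (group and policy names here are made up): `aws iam put-group-policy --group-name s3-readers --policy-name read-example-reports --policy-document file://policy.json`, then `aws iam add-user-to-group --group-name s3-readers --user-name alice`.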

AWS IAM Best Practices

The following things need to be kept in mind while creating or modifying users:

  1. Principle of least privilege
    Grant only the permissions a user needs to do their job, scoped to specific actions and resources, and nothing more. DO NOT over-permit a user or group because it is quicker; widen a policy when a real need appears and review it again later.
  2. Use IAM groups wherever possible
    Managing permissions user by user becomes unmanageable as the user count grows. Classify users into groups, attach the policies to the groups, and keep direct user attachments to a minimum. Be deliberate about which group a user lands in: the wrong group is a silent privilege grant.
  3. Enable MFA
    Require multi-factor authentication for every user who has a console password, and for the root user above all. With MFA, a leaked or guessed password alone is not enough to sign in.
  4. Rotate access keys
    Access keys are long-lived and tend to spread into scripts, CI systems and developer laptops. Rotate them on a schedule (90 days is a common ceiling) so that a leaked key has a short useful life, and delete the old key once nothing uses it. Better still, give workloads an IAM role with temporary credentials so there is no long-lived key to rotate at all.
  5. Monitor IAM activity
    Log and review IAM activity so that suspicious or unintended changes are noticed. AWS CloudTrail records every IAM API call, including who created a user, attached a policy or generated an access key.
  6. Avoid using the root account
    The root user has unrestricted access to the whole account and cannot be restricted by IAM policies, so an attacker who obtains it can do irreversible damage. Use it only for the few tasks that require it, protect it with MFA, and make sure it has no access keys; do everyday work as IAM users or roles with limited permissions.
  7. Remove unused or stale credentials
    Unused passwords and access keys are attack surface with no business value: a stale key that turns up in a leak still works, and nobody is watching the identity it belongs to, so misuse is detected late. Review the IAM credential report regularly and deactivate, then delete, anything that has not been used for a defined period.
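
Points 3, 4, 6 and 7 above can be checked mechanically from the IAM credential report. The following is an added example, not code from the original article: it parses a constructed report in the real report's CSV layout (the trailing certificate columns are left out), with a fixed audit date of Jan 24, 2025 so the output is reproducible, and flags console logins without MFA, root access keys, keys older than 90 days and credentials idle for 90 days. The user names, account id and dates are invented for the example; the column names and the N/A / no_information / not_supported markers are those of the real report.

```python
"""Audit an IAM credential report for MFA, root keys, key age and idle credentials.
The report below is constructed for this example. In practice fetch the real one with
`aws iam generate-credential-report` and then
`aws iam get-credential-report --query Content --output text | base64 -d`."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2023-01-05T10:00:00+00:00,not_supported,2024-12-01T09:12:00+00:00,not_supported,not_supported,false,true,2023-01-05T10:00:00+00:00,2024-11-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-02-01T08:00:00+00:00,true,2025-01-20T07:30:00+00:00,2024-11-15T08:00:00+00:00,N/A,true,true,2024-12-20T08:00:00+00:00,2025-01-22T06:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-10T08:00:00+00:00,true,2024-06-01T12:00:00+00:00,2023-06-10T08:00:00+00:00,N/A,false,true,2023-06-10T08:00:00+00:00,2024-05-28T10:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-09-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-09-01T08:00:00+00:00,2025-01-23T23:40:00+00:00,us-east-1,ecr,true,2024-10-01T08:00:00+00:00,N/A,N/A,N/A
"""

MAX_KEY_AGE = timedelta(days=90)  # rotate keys older than this
MAX_IDLE = timedelta(days=90)     # deactivate credentials unused for this long
NOW = datetime(2025, 1, 24, tzinfo=timezone.utc)  # fixed audit date for reproducibility


def _when(value: str):
    """Timestamp columns hold ISO-8601 dates or N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now: datetime = NOW) -> dict:
    """Map every identity that has a problem to the list of problems found."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        if user == "<root_account>":
            # Root cannot be limited by IAM policy: it needs MFA and must have no keys.
            if row["mfa_active"] != "true":
                issues.append("root user has no MFA")
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                issues.append("root access key exists: delete it, use IAM users or roles")
        elif row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                issues.append("console password without MFA")
            last_login = _when(row["password_last_used"])
            if last_login is not None and now - last_login > MAX_IDLE:
                issues.append(f"console password unused for {(now - last_login).days} days")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            used = _when(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key {n} is {(now - rotated).days} days old: rotate")
            if used is None:
                issues.append(f"access key {n} has never been used: remove it")
            elif now - used > MAX_IDLE:
                issues.append(f"access key {n} unused for {(now - used).days} days: deactivate")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for identity, problems in audit_credential_report(SAMPLE_REPORT).items():
        print(identity)
        for problem in problems:
            print("  -", problem)
```

On the constructed data alice is clean, bob has a password without MFA and a key that is both old and idle, ci-deploy has two keys due for rotation of which one was never used, and the root row shows an access key that should not exist. Deactivate a key first (`aws iam update-access-key --status Inactive`) and delete it only after nothing breaks.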

That’s all for this article. If you found it useful, please clap and share.
Follow me on LinkedIn:
https://linkedin.com/in/neelesh-arora

Written by Neelesh Arora

Senior Software Engineer | Back-end Developer