Identity and Access Management (IAM) is critical to get right, and one of the easiest things to get wrong. Identity is one of the first layers of defense against unauthorized parties looking to do harm. Thanks to how AWS users and services can leverage IAM this is also an opportunity to restrict, control, and manage access at many points throughout your architecture. Through appropriate separation of access, you can do more with less risk.
Embracing your data to gain a thorough understanding of your environment will lay the foundation to follow tried and true security best practices throughout your cloud Identity Management strategy. Identity management will become an enabler, instead of a roadblock.
These steps are on the path to achieving least privilege in a way that allows your developers to innovate and build. Along your journey, here are 5 things you should be doing right now:
Custom applications, third party tools, and AWS services need to interact with the AWS platform. Human users need to use the AWS platform, too. But the functions and tasks humans need to perform are not the same. As when following the AWS Well-Architected Framework, consider the question: “How do you control human access?” 1 Developers, security and reliability engineers have different access requirements based on job function and responsibilities. These permissions should not be mixed with the access that was provided to a company’s flagship revenue generating application, or the app the intern built last summer.
Since human users and machine users do not interact with roles the same way, having both:
When crafting permissions for a role, consider the full scope of AWS service actions and resources to which those permissions grant access. Does your application need every one to operate? Broad permissions such as "Actions": "s3:*" (for all actions possible within the AWS S3 Service), or "Resource": "*" (for all Data stored on S3, within an Account) bring with them a high risk of data exposure, should be temporary, and at best avoided entirely. A key part of moving an application following this use case to production is downscoping those services and resources to the minimum required by that application in pursuit of least privilege access.
When that reduction fails to happen, it creates a broad opportunity for exposure and ultimately the risk of data theft. These extraneous permissions are the culprits that increase your attack surface and can make misuse of, or theft of, data devastating.
"Resource": "*" where possible.Flexibility and speed to build, deploy, and interact with AWS resources is front and center to the AWS Platform’s strength. That power is rooted in having the access you need, when you need it. However, unfettered ability to create IAM permissions can result in broad, overly permissive roles. These broad permissions increase the attack surface and risk of data exposure on an otherwise well architected application. Organizations often choose to pursue more restrictive models in their responsibility to manage this risk.
Managing risk through guardrails and controls can be done in a way that allows engineers to get what they need with the core flexibility that embodies the Cloud. IAM Permission Boundaries are a vehicle for restriction to maximum possible permissions an IAM Policy can have. Only the actions allowed fall within the overlap of what is specified within a given IAM policy, and also what is defined within a Permission Boundary. For behaviors that need to be managed at scale, AWS Organizations Service Control Policies (SCP) can be used to set permissions restrictions at an Organizational Unit (OU) level within AWS Orgs.
IAM key credential pairs provide access to AWS services and resources similarly to an IAM User or Role. IAM Keys can be handled and passed programmatically to interact with the AWS platform. No one wants their IAM keys and associated access to fall into the wrong hands of an unauthorized party. Some common pitfalls which increase the likelihood of realizing risk:
These pitfalls present a de-centralized key management approach, where keys are not protected from unintended viewing, and when keys must be rotated it becomes a manual and labor intensive effort.
IAM Roles can usually replace IAM Access Keys, eliminating the time and resources invested in managing and rotating your keys. Ultimately, the most secure way to handle Access Keys is to not use them at all. If keys are necessary, ensure they are rotated and managed responsibly. 10
As teams continue to deploy and grow their cloud presence, having an understanding of who is doing what within AWS will help you stay ahead of security issues. AWS has multiple services which provide valuable identity enriched event data. AWS CloudTrail provides detailed information about every action taken against the AWS API, with detailed identity information. AWS Config provides historical configuration data about all of your resources, including all of your IAM entities (users, roles, policies).15 In addition to providing state data, Config also has the capability to write rules based on configuration changes of interest.
Embracing identity enriched data is the first step towards continuous monitoring. Once issues have been found and addressed, continuous monitoring combined with governance controls is what is needed to manage cloud security risks permanently.
This continuous state data of your AWS environment gives the additional advantage of monitoring improvements. Are security issues increasing? Are they decreasing? Continuous monitoring over time will inform the effectiveness of a Cloud Security program.
These tips are stepping stones on a journey to embrace a mature Cloud Security Program. The first 4 things to do with IAM as discussed in this article also set you up for more success with Continuous Monitoring:
Knowing is half the battle. Winning the last half requires a lot of work, engagement, and coordination across any single organization. It’s important to acknowledge the complexity that comes with driving change uniquely in a given organization. Whether faced with long standing applications that are now moving to the cloud, or bootstrapped organizations which have to do more with less, every change in the right direction is addressing a risk, bringing you one step closer to a modern and well secured cloud ecosystem.
Read more about leveraging IAM as an essential component of good security posture by applying the Principle of Least Privilege.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_management_console_access.html#console_disable ↩︎
https://wa.aws.amazon.com/wat.pillar.security.en.html#sec.iaam ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log ↩︎
https://aws.amazon.com/blogs/security/identify-unused-iam-roles-remove-confidently-last-used-timestamp/ ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-access-levels-to-review-permissions ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html ↩︎
https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/ ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html?ref=wellarchitected#delegate-using-roles ↩︎
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log ↩︎
https://aws.amazon.com/blogs/security/continuously-monitor-unused-iam-roles-aws-config/ ↩︎
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log ↩︎
https://docs.aws.amazon.com/AmazonS3/latest/dev/using-s3-access-logs-to-identify-requests.html ↩︎
ScaleSec is an APN Consulting Partner guiding AWS customers through security and compliance challenges. ScaleSec’s compliance advisory and implementation services help teams leverage cloud-native services on AWS. We are hiring!
Connect with ScaleSec for AWS business.